From 5c0ae2dd2c6026157466d2fac3cdd1e9e3d40c62 Mon Sep 17 00:00:00 2001 From: Kirtana Ashok Date: Mon, 21 Apr 2025 12:41:37 -0700 Subject: [PATCH 01/20] Refactor common bridge protocol code for reuse - Move common bridge protocol definitions to subpackage under internal/gcs - Move helper functions to internal/bridgeutils pkg so that they can be used by gcs-sidecar as well Signed-off-by: Kirtana Ashok --- internal/bridgeutils/commonutils/utilities.go | 83 ++++++ .../{guest => bridgeutils}/gcserr/errors.go | 0 internal/gcs/bridge.go | 35 +-- internal/gcs/bridge_test.go | 31 +- internal/gcs/container.go | 53 ++-- internal/gcs/guestconnection.go | 57 ++-- internal/gcs/guestconnection_test.go | 31 +- internal/gcs/process.go | 41 +-- internal/gcs/{ => prot}/protocol.go | 265 +++++++++--------- internal/guest/bridge/bridge.go | 47 +--- internal/guest/bridge/bridge_unit_test.go | 2 +- internal/guest/bridge/bridge_v2.go | 4 +- internal/guest/commonutils/utilities.go | 26 -- internal/guest/prot/protocol.go | 21 +- internal/guest/runtime/hcsv2/container.go | 2 +- internal/guest/runtime/hcsv2/network.go | 2 +- internal/guest/runtime/hcsv2/process.go | 2 +- internal/guest/runtime/hcsv2/uvm.go | 3 +- internal/guest/runtime/runc/runc.go | 2 +- internal/guest/runtime/runtime.go | 2 +- internal/uvm/create_lcow.go | 6 +- internal/uvm/create_wcow.go | 15 +- internal/uvm/start.go | 3 +- 23 files changed, 364 insertions(+), 369 deletions(-) create mode 100644 internal/bridgeutils/commonutils/utilities.go rename internal/{guest => bridgeutils}/gcserr/errors.go (100%) rename internal/gcs/{ => prot}/protocol.go (51%) delete mode 100644 internal/guest/commonutils/utilities.go diff --git a/internal/bridgeutils/commonutils/utilities.go b/internal/bridgeutils/commonutils/utilities.go new file mode 100644 index 0000000000..4409825ad1 --- /dev/null +++ b/internal/bridgeutils/commonutils/utilities.go 
@@ -0,0 +1,83 @@
+package commonutils
+
+import (
+ "encoding/json"
+ "fmt"
+ "io"
+ "math"
+ "strconv"
+
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
+ "github.com/sirupsen/logrus"
+)
+
+type ErrorRecord struct {
+ Result int32 // HResult
+ Message string
+ StackTrace string `json:",omitempty"`
+ ModuleName string
+ FileName string
+ Line uint32
+ FunctionName string `json:",omitempty"`
+}
+
+// UnmarshalJSONWithHresult unmarshals the given data into the given interface, and
+// wraps any error returned in an HRESULT error.
+func UnmarshalJSONWithHresult(data []byte, v interface{}) error {
+ if err := json.Unmarshal(data, v); err != nil {
+ return gcserr.WrapHresult(err, gcserr.HrVmcomputeInvalidJSON)
+ }
+ return nil
+}
+
+// DecodeJSONWithHresult decodes the JSON from the given reader into the given
+// interface, and wraps any error returned in an HRESULT error.
+func DecodeJSONWithHresult(r io.Reader, v interface{}) error {
+ if err := json.NewDecoder(r).Decode(v); err != nil {
+ return gcserr.WrapHresult(err, gcserr.HrVmcomputeInvalidJSON)
+ }
+ return nil
+}
+
+func SetErrorForResponseBaseUtil(errForResponse error, moduleName string) (hresult gcserr.Hresult, errorMessage string, newRecord ErrorRecord) {
+ errorMessage = errForResponse.Error()
+ stackString := ""
+ fileName := ""
+ // We use -1 as a sentinel if no line number found (or it cannot be parsed),
+ // but that will ultimately end up as [math.MaxUint32], so set it to that explicitly.
+ // (Still keep using -1 for backwards compatibility ...)
+ lineNumber := uint32(math.MaxUint32)
+ functionName := ""
+ if stack := gcserr.BaseStackTrace(errForResponse); stack != nil {
+ bottomFrame := stack[0]
+ stackString = fmt.Sprintf("%+v", stack)
+ fileName = fmt.Sprintf("%s", bottomFrame)
+ lineNumberStr := fmt.Sprintf("%d", bottomFrame)
+ if n, err := strconv.ParseUint(lineNumberStr, 10, 32); err == nil {
+ lineNumber = uint32(n)
+ } else {
+ logrus.WithFields(logrus.Fields{
+ "line-number": lineNumberStr,
+ logrus.ErrorKey: err,
+ }).Error("opengcs::bridge::setErrorForResponseBase - failed to parse line number, using -1 instead")
+ }
+ functionName = fmt.Sprintf("%n", bottomFrame)
+ }
+ hresult, err := gcserr.GetHresult(errForResponse)
+ if err != nil {
+ // Default to using the generic failure HRESULT.
+ hresult = gcserr.HrFail
+ }
+
+ newRecord = ErrorRecord{
+ Result: int32(hresult),
+ Message: errorMessage,
+ StackTrace: stackString,
+ ModuleName: moduleName,
+ FileName: fileName,
+ Line: lineNumber,
+ FunctionName: functionName,
+ }
+
+ return hresult, errorMessage, newRecord
+}
diff --git a/internal/guest/gcserr/errors.go b/internal/bridgeutils/gcserr/errors.go
similarity index 100%
rename from internal/guest/gcserr/errors.go
rename to internal/bridgeutils/gcserr/errors.go
diff --git a/internal/gcs/bridge.go b/internal/gcs/bridge.go
index 0aa9d54536..79daec0d7e 100644
--- a/internal/gcs/bridge.go
+++ b/internal/gcs/bridge.go
@@ -19,6 +19,7 @@ import (
 "go.opencensus.io/trace"
 "golang.org/x/sys/windows"
 
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 "github.com/Microsoft/hcsshim/internal/log"
 "github.com/Microsoft/hcsshim/internal/oc"
 )
@@ -36,16 +37,16 @@ const (
 )
 
 type requestMessage interface {
- Base() *requestBase
+ Base() *prot.RequestBase
 }
 
 type responseMessage interface {
- Base() *responseBase
+ Base() *prot.ResponseBase
 }
 
 // rpc represents an outstanding rpc request to the guest
 type rpc struct {
- proc rpcProc
+ proc prot.RpcProc
 id int64
 req requestMessage
 resp responseMessage
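Review bot: `SetErrorForResponseBaseUtil` indexes `stack[0]` after only a nil check, so if `gcserr.BaseStackTrace` can ever return a non-nil but empty slice the error-reporting path itself panics; guard on length instead, `if stack := gcserr.BaseStackTrace(errForResponse); len(stack) > 0 {`. The function and the `ErrorRecord` type are now exported from a package meant to be shared with gcs-sidecar but carry no doc comment; a line such as `// SetErrorForResponseBaseUtil derives the HRESULT, message and ErrorRecord a bridge response should carry for errForResponse, defaulting the HRESULT to HrFail when none can be extracted.` would cover the contract. The log message still names the caller as `opengcs::bridge::setErrorForResponseBase` even though the code now lives in `commonutils`, so it should name the new location (or take the prefix from the caller alongside `moduleName`).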
@@ -78,7 +79,7 @@ const (
 bridgeFailureTimeout = time.Minute * 5
 )
 
-type notifyFunc func(*containerNotification) error
+type notifyFunc func(*prot.ContainerNotification) error
 
 // newBridge returns a bridge on `conn`. It calls `notify` when a
 // notification message arrives from the guest. It logs transport errors and
@@ -141,7 +142,7 @@ func (brdg *bridge) Wait() error {
 // AsyncRPC sends an RPC request to the guest but does not wait for a response.
 // If the message cannot be sent before the context is done, then an error is
 // returned.
-func (brdg *bridge) AsyncRPC(ctx context.Context, proc rpcProc, req requestMessage, resp responseMessage) (*rpc, error) {
+func (brdg *bridge) AsyncRPC(ctx context.Context, proc prot.RpcProc, req requestMessage, resp responseMessage) (*rpc, error) {
 call := &rpc{
 ch: make(chan struct{}),
 proc: proc,
@@ -222,7 +223,7 @@ func (call *rpc) Wait() {
 // If allowCancel is set and the context becomes done, returns an error without
 // waiting for a response. Avoid this on messages that are not idempotent or
 // otherwise safe to ignore the response of.
-func (brdg *bridge) RPC(ctx context.Context, proc rpcProc, req requestMessage, resp responseMessage, allowCancel bool) error {
+func (brdg *bridge) RPC(ctx context.Context, proc prot.RpcProc, req requestMessage, resp responseMessage, allowCancel bool) error {
 call, err := brdg.AsyncRPC(ctx, proc, req, resp)
 if err != nil {
 return err
@@ -259,7 +260,7 @@ func (brdg *bridge) recvLoopRoutine() {
 }
 }
 
-func readMessage(r io.Reader) (int64, msgType, []byte, error) {
+func readMessage(r io.Reader) (int64, prot.MsgType, []byte, error) {
 _, span := oc.StartSpan(context.Background(), "bridge receive read message", oc.WithClientSpanKind)
 defer span.End()
 
@@ -268,7 +269,7 @@ func readMessage(r io.Reader) (int64, msgType, []byte, error) {
 if err != nil {
 return 0, 0, nil, err
 }
- typ := msgType(binary.LittleEndian.Uint32(h[hdrOffType:]))
+ typ := prot.MsgType(binary.LittleEndian.Uint32(h[hdrOffType:]))
 n := binary.LittleEndian.Uint32(h[hdrOffSize:])
 id := int64(binary.LittleEndian.Uint64(h[hdrOffID:]))
 span.AddAttributes(
@@ -309,8 +310,8 @@ func (brdg *bridge) recvLoop() error {
 "type": typ.String(),
 "message-id": id}).Trace("bridge receive")
 
- switch typ & msgTypeMask {
- case msgTypeResponse:
+ switch typ & prot.MsgTypeMask {
+ case prot.MsgTypeResponse:
 // Find the request associated with this response.
 brdg.mu.Lock()
 call := brdg.rpcs[id]
@@ -342,11 +343,11 @@ func (brdg *bridge) recvLoop() error {
 return err
 }
 
- case msgTypeNotify:
- if typ != notifyContainer|msgTypeNotify {
+ case prot.MsgTypeNotify:
+ if typ != prot.NotifyContainer|prot.MsgTypeNotify {
 return fmt.Errorf("bridge received unknown unknown notification message %s", typ)
 }
- var ntf containerNotification
+ var ntf prot.ContainerNotification
 ntf.ResultInfo.Value = &json.RawMessage{}
 err := json.Unmarshal(b, &ntf)
 if err != nil {
@@ -381,7 +382,7 @@ func (brdg *bridge) sendLoop() {
 }
 }
 
-func (brdg *bridge) writeMessage(buf *bytes.Buffer, enc *json.Encoder, typ msgType, id int64, req interface{}) error {
+func (brdg *bridge) writeMessage(buf *bytes.Buffer, enc *json.Encoder, typ prot.MsgType, id int64, req interface{}) error {
 var err error
 _, span := oc.StartSpan(context.Background(), "bridge send", oc.WithClientSpanKind)
 defer span.End()
@@ -406,9 +407,9 @@ func (brdg *bridge) writeMessage(buf *bytes.Buffer, enc *json.Encoder, typ msgTy
 b := buf.Bytes()[hdrSize:]
 switch typ {
 // container environment vars are in rpCreate for linux; rpcExecuteProcess for windows
- case msgType(rpcCreate) | msgTypeRequest:
+ case prot.MsgType(prot.RpcCreate) | prot.MsgTypeRequest:
 b, err = log.ScrubBridgeCreate(b)
- case msgType(rpcExecuteProcess) | msgTypeRequest:
+ case prot.MsgType(prot.RpcExecuteProcess) | prot.MsgTypeRequest:
 b, err = log.ScrubBridgeExecProcess(b)
 }
 if err != nil {
@@ -441,7 +442,7 @@ func (brdg *bridge) sendRPC(buf *bytes.Buffer, enc *json.Encoder, call *rpc) err
 brdg.rpcs[id] = call
 brdg.nextID++
 brdg.mu.Unlock()
- typ := msgType(call.proc) | msgTypeRequest
+ typ := prot.MsgType(call.proc) | prot.MsgTypeRequest
 err := brdg.writeMessage(buf, enc, typ, id, call.req)
 if err != nil {
 // Try to reclaim this request and fail it.
diff --git a/internal/gcs/bridge_test.go b/internal/gcs/bridge_test.go
index d6b3265c60..5a6ab368f1 100644
--- a/internal/gcs/bridge_test.go
+++ b/internal/gcs/bridge_test.go
@@ -13,6 +13,7 @@ import (
 "testing"
 "time"
 
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 "github.com/sirupsen/logrus"
 )
 
@@ -33,7 +34,7 @@ func pipeConn() (*stitched, *stitched) {
 return &stitched{r1, w2}, &stitched{r2, w1}
 }
 
-func sendMessage(t *testing.T, w io.Writer, typ msgType, id int64, msg []byte) {
+func sendMessage(t *testing.T, w io.Writer, typ prot.MsgType, id int64, msg []byte) {
 t.Helper()
 var h [16]byte
 binary.LittleEndian.PutUint32(h[:], uint32(typ))
@@ -63,18 +64,18 @@ func reflector(t *testing.T, rw io.ReadWriteCloser, delay time.Duration) {
 return
 }
 time.Sleep(delay) // delay is used to test timeouts (when non-zero)
- typ ^= msgTypeResponse ^ msgTypeRequest
+ typ ^= prot.MsgTypeResponse ^ prot.MsgTypeRequest
 sendMessage(t, rw, typ, id, msg)
 }
 }
 
 type testReq struct {
- requestBase
+ prot.RequestBase
 X, Y int
 }
 
 type testResp struct {
- responseBase
+ prot.ResponseBase
 X, Y int
 }
 
@@ -92,7 +93,7 @@ func TestBridgeRPC(t *testing.T) {
 defer b.Close()
 req := testReq{X: 5}
 var resp testResp
- err := b.RPC(context.Background(), rpcCreate, &req, &resp, false)
+ err := b.RPC(context.Background(), prot.RpcCreate, &req, &resp, false)
 if err != nil {
 t.Fatal(err)
 }
@@ -107,7 +108,7 @@ func TestBridgeRPCResponseTimeout(t *testing.T) {
 b.Timeout = time.Millisecond * 100
 req := testReq{X: 5}
 var resp testResp
- err := b.RPC(context.Background(), rpcCreate, &req, &resp, false)
+ err := b.RPC(context.Background(), prot.RpcCreate, &req, &resp, false)
 if err == nil || !strings.Contains(err.Error(), "bridge closed") {
 t.Fatalf("expected bridge disconnection, got %s", err)
 }
@@ -121,7 +122,7 @@ func TestBridgeRPCContextDone(t *testing.T) {
 defer cancel()
 req := testReq{X: 5}
 var resp testResp
- err := b.RPC(ctx, rpcCreate, &req, &resp, true)
+ err := b.RPC(ctx, prot.RpcCreate, &req, &resp, true)
 if err != context.DeadlineExceeded { //nolint:errorlint
 t.Fatalf("expected deadline exceeded, got %s", err)
 }
@@ -135,7 +136,7 @@ func TestBridgeRPCContextDoneNoCancel(t *testing.T) {
 defer cancel()
 req := testReq{X: 5}
 var resp testResp
- err := b.RPC(ctx, rpcCreate, &req, &resp, false)
+ err := b.RPC(ctx, prot.RpcCreate, &req, &resp, false)
 if err == nil || !strings.Contains(err.Error(), "bridge closed") {
 t.Fatalf("expected bridge disconnection, got %s", err)
 }
@@ -145,13 +146,13 @@ func TestBridgeRPCBridgeClosed(t *testing.T) {
 b := startReflectedBridge(t, 0)
 eerr := errors.New("forcibly terminated")
 b.kill(eerr)
- err := b.RPC(context.Background(), rpcCreate, nil, nil, false)
+ err := b.RPC(context.Background(), prot.RpcCreate, nil, nil, false)
 if err != eerr { //nolint:errorlint
 t.Fatal("unexpected: ", err)
 }
 }
 
-func sendJSON(t *testing.T, w io.Writer, typ msgType, id int64, msg interface{}) error {
+func sendJSON(t *testing.T, w io.Writer, typ prot.MsgType, id int64, msg interface{}) error {
 t.Helper()
 msgb, err := json.Marshal(msg)
 if err != nil {
@@ -161,7 +162,7 @@ func sendJSON(t *testing.T, w io.Writer, typ msgType, id int64, msg interface{})
 return nil
 }
 
-func notifyThroughBridge(t *testing.T, typ msgType, msg interface{}, fn notifyFunc) error {
+func notifyThroughBridge(t *testing.T, typ prot.MsgType, msg interface{}, fn notifyFunc) error {
 t.Helper()
 s, c := pipeConn()
 b := newBridge(s, fn, logrus.NewEntry(logrus.StandardLogger()))
@@ -176,9 +177,9 @@ func notifyThroughBridge(t *testing.T, typ msgType, msg interface{}, fn notifyFu
 }
 
 func TestBridgeNotify(t *testing.T) {
- ntf := &containerNotification{Operation: "testing"}
+ ntf := &prot.ContainerNotification{Operation: "testing"}
 recvd := false
- err := notifyThroughBridge(t, msgTypeNotify|notifyContainer, ntf, func(nntf *containerNotification) error {
+ err := notifyThroughBridge(t, prot.MsgTypeNotify|prot.NotifyContainer, ntf, func(nntf *prot.ContainerNotification) error {
 if !reflect.DeepEqual(ntf, nntf) {
 t.Errorf("%+v != %+v", ntf, nntf)
 }
@@ -194,9 +195,9 @@ func TestBridgeNotify(t *testing.T) {
 }
 
 func TestBridgeNotifyFailure(t *testing.T) {
- ntf := &containerNotification{Operation: "testing"}
+ ntf := &prot.ContainerNotification{Operation: "testing"}
 errMsg := "notify should have failed"
- err := notifyThroughBridge(t, msgTypeNotify|notifyContainer, ntf, func(nntf *containerNotification) error {
+ err := notifyThroughBridge(t, prot.MsgTypeNotify|prot.NotifyContainer, ntf, func(nntf *prot.ContainerNotification) error {
 return errors.New(errMsg)
 })
 if err == nil || !strings.Contains(err.Error(), errMsg) {
diff --git a/internal/gcs/container.go b/internal/gcs/container.go
index a64408b834..728f38a43a 100644
--- a/internal/gcs/container.go
+++ b/internal/gcs/container.go
@@ -9,6 +9,7 @@ import (
 "time"
 
 "github.com/Microsoft/hcsshim/internal/cow"
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 "github.com/Microsoft/hcsshim/internal/hcs/schema1"
 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 "github.com/Microsoft/hcsshim/internal/log"
@@ -53,12 +54,12 @@ func (gc *GuestConnection) CreateContainer(ctx context.Context, cid string, conf
 if err != nil {
 return nil, err
 }
- req := containerCreate{
- requestBase: makeRequest(ctx, cid),
- ContainerConfig: anyInString{config},
+ req := prot.ContainerCreate{
+ RequestBase: makeRequest(ctx, cid),
+ ContainerConfig: prot.AnyInString{config},
 }
- var resp containerCreateResponse
- err = gc.brdg.RPC(ctx, rpcCreate, &req, &resp, false)
+ var resp prot.ContainerCreateResponse
+ err = gc.brdg.RPC(ctx, prot.RpcCreate, &req, &resp, false)
 if err != nil {
 return nil, err
 }
@@ -129,27 +130,27 @@ func (c *Container) Modify(ctx context.Context, config interface{}) (err error)
 defer func() { oc.SetSpanStatus(span, err) }()
 span.AddAttributes(trace.StringAttribute("cid", c.id))
 
- req := containerModifySettings{
- requestBase: makeRequest(ctx, c.id),
+ req := prot.ContainerModifySettings{
+ RequestBase: makeRequest(ctx, c.id),
 Request: config,
 }
- var resp responseBase
- return c.gc.brdg.RPC(ctx, rpcModifySettings, &req, &resp, false)
+ var resp prot.ResponseBase
+ return c.gc.brdg.RPC(ctx, prot.RpcModifySettings, &req, &resp, false)
 }
 
-// Properties returns the requested container properties targeting a V1 schema container.
+// Properties returns the requested container properties targeting a V1 schema prot.Container.
 func (c *Container) Properties(ctx context.Context, types ...schema1.PropertyType) (_ *schema1.ContainerProperties, err error) {
 ctx, span := oc.StartSpan(ctx, "gcs::Container::Properties", oc.WithClientSpanKind)
 defer span.End()
 defer func() { oc.SetSpanStatus(span, err) }()
 span.AddAttributes(trace.StringAttribute("cid", c.id))
 
- req := containerGetProperties{
- requestBase: makeRequest(ctx, c.id),
- Query: containerPropertiesQuery{PropertyTypes: types},
+ req := prot.ContainerGetProperties{
+ RequestBase: makeRequest(ctx, c.id),
+ Query: prot.ContainerPropertiesQuery{PropertyTypes: types},
 }
- var resp containerGetPropertiesResponse
- err = c.gc.brdg.RPC(ctx, rpcGetProperties, &req, &resp, true)
+ var resp prot.ContainerGetPropertiesResponse
+ err = c.gc.brdg.RPC(ctx, prot.RpcGetProperties, &req, &resp, true)
 if err != nil {
 return nil, err
 }
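Review bot: The `Properties` doc comment was swept up by the package-qualifying replace and now ends in `targeting a V1 schema prot.Container.`, but no `prot.Container` exists — the receiver type `Container` stays in package gcs, and the sentence was describing the container being queried, not a type. Restore the original wording, `// Properties returns the requested container properties targeting a V1 schema container.`. The code lines in this hunk are the same mechanical qualification as the neighbouring hunks and need no further change.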
@@ -163,12 +164,12 @@ func (c *Container) PropertiesV2(ctx context.Context, types ...hcsschema.Propert
 defer func() { oc.SetSpanStatus(span, err) }()
 span.AddAttributes(trace.StringAttribute("cid", c.id))
 
- req := containerGetPropertiesV2{
- requestBase: makeRequest(ctx, c.id),
- Query: containerPropertiesQueryV2{PropertyTypes: types},
+ req := prot.ContainerGetPropertiesV2{
+ RequestBase: makeRequest(ctx, c.id),
+ Query: prot.ContainerPropertiesQueryV2{PropertyTypes: types},
 }
- var resp containerGetPropertiesResponseV2
- err = c.gc.brdg.RPC(ctx, rpcGetProperties, &req, &resp, true)
+ var resp prot.ContainerGetPropertiesResponseV2
+ err = c.gc.brdg.RPC(ctx, prot.RpcGetProperties, &req, &resp, true)
 if err != nil {
 return nil, err
 }
@@ -183,13 +184,13 @@ func (c *Container) Start(ctx context.Context) (err error) {
 span.AddAttributes(trace.StringAttribute("cid", c.id))
 
 req := makeRequest(ctx, c.id)
- var resp responseBase
- return c.gc.brdg.RPC(ctx, rpcStart, &req, &resp, false)
+ var resp prot.ResponseBase
+ return c.gc.brdg.RPC(ctx, prot.RpcStart, &req, &resp, false)
 }
 
-func (c *Container) shutdown(ctx context.Context, proc rpcProc) error {
+func (c *Container) shutdown(ctx context.Context, proc prot.RpcProc) error {
 req := makeRequest(ctx, c.id)
- var resp responseBase
+ var resp prot.ResponseBase
 err := c.gc.brdg.RPC(ctx, proc, &req, &resp, true)
 if err != nil {
 if uint32(resp.Result) != hrComputeSystemDoesNotExist {
@@ -215,7 +216,7 @@ func (c *Container) Shutdown(ctx context.Context) (err error) {
 ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
 defer cancel()
 
- return c.shutdown(ctx, rpcShutdownGraceful)
+ return c.shutdown(ctx, prot.RpcShutdownGraceful)
 }
 
 // Terminate sends a forceful terminate request to the container. The container
@@ -229,7 +230,7 @@ func (c *Container) Terminate(ctx context.Context) (err error) {
 ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
 defer cancel()
 
- return c.shutdown(ctx, rpcShutdownForced)
+ return c.shutdown(ctx, prot.RpcShutdownForced)
 }
 
 func (c *Container) WaitChannel() <-chan struct{} {
diff --git a/internal/gcs/guestconnection.go b/internal/gcs/guestconnection.go
index fe974b5c17..9607c61261 100644
--- a/internal/gcs/guestconnection.go
+++ b/internal/gcs/guestconnection.go
@@ -16,6 +16,7 @@ import (
 "github.com/Microsoft/go-winio"
 "github.com/Microsoft/go-winio/pkg/guid"
 "github.com/Microsoft/hcsshim/internal/cow"
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 "github.com/Microsoft/hcsshim/internal/log"
 "github.com/Microsoft/hcsshim/internal/logfields"
@@ -28,7 +29,7 @@ import (
 
 const (
 protocolVersion = 4
- firstIoChannelVsockPort = LinuxGcsVsockPort + 1
+ firstIoChannelVsockPort = prot.LinuxGcsVsockPort + 1
 nullContainerID = "00000000-0000-0000-0000-000000000000"
 )
 
@@ -117,12 +118,12 @@ func (gc *GuestConnection) Protocol() uint32 {
 // isColdStart should be true when the UVM is being connected to for the first time post-boot.
 // It should be false for subsequent connections (e.g. if reconnecting to an existing UVM).
 func (gc *GuestConnection) connect(ctx context.Context, isColdStart bool, initGuestState *InitialGuestState) (err error) {
- req := negotiateProtocolRequest{
+ req := prot.NegotiateProtocolRequest{
 MinimumVersion: protocolVersion,
 MaximumVersion: protocolVersion,
 }
- var resp negotiateProtocolResponse
- err = gc.brdg.RPC(ctx, rpcNegotiateProtocol, &req, &resp, true)
+ var resp prot.NegotiateProtocolResponse
+ err = gc.brdg.RPC(ctx, prot.RpcNegotiateProtocol, &req, &resp, true)
 if err != nil {
 return err
 }
@@ -141,25 +142,25 @@ func (gc *GuestConnection) connect(ctx context.Context, isColdStart bool, initGu
 }
 
 if isColdStart && resp.Capabilities.SendHostCreateMessage {
- conf := &uvmConfig{
+ conf := &prot.UvmConfig{
 SystemType: "Container",
 }
 if initGuestState != nil && initGuestState.Timezone != nil {
 conf.TimeZoneInformation = initGuestState.Timezone
 }
- createReq := containerCreate{
- requestBase: makeRequest(ctx, nullContainerID),
- ContainerConfig: anyInString{conf},
+ createReq := prot.ContainerCreate{
+ RequestBase: makeRequest(ctx, nullContainerID),
+ ContainerConfig: prot.AnyInString{conf},
 }
- var createResp responseBase
- err = gc.brdg.RPC(ctx, rpcCreate, &createReq, &createResp, true)
+ var createResp prot.ResponseBase
+ err = gc.brdg.RPC(ctx, prot.RpcCreate, &createReq, &createResp, true)
 if err != nil {
 return err
 }
 if resp.Capabilities.SendHostStartMessage {
 startReq := makeRequest(ctx, nullContainerID)
- var startResp responseBase
- err = gc.brdg.RPC(ctx, rpcStart, &startReq, &startResp, true)
+ var startResp prot.ResponseBase
+ err = gc.brdg.RPC(ctx, prot.RpcStart, &startReq, &startResp, true)
 if err != nil {
 return err
 }
@@ -175,12 +176,12 @@ func (gc *GuestConnection) Modify(ctx context.Context, settings interface{}) (er
 defer span.End()
 defer func() { oc.SetSpanStatus(span, err) }()
 
- req := containerModifySettings{
- requestBase: makeRequest(ctx, nullContainerID),
+ req := prot.ContainerModifySettings{
+ RequestBase: makeRequest(ctx, nullContainerID),
 Request: settings,
 }
- var resp responseBase
- return gc.brdg.RPC(ctx, rpcModifySettings, &req, &resp, false)
+ var resp prot.ResponseBase
+ return gc.brdg.RPC(ctx, prot.RpcModifySettings, &req, &resp, false)
 }
 
 func (gc *GuestConnection) DumpStacks(ctx context.Context) (response string, err error) {
@@ -188,11 +189,11 @@ func (gc *GuestConnection) DumpStacks(ctx context.Context) (response string, err
 defer span.End()
 defer func() { oc.SetSpanStatus(span, err) }()
 
- req := dumpStacksRequest{
- requestBase: makeRequest(ctx, nullContainerID),
+ req := prot.DumpStacksRequest{
+ RequestBase: makeRequest(ctx, nullContainerID),
 }
- var resp dumpStacksResponse
- err = gc.brdg.RPC(ctx, rpcDumpStacks, &req, &resp, false)
+ var resp prot.DumpStacksResponse
+ err = gc.brdg.RPC(ctx, prot.RpcDumpStacks, &req, &resp, false)
 return resp.GuestStacks, err
 }
 
@@ -202,11 +203,11 @@ func (gc *GuestConnection) DeleteContainerState(ctx context.Context, cid string)
 defer func() { oc.SetSpanStatus(span, err) }()
 span.AddAttributes(trace.StringAttribute("cid", cid))
 
- req := deleteContainerStateRequest{
- requestBase: makeRequest(ctx, cid),
+ req := prot.DeleteContainerStateRequest{
+ RequestBase: makeRequest(ctx, cid),
 }
- var resp responseBase
- return gc.brdg.RPC(ctx, rpcDeleteContainerState, &req, &resp, false)
+ var resp prot.ResponseBase
+ return gc.brdg.RPC(ctx, prot.RpcDeleteContainerState, &req, &resp, false)
 }
 
 // Close terminates the guest connection. It is undefined to call any other
@@ -263,7 +264,7 @@ func (gc *GuestConnection) requestNotify(cid string, ch chan struct{}) error {
 return nil
 }
 
-func (gc *GuestConnection) notify(ntf *containerNotification) error {
+func (gc *GuestConnection) notify(ntf *prot.ContainerNotification) error {
 cid := ntf.ContainerID
 gc.mu.Lock()
 ch := gc.notifyChs[cid]
@@ -287,14 +288,14 @@ func (gc *GuestConnection) clearNotifies() {
 }
 }
 
-func makeRequest(ctx context.Context, cid string) requestBase {
- r := requestBase{
+func makeRequest(ctx context.Context, cid string) prot.RequestBase {
+ r := prot.RequestBase{
 ContainerID: cid,
 }
 span := trace.FromContext(ctx)
 if span != nil {
 sc := span.SpanContext()
- r.OpenCensusSpanContext = &ocspancontext{
+ r.OpenCensusSpanContext = &prot.Ocspancontext{
 TraceID: hex.EncodeToString(sc.TraceID[:]),
 SpanID: hex.EncodeToString(sc.SpanID[:]),
 TraceOptions: uint32(sc.TraceOptions),
diff --git a/internal/gcs/guestconnection_test.go b/internal/gcs/guestconnection_test.go
index facb0dd34b..8c505be54b 100644
--- a/internal/gcs/guestconnection_test.go
+++ b/internal/gcs/guestconnection_test.go
@@ -21,6 +21,7 @@ import (
 "go.opencensus.io/trace"
 "go.opencensus.io/trace/tracestate"
 
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 "github.com/Microsoft/hcsshim/internal/oc"
 )
 
@@ -55,24 +56,24 @@ func simpleGcsLoop(t *testing.T, rw io.ReadWriter) error {
 }
 return err
 }
- switch proc := rpcProc(typ &^ msgTypeRequest); proc {
- case rpcNegotiateProtocol:
- err := sendJSON(t, rw, msgTypeResponse|msgType(proc), id, &negotiateProtocolResponse{
+ switch proc := prot.RpcProc(typ &^ prot.MsgTypeRequest); proc {
+ case prot.RpcNegotiateProtocol:
+ err := sendJSON(t, rw, prot.MsgTypeResponse|prot.MsgType(proc), id, &prot.NegotiateProtocolResponse{
 Version: protocolVersion,
- Capabilities: gcsCapabilities{
+ Capabilities: prot.GcsCapabilities{
 RuntimeOsType: "linux",
 },
 })
 if err != nil {
 return err
 }
- case rpcCreate:
- err := sendJSON(t, rw, msgTypeResponse|msgType(proc), id, &containerCreateResponse{})
+ case prot.RpcCreate:
+ err := sendJSON(t, rw, prot.MsgTypeResponse|prot.MsgType(proc), id, &prot.ContainerCreateResponse{})
 if err != nil {
 return err
 }
- case rpcExecuteProcess:
- var req containerExecuteProcess
+ case prot.RpcExecuteProcess:
+ var req prot.ContainerExecuteProcess
 var params baseProcessParams
 req.Settings.ProcessParameters.Value = ¶ms
 err := json.Unmarshal(b, &req)
@@ -111,27 +112,27 @@ func simpleGcsLoop(t *testing.T, rw io.ReadWriter) error {
 stdout.Close()
 }()
 }
- err = sendJSON(t, rw, msgTypeResponse|msgType(proc), id, &containerExecuteProcessResponse{
+ err = sendJSON(t, rw, prot.MsgTypeResponse|prot.MsgType(proc), id, &prot.ContainerExecuteProcessResponse{
 ProcessID: 42,
 })
 if err != nil {
 return err
 }
- case rpcWaitForProcess:
+ case prot.RpcWaitForProcess:
 // nothing
- case rpcShutdownForced:
- var req requestBase
+ case prot.RpcShutdownForced:
+ var req prot.RequestBase
 err = json.Unmarshal(b, &req)
 if err != nil {
 return err
 }
- err = sendJSON(t, rw, msgTypeResponse|msgType(proc), id, &responseBase{})
+ err = sendJSON(t, rw, prot.MsgTypeResponse|prot.MsgType(proc), id, &prot.ResponseBase{})
 if err != nil {
 return err
 }
 time.Sleep(50 * time.Millisecond)
- err = sendJSON(t, rw, msgType(msgTypeNotify|notifyContainer), 0, &containerNotification{
- requestBase: requestBase{
+ err = sendJSON(t, rw, prot.MsgType(prot.MsgTypeNotify|prot.NotifyContainer), 0, &prot.ContainerNotification{
+ RequestBase: prot.RequestBase{
 ContainerID: req.ContainerID,
 },
 })
diff --git a/internal/gcs/process.go b/internal/gcs/process.go
index 87c5c29ae4..f5f013cd57 100644
--- a/internal/gcs/process.go
+++ b/internal/gcs/process.go
@@ -12,6 +12,7 @@ import (
 "github.com/Microsoft/go-winio"
 
 "github.com/Microsoft/hcsshim/internal/cow"
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 "github.com/Microsoft/hcsshim/internal/log"
 "github.com/Microsoft/hcsshim/internal/logfields"
 "github.com/Microsoft/hcsshim/internal/oc"
@@ -29,7 +30,7 @@ type Process struct {
 cid string
 id uint32
 waitCall *rpc
- waitResp containerWaitForProcessResponse
+ waitResp prot.ContainerWaitForProcessResponse
 stdin, stdout, stderr *ioChannel
 stdinCloseWriteOnce sync.Once
 stdinCloseWriteErr error
@@ -52,10 +53,10 @@ func (gc *GuestConnection) exec(ctx context.Context, cid string, params interfac
 return nil, err
 }
 
- req := containerExecuteProcess{
- requestBase: makeRequest(ctx, cid),
- Settings: executeProcessSettings{
- ProcessParameters: anyInString{params},
+ req := prot.ContainerExecuteProcess{
+ RequestBase: makeRequest(ctx, cid),
+ Settings: prot.ExecuteProcessSettings{
+ ProcessParameters: prot.AnyInString{params},
 },
 }
 
@@ -68,8 +69,8 @@ func (gc *GuestConnection) exec(ctx context.Context, cid string, params interfac
 
 // Construct the stdio channels. Windows guests expect hvsock service IDs
 // instead of vsock ports.
- var hvsockSettings executeProcessStdioRelaySettings
- var vsockSettings executeProcessVsockStdioRelaySettings
+ var hvsockSettings prot.ExecuteProcessStdioRelaySettings
+ var vsockSettings prot.ExecuteProcessVsockStdioRelaySettings
 if gc.os == "windows" {
 req.Settings.StdioRelaySettings = &hvsockSettings
 } else {
@@ -100,20 +101,20 @@ func (gc *GuestConnection) exec(ctx context.Context, cid string, params interfac
 hvsockSettings.StdErr = &g
 }
 
- var resp containerExecuteProcessResponse
- err = gc.brdg.RPC(ctx, rpcExecuteProcess, &req, &resp, false)
+ var resp prot.ContainerExecuteProcessResponse
+ err = gc.brdg.RPC(ctx, prot.RpcExecuteProcess, &req, &resp, false)
 if err != nil {
 return nil, err
 }
 p.id = resp.ProcessID
 log.G(ctx).WithField("pid", p.id).Debug("created process pid")
 // Start a wait message.
- waitReq := containerWaitForProcess{
- requestBase: makeRequest(ctx, cid),
+ waitReq := prot.ContainerWaitForProcess{
+ RequestBase: makeRequest(ctx, cid),
 ProcessID: p.id,
 TimeoutInMs: 0xffffffff,
 }
- p.waitCall, err = gc.brdg.AsyncRPC(ctx, rpcWaitForProcess, &waitReq, &p.waitResp)
+ p.waitCall, err = gc.brdg.AsyncRPC(ctx, prot.RpcWaitForProcess, &waitReq, &p.waitResp)
 if err != nil {
 return nil, fmt.Errorf("failed to wait on process, leaking process: %w", err)
 }
@@ -220,14 +221,14 @@ func (p *Process) ResizeConsole(ctx context.Context, width, height uint16) (err
 trace.StringAttribute("cid", p.cid),
 trace.Int64Attribute("pid", int64(p.id)))
 
- req := containerResizeConsole{
- requestBase: makeRequest(ctx, p.cid),
+ req := prot.ContainerResizeConsole{
+ RequestBase: makeRequest(ctx, p.cid),
 ProcessID: p.id,
 Height: height,
 Width: width,
 }
- var resp responseBase
- return p.gc.brdg.RPC(ctx, rpcResizeConsole, &req, &resp, true)
+ var resp prot.ResponseBase
+ return p.gc.brdg.RPC(ctx, prot.RpcResizeConsole, &req, &resp, true)
 }
 
 // Signal sends a signal to the process, returning whether it was delivered.
@@ -239,15 +240,15 @@ func (p *Process) Signal(ctx context.Context, options interface{}) (_ bool, err
 trace.StringAttribute("cid", p.cid),
 trace.Int64Attribute("pid", int64(p.id)))
 
- req := containerSignalProcess{
- requestBase: makeRequest(ctx, p.cid),
+ req := prot.ContainerSignalProcess{
+ RequestBase: makeRequest(ctx, p.cid),
 ProcessID: p.id,
 Options: options,
 }
- var resp responseBase
+ var resp prot.ResponseBase
 // FUTURE: SIGKILL is idempotent and can safely be cancelled, but this interface
 // does currently make it easy to determine what signal is being sent.
- err = p.gc.brdg.RPC(ctx, rpcSignalProcess, &req, &resp, false)
+ err = p.gc.brdg.RPC(ctx, prot.RpcSignalProcess, &req, &resp, false)
 if err != nil {
 if uint32(resp.Result) != hrNotFound {
 return false, err
diff --git a/internal/gcs/protocol.go b/internal/gcs/prot/protocol.go
similarity index 51%
rename from internal/gcs/protocol.go
rename to internal/gcs/prot/protocol.go
index 7aeeb4991f..0555d71c5f 100644
--- a/internal/gcs/protocol.go
+++ b/internal/gcs/prot/protocol.go
@@ -1,6 +1,6 @@
 //go:build windows
 
-package gcs
+package prot
 
 import (
 "encoding/json"
@@ -8,6 +8,7 @@ import (
 "strconv"
 
 "github.com/Microsoft/go-winio/pkg/guid"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils"
 "github.com/Microsoft/hcsshim/internal/hcs/schema1"
 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 )
@@ -33,97 +34,97 @@ var WindowsGcsHvHostID = guid.GUID{ Data4: [8]uint8{0x93, 0xfe, 0x42, 0x96, 0x9a, 0xe6, 0xd8, 0xd1}, } -type anyInString struct { +type AnyInString struct { Value interface{} } -func (a *anyInString) MarshalText() ([]byte, error) { +func (a *AnyInString) MarshalText() ([]byte, error) { return json.Marshal(a.Value) } -func (a *anyInString) UnmarshalText(b []byte) error { +func (a *AnyInString) UnmarshalText(b []byte) error { return json.Unmarshal(b, &a.Value) } -type rpcProc uint32 +type RpcProc uint32 const ( - rpcCreate rpcProc = (iota+1)<<8 | 1 - rpcStart - rpcShutdownGraceful - rpcShutdownForced - rpcExecuteProcess - rpcWaitForProcess - rpcSignalProcess - rpcResizeConsole - rpcGetProperties - rpcModifySettings - rpcNegotiateProtocol - rpcDumpStacks - rpcDeleteContainerState - rpcUpdateContainer - rpcLifecycleNotification + RpcCreate RpcProc = (iota+1)<<8 | 1 + RpcStart + RpcShutdownGraceful + RpcShutdownForced + RpcExecuteProcess + RpcWaitForProcess + RpcSignalProcess + RpcResizeConsole + RpcGetProperties + RpcModifySettings + RpcNegotiateProtocol + RpcDumpStacks + RpcDeleteContainerState + RpcUpdateContainer + RpcLifecycleNotification ) -func (rpc rpcProc) String() string { +func (rpc RpcProc) String() string { switch rpc { - case rpcCreate: + case RpcCreate: return "Create" - case rpcStart: + case RpcStart: return "Start" - case rpcShutdownGraceful: + case RpcShutdownGraceful: return "ShutdownGraceful" - case rpcShutdownForced: + case RpcShutdownForced: return "ShutdownForced" - case rpcExecuteProcess: + case RpcExecuteProcess: return "ExecuteProcess" - case rpcWaitForProcess: + case RpcWaitForProcess: return "WaitForProcess" - case rpcSignalProcess: + case RpcSignalProcess: return "SignalProcess" - case rpcResizeConsole: + case RpcResizeConsole: return "ResizeConsole" - case rpcGetProperties: + case RpcGetProperties: return "GetProperties" - case rpcModifySettings: + case RpcModifySettings: return "ModifySettings" - case 
rpcNegotiateProtocol: + case RpcNegotiateProtocol: return "NegotiateProtocol" - case rpcDumpStacks: + case RpcDumpStacks: return "DumpStacks" - case rpcDeleteContainerState: + case RpcDeleteContainerState: return "DeleteContainerState" - case rpcUpdateContainer: + case RpcUpdateContainer: return "UpdateContainer" - case rpcLifecycleNotification: + case RpcLifecycleNotification: return "LifecycleNotification" default: return "0x" + strconv.FormatUint(uint64(rpc), 16) } } -type msgType uint32 +type MsgType uint32 const ( - msgTypeRequest msgType = 0x10100000 - msgTypeResponse msgType = 0x20100000 - msgTypeNotify msgType = 0x30100000 - msgTypeMask msgType = 0xfff00000 + MsgTypeRequest MsgType = 0x10100000 + MsgTypeResponse MsgType = 0x20100000 + MsgTypeNotify MsgType = 0x30100000 + MsgTypeMask MsgType = 0xfff00000 - notifyContainer = 1<<8 | 1 + NotifyContainer = 1<<8 | 1 ) -func (typ msgType) String() string { +func (typ MsgType) String() string { var s string - switch typ & msgTypeMask { - case msgTypeRequest: + switch typ & MsgTypeMask { + case MsgTypeRequest: s = "Request(" - case msgTypeResponse: + case MsgTypeResponse: s = "Response(" - case msgTypeNotify: + case MsgTypeNotify: s = "Notify(" - switch typ - msgTypeNotify { - case notifyContainer: + switch typ - MsgTypeNotify { + case NotifyContainer: s += "Container" default: s += fmt.Sprintf("%#x", uint32(typ)) 
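Review bot: The identifiers exported in this hunk keep lower-cased initialisms — `RpcProc`, `RpcCreate` through `RpcLifecycleNotification`, and `GcsCapabilities`, `UvmConfig` and `Ocspancontext` in the hunks that follow — which Go naming convention and staticcheck's ST1003 spell `RPCProc`, `RPCCreate`, `GCSCapabilities`, `UVMConfig`, `OCSpanContext`. These names become the import surface for gcs-sidecar, so fixing them as part of the move is far cheaper than a second rename across consumers later. `AnyInString`, `RpcProc`, `MsgType` and the `MsgType*` constants are also exported without doc comments; `// RpcProc identifies a bridge RPC procedure; it occupies the bits of a MsgType not covered by MsgTypeMask.` and `// MsgType is the message-type word of a bridge message: a kind (request, response or notify) combined with an RpcProc or a notification id.` would cover the two core types. The `Ocspancontext` comment in the next hunk still reads "fowarding" and can be corrected in the same pass.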
@@ -132,13 +133,13 @@ func (typ msgType) String() string {
 default:
 return fmt.Sprintf("%#x", uint32(typ))
 }
- s += rpcProc(typ &^ msgTypeMask).String()
+ s += RpcProc(typ &^ MsgTypeMask).String()
 return s + ")"
 }
-// ocspancontext is the internal JSON representation of the OpenCensus
+// Ocspancontext is the internal JSON representation of the OpenCensus
 // `trace.SpanContext` for fowarding to a GCS that supports it.
-type ocspancontext struct {
+type Ocspancontext struct {
 // TraceID is the `hex` encoded string of the OpenCensus
 // `SpanContext.TraceID` to propagate to the guest.
 TraceID string `json:",omitempty"`
@@ -158,7 +159,7 @@ type ocspancontext struct {
 Tracestate string `json:",omitempty"`
 }
-type requestBase struct {
+type RequestBase struct {
 ContainerID string `json:"ContainerId"`
 ActivityID guid.GUID `json:"ActivityId"`
@@ -168,155 +169,145 @@ type requestBase struct { // NOTE: This is not a part of the protocol but because its a JSON protocol // adding fields is a non-breaking change. If the guest supports it this is // just additive context. - OpenCensusSpanContext *ocspancontext `json:"ocsc,omitempty"` + OpenCensusSpanContext *Ocspancontext `json:"ocsc,omitempty"` } -func (req *requestBase) Base() *requestBase { +func (req *RequestBase) Base() *RequestBase { return req } -type responseBase struct { - Result int32 // HResult - ErrorMessage string `json:",omitempty"` - ActivityID guid.GUID `json:"ActivityId,omitempty"` - ErrorRecords []errorRecord `json:",omitempty"` +type ResponseBase struct { + Result int32 // HResult + ErrorMessage string `json:",omitempty"` + ActivityID guid.GUID `json:"ActivityId,omitempty"` + ErrorRecords []commonutils.ErrorRecord `json:",omitempty"` } -type errorRecord struct { - Result int32 // HResult - Message string - StackTrace string `json:",omitempty"` - ModuleName string - FileName string - Line uint32 - FunctionName string `json:",omitempty"` -} - -func (resp *responseBase) Base() *responseBase { +func (resp *ResponseBase) Base() *ResponseBase { return resp } -type negotiateProtocolRequest struct { - requestBase +type NegotiateProtocolRequest struct { + RequestBase MinimumVersion uint32 MaximumVersion uint32 } -type negotiateProtocolResponse struct { - responseBase +type NegotiateProtocolResponse struct { + ResponseBase Version uint32 `json:",omitempty"` - Capabilities gcsCapabilities `json:",omitempty"` + Capabilities GcsCapabilities `json:",omitempty"` } -type dumpStacksRequest struct { - requestBase +type DumpStacksRequest struct { + RequestBase } -type dumpStacksResponse struct { - responseBase +type DumpStacksResponse struct { + ResponseBase GuestStacks string } -type deleteContainerStateRequest struct { - requestBase +type DeleteContainerStateRequest struct { + RequestBase } -type containerCreate struct { - requestBase - ContainerConfig 
anyInString +type ContainerCreate struct { + RequestBase + ContainerConfig AnyInString } -type uvmConfig struct { +type UvmConfig struct { SystemType string // must be "Container" TimeZoneInformation *hcsschema.TimeZoneInformation } -type containerNotification struct { - requestBase +type ContainerNotification struct { + RequestBase Type string // Compute.System.NotificationType Operation string // Compute.System.ActiveOperation Result int32 // HResult - ResultInfo anyInString `json:",omitempty"` + ResultInfo AnyInString `json:",omitempty"` } -type containerExecuteProcess struct { - requestBase - Settings executeProcessSettings +type ContainerExecuteProcess struct { + RequestBase + Settings ExecuteProcessSettings } -type executeProcessSettings struct { - ProcessParameters anyInString - StdioRelaySettings *executeProcessStdioRelaySettings `json:",omitempty"` - VsockStdioRelaySettings *executeProcessVsockStdioRelaySettings `json:",omitempty"` +type ExecuteProcessSettings struct { + ProcessParameters AnyInString + StdioRelaySettings *ExecuteProcessStdioRelaySettings `json:",omitempty"` + VsockStdioRelaySettings *ExecuteProcessVsockStdioRelaySettings `json:",omitempty"` } -type executeProcessStdioRelaySettings struct { +type ExecuteProcessStdioRelaySettings struct { StdIn *guid.GUID `json:",omitempty"` StdOut *guid.GUID `json:",omitempty"` StdErr *guid.GUID `json:",omitempty"` } -type executeProcessVsockStdioRelaySettings struct { +type ExecuteProcessVsockStdioRelaySettings struct { StdIn uint32 `json:",omitempty"` StdOut uint32 `json:",omitempty"` StdErr uint32 `json:",omitempty"` } -type containerResizeConsole struct { - requestBase +type ContainerResizeConsole struct { + RequestBase ProcessID uint32 `json:"ProcessId"` Height uint16 Width uint16 } -type containerWaitForProcess struct { - requestBase +type ContainerWaitForProcess struct { + RequestBase ProcessID uint32 `json:"ProcessId"` TimeoutInMs uint32 } -type containerSignalProcess struct { - requestBase +type 
ContainerSignalProcess struct { + RequestBase ProcessID uint32 `json:"ProcessId"` Options interface{} `json:",omitempty"` } -type containerPropertiesQuery schema1.PropertyQuery +type ContainerPropertiesQuery schema1.PropertyQuery -func (q *containerPropertiesQuery) MarshalText() ([]byte, error) { +func (q *ContainerPropertiesQuery) MarshalText() ([]byte, error) { return json.Marshal((*schema1.PropertyQuery)(q)) } -func (q *containerPropertiesQuery) UnmarshalText(b []byte) error { +func (q *ContainerPropertiesQuery) UnmarshalText(b []byte) error { return json.Unmarshal(b, (*schema1.PropertyQuery)(q)) } -type containerPropertiesQueryV2 hcsschema.PropertyQuery +type ContainerPropertiesQueryV2 hcsschema.PropertyQuery -func (q *containerPropertiesQueryV2) MarshalText() ([]byte, error) { +func (q *ContainerPropertiesQueryV2) MarshalText() ([]byte, error) { return json.Marshal((*hcsschema.PropertyQuery)(q)) } -func (q *containerPropertiesQueryV2) UnmarshalText(b []byte) error { +func (q *ContainerPropertiesQueryV2) UnmarshalText(b []byte) error { return json.Unmarshal(b, (*hcsschema.PropertyQuery)(q)) } -type containerGetProperties struct { - requestBase - Query containerPropertiesQuery +type ContainerGetProperties struct { + RequestBase + Query ContainerPropertiesQuery } -type containerGetPropertiesV2 struct { - requestBase - Query containerPropertiesQueryV2 +type ContainerGetPropertiesV2 struct { + RequestBase + Query ContainerPropertiesQueryV2 } -type containerModifySettings struct { - requestBase +type ContainerModifySettings struct { + RequestBase Request interface{} } -type gcsCapabilities struct { +type GcsCapabilities struct { SendHostCreateMessage bool SendHostStartMessage bool HvSocketConfigOnStartup bool 
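Review bot: `RequestBase`, `ResponseBase` and the request/response structs from `NegotiateProtocolRequest` down to `ContainerModifySettings` are exported in this hunk with no doc comments, and since the JSON tags on them fix the bridge wire format, a reader of the new package has nothing stating what each message is or which side sends it. Suggested headers: `// RequestBase is embedded in every request sent over the bridge; the JSON field names are part of the wire protocol.` and `// ResponseBase is embedded in every bridge response; Result is an HRESULT and ErrorRecords carries structured detail on failure.` `ContainerModifySettings.Request` and `ContainerSignalProcess.Options` stay `interface{}`; now that the types are public, a comment naming the concrete payloads expected there would help the sidecar, which presumably has to decode them. The enclosing hunk ends at `GcsCapabilities`, whose body continues into the next hunk.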
@@ -326,46 +317,46 @@ type gcsCapabilities struct {
 GuestDefinedCapabilities json.RawMessage
 }
-type containerCreateResponse struct {
- responseBase
+type ContainerCreateResponse struct {
+ ResponseBase
 }
-type containerExecuteProcessResponse struct {
- responseBase
+type ContainerExecuteProcessResponse struct {
+ ResponseBase
 ProcessID uint32 `json:"ProcessId"`
 }
-type containerWaitForProcessResponse struct {
- responseBase
+type ContainerWaitForProcessResponse struct {
+ ResponseBase
 ExitCode uint32
 }
-type containerProperties schema1.ContainerProperties
+type ContainerProperties schema1.ContainerProperties
-func (p *containerProperties) MarshalText() ([]byte, error) {
+func (p *ContainerProperties) MarshalText() ([]byte, error) {
 return json.Marshal((*schema1.ContainerProperties)(p))
 }
-func (p *containerProperties) UnmarshalText(b []byte) error {
+func (p *ContainerProperties) UnmarshalText(b []byte) error {
 return json.Unmarshal(b, (*schema1.ContainerProperties)(p))
 }
-type containerPropertiesV2 hcsschema.Properties
+type ContainerPropertiesV2 hcsschema.Properties
-func (p *containerPropertiesV2) MarshalText() ([]byte, error) {
+func (p *ContainerPropertiesV2) MarshalText() ([]byte, error) {
 return json.Marshal((*hcsschema.Properties)(p))
 }
-func (p *containerPropertiesV2) UnmarshalText(b []byte) error {
+func (p *ContainerPropertiesV2) UnmarshalText(b []byte) error {
 return json.Unmarshal(b, (*hcsschema.Properties)(p))
 }
-type containerGetPropertiesResponse struct {
- responseBase
- Properties containerProperties
+type ContainerGetPropertiesResponse struct {
+ ResponseBase
+ Properties ContainerProperties
 }
-type containerGetPropertiesResponseV2 struct {
- responseBase
- Properties containerPropertiesV2
+type ContainerGetPropertiesResponseV2 struct {
+ ResponseBase
+ Properties ContainerPropertiesV2
 }
diff --git a/internal/guest/bridge/bridge.go b/internal/guest/bridge/bridge.go
index f14663344f..024c7108b9 100644
--- a/internal/guest/bridge/bridge.go
+++ b/internal/guest/bridge/bridge.go
@@ -11,9 +11,7 @@ import (
 "encoding/json"
 "fmt"
 "io"
- "math"
 "os"
- "strconv"
 "sync"
 "sync/atomic"
 "time"
@@ -23,7 +21,8 @@ import (
 "go.opencensus.io/trace"
 "go.opencensus.io/trace/tracestate"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/prot"
 "github.com/Microsoft/hcsshim/internal/guest/runtime/hcsv2"
 "github.com/Microsoft/hcsshim/internal/log"
@@ -360,7 +359,7 @@ func (b *Bridge) ListenAndServe(bridgeIn io.ReadCloser, bridgeOut io.WriteCloser
 if span != nil {
 oc.SetSpanStatus(span, err)
 }
- setErrorForResponseBase(resp.Base(), err)
+ setErrorForResponseBase(resp.Base(), err, "gcs" /* moduleName */)
 }
 br.response = resp
 b.responseChan <- br
@@ -446,45 +445,9 @@ func (b *Bridge) PublishNotification(n *prot.ContainerNotification) {
 // setErrorForResponseBase modifies the passed-in MessageResponseBase to
 // contain information pertaining to the given error.
-func setErrorForResponseBase(response *prot.MessageResponseBase, errForResponse error) {
- errorMessage := errForResponse.Error()
- stackString := ""
- fileName := ""
- // We use -1 as a sentinel if no line number found (or it cannot be parsed),
- // but that will ultimately end up as [math.MaxUint32], so set it to that explicitly.
- // (Still keep using -1 for backwards compatibility ...)
- lineNumber := uint32(math.MaxUint32)
- functionName := ""
- if stack := gcserr.BaseStackTrace(errForResponse); stack != nil {
- bottomFrame := stack[0]
- stackString = fmt.Sprintf("%+v", stack)
- fileName = fmt.Sprintf("%s", bottomFrame)
- lineNumberStr := fmt.Sprintf("%d", bottomFrame)
- if n, err := strconv.ParseUint(lineNumberStr, 10, 32); err == nil {
- lineNumber = uint32(n)
- } else {
- logrus.WithFields(logrus.Fields{
- "line-number": lineNumberStr,
- logrus.ErrorKey: err,
- }).Error("opengcs::bridge::setErrorForResponseBase - failed to parse line number, using -1 instead")
- }
- functionName = fmt.Sprintf("%n", bottomFrame)
- }
- hresult, err := gcserr.GetHresult(errForResponse)
- if err != nil {
- // Default to using the generic failure HRESULT.
- hresult = gcserr.HrFail
- }
+func setErrorForResponseBase(response *prot.MessageResponseBase, errForResponse error, moduleName string) {
+ hresult, errorMessage, newRecord := commonutils.SetErrorForResponseBaseUtil(errForResponse, moduleName)
 response.Result = int32(hresult)
 response.ErrorMessage = errorMessage
- newRecord := prot.ErrorRecord{
- Result: int32(hresult),
- Message: errorMessage,
- StackTrace: stackString,
- ModuleName: "gcs",
- FileName: fileName,
- Line: lineNumber,
- FunctionName: functionName,
- }
 response.ErrorRecords = append(response.ErrorRecords, newRecord)
 }
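Review bot: The doc comment above `setErrorForResponseBase` is unchanged and still describes only the response and the error, so the new `moduleName` parameter — which presumably becomes the ModuleName of the appended ErrorRecord, the util's body being outside this hunk — is undocumented. Suggest `// setErrorForResponseBase sets response.Result and ErrorMessage from errForResponse and appends an ErrorRecord whose ModuleName is moduleName.` The only caller on this page passes the literal `"gcs" /* moduleName */` (the @@ -360 hunk above); a package-level `const bridgeModuleName = "gcs"` would avoid the commented argument and keep the value in one place once the sidecar reuses the helper. The removed fallback to `gcserr.HrFail` when no HRESULT is attached now has to be provided by `commonutils.SetErrorForResponseBaseUtil`; since the host acts on `Result` (see the `hrNotFound` check in process.go above), that path deserves a unit test in the new package.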
diff --git a/internal/guest/bridge/bridge_unit_test.go b/internal/guest/bridge/bridge_unit_test.go
index 67f583da05..613eaf326b 100644
--- a/internal/guest/bridge/bridge_unit_test.go
+++ b/internal/guest/bridge/bridge_unit_test.go
@@ -12,7 +12,7 @@ import (
 "sync"
 "testing"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/prot"
 "github.com/Microsoft/hcsshim/internal/guest/transport"
 "github.com/pkg/errors"
diff --git a/internal/guest/bridge/bridge_v2.go b/internal/guest/bridge/bridge_v2.go
index f9712abc9d..800094e549 100644
--- a/internal/guest/bridge/bridge_v2.go
+++ b/internal/guest/bridge/bridge_v2.go
@@ -13,8 +13,8 @@ import (
 "go.opencensus.io/trace"
 "golang.org/x/sys/unix"
- "github.com/Microsoft/hcsshim/internal/guest/commonutils"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/prot"
 "github.com/Microsoft/hcsshim/internal/guest/runtime/hcsv2"
 "github.com/Microsoft/hcsshim/internal/guest/stdio"
diff --git a/internal/guest/commonutils/utilities.go b/internal/guest/commonutils/utilities.go
deleted file mode 100644
index adcf70e6c2..0000000000
--- a/internal/guest/commonutils/utilities.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package commonutils
-
-import (
- "encoding/json"
- "io"
-
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
-)
-
-// UnmarshalJSONWithHresult unmarshals the given data into the given interface, and
-// wraps any error returned in an HRESULT error.
-func UnmarshalJSONWithHresult(data []byte, v interface{}) error {
- if err := json.Unmarshal(data, v); err != nil {
- return gcserr.WrapHresult(err, gcserr.HrVmcomputeInvalidJSON)
- }
- return nil
-}
-
-// DecodeJSONWithHresult decodes the JSON from the given reader into the given
-// interface, and wraps any error returned in an HRESULT error.
-func DecodeJSONWithHresult(r io.Reader, v interface{}) error {
- if err := json.NewDecoder(r).Decode(v); err != nil {
- return gcserr.WrapHresult(err, gcserr.HrVmcomputeInvalidJSON)
- }
- return nil
-}
diff --git a/internal/guest/prot/protocol.go b/internal/guest/prot/protocol.go
index 891891d510..88993ae563 100644
--- a/internal/guest/prot/protocol.go
+++ b/internal/guest/prot/protocol.go
@@ -11,7 +11,7 @@ import (
 oci "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
- "github.com/Microsoft/hcsshim/internal/guest/commonutils"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils"
 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 "github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
 "github.com/Microsoft/hcsshim/internal/protocol/guestresource"
@@ -601,26 +601,13 @@ func UnmarshalContainerModifySettings(b []byte) (*ContainerModifySettings, error
 return &request, nil
 }
-// ErrorRecord represents a single error to be reported back to the HCS. It
-// allows for specifying information about the source of the error, as well as
-// an error message and stack trace.
-type ErrorRecord struct {
- Result int32
- Message string
- StackTrace string `json:",omitempty"`
- ModuleName string
- FileName string
- Line uint32
- FunctionName string `json:",omitempty"`
-}
-
 // MessageResponseBase is the base type embedded in all messages sent from the
 // GCS to the HCS except for ContainerNotification.
 type MessageResponseBase struct {
 Result int32
- ActivityID string `json:"ActivityId,omitempty"`
- ErrorMessage string `json:",omitempty"` // Only used by hcsshim external bridge
- ErrorRecords []ErrorRecord `json:",omitempty"`
+ ActivityID string `json:"ActivityId,omitempty"`
+ ErrorMessage string `json:",omitempty"` // Only used by hcsshim external bridge
+ ErrorRecords []commonutils.ErrorRecord `json:",omitempty"`
 }
 // Base returns the response base by reference.
diff --git a/internal/guest/runtime/hcsv2/container.go b/internal/guest/runtime/hcsv2/container.go
index d1094f7e9a..79dd2a732e 100644
--- a/internal/guest/runtime/hcsv2/container.go
+++ b/internal/guest/runtime/hcsv2/container.go
@@ -18,7 +18,7 @@ import (
 "github.com/sirupsen/logrus"
 "go.opencensus.io/trace"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/prot"
 "github.com/Microsoft/hcsshim/internal/guest/runtime"
 specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
diff --git a/internal/guest/runtime/hcsv2/network.go b/internal/guest/runtime/hcsv2/network.go
index 136f544153..f6052e84f9 100644
--- a/internal/guest/runtime/hcsv2/network.go
+++ b/internal/guest/runtime/hcsv2/network.go
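Review bot: The doc comment for `ErrorRecord` ("represents a single error to be reported back to the HCS …") is deleted together with the type in this hunk, and the `commonutils.ErrorRecord` that `MessageResponseBase.ErrorRecords` now references does not appear to carry an equivalent comment in the new file. Because this struct is serialized to the host and its field set (`StackTrace`, `FileName`, `Line`, `FunctionName`) is part of the bridge JSON, the comment should move with the definition, e.g. `// ErrorRecord is one error reported to the HCS in a response; its JSON field names are part of the bridge wire format.` It would also be worth stating there that the same type is now shared by the guest GCS and the host-side prot package, so a field change affects both.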
@@ -14,7 +14,7 @@ import (
 "github.com/vishvananda/netns"
 "go.opencensus.io/trace"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/network"
 "github.com/Microsoft/hcsshim/internal/oc"
 "github.com/Microsoft/hcsshim/internal/protocol/guestresource"
diff --git a/internal/guest/runtime/hcsv2/process.go b/internal/guest/runtime/hcsv2/process.go
index e29e6e62f7..e94c9792f6 100644
--- a/internal/guest/runtime/hcsv2/process.go
+++ b/internal/guest/runtime/hcsv2/process.go
@@ -10,7 +10,7 @@ import (
 "sync"
 "syscall"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/runtime"
 "github.com/Microsoft/hcsshim/internal/guest/stdio"
 "github.com/Microsoft/hcsshim/internal/log"
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 11db7b4534..87cc5f333c 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -29,9 +29,8 @@ import (
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "golang.org/x/sys/unix"
-
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/debug"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/policy"
 "github.com/Microsoft/hcsshim/internal/guest/prot"
 "github.com/Microsoft/hcsshim/internal/guest/runtime"
diff --git a/internal/guest/runtime/runc/runc.go b/internal/guest/runtime/runc/runc.go
index 555fd17a7e..cd11cefdda 100644
--- a/internal/guest/runtime/runc/runc.go
+++ b/internal/guest/runtime/runc/runc.go
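Review bot: In the uvm.go hunk (@@ -29,9 +29,8) the blank line that separated the third-party imports from the hcsshim group is removed, so `github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr` now sits directly under `golang.org/x/sys/unix` in the third-party block while the remaining internal imports keep their own group; goimports/gci will re-split this on the next touch. Keep the separator and place the new import at the head of the internal group: ` "golang.org/x/sys/unix"`, a blank line, then ` "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"`. The other import-only hunks on this page preserve their grouping correctly.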
@@ -16,7 +16,7 @@ import (
 "github.com/pkg/errors"
 "golang.org/x/sys/unix"
- "github.com/Microsoft/hcsshim/internal/guest/commonutils"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils"
 "github.com/Microsoft/hcsshim/internal/guest/runtime"
 "github.com/Microsoft/hcsshim/internal/guest/stdio"
 )
diff --git a/internal/guest/runtime/runtime.go b/internal/guest/runtime/runtime.go
index a8c5231cfc..db24459c27 100644
--- a/internal/guest/runtime/runtime.go
+++ b/internal/guest/runtime/runtime.go
@@ -8,7 +8,7 @@ import (
 "io"
 "syscall"
- "github.com/Microsoft/hcsshim/internal/guest/gcserr"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr"
 "github.com/Microsoft/hcsshim/internal/guest/stdio"
 oci "github.com/opencontainers/runtime-spec/specs-go"
 )
diff --git a/internal/uvm/create_lcow.go b/internal/uvm/create_lcow.go
index 1f310f8d60..338c742fc2 100644
--- a/internal/uvm/create_lcow.go
+++ b/internal/uvm/create_lcow.go
@@ -20,7 +20,7 @@ import (
 "go.opencensus.io/trace"
 "github.com/Microsoft/hcsshim/internal/copyfile"
- "github.com/Microsoft/hcsshim/internal/gcs"
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 "github.com/Microsoft/hcsshim/internal/log"
 "github.com/Microsoft/hcsshim/internal/logfields"
@@ -438,7 +438,7 @@ func makeLCOWVMGSDoc(ctx context.Context, opts *OptionsLCOW, uvm *UtilityVM) (_
 // entropyVsockPort - 1 is the entropy port,
 // linuxLogVsockPort - 109 used by vsockexec to log stdout/stderr logging,
 // 0x40000000 + 1 (LinuxGcsVsockPort + 1) is the bridge (see guestconnectiuon.go)
- hvSockets := []uint32{entropyVsockPort, linuxLogVsockPort, gcs.LinuxGcsVsockPort, gcs.LinuxGcsVsockPort + 1}
+ hvSockets := []uint32{entropyVsockPort, linuxLogVsockPort, prot.LinuxGcsVsockPort, prot.LinuxGcsVsockPort + 1}
 hvSockets = append(hvSockets, opts.ExtraVSockPorts...)
 for _, whichSocket := range hvSockets {
 key := winio.VsockServiceID(whichSocket).String()
@@ -984,7 +984,7 @@ func CreateLCOW(ctx context.Context, opts *OptionsLCOW) (_ *UtilityVM, err error
 if opts.UseGuestConnection {
 log.G(ctx).WithField("vmID", uvm.runtimeID).Debug("Using external GCS bridge")
- l, err := uvm.listenVsock(gcs.LinuxGcsVsockPort)
+ l, err := uvm.listenVsock(prot.LinuxGcsVsockPort)
 if err != nil {
 return nil, err
 }
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
index 0b91e42cf2..2b6f8c8b2d 100644
--- a/internal/uvm/create_wcow.go
+++ b/internal/uvm/create_wcow.go
@@ -15,7 +15,7 @@ import (
 "github.com/sirupsen/logrus"
 "go.opencensus.io/trace"
- "github.com/Microsoft/hcsshim/internal/gcs"
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 "github.com/Microsoft/hcsshim/internal/log"
 "github.com/Microsoft/hcsshim/internal/logfields"
@@ -57,15 +57,6 @@ type OptionsWCOW struct {
 AdditionalRegistryKeys []hcsschema.RegistryValue
 }
-// WindowsSidecarGcsHvsockServiceID is the hvsock service ID that the Windows GCS
-// sidecar will connect to. This is only used in the confidential mode.
-var windowsSidecarGcsHvsockServiceID = guid.GUID{
- Data1: 0xae8da506,
- Data2: 0xa019,
- Data3: 0x4553,
- Data4: [8]uint8{0xa5, 0x2b, 0x90, 0x2b, 0xc0, 0xfa, 0x04, 0x11},
-}
-
 // NewDefaultOptionsWCOW creates the default options for a bootable version of
 // WCOW. The caller `MUST` set the `BootFiles` on the returned value.
 //
@@ -502,9 +493,9 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 return nil, fmt.Errorf("error while creating the compute system: %w", err)
 }
- gcsServiceID := gcs.WindowsGcsHvsockServiceID
+ gcsServiceID := prot.WindowsGcsHvsockServiceID
 if opts.SecurityPolicyEnabled {
- gcsServiceID = windowsSidecarGcsHvsockServiceID
+ gcsServiceID = prot.WindowsSidecarGcsHvsockServiceID
 }
 if err = uvm.startExternalGcsListener(ctx, gcsServiceID); err != nil {
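Review bot: In the create_wcow.go hunks, `windowsSidecarGcsHvsockServiceID` (Data1 0xae8da506, Data2 0xa019, Data3 0x4553, Data4 a5 2b 90 2b c0 fa 04 11) is deleted at @@ -57,15 and the call site at @@ -502,9 switches to `prot.WindowsSidecarGcsHvsockServiceID`, but no hunk of internal/gcs/prot/protocol.go on this page adds that variable, so it presumably already exists there. This is the service ID the host listens on when `opts.SecurityPolicyEnabled` is set, so the two GUIDs should be confirmed identical before the local copy goes; a mismatch would silently bind the confidential-mode bridge to a different hvsock endpoint and only surface as a connection failure. The deleted doc comment ("hvsock service ID that the Windows GCS sidecar will connect to … only used in the confidential mode") should accompany the exported definition in prot if it is not already there. The `guid` import of create_wcow.go is untouched, so the package presumably still uses it elsewhere in the file.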
diff --git a/internal/uvm/start.go b/internal/uvm/start.go
index ec8cdf1ee9..9ab8a9bdd5 100644
--- a/internal/uvm/start.go
+++ b/internal/uvm/start.go
@@ -18,6 +18,7 @@ import (
 "golang.org/x/sys/windows"
 "github.com/Microsoft/hcsshim/internal/gcs"
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
 "github.com/Microsoft/hcsshim/internal/hcs"
 "github.com/Microsoft/hcsshim/internal/hcs/schema1"
 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
@@ -134,7 +135,7 @@ func (uvm *UtilityVM) configureHvSocketForGCS(ctx context.Context) (err error) {
 hvsocketAddress := &hcsschema.HvSocketAddress{
 LocalAddress: uvm.runtimeID.String(),
- ParentAddress: gcs.WindowsGcsHvHostID.String(),
+ ParentAddress: prot.WindowsGcsHvHostID.String(),
 }
 conSetupReq := &hcsschema.ModifySettingRequest{
From 3f07f1ed7fe081e0d60c4d389fe1df1cd8575792 Mon Sep 17 00:00:00 2001
From: Kirtana Ashok
Date: Mon, 21 Apr 2025 09:48:24 -0700
Subject: [PATCH 02/20] gcs-sidecar framework This commit makes the high level changes needed for gcs-sidecar - Starts sidecar as service - Dereferences the various valid rpc requests - Adds code to invoke refs formatter Note: This commit does not add invokers to the code for new ResourceTypes like SecurityPolicy, CWCOWBlockCIMs, Container scratch formatting etc. This will come in along with functional tests in later PRs. There are some TODO comments in the code which will be addressed in upcoming PRs as well. To make this initialization of the gcs-sidecar flow complete, certain high level code for the policy enforcement have been brought into this commit from Mahati's changes. Example: internal/gcs-sidecar/policy.go, internal/gcs-sidecar/host.go and helper functions in internal/gcs-sidecar/host.go. Hence adding her as co-author in this commit. The rest of the policy framework code will be brought in by Mahati as follow up PRs. Co-authored-by: 
Signed-off-by: Kirtana Ashok --- cmd/gcs-sidecar/main.go | 241 +++++++++ internal/fsformatter/formatter_driver.go | 283 ++++++++++ internal/gcs-sidecar/bridge.go | 450 ++++++++++++++++ internal/gcs-sidecar/handlers.go | 492 ++++++++++++++++++ internal/gcs-sidecar/host.go | 64 +++ internal/gcs-sidecar/policy.go | 19 + internal/gcs-sidecar/uvm.go | 124 +++++ internal/gcs/bridge.go | 44 +- internal/gcs/bridge_test.go | 10 +- internal/gcs/container.go | 18 +- internal/gcs/guestconnection.go | 14 +- internal/gcs/guestconnection_test.go | 12 +- internal/gcs/process.go | 10 +- internal/gcs/prot/protocol.go | 109 ++-- internal/guest/prot/protocol.go | 8 +- internal/guest/runtime/hcsv2/uvm.go | 14 +- internal/protocol/guestresource/resources.go | 39 ++ .../securitypolicy_uvmpath_linux.go | 34 ++ .../securitypolicy_uvmpath_windows.go | 24 + pkg/securitypolicy/securitypolicyenforcer.go | 22 +- test/gcs/container_test.go | 2 +- 21 files changed, 1906 insertions(+), 127 deletions(-) create mode 100644 cmd/gcs-sidecar/main.go create mode 100644 internal/fsformatter/formatter_driver.go create mode 100644 internal/gcs-sidecar/bridge.go create mode 100644 internal/gcs-sidecar/handlers.go create mode 100644 internal/gcs-sidecar/host.go create mode 100644 internal/gcs-sidecar/policy.go create mode 100644 internal/gcs-sidecar/uvm.go create mode 100644 pkg/securitypolicy/securitypolicy_uvmpath_linux.go create mode 100644 pkg/securitypolicy/securitypolicy_uvmpath_windows.go diff --git a/cmd/gcs-sidecar/main.go b/cmd/gcs-sidecar/main.go new file mode 100644 index 0000000000..aa949d8c80 --- /dev/null +++ b/cmd/gcs-sidecar/main.go 
@@ -0,0 +1,241 @@ +//go:build windows +// +build windows + +package main + +import ( + "context" + "flag" + "fmt" + "net" + "os" + + "github.com/Microsoft/go-winio" + "github.com/Microsoft/hcsshim/internal/gcs/prot" + shimlog "github.com/Microsoft/hcsshim/internal/log" + "github.com/Microsoft/hcsshim/internal/oc" + "github.com/Microsoft/hcsshim/pkg/securitypolicy" + "github.com/sirupsen/logrus" + "go.opencensus.io/trace" + "golang.org/x/sys/windows" + "golang.org/x/sys/windows/svc" + "golang.org/x/sys/windows/svc/debug" + + sidecar "github.com/Microsoft/hcsshim/internal/gcs-sidecar" +) + +var ( + defaultLogFile = "C:\\gcs-sidecar-logs.log" + defaultLogLevel = "trace" +) + +type handler struct { + fromsvc chan error +} + +// Accepts new connection and closes listener. +func acceptAndClose(ctx context.Context, l net.Listener) (net.Conn, error) { + var conn net.Conn + ch := make(chan error) + go func() { + var err error + conn, err = l.Accept() + ch <- err + }() + select { + case err := <-ch: + l.Close() + return conn, err + case <-ctx.Done(): + } + l.Close() + err := <-ch + if err == nil { + return conn, err + } + + if ctx.Err() != nil { + return nil, ctx.Err() + } + return nil, err +} + +func (h *handler) Execute(args []string, r <-chan svc.ChangeRequest, status chan<- svc.Status) (bool, uint32) { + const cmdsAccepted = svc.AcceptStop | svc.AcceptShutdown | svc.Accepted(windows.SERVICE_ACCEPT_PARAMCHANGE) + + status <- svc.Status{State: svc.StartPending, Accepts: 0} + // unblock runService() + h.fromsvc <- nil + + status <- svc.Status{State: svc.Running, Accepts: cmdsAccepted} + +loop: + for c := range r { + switch c.Cmd { + case svc.Interrogate: + status <- c.CurrentStatus + case svc.Stop, svc.Shutdown: + logrus.Println("Shutting service...!") + break loop + case svc.Pause: + status <- svc.Status{State: svc.Paused, Accepts: cmdsAccepted} + case svc.Continue: + status <- svc.Status{State: svc.Running, Accepts: cmdsAccepted} + default: + logrus.Printf("Unexpected 
service control request #%d", c) + } + } + + status <- svc.Status{State: svc.StopPending} + return false, 1 +} + +func runService(name string, isDebug bool) error { + h := &handler{ + fromsvc: make(chan error), + } + + var err error + go func() { + if isDebug { + err = debug.Run(name, h) + if err != nil { + logrus.Errorf("Error running service in debug mode.Err: %v", err) + } + } else { + err = svc.Run(name, h) + if err != nil { + logrus.Errorf("Error running service in Service Control mode.Err %v", err) + } + } + h.fromsvc <- err + }() + + // Wait for the first signal from the service handler. + logrus.Tracef("waiting for first signal from service handler\n") + return <-h.fromsvc +} + +func main() { + logLevel := flag.String("loglevel", + defaultLogLevel, + "Logging Level: trace, debug, info, warning, error, fatal, panic.") + logFile := flag.String("logfile", + defaultLogFile, + "Logging Target. Default is at C:\\gcs-sidecar-logs.log inside UVM") + + flag.Usage = func() { + fmt.Fprintf(os.Stderr, "\nUsage of %s:\n", os.Args[0]) + flag.PrintDefaults() + fmt.Fprintf(os.Stderr, "Examples:\n") + fmt.Fprintf(os.Stderr, " %s -loglevel=trace -logfile=C:\\sidecarLogs.log \n", os.Args[0]) + } + + flag.Parse() + + ctx := context.Background() + logFileHandle, err := os.OpenFile(*logFile, os.O_RDWR|os.O_CREATE|os.O_SYNC|os.O_TRUNC, 0666) + if err != nil { + fmt.Printf("error opening file: %v", err) + } + defer logFileHandle.Close() + + logrus.AddHook(shimlog.NewHook()) + + level, err := logrus.ParseLevel(*logLevel) + if err != nil { + logrus.Fatal(err) + } + logrus.SetLevel(level) + logrus.SetOutput(logFileHandle) + trace.ApplyConfig(trace.Config{DefaultSampler: trace.AlwaysSample()}) + trace.RegisterExporter(&oc.LogrusExporter{}) + + if err := windows.SetStdHandle(windows.STD_ERROR_HANDLE, windows.Handle(logFileHandle.Fd())); err != nil { + logrus.WithError(err).Error("error redirecting handle") + return + } + os.Stderr = logFileHandle + + chsrv := make(chan error) + go 
func() { + defer close(chsrv) + + if err := runService("gcs-sidecar", false); err != nil { + logrus.Errorf("error starting gcs-sidecar service: %v", err) + } + + chsrv <- err + }() + + select { + case <-ctx.Done(): + logrus.Error("context deadline exceeded") + return + case r := <-chsrv: + if r != nil { + logrus.Error(r) + return + } + } + + // 1. Start external server to connect with inbox GCS + listener, err := winio.ListenHvsock(&winio.HvsockAddr{ + VMID: prot.HvGUIDLoopback, + ServiceID: prot.WindowsGcsHvsockServiceID, + }) + if err != nil { + logrus.WithError(err).Errorf("error starting listener for sidecar <-> inbox gcs communication") + return + } + + var gcsListener net.Listener = listener + gcsCon, err := acceptAndClose(ctx, gcsListener) + if err != nil { + logrus.WithError(err).Errorf("error accepting inbox GCS connection") + return + } + + // 2. Setup connection with external gcs connection started from hcsshim + hvsockAddr := &winio.HvsockAddr{ + VMID: prot.HvGUIDParent, + ServiceID: prot.WindowsSidecarGcsHvsockServiceID, + } + + logrus.WithFields(logrus.Fields{ + "hvsockAddr": hvsockAddr, + }).Tracef("Dialing to hcsshim external bridge at address %v", hvsockAddr) + shimCon, err := winio.Dial(ctx, hvsockAddr) + if err != nil { + logrus.WithError(err).Errorf("error dialing hcsshim external bridge") + return + } + + // gcs-sidecar can be used for non-confidentail hyperv wcow + // as well. So we do not always want to check for initialPolicyStance + var initialEnforcer securitypolicy.SecurityPolicyEnforcer + // TODO (kiashok/Mahati): The initialPolicyStance is set to allow + // only for dev. This will eventually be set to allow/deny depending on + // on whether SNP is supported or not. 
+ initialPolicyStance := "allow" + switch initialPolicyStance { + case "allow": + initialEnforcer = &securitypolicy.OpenDoorSecurityPolicyEnforcer{} + logrus.Tracef("initial-policy-stance: allow") + case "deny": + initialEnforcer = &securitypolicy.ClosedDoorSecurityPolicyEnforcer{} + logrus.Tracef("initial-policy-stance: deny") + default: + logrus.Error("unknown initial-policy-stance") + } + + // 3. Create bridge and initializa + brdg := sidecar.NewBridge(shimCon, gcsCon, initialEnforcer) + brdg.AssignHandlers() + + // 3. Listen and serve for hcsshim requests. + err = brdg.ListenAndServeShimRequests() + if err != nil { + logrus.WithError(err).Errorf("failed to serve request") + } +} diff --git a/internal/fsformatter/formatter_driver.go b/internal/fsformatter/formatter_driver.go new file mode 100644 index 0000000000..14f743cf0b --- /dev/null +++ b/internal/fsformatter/formatter_driver.go 
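Review bot: `chsrv <- err` in main's service goroutine sends the wrong variable: `if err := runService(...); err != nil` declares a new `err` scoped to the if, so what is sent is main's outer `err` (nil once `windows.SetStdHandle` succeeded) and a failed service start is logged but never stops main from going on to the hvsock setup; declaring it once — `err := runService("gcs-sidecar", false)` / `if err != nil { logrus.Errorf("error starting gcs-sidecar service: %v", err) }` / `chsrv <- err` — fixes that. The second `h.fromsvc <- err` in runService has no receiver after runService has returned, so that goroutine blocks for good once the service stops, and a Stop/Shutdown control never reaches main (ctx here is a plain Background whose Done never fires). In the initial-policy switch the `default:` branch logs and then hands a nil `initialEnforcer` to `sidecar.NewBridge`; the stance is hard-coded to "allow" for now, but returning there, or falling back to `ClosedDoorSecurityPolicyEnforcer`, is the safer shape. `logrus.Printf("Unexpected service control request #%d", c)` formats the whole ChangeRequest struct with %d; `c.Cmd` is what is meant.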
@@ -0,0 +1,283 @@ +//go:build windows +// +build windows + +package fsformatter + +import ( + "context" + "encoding/binary" + "syscall" + "unicode/utf16" + "unsafe" + + "github.com/pkg/errors" + "golang.org/x/sys/windows" +) + +// This file contains all the supporting structures needed to make +// an ioctl call to RefsFormatter. +const ( + ioctlKernelFormatVolumeFormat = 0x40001000 + // This is used to construct the disk path that refsFormatter + // understands. `harddisk%d` here refers to the disk number + // associated with the corresponding lun of the attached + // scsi device. + VirtualDevObjectPathFormat = "\\device\\harddisk%d\\partition0" + checksumTypeSha256 = uint16(4) + refsChecksumType = checksumTypeSha256 + maxSizeOfKernelFormatVolumeFormatRefsParameters = 16 * 8 // 128 bytes + sizeOfWchar = int(unsafe.Sizeof(uint16(0))) + kernelFormatVolumeMaxVolumeLabelLength = uint32(33 * sizeOfWchar) + kernelFormatVolumeWin32DriverPath = "\\\\?\\KernelFSFormatter" + // Allocate large enough buffer for output from fsFormatter + maxSizeOfOutputBuffer = uint32(512) + + // KERNEL_FORMAT_VOLUME_FORMAT_REFS_PARAMETERS member offsets + clusterSizeOffset = 0 + checksumTypeOffset = 4 + useDataIntegrityOffset = 6 + majorVersionOffset = 8 + minorVersionOffset = 10 +) + +type kernelFormatVolumeFilesystemTypes uint32 + +const ( + kernelFormatVolumeFilesystemTypeInvalid = kernelFormatVolumeFilesystemTypes(iota) + kernelFormatVolumeFilesystemTypeRefs = kernelFormatVolumeFilesystemTypes(1) + kernelFormatVolumeFilesystemTypeMax = kernelFormatVolumeFilesystemTypes(2) +) + +// We only want to allow refs formatting +func (filesystemType kernelFormatVolumeFilesystemTypes) String() string { + switch filesystemType { + case kernelFormatVolumeFilesystemTypeRefs: + return "KERNEL_FORMAT_VOLUME_FILESYSTEM_TYPE_REFS" + default: + return "Unknown" + } +} + +type kernelFormatVolumeFormatInputBufferFlags uint32 + +const kernelFormatVolumeFormatInputBufferFlagNone = 
kernelFormatVolumeFormatInputBufferFlags(0x00000000) + +func (flag kernelFormatVolumeFormatInputBufferFlags) String() string { + switch flag { + case kernelFormatVolumeFormatInputBufferFlagNone: + return "kernelFormatVolumeFormatInputBufferFlagNone" + default: + return "Unknown" + } +} + +type KernelFormatVolumeFormatRefsParameters struct { + ClusterSize uint32 + MetadataChecksumType uint16 + UseDataIntegrity bool + MajorVersion uint16 + MinorVersion uint16 +} + +type KernelFormatVolumeFormatFsParameters struct { + FileSystemType kernelFormatVolumeFilesystemTypes + // Represents a WCHAR character array + VolumeLabel [kernelFormatVolumeMaxVolumeLabelLength / uint32(sizeOfWchar)]uint16 + // Length of volume label in bytes + VolumeLabelLength uint16 + // RefsFormatterParams represents the following union + /* + union { + + KERNEL_FORMAT_VOLUME_FORMAT_REFS_PARAMETERS RefsParameters; + + // + // This structure can't grow in size nor change in alignment. 16 ULONGLONGs + // should be more than enough for supporting other filesystems down the + // line. This also serves to enforce 8 byte alignment. + // + Reserved [16]uint64 + }; + */ + RefsFormatterParams [128]byte +} + +type KernelFormatVolumeFormatInputBuffer struct { + Size uint64 + FsParameters KernelFormatVolumeFormatFsParameters + Flags kernelFormatVolumeFormatInputBufferFlags + Reserved [4]uint32 + // Size of DiskPathBuffer in bytes + DiskPathLength uint16 + // DiskPathBuffer holds the disk path. 
It represents a + // variable size WCHAR character array + DiskPathBuffer []uint16 +} + +type kernelFormatVolumeFormatOutputBufferFlags uint32 + +const kernelFormatVolumeFormatOutputBufferFlagsNone = kernelFormatVolumeFormatOutputBufferFlags(0x00000000) + +func (flag kernelFormatVolumeFormatOutputBufferFlags) String() string { + switch flag { + case kernelFormatVolumeFormatOutputBufferFlagsNone: + return "kernelFormatVolumeFormatOutputBufferFlagsNone" + default: + return "Unknown" + } +} + +type KernelFormarVolumeFormatOutputBuffer struct { + Size uint32 + Flags kernelFormatVolumeFormatOutputBufferFlags + Reserved [4]uint32 + // VolumePathLength holds size of VolumePathBuffer + // in bytes + VolumePathLength uint16 + // VolumePathBuffer holds the mounted volume path + // as returned from refsFormatter. It represents + // a variable size WCHAR character array + VolumePathBuffer []uint16 +} + +// GetVolumePathBufferOffset gets offset to KernelFormarVolumeFormatOutputBuffer{}.VolumePathBuffer +func GetVolumePathBufferOffset() uint32 { + volPathBufferOffset := uint32(unsafe.Sizeof(KernelFormarVolumeFormatOutputBuffer{}.Size) + + unsafe.Sizeof(KernelFormarVolumeFormatOutputBuffer{}.Flags) + + unsafe.Sizeof(KernelFormarVolumeFormatOutputBuffer{}.Reserved) + + unsafe.Sizeof(KernelFormarVolumeFormatOutputBuffer{}.VolumePathLength)) + + return volPathBufferOffset +} + +// getInputBufferSize gets the total size needed for input buffer +func getInputBufferSize(wcharDiskPathLength uint16) uint32 { + bufferSize := uint32(unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.Size)+ + /* This is specifically for the union in KernelFormatVolumeFormatFsParameters */ + unsafe.Offsetof(KernelFormatVolumeFormatFsParameters{}.RefsFormatterParams)+ + maxSizeOfKernelFormatVolumeFormatRefsParameters+ + unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.Flags)+ + unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.Reserved)+ + 
unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.DiskPathLength)) + + uint32(wcharDiskPathLength) + + return bufferSize +} + +// getInputBufferDiskPathBufferOffset gets offset to KernelFormatVolumeFormatInputBuffer{}.DiskPathBuffer +func getInputBufferDiskPathBufferOffset() uint32 { + diskPathBufferOffset := uint32(unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.Size) + + unsafe.Offsetof(KernelFormatVolumeFormatFsParameters{}.RefsFormatterParams) + + maxSizeOfKernelFormatVolumeFormatRefsParameters + + unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.Flags) + + unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.Reserved) + + unsafe.Sizeof(KernelFormatVolumeFormatInputBuffer{}.DiskPathLength)) + + return diskPathBufferOffset +} + +// KmFmtCreateFormatOutputBuffer formats an output buffer as expected +// by the fsFormatter driver +func KmFmtCreateFormatOutputBuffer() *KernelFormarVolumeFormatOutputBuffer { + buf := make([]uint16, maxSizeOfOutputBuffer) + outputBuffer := (*KernelFormarVolumeFormatOutputBuffer)(unsafe.Pointer(&buf[0])) + outputBuffer.Size = uint32(maxSizeOfOutputBuffer) + + return outputBuffer +} + +func toUTF16(s string) []uint16 { + return utf16.Encode([]rune(s)) +} + +// KmFmtCreateFormatInputBuffer formats an input buffer as expected +// by the refsFormatter driver. +// diskPath represents disk path in VirtualDevObjectPathFormat. 
+func KmFmtCreateFormatInputBuffer(diskPath string) *KernelFormatVolumeFormatInputBuffer { + refsParametersBuf := make([]byte, unsafe.Sizeof(KernelFormatVolumeFormatRefsParameters{})) + refsParameters := (*KernelFormatVolumeFormatRefsParameters)(unsafe.Pointer(&refsParametersBuf[0])) + + utf16DiskPath := toUTF16(diskPath) + wcharDiskPathLength := uint16(len(utf16DiskPath) * sizeOfWchar) + + refsParameters.ClusterSize = 0x1000 + refsParameters.MetadataChecksumType = refsChecksumType + refsParameters.UseDataIntegrity = true + refsParameters.MajorVersion = uint16(3) + refsParameters.MinorVersion = uint16(14) + + bufferSize := getInputBufferSize(wcharDiskPathLength) + buf := make([]byte, bufferSize) + inputBuffer := (*KernelFormatVolumeFormatInputBuffer)(unsafe.Pointer(&buf[0])) + + inputBuffer.Size = uint64(bufferSize) + inputBuffer.Flags = kernelFormatVolumeFormatInputBufferFlagNone + + inputBuffer.FsParameters.FileSystemType = kernelFormatVolumeFilesystemTypeRefs + inputBuffer.FsParameters.VolumeLabelLength = 0 + inputBuffer.FsParameters.VolumeLabel = [33]uint16{} + + // Write KERNEL_FORMAT_VOLUME_FORMAT_REFS_PARAMETERS + binary.LittleEndian.PutUint32(inputBuffer.FsParameters.RefsFormatterParams[clusterSizeOffset:], refsParameters.ClusterSize) + binary.LittleEndian.PutUint16(inputBuffer.FsParameters.RefsFormatterParams[checksumTypeOffset:], refsParameters.MetadataChecksumType) + if refsParameters.UseDataIntegrity { + inputBuffer.FsParameters.RefsFormatterParams[useDataIntegrityOffset] = 1 + } else { + inputBuffer.FsParameters.RefsFormatterParams[useDataIntegrityOffset] = 0 + } + binary.LittleEndian.PutUint16(inputBuffer.FsParameters.RefsFormatterParams[majorVersionOffset:], refsParameters.MajorVersion) + binary.LittleEndian.PutUint16(inputBuffer.FsParameters.RefsFormatterParams[minorVersionOffset:], refsParameters.MinorVersion) + + // Finally write the diskPathLength and diskPathBuffer with the input disk path + inputBuffer.DiskPathLength = wcharDiskPathLength + // 
DiskBuffer writing + ptr := unsafe.Add(unsafe.Pointer(inputBuffer), getInputBufferDiskPathBufferOffset()) + // Convert the string to UTF-16 slice + utf16Array := toUTF16(diskPath) + diskPathBuf := unsafe.Slice((*uint16)(ptr), len(utf16Array)) + copy(diskPathBuf, utf16Array) + + return inputBuffer +} + +// InvokeFsFormatter makes an ioctl call to the fsFormatter driver and returns +// a path to the mountedVolume +func InvokeFsFormatter(ctx context.Context, diskPath string) (string, error) { + // Prepare input and output buffers as expected by refsFormatter + inputBuffer := KmFmtCreateFormatInputBuffer(diskPath) + outputBuffer := KmFmtCreateFormatOutputBuffer() + + utf16DriverPath, _ := windows.UTF16PtrFromString(kernelFormatVolumeWin32DriverPath) + deviceHandle, err := windows.CreateFile(utf16DriverPath, + windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE, + 0, + nil, + windows.OPEN_EXISTING, + 0, + 0) + if err != nil { + return "", errors.Wrap(err, "failed to get handle to refsFormatter driver") + } + defer windows.Close(deviceHandle) + + // Ioctl to fsFormatter driver + var bytesReturned uint32 + if err := windows.DeviceIoControl( + deviceHandle, + ioctlKernelFormatVolumeFormat, + (*byte)(unsafe.Pointer(inputBuffer)), + uint32(inputBuffer.Size), + (*byte)(unsafe.Pointer(outputBuffer)), + outputBuffer.Size, + &bytesReturned, + nil, + ); err != nil { + return "", errors.Wrap(err, "ioctl to refsFormatter driver failed") + } + + // Read the returned volume path from the corresponding offset in outputBuffer + ptr := unsafe.Pointer(uintptr(unsafe.Pointer(outputBuffer)) + uintptr(GetVolumePathBufferOffset())) + utf16Data := unsafe.Slice((*uint16)(ptr), outputBuffer.VolumePathLength/2) + mountedVolumePath := syscall.UTF16ToString(utf16Data) + return mountedVolumePath, err +} diff --git a/internal/gcs-sidecar/bridge.go b/internal/gcs-sidecar/bridge.go new file mode 100644 index 0000000000..8df933621a --- /dev/null +++ b/internal/gcs-sidecar/bridge.go 
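Review bot: In InvokeFsFormatter the `VolumePathLength` returned by the driver is used as-is in `unsafe.Slice((*uint16)(ptr), outputBuffer.VolumePathLength/2)` without being checked against the bytes actually returned or the space allocated, so an unexpected value reads past the output buffer; guard it with something like `if off := GetVolumePathBufferOffset(); bytesReturned < off || uint32(outputBuffer.VolumePathLength) > bytesReturned-off { return "", errors.New("refsFormatter returned invalid volume path length") }` (`bytesReturned` is otherwise never read). Relatedly, KmFmtCreateFormatOutputBuffer allocates `make([]uint16, maxSizeOfOutputBuffer)` (1024 bytes) but advertises `Size = 512`, so either the backing slice should be `[]byte` or Size should be `uint32(len(buf) * sizeOfWchar)`; as written the driver is told half the space that exists. The address computation `unsafe.Pointer(uintptr(unsafe.Pointer(outputBuffer)) + uintptr(GetVolumePathBufferOffset()))` should use `unsafe.Add` as KmFmtCreateFormatInputBuffer already does. The final `return mountedVolumePath, err` returns the outer `err` (the CreateFile result, nil at that point); `return mountedVolumePath, nil` says what is meant.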
@@ -0,0 +1,450 @@ +//go:build windows +// +build windows + +package bridge + +import ( + "bufio" + "bytes" + "context" + "encoding/base64" + "encoding/binary" + "encoding/hex" + "encoding/json" + "fmt" + "io" + "sync" + + "github.com/pkg/errors" + "github.com/sirupsen/logrus" + "go.opencensus.io/trace" + "go.opencensus.io/trace/tracestate" + "golang.org/x/sys/windows" + + "github.com/Microsoft/go-winio/pkg/guid" + "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils" + "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr" + "github.com/Microsoft/hcsshim/internal/gcs/prot" + "github.com/Microsoft/hcsshim/internal/log" + "github.com/Microsoft/hcsshim/internal/oc" + "github.com/Microsoft/hcsshim/pkg/securitypolicy" +) + +type Bridge struct { + mu sync.Mutex + hostState *Host + // List of handlers for handling different rpc message requests. + rpcHandlerList map[prot.RPCProc]HandlerFunc + + // hcsshim and inbox GCS connections respectively. + shimConn io.ReadWriteCloser + inboxGCSConn io.ReadWriteCloser + + // Response channels to forward incoming requests to inbox GCS + // and send responses back to hcsshim respectively. + sendToGCSCh chan request + sendToShimCh chan bridgeResponse +} + +// SequenceID is used to correlate requests and responses. +type sequenceID uint64 + +// messageHeader is the common header present in all communications messages. +type messageHeader struct { + Type prot.MsgType + Size uint32 + ID sequenceID +} + +type bridgeResponse struct { + ctx context.Context + header messageHeader + response []byte +} + +type request struct { + // Context created once received from the bridge. + ctx context.Context + // header is the wire format message header that preceded the message for + // this request. + header messageHeader + // activityID is the id of the specific activity for this request. + activityID guid.GUID + // message is the portion of the request that follows the `Header`. 
+ message []byte +} + +func NewBridge(shimConn io.ReadWriteCloser, inboxGCSConn io.ReadWriteCloser, initialEnforcer securitypolicy.SecurityPolicyEnforcer) *Bridge { + hostState := NewHost(initialEnforcer) + return &Bridge{ + rpcHandlerList: make(map[prot.RPCProc]HandlerFunc), + hostState: hostState, + shimConn: shimConn, + inboxGCSConn: inboxGCSConn, + sendToGCSCh: make(chan request), + sendToShimCh: make(chan bridgeResponse), + } +} + +func NewPolicyEnforcer(initialEnforcer securitypolicy.SecurityPolicyEnforcer) *SecurityPoliyEnforcer { + return &SecurityPoliyEnforcer{ + securityPolicyEnforcerSet: false, + securityPolicyEnforcer: initialEnforcer, + } +} + +// UnknownMessage represents the default handler logic for an unmatched request +// type sent from the bridge. +func UnknownMessage(r *request) error { + log.G(r.ctx).Debugf("bridge: function not supported, header type %v", prot.MsgType(r.header.Type).String()) + return gcserr.WrapHresult(errors.Errorf("bridge: function not supported, header type: %v", r.header.Type), gcserr.HrNotImpl) +} + +// HandlerFunc is an adapter to use functions as handlers. +type HandlerFunc func(*request) error + +func (b *Bridge) getRequestHandler(r *request) (HandlerFunc, error) { + b.mu.Lock() + defer b.mu.Unlock() + + var handler HandlerFunc + var ok bool + messageType := r.header.Type + rpcProcID := prot.RPCProc(messageType &^ prot.MsgTypeMask) + if handler, ok = b.rpcHandlerList[rpcProcID]; !ok { + return nil, UnknownMessage(r) + } + return handler, nil +} + +// ServeMsg serves request by calling appropriate handler functions. +func (b *Bridge) ServeMsg(r *request) error { + if r == nil { + panic("bridge: nil request to handler") + } + + var handler HandlerFunc + var err error + if handler, err = b.getRequestHandler(r); err != nil { + return UnknownMessage(r) + } + return handler(r) +} + +// Handle registers the handler for the given message id and protocol version. 
+func (b *Bridge) Handle(rpcProcID prot.RPCProc, handlerFunc HandlerFunc) { + b.mu.Lock() + defer b.mu.Unlock() + + if handlerFunc == nil { + panic("empty function handler") + } + + if _, ok := b.rpcHandlerList[rpcProcID]; ok { + logrus.WithFields(logrus.Fields{ + "message-type": rpcProcID.String(), + }).Warn("overwriting bridge handler") + } + + b.rpcHandlerList[rpcProcID] = handlerFunc +} + +func (b *Bridge) HandleFunc(rpcProcID prot.RPCProc, handler func(*request) error) { + if handler == nil { + panic("bridge: nil handler func") + } + + b.Handle(rpcProcID, HandlerFunc(handler)) +} + +// AssignHandlers creates and assigns appropriate event handlers +// for the different bridge message types. +func (b *Bridge) AssignHandlers() { + b.HandleFunc(prot.RPCCreate, b.createContainer) + b.HandleFunc(prot.RPCStart, b.startContainer) + b.HandleFunc(prot.RPCShutdownGraceful, b.shutdownGraceful) + b.HandleFunc(prot.RPCShutdownForced, b.shutdownForced) + b.HandleFunc(prot.RPCExecuteProcess, b.executeProcess) + b.HandleFunc(prot.RPCWaitForProcess, b.waitForProcess) + b.HandleFunc(prot.RPCSignalProcess, b.signalProcess) + b.HandleFunc(prot.RPCResizeConsole, b.resizeConsole) + b.HandleFunc(prot.RPCGetProperties, b.getProperties) + b.HandleFunc(prot.RPCModifySettings, b.modifySettings) + b.HandleFunc(prot.RPCNegotiateProtocol, b.negotiateProtocol) + b.HandleFunc(prot.RPCDumpStacks, b.dumpStacks) + b.HandleFunc(prot.RPCDeleteContainerState, b.deleteContainerState) + b.HandleFunc(prot.RPCUpdateContainer, b.updateContainer) + b.HandleFunc(prot.RPCLifecycleNotification, b.lifecycleNotification) +} + +// readMessage reads the message from io.Reader +func readMessage(r io.Reader) (messageHeader, []byte, error) { + var h [prot.HdrSize]byte + _, err := io.ReadFull(r, h[:]) + if err != nil { + return messageHeader{}, nil, err + } + var header messageHeader + buf := bytes.NewReader(h[:]) + err = binary.Read(buf, binary.LittleEndian, &header) + if err != nil { + 
logrus.WithError(err).Errorf("error reading message header") + return messageHeader{}, nil, err + } + + n := header.Size + if n < prot.HdrSize || n > prot.MaxMsgSize { + logrus.Errorf("invalid message size %d", n) + return messageHeader{}, nil, fmt.Errorf("invalid message size %d: %w", n, err) + } + + n -= prot.HdrSize + msg := make([]byte, n) + _, err = io.ReadFull(r, msg) + if err != nil { + if errors.Is(err, io.EOF) { + err = io.ErrUnexpectedEOF + } + return messageHeader{}, nil, err + } + + return header, msg, nil +} + +func isLocalDisconnectError(err error) bool { + return errors.Is(err, windows.WSAECONNABORTED) +} + +// Sends request to the inbox GCS channel +func (b *Bridge) forwardRequestToGcs(req *request) { + b.sendToGCSCh <- *req +} + +// Sends response to the hcsshim channel +func (b *Bridge) sendResponseToShim(ctx context.Context, rpcProcType prot.RPCProc, id sequenceID, response interface{}) error { + respType := prot.MsgTypeResponse | prot.MsgType(rpcProcType) + msgb, err := json.Marshal(response) + if err != nil { + return err + } + msgHeader := messageHeader{ + Type: respType, + Size: uint32(len(msgb) + prot.HdrSize), + ID: id, + } + + b.sendToShimCh <- bridgeResponse{ + ctx: ctx, + header: msgHeader, + response: msgb, + } + return nil +} + +func getContextAndSpan(baseSpanCtx *prot.Ocspancontext) (context.Context, *trace.Span) { + var ctx context.Context + var span *trace.Span + if baseSpanCtx != nil { + sc := trace.SpanContext{} + if bytes, err := hex.DecodeString(baseSpanCtx.TraceID); err == nil { + copy(sc.TraceID[:], bytes) + } + if bytes, err := hex.DecodeString(baseSpanCtx.SpanID); err == nil { + copy(sc.SpanID[:], bytes) + } + sc.TraceOptions = trace.TraceOptions(baseSpanCtx.TraceOptions) + if baseSpanCtx.Tracestate != "" { + if bytes, err := base64.StdEncoding.DecodeString(baseSpanCtx.Tracestate); err == nil { + var entries []tracestate.Entry + if err := json.Unmarshal(bytes, &entries); err == nil { + if ts, err := tracestate.New(nil, 
entries...); err == nil { + sc.Tracestate = ts + } + } + } + } + ctx, span = oc.StartSpanWithRemoteParent( + context.Background(), + "sidecar::request", + sc, + oc.WithServerSpanKind, + ) + } else { + ctx, span = oc.StartSpan( + context.Background(), + "sidecar::request", + oc.WithServerSpanKind, + ) + } + + return ctx, span +} + +// ListenAndServeShimRequests listens to messages on the hcsshim +// and inbox GCS connections and schedules them for processing. +// After processing, messages are forwarded to inbox GCS on success +// and responses from inbox GCS or error messages are sent back +// to hcsshim via bridge connection. +func (b *Bridge) ListenAndServeShimRequests() error { + shimRequestChan := make(chan request) + sidecarErrChan := make(chan error) + + defer b.inboxGCSConn.Close() + defer close(shimRequestChan) + defer close(sidecarErrChan) + defer b.shimConn.Close() + defer close(b.sendToShimCh) + defer close(b.sendToGCSCh) + + // Listen to requests from hcsshim + go func() { + var recverr error + br := bufio.NewReader(b.shimConn) + for { + header, msg, err := readMessage(br) + if err != nil { + if errors.Is(err, io.EOF) || isLocalDisconnectError(err) { + return + } + recverr = errors.Wrap(err, "bridge read from shim connection failed") + logrus.Error(recverr) + break + } + var msgBase prot.RequestBase + _ = json.Unmarshal(msg, &msgBase) + ctx, span := getContextAndSpan(msgBase.OpenCensusSpanContext) + span.AddAttributes( + trace.Int64Attribute("message-id", int64(header.ID)), + trace.StringAttribute("message-type", header.Type.String()), + trace.StringAttribute("activityID", msgBase.ActivityID.String()), + trace.StringAttribute("containerID", msgBase.ContainerID)) + + req := request{ + ctx: ctx, + activityID: msgBase.ActivityID, + header: header, + message: msg, + } + shimRequestChan <- req + } + sidecarErrChan <- recverr + }() + // Process each bridge request received from shim asynchronously. 
+ go func() { + for req := range shimRequestChan { + // Requests are served sequentially to avoid + // racing/reordering of incoming message order. + // This becomes important for confidential cases + // where the shim could be compromised and replay + // messages out of order. + if err := b.ServeMsg(&req); err != nil { + log.G(req.ctx).WithError(err).Errorf("failed to serve request: %v", req.header.Type.String()) + // In case of error, create appropriate response message to + // be sent to hcsshim. + resp := &prot.ResponseBase{ + Result: int32(windows.ERROR_GEN_FAILURE), + ErrorMessage: err.Error(), + ActivityID: req.activityID, + } + setErrorForResponseBase(resp, err, "gcs-sidecar" /* moduleName */) + err = b.sendResponseToShim(req.ctx, prot.RPCProc(prot.MsgTypeResponse), req.header.ID, resp) + log.G(req.ctx).WithError(err).Errorf("failed to send response to shim") + } + } + }() + go func() { + var err error + for req := range b.sendToGCSCh { + // Forward message to gcs + log.G(req.ctx).Tracef("bridge send to gcs, req %v, %v", req.header.Type.String(), string(req.message)) + buffer, err := b.prepareResponseMessage(req.header, req.message) + if err != nil { + err = errors.Wrap(err, "error preparing response") + logrus.Error(err) + break + } + + _, err = buffer.WriteTo(b.inboxGCSConn) + if err != nil { + err = errors.Wrap(err, "err forwarding shim req to inbox GCS") + logrus.Error(err) + break + } + } + sidecarErrChan <- err + }() + // Receive response from gcs and forward to hcsshim + go func() { + var recverr error + for { + header, message, err := readMessage(b.inboxGCSConn) + if err != nil { + if errors.Is(err, io.EOF) || isLocalDisconnectError(err) { + return + } + recverr = errors.Wrap(err, "bridge read from gcs failed") + logrus.Error(recverr) + break + } + + // Forward to shim + resp := bridgeResponse{ + ctx: context.Background(), + header: header, + response: message, + } + b.sendToShimCh <- resp + } + sidecarErrChan <- recverr + }() + // Send response to 
hcsshim + go func() { + var sendErr error + for resp := range b.sendToShimCh { + // Send response to shim + logrus.Tracef("Send response to shim. Header:{ID: %v, Type: %v, Size: %v} msg: %v", resp.header.ID, + resp.header.Type, resp.header.Size, string(resp.response)) + buffer, err := b.prepareResponseMessage(resp.header, resp.response) + if err != nil { + sendErr = errors.Wrap(err, "error preparing response") + logrus.Error(sendErr) + break + } + _, sendErr = buffer.WriteTo(b.shimConn) + if sendErr != nil { + sendErr = errors.Wrap(sendErr, "err sending response to shim") + logrus.Error(sendErr) + break + } + } + sidecarErrChan <- sendErr + }() + + err := <-sidecarErrChan + return err +} + +// Prepare response message +func (b *Bridge) prepareResponseMessage(header messageHeader, message []byte) (bytes.Buffer, error) { + // Create a buffer to hold the serialized header data + var headerBuf bytes.Buffer + err := binary.Write(&headerBuf, binary.LittleEndian, header) + if err != nil { + return headerBuf, err + } + + // Write message header followed by actual payload. + var buf bytes.Buffer + buf.Write(headerBuf.Bytes()) + buf.Write(message[:]) + return buf, nil +} + +// setErrorForResponseBase modifies the passed-in ResponseBase to +// contain information pertaining to the given error. +func setErrorForResponseBase(response *prot.ResponseBase, errForResponse error, moduleName string) { + hresult, errorMessage, newRecord := commonutils.SetErrorForResponseBaseUtil(errForResponse, moduleName) + response.Result = int32(hresult) + response.ErrorMessage = errorMessage + response.ErrorRecords = append(response.ErrorRecords, newRecord) +} diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go new file mode 100644 index 0000000000..7d9aeafad4 --- /dev/null +++ b/internal/gcs-sidecar/handlers.go 
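Review bot: ListenAndServeShimRequests cannot shut down cleanly: `sidecarErrChan` is unbuffered and received from exactly once while four goroutines send to it, so after the first result the others block forever or, once the deferred `close(sidecarErrChan)` has run, panic on send, and the deferred `close(shimRequestChan)`/`close(b.sendToShimCh)`/`close(b.sendToGCSCh)` likewise race with goroutines still sending on them. The two reader goroutines also `return` on EOF or local disconnect without signalling anything, so a plain disconnect of either peer leaves the function blocked. A minimal repair is `sidecarErrChan := make(chan error, 4)`, replacing those `return`s with `break` so the (nil) result is always sent, and closing the two connections rather than the channels to unblock the readers; a fuller fix would tie the goroutines to a context and a WaitGroup and let each channel be closed only by its producer side. In the sendToGCSCh goroutine `buffer, err := b.prepareResponseMessage(...)` shadows the outer `var err error`, so `sidecarErrChan <- err` reports nil even after a forwarding failure; predeclare `var buffer bytes.Buffer` and assign with `=`. In readMessage the size check runs after a successful binary.Read, so `fmt.Errorf("invalid message size %d: %w", n, err)` wraps a nil error and renders `%!w(<nil>)`; drop the `%w` and its argument.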
@@ -0,0 +1,492 @@ +//go:build windows +// +build windows + +package bridge + +import ( + "encoding/json" + "fmt" + "os" + "path/filepath" + "time" + + "github.com/Microsoft/hcsshim/hcn" + "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils" + "github.com/Microsoft/hcsshim/internal/fsformatter" + "github.com/Microsoft/hcsshim/internal/gcs/prot" + hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2" + "github.com/Microsoft/hcsshim/internal/log" + "github.com/Microsoft/hcsshim/internal/oc" + "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" + "github.com/Microsoft/hcsshim/internal/protocol/guestresource" + "github.com/Microsoft/hcsshim/internal/windevice" + "github.com/Microsoft/hcsshim/pkg/cimfs" + "github.com/pkg/errors" +) + +const ( + sandboxStateDirName = "WcSandboxState" + hivesDirName = "Hives" + devPathFormat = "\\\\.\\PHYSICALDRIVE%d" +) + +// - Handler functions handle the incoming message requests. It +// also enforces security policy for confidential cwcow containers. +// - These handler functions may do some additional processing before +// forwarding requests to inbox GCS or send responses back to hcsshim. +// - In case of any error encountered during processing, appropriate error +// messages are returned and responses are sent back to hcsshim from ListenAndServer(). +// TODO (kiashok): Verbose logging is for WIP and will be removed eventually. 
+func (b *Bridge) createContainer(req *request) (err error) { + ctx, span := oc.StartSpan(req.ctx, "sidecar::createContainer") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.ContainerCreate + var containerConfig json.RawMessage + r.ContainerConfig.Value = &containerConfig + if err = commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal createContainer") + } + + // containerConfig can be of type uvnConfig or hcsschema.HostedSystem + var ( + uvmConfig prot.UvmConfig + hostedSystemConfig hcsschema.HostedSystem + ) + if err = commonutils.UnmarshalJSONWithHresult(containerConfig, &uvmConfig); err == nil && + uvmConfig.SystemType != "" { + systemType := uvmConfig.SystemType + timeZoneInformation := uvmConfig.TimeZoneInformation + log.G(ctx).Tracef("createContainer: uvmConfig: {systemType: %v, timeZoneInformation: %v}}", systemType, timeZoneInformation) + } else if err = commonutils.UnmarshalJSONWithHresult(containerConfig, &hostedSystemConfig); err == nil && + hostedSystemConfig.SchemaVersion != nil && hostedSystemConfig.Container != nil { + schemaVersion := hostedSystemConfig.SchemaVersion + container := hostedSystemConfig.Container + log.G(ctx).Tracef("createContainer: HostedSystemConfig: {schemaVersion: %v, container: %v}}", schemaVersion, container) + } else { + return fmt.Errorf("invalid request to createContainer") + } + + b.forwardRequestToGcs(req) + return err +} + +func (b *Bridge) startContainer(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::startContainer") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.RequestBase + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrapf(err, "failed to unmarshal startContainer") + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) shutdownGraceful(req *request) (err error) { + _, span := 
oc.StartSpan(req.ctx, "sidecar::shutdownGraceful") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.RequestBase + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal shutdownGraceful") + } + + // TODO (kiashok/Mahati): Since gcs-sidecar can be used for all types of windows + // containers, it is important to check if we want to + // enforce policy or not. + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) shutdownForced(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::shutdownForced") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.RequestBase + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal shutdownForced") + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) executeProcess(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::executeProcess") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.ContainerExecuteProcess + var processParamSettings json.RawMessage + r.Settings.ProcessParameters.Value = &processParamSettings + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal executeProcess") + } + + var processParams hcsschema.ProcessParameters + if err := commonutils.UnmarshalJSONWithHresult(processParamSettings, &processParams); err != nil { + return errors.Wrap(err, "executeProcess: invalid params type for request") + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) waitForProcess(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::waitForProcess") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.ContainerWaitForProcess + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil 
{ + return errors.Wrap(err, "failed to unmarshal waitForProcess") + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) signalProcess(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::signalProcess") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.ContainerSignalProcess + var rawOpts json.RawMessage + r.Options = &rawOpts + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal signalProcess") + } + + var wcowOptions guestresource.SignalProcessOptionsWCOW + if rawOpts != nil { + if err := commonutils.UnmarshalJSONWithHresult(rawOpts, &wcowOptions); err != nil { + return errors.Wrap(err, "signalProcess: invalid Options type for request") + } + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) resizeConsole(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::resizeConsole") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.ContainerResizeConsole + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return fmt.Errorf("failed to unmarshal resizeConsole: %v", req) + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) getProperties(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::getProperties") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var getPropReqV2 prot.ContainerGetPropertiesV2 + if err := commonutils.UnmarshalJSONWithHresult(req.message, &getPropReqV2); err != nil { + return errors.Wrapf(err, "failed to unmarshal getProperties: %v", string(req.message)) + } + log.G(req.ctx).Tracef("getProperties query: %v", getPropReqV2.Query.PropertyTypes) + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) negotiateProtocol(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::negotiateProtocol") + defer span.End() + defer func() { 
oc.SetSpanStatus(span, err) }() + + var r prot.NegotiateProtocolRequest + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal negotiateProtocol") + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) dumpStacks(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::dumpStacks") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.DumpStacksRequest + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal dumpStacks") + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) deleteContainerState(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::deleteContainerState") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + var r prot.DeleteContainerStateRequest + if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + return errors.Wrap(err, "failed to unmarshal deleteContainerState") + } + + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) updateContainer(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::updateContainer") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + // No callers in the code for rpcUpdateContainer + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) lifecycleNotification(req *request) (err error) { + _, span := oc.StartSpan(req.ctx, "sidecar::lifecycleNotification") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + // No callers in the code for rpcLifecycleNotification + b.forwardRequestToGcs(req) + return nil +} + +func (b *Bridge) modifySettings(req *request) (err error) { + ctx, span := oc.StartSpan(req.ctx, "sidecar::modifySettings") + defer span.End() + defer func() { oc.SetSpanStatus(span, err) }() + + log.G(ctx).Tracef("modifySettings: MsgType: %v, Payload: %v", 
req.header.Type, string(req.message)) + modifyRequest, err := unmarshalContainerModifySettings(req) + if err != nil { + return err + } + modifyGuestSettingsRequest := modifyRequest.Request.(*guestrequest.ModificationRequest) + guestResourceType := modifyGuestSettingsRequest.ResourceType + guestRequestType := modifyGuestSettingsRequest.RequestType + log.G(ctx).Tracef("modifySettings: resourceType: %v, requestType: %v", guestResourceType, guestRequestType) + + if guestRequestType == "" { + guestRequestType = guestrequest.RequestTypeAdd + } + + switch guestRequestType { + case guestrequest.RequestTypeAdd: + case guestrequest.RequestTypeRemove: + case guestrequest.RequestTypePreAdd: + case guestrequest.RequestTypeUpdate: + default: + return fmt.Errorf("invald guestRequestType %v", guestRequestType) + } + + if guestResourceType != "" { + switch guestResourceType { + case guestresource.ResourceTypeCombinedLayers: + settings := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWCombinedLayers) + log.G(ctx).Tracef("WCOWCombinedLayers: {%v}", settings) + + case guestresource.ResourceTypeNetworkNamespace: + settings := modifyGuestSettingsRequest.Settings.(*hcn.HostComputeNamespace) + log.G(ctx).Tracef("HostComputeNamespaces { %v}", settings) + + case guestresource.ResourceTypeNetwork: + settings := modifyGuestSettingsRequest.Settings.(*guestrequest.NetworkModifyRequest) + log.G(ctx).Tracef("NetworkModifyRequest { %v}", settings) + + case guestresource.ResourceTypeMappedVirtualDisk: + wcowMappedVirtualDisk := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWMappedVirtualDisk) + log.G(ctx).Tracef("wcowMappedVirtualDisk { %v}", wcowMappedVirtualDisk) + + case guestresource.ResourceTypeHvSocket: + hvSocketAddress := modifyGuestSettingsRequest.Settings.(*hcsschema.HvSocketAddress) + log.G(ctx).Tracef("hvSocketAddress { %v }", hvSocketAddress) + + case guestresource.ResourceTypeMappedDirectory: + settings := 
modifyGuestSettingsRequest.Settings.(*hcsschema.MappedDirectory) + log.G(ctx).Tracef("hcsschema.MappedDirectory { %v }", settings) + + case guestresource.ResourceTypeSecurityPolicy: + securityPolicyRequest := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWConfidentialOptions) + log.G(ctx).Tracef("WCOWConfidentialOptions: { %v}", securityPolicyRequest) + _ = b.hostState.SetWCOWConfidentialUVMOptions(securityPolicyRequest) + + // Send response back to shim + resp := &prot.ResponseBase{ + Result: 0, // 0 means success + ActivityID: req.activityID, + } + err := b.sendResponseToShim(req.ctx, prot.RPCModifySettings, req.header.ID, resp) + if err != nil { + return errors.Wrap(err, "error sending response to hcsshim") + } + return nil + + case guestresource.ResourceTypeWCOWBlockCims: + // This is request to mount the merged cim at given volumeGUID + wcowBlockCimMounts := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWBlockCIMMounts) + log.G(ctx).Tracef("WCOWBlockCIMMounts { %v}", wcowBlockCimMounts) + + // The block device takes some time to show up. Wait for a few seconds. 
+ time.Sleep(2 * time.Second) + + var layerCIMs []*cimfs.BlockCIM + for _, blockCimDevice := range wcowBlockCimMounts.BlockCIMs { + // Get the scsi device path for the blockCim lun + devNumber, err := windevice.GetDeviceNumberFromControllerLUN( + ctx, + 0, /* controller is always 0 for wcow */ + uint8(blockCimDevice.Lun)) + if err != nil { + return errors.Wrap(err, "err getting scsiDevPath") + } + layerCim := cimfs.BlockCIM{ + Type: cimfs.BlockCIMTypeDevice, + BlockPath: fmt.Sprintf(devPathFormat, devNumber), + CimName: blockCimDevice.CimName, + } + layerCIMs = append(layerCIMs, &layerCim) + } + if len(layerCIMs) > 1 { + // Get the topmost merge CIM and invoke the MountMergedBlockCIMs + _, err := cimfs.MountMergedBlockCIMs(layerCIMs[0], layerCIMs[1:], wcowBlockCimMounts.MountFlags, wcowBlockCimMounts.VolumeGUID) + if err != nil { + return errors.Wrap(err, "error mounting multilayer block cims") + } + } else { + _, err := cimfs.Mount(filepath.Join(layerCIMs[0].BlockPath, layerCIMs[0].CimName), wcowBlockCimMounts.VolumeGUID, wcowBlockCimMounts.MountFlags) + if err != nil { + return errors.Wrap(err, "error mounting merged block cims") + } + } + + // Send response back to shim + resp := &prot.ResponseBase{ + Result: 0, // 0 means success + ActivityID: req.activityID, + } + err = b.sendResponseToShim(req.ctx, prot.RPCModifySettings, req.header.ID, resp) + if err != nil { + return errors.Wrap(err, "error sending response to hcsshim") + } + return nil + + case guestresource.ResourceTypeCWCOWCombinedLayers: + settings := modifyGuestSettingsRequest.Settings.(*guestresource.CWCOWCombinedLayers) + containerID := settings.ContainerID + log.G(ctx).Tracef("CWCOWCombinedLayers:: ContainerID: %v, ContainerRootPath: %v, Layers: %v, ScratchPath: %v", + containerID, settings.CombinedLayers.ContainerRootPath, settings.CombinedLayers.Layers, settings.CombinedLayers.ScratchPath) + + // TODO: Update modifyCombinedLayers with verified CimFS API + + // The following two folders are 
expected to be present in the scratch. + // But since we have just formatted the scratch we would need to + // create them manually. + sandboxStateDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, sandboxStateDirName) + err = os.Mkdir(sandboxStateDirectory, 0777) + if err != nil { + return errors.Wrap(err, "failed to create sandboxStateDirectory") + } + + hivesDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, hivesDirName) + err = os.Mkdir(hivesDirectory, 0777) + if err != nil { + return errors.Wrap(err, "failed to create hivesDirectory") + } + + // Reconstruct WCOWCombinedLayers{} req before forwarding to GCS + // as GCS does not understand ResourceTypeCWCOWCombinedLayers + modifyGuestSettingsRequest.ResourceType = guestresource.ResourceTypeCombinedLayers + modifyGuestSettingsRequest.Settings = settings.CombinedLayers + modifyRequest.Request = modifyGuestSettingsRequest + buf, err := json.Marshal(modifyRequest) + if err != nil { + return errors.Wrap(err, "failed to marshal rpcModifySettings") + } + var newRequest request + newRequest.ctx = req.ctx + newRequest.header = req.header + newRequest.header.Size = uint32(len(buf)) + prot.HdrSize + newRequest.message = buf + req = &newRequest + + case guestresource.ResourceTypeMappedVirtualDiskForContainerScratch: + wcowMappedVirtualDisk := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWMappedVirtualDisk) + log.G(ctx).Tracef("ResourceTypeMappedVirtualDiskForContainerScratch: { %v }", wcowMappedVirtualDisk) + + // 1. TODO (Mahati): Need to enforce policy before calling into fsFormatter + // 2. Call fsFormatter to format the scratch disk. + // This will return the volume path of the mounted scratch. + // Scratch disk should be >= 30 GB for refs formatter to work. + + // fsFormatter understands only virtualDevObjectPathFormat. 
Therefore fetch the + // disk number for the corresponding lun + var devNumber uint32 + // It could take a few seconds for the attached scsi disk + // to show up inside the UVM. Therefore adding retry logic + // with delay here. + for try := 0; try < 5; try++ { + time.Sleep(1 * time.Second) + devNumber, err = windevice.GetDeviceNumberFromControllerLUN(req.ctx, + 0, /* Only one controller allowed in wcow hyperv */ + uint8(wcowMappedVirtualDisk.Lun)) + if err != nil { + if try == 4 { + // bail out + return errors.Wrapf(err, "error getting diskNumber for LUN %d", wcowMappedVirtualDisk.Lun) + } + continue + } else { + log.G(ctx).Tracef("DiskNumber of lun %d is: %d", wcowMappedVirtualDisk.Lun, devNumber) + break + } + } + diskPath := fmt.Sprintf(fsformatter.VirtualDevObjectPathFormat, devNumber) + log.G(ctx).Tracef("diskPath: %v, diskNumber: %v ", diskPath, devNumber) + mountedVolumePath, err := fsformatter.InvokeFsFormatter(req.ctx, diskPath) + if err != nil { + return errors.Wrap(err, "failed to invoke refsFormatter") + } + log.G(ctx).Tracef("mountedVolumePath returned from InvokeFsFormatter: %v", mountedVolumePath) + + // Forward the req as is to inbox gcs and let it retreive the volume. + // While forwarding request to inbox gcs, make sure to replace the + // resourceType to ResourceTypeMappedVirtualDisk that inbox GCS + // understands. + modifyGuestSettingsRequest.ResourceType = guestresource.ResourceTypeMappedVirtualDisk + modifyRequest.Request = modifyGuestSettingsRequest + buf, err := json.Marshal(modifyRequest) + if err != nil { + return errors.Wrap(err, "failed to marshal WCOWMappedVirtualDisk") + } + var newRequest request + newRequest.ctx = req.ctx + newRequest.header = req.header + newRequest.header.Size = uint32(len(buf)) + prot.HdrSize + newRequest.message = buf + req = &newRequest + + default: + // Invalid request + return fmt.Errorf("invald modifySettingsRequest: %v", guestResourceType) + } + } + + b.forwardRequestToGcs(req) + return nil +} 
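Review bot: In modifySettings' ResourceTypeSecurityPolicy case the error from `b.hostState.SetWCOWConfidentialUVMOptions(securityPolicyRequest)` is discarded with `_ =`, and a `Result: 0` response is then sent, so hcsshim is told the policy is in place even when it was rejected (already set, or the encoded policy could not be turned into an enforcer). Replace it with `if err := b.hostState.SetWCOWConfidentialUVMOptions(securityPolicyRequest); err != nil { return errors.Wrap(err, "failed to set security policy") }` so the caller's error path, which appears to build a failure ResponseBase, is taken instead. In the ResourceTypeWCOWBlockCims case an empty `BlockCIMs` list leaves `layerCIMs` empty and the else branch indexes `layerCIMs[0]`, which panics; a `len(layerCIMs) == 0` guard returning an error belongs before the mount calls. The `invald` typo appears in two error strings here and again in uvm.go and should read `invalid`.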
diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go
new file mode 100644
index 0000000000..601801ad61
--- /dev/null
+++ b/internal/gcs-sidecar/host.go
@@ -0,0 +1,64 @@
+//go:build windows
+// +build windows
+
+package bridge
+
+import (
+ "errors"
+ "fmt"
+ "sync"
+
+ "github.com/Microsoft/hcsshim/internal/protocol/guestresource"
+ "github.com/Microsoft/hcsshim/pkg/securitypolicy"
+)
+
+type Host struct {
+ // state required for the security policy enforcement
+ policyMutex sync.Mutex
+ securityPolicyEnforcer securitypolicy.SecurityPolicyEnforcer
+ securityPolicyEnforcerSet bool
+}
+
+type SecurityPoliyEnforcer struct {
+ // State required for the security policy enforcement
+ securityPolicyEnforcer securitypolicy.SecurityPolicyEnforcer
+ securityPolicyEnforcerSet bool
+}
+
+func NewHost(initialEnforcer securitypolicy.SecurityPolicyEnforcer) *Host {
+ return &Host{
+ securityPolicyEnforcer: initialEnforcer,
+ securityPolicyEnforcerSet: false,
+ }
+}
+
+func (h *Host) SetWCOWConfidentialUVMOptions(securityPolicyRequest *guestresource.WCOWConfidentialOptions) error {
+ h.policyMutex.Lock()
+ defer h.policyMutex.Unlock()
+
+ if h.securityPolicyEnforcerSet {
+ return errors.New("security policy has already been set")
+ }
+
+ // This limit ensures messages are below the character truncation limit that
+ // can be imposed by an orchestrator
+ maxErrorMessageLength := 3 * 1024
+
+ // Initialize security policy enforcer for a given enforcer type and
+ // encoded security policy.
+ p, err := securitypolicy.CreateSecurityPolicyEnforcer(
+ "rego",
+ securityPolicyRequest.EncodedSecurityPolicy,
+ DefaultCRIMounts(),
+ DefaultCRIPrivilegedMounts(),
+ maxErrorMessageLength,
+ )
+ if err != nil {
+ return fmt.Errorf("error creating security policy enforcer: %w", err)
+ }
+
+ h.securityPolicyEnforcer = p
+ h.securityPolicyEnforcerSet = true
+
+ return nil
+}
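Review bot: `SecurityPoliyEnforcer` (misspelled) duplicates the two policy fields of `Host` and nothing in this commit references it; drop it, or if it is reserved for a later change give it the correct spelling and a doc comment. `Host`, `NewHost` and `SetWCOWConfidentialUVMOptions` are exported with no doc comments; the last should state its contract, e.g. `// SetWCOWConfidentialUVMOptions installs the rego enforcer built from the encoded policy; it succeeds at most once per Host and returns an error on any later call.` It is also worth recording on `Host` that `securityPolicyEnforcer` is stored but not yet consulted by any handler in this commit (handlers.go carries TODOs for enforcement), so installing a policy does not yet restrict anything.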
diff --git a/internal/gcs-sidecar/policy.go b/internal/gcs-sidecar/policy.go
new file mode 100644
index 0000000000..13b96ce64d
--- /dev/null
+++ b/internal/gcs-sidecar/policy.go
@@ -0,0 +1,19 @@
+//go:build windows
+// +build windows
+
+package bridge
+
+import (
+ oci "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// DefaultCRIMounts returns default mounts added to windows spec by containerD.
+func DefaultCRIMounts() []oci.Mount {
+ return []oci.Mount{}
+}
+
+// DefaultCRIPrivilegedMounts returns a slice of mounts which are added to the
+// windows container spec when a container runs in a privileged mode.
+func DefaultCRIPrivilegedMounts() []oci.Mount {
+ return []oci.Mount{}
+}
diff --git a/internal/gcs-sidecar/uvm.go b/internal/gcs-sidecar/uvm.go
new file mode 100644
index 0000000000..85f4d6609b
--- /dev/null
+++ b/internal/gcs-sidecar/uvm.go
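Review bot: The doc comment on `DefaultCRIMounts` says it returns the default mounts containerd adds to a Windows spec, but the body returns an empty slice, and `DefaultCRIPrivilegedMounts` does the same; both values feed `securitypolicy.CreateSecurityPolicyEnforcer` in host.go, so the policy is evaluated as if the runtime adds no implicit mounts. If Windows containerd adds none today, the comment should say so, e.g. `// DefaultCRIMounts returns the mounts containerd implicitly adds to a Windows spec; currently none, so policy sees exactly the mounts in the spec.`; otherwise a TODO naming the missing entries is needed so the gap is not mistaken for a decision.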
@@ -0,0 +1,124 @@
+//go:build windows
+// +build windows
+
+package bridge
+
+import (
+ "encoding/json"
+ "fmt"
+
+ "github.com/Microsoft/hcsshim/hcn"
+ "github.com/Microsoft/hcsshim/internal/bridgeutils/commonutils"
+ "github.com/Microsoft/hcsshim/internal/gcs/prot"
+ hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
+ "github.com/Microsoft/hcsshim/internal/log"
+ "github.com/Microsoft/hcsshim/internal/oc"
+ "github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
+ "github.com/Microsoft/hcsshim/internal/protocol/guestresource"
+ "github.com/pkg/errors"
+)
+
+func unmarshalContainerModifySettings(req *request) (_ *prot.ContainerModifySettings, err error) {
+ ctx, span := oc.StartSpan(req.ctx, "sidecar::unmarshalContainerModifySettings")
+ defer span.End()
+ defer func() { oc.SetSpanStatus(span, err) }()
+
+ var r prot.ContainerModifySettings
+ var requestRawSettings json.RawMessage
+ r.Request = &requestRawSettings
+ if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil {
+ return nil, errors.Wrap(err, "failed to unmarshal rpcModifySettings")
+ }
+
+ var modifyGuestSettingsRequest guestrequest.ModificationRequest
+ var rawGuestRequest json.RawMessage
+ modifyGuestSettingsRequest.Settings = &rawGuestRequest
+ if err := commonutils.UnmarshalJSONWithHresult(requestRawSettings, &modifyGuestSettingsRequest); err != nil {
+ return nil, errors.Wrap(err, "invalid rpcModifySettings ModificationRequest")
+ }
+
+ if modifyGuestSettingsRequest.RequestType == "" {
+ modifyGuestSettingsRequest.RequestType = guestrequest.RequestTypeAdd
+ }
+
+ if modifyGuestSettingsRequest.ResourceType != "" {
+ switch modifyGuestSettingsRequest.ResourceType {
+ case guestresource.ResourceTypeCWCOWCombinedLayers:
+ settings := &guestresource.CWCOWCombinedLayers{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, settings); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeCWCOWCombinedLayers request")
+ }
+ modifyGuestSettingsRequest.Settings = settings
+
+ case guestresource.ResourceTypeCombinedLayers:
+ settings := &guestresource.WCOWCombinedLayers{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, settings); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeCombinedLayers request")
+ }
+ modifyGuestSettingsRequest.Settings = settings
+
+ case guestresource.ResourceTypeNetworkNamespace:
+ settings := &hcn.HostComputeNamespace{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, settings); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeNetworkNamespace request")
+ }
+ modifyGuestSettingsRequest.Settings = settings
+
+ case guestresource.ResourceTypeNetwork:
+ settings := &guestrequest.NetworkModifyRequest{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, settings); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeNetwork request")
+ }
+ modifyGuestSettingsRequest.Settings = settings
+
+ case guestresource.ResourceTypeMappedVirtualDisk:
+ wcowMappedVirtualDisk := &guestresource.WCOWMappedVirtualDisk{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, wcowMappedVirtualDisk); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeMappedVirtualDisk request")
+ }
+ modifyGuestSettingsRequest.Settings = wcowMappedVirtualDisk
+
+ case guestresource.ResourceTypeHvSocket:
+ hvSocketAddress := &hcsschema.HvSocketAddress{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, hvSocketAddress); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeHvSocket request")
+ }
+ modifyGuestSettingsRequest.Settings = hvSocketAddress
+
+ case guestresource.ResourceTypeMappedDirectory:
+ settings := &hcsschema.MappedDirectory{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, settings); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeMappedDirectory request")
+ }
+ modifyGuestSettingsRequest.Settings = settings
+
+ case guestresource.ResourceTypeSecurityPolicy:
+ securityPolicyRequest := &guestresource.WCOWConfidentialOptions{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, securityPolicyRequest); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeSecurityPolicy request")
+ }
+ modifyGuestSettingsRequest.Settings = securityPolicyRequest
+
+ case guestresource.ResourceTypeMappedVirtualDiskForContainerScratch:
+ wcowMappedVirtualDisk := &guestresource.WCOWMappedVirtualDisk{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, wcowMappedVirtualDisk); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeMappedVirtualDiskForContainerScratch request")
+ }
+ modifyGuestSettingsRequest.Settings = wcowMappedVirtualDisk
+
+ case guestresource.ResourceTypeWCOWBlockCims:
+ wcowBlockCimMounts := &guestresource.WCOWBlockCIMMounts{}
+ if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, wcowBlockCimMounts); err != nil {
+ return nil, errors.Wrap(err, "invalid ResourceTypeWCOWBlockCims request")
+ }
+ modifyGuestSettingsRequest.Settings = wcowBlockCimMounts
+
+ default:
+ // Invalid request
+ log.G(ctx).Errorf("Invald modifySettingsRequest: %v", modifyGuestSettingsRequest.ResourceType)
+ return nil, fmt.Errorf("invald modifySettingsRequest")
+ }
+ }
+ r.Request = &modifyGuestSettingsRequest
+ return &r, nil
+}
diff --git a/internal/gcs/bridge.go b/internal/gcs/bridge.go
index 79daec0d7e..65ada4ed45 100644
--- a/internal/gcs/bridge.go
+++ b/internal/gcs/bridge.go
@@ -24,18 +24,6 @@ import ( "github.com/Microsoft/hcsshim/internal/oc" ) -const ( - hdrSize = 16 - hdrOffType = 0 - hdrOffSize = 4 - hdrOffID = 8 - - // maxMsgSize is the maximum size of an incoming message. This is not - // enforced by the guest today but some maximum must be set to avoid - // unbounded allocations. - maxMsgSize = 0x10000 -) - type requestMessage interface { Base() *prot.RequestBase } 
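Review bot: The default branch of the switch in unmarshalContainerModifySettings both logs and returns the same condition, and the returned error drops the resource type that only the log carries, so the caller (which in ListenAndServe logs the returned error again) reports less than the sidecar knew. Fold the two into one: `return nil, fmt.Errorf("invalid modifySettingsRequest: unsupported resource type %q", modifyGuestSettingsRequest.ResourceType)` and delete the `log.G(ctx).Errorf` line; this also fixes the `invald` typo. The function is the single decoding point for every modify request the sidecar inspects and has no doc comment; something like `// unmarshalContainerModifySettings decodes a ModifySettings request and replaces the raw Settings payload with the concrete type selected by ResourceType; an empty ResourceType leaves Settings as raw JSON, and an unknown one is rejected.` would help the handlers' readers, since they type-assert on what this function produced.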
@@ -46,7 +34,7 @@ type responseMessage interface { // rpc represents an outstanding rpc request to the guest type rpc struct { - proc prot.RpcProc + proc prot.RPCProc id int64 req requestMessage resp responseMessage @@ -142,7 +130,7 @@ func (brdg *bridge) Wait() error { // AsyncRPC sends an RPC request to the guest but does not wait for a response. // If the message cannot be sent before the context is done, then an error is // returned. -func (brdg *bridge) AsyncRPC(ctx context.Context, proc prot.RpcProc, req requestMessage, resp responseMessage) (*rpc, error) { +func (brdg *bridge) AsyncRPC(ctx context.Context, proc prot.RPCProc, req requestMessage, resp responseMessage) (*rpc, error) { call := &rpc{ ch: make(chan struct{}), proc: proc, @@ -223,7 +211,7 @@ func (call *rpc) Wait() { // If allowCancel is set and the context becomes done, returns an error without // waiting for a response. Avoid this on messages that are not idempotent or // otherwise safe to ignore the response of. -func (brdg *bridge) RPC(ctx context.Context, proc prot.RpcProc, req requestMessage, resp responseMessage, allowCancel bool) error { +func (brdg *bridge) RPC(ctx context.Context, proc prot.RPCProc, req requestMessage, resp responseMessage, allowCancel bool) error { call, err := brdg.AsyncRPC(ctx, proc, req, resp) if err != nil { return err 
@@ -264,22 +252,22 @@ func readMessage(r io.Reader) (int64, prot.MsgType, []byte, error) { _, span := oc.StartSpan(context.Background(), "bridge receive read message", oc.WithClientSpanKind) defer span.End() - var h [hdrSize]byte + var h [prot.HdrSize]byte _, err := io.ReadFull(r, h[:]) if err != nil { return 0, 0, nil, err } - typ := prot.MsgType(binary.LittleEndian.Uint32(h[hdrOffType:])) - n := binary.LittleEndian.Uint32(h[hdrOffSize:]) - id := int64(binary.LittleEndian.Uint64(h[hdrOffID:])) + typ := prot.MsgType(binary.LittleEndian.Uint32(h[prot.HdrOffType:])) + n := binary.LittleEndian.Uint32(h[prot.HdrOffSize:]) + id := int64(binary.LittleEndian.Uint64(h[prot.HdrOffID:])) span.AddAttributes( trace.StringAttribute("type", typ.String()), trace.Int64Attribute("message-id", id)) - if n < hdrSize || n > maxMsgSize { + if n < prot.HdrSize || n > prot.MaxMsgSize { return 0, 0, nil, fmt.Errorf("invalid message size %d", n) } - n -= hdrSize + n -= prot.HdrSize b := make([]byte, n) _, err = io.ReadFull(r, b) if err != nil { 
@@ -392,24 +380,24 @@ func (brdg *bridge) writeMessage(buf *bytes.Buffer, enc *json.Encoder, typ prot. trace.Int64Attribute("message-id", id)) // Prepare the buffer with the message. - var h [hdrSize]byte - binary.LittleEndian.PutUint32(h[hdrOffType:], uint32(typ)) - binary.LittleEndian.PutUint64(h[hdrOffID:], uint64(id)) + var h [prot.HdrSize]byte + binary.LittleEndian.PutUint32(h[prot.HdrOffType:], uint32(typ)) + binary.LittleEndian.PutUint64(h[prot.HdrOffID:], uint64(id)) buf.Write(h[:]) err = enc.Encode(req) if err != nil { return fmt.Errorf("bridge encode: %w", err) } // Update the message header with the size. - binary.LittleEndian.PutUint32(buf.Bytes()[hdrOffSize:], uint32(buf.Len())) + binary.LittleEndian.PutUint32(buf.Bytes()[prot.HdrOffSize:], uint32(buf.Len())) if brdg.log.Logger.GetLevel() > logrus.DebugLevel { - b := buf.Bytes()[hdrSize:] + b := buf.Bytes()[prot.HdrSize:] switch typ { // container environment vars are in rpCreate for linux; rpcExecuteProcess for windows - case prot.MsgType(prot.RpcCreate) | prot.MsgTypeRequest: + case prot.MsgType(prot.RPCCreate) | prot.MsgTypeRequest: b, err = log.ScrubBridgeCreate(b) - case prot.MsgType(prot.RpcExecuteProcess) | prot.MsgTypeRequest: + case prot.MsgType(prot.RPCExecuteProcess) | prot.MsgTypeRequest: b, err = log.ScrubBridgeExecProcess(b) } if err != nil { diff --git a/internal/gcs/bridge_test.go b/internal/gcs/bridge_test.go index 5a6ab368f1..3da35e9d9d 100644 --- a/internal/gcs/bridge_test.go +++ b/internal/gcs/bridge_test.go @@ -93,7 +93,7 @@ func TestBridgeRPC(t *testing.T) { defer b.Close() req := testReq{X: 5} var resp testResp - err := b.RPC(context.Background(), prot.RpcCreate, &req, &resp, false) + err := b.RPC(context.Background(), prot.RPCCreate, &req, &resp, false) if err != nil { t.Fatal(err) } 
@@ -108,7 +108,7 @@ func TestBridgeRPCResponseTimeout(t *testing.T) { b.Timeout = time.Millisecond * 100 req := testReq{X: 5} var resp testResp - err := b.RPC(context.Background(), prot.RpcCreate, &req, &resp, false) + err := b.RPC(context.Background(), prot.RPCCreate, &req, &resp, false) if err == nil || !strings.Contains(err.Error(), "bridge closed") { t.Fatalf("expected bridge disconnection, got %s", err) } @@ -122,7 +122,7 @@ func TestBridgeRPCContextDone(t *testing.T) { defer cancel() req := testReq{X: 5} var resp testResp - err := b.RPC(ctx, prot.RpcCreate, &req, &resp, true) + err := b.RPC(ctx, prot.RPCCreate, &req, &resp, true) if err != context.DeadlineExceeded { //nolint:errorlint t.Fatalf("expected deadline exceeded, got %s", err) } @@ -136,7 +136,7 @@ func TestBridgeRPCContextDoneNoCancel(t *testing.T) { defer cancel() req := testReq{X: 5} var resp testResp - err := b.RPC(ctx, prot.RpcCreate, &req, &resp, false) + err := b.RPC(ctx, prot.RPCCreate, &req, &resp, false) if err == nil || !strings.Contains(err.Error(), "bridge closed") { t.Fatalf("expected bridge disconnection, got %s", err) } @@ -146,7 +146,7 @@ func TestBridgeRPCBridgeClosed(t *testing.T) { b := startReflectedBridge(t, 0) eerr := errors.New("forcibly terminated") b.kill(eerr) - err := b.RPC(context.Background(), prot.RpcCreate, nil, nil, false) + err := b.RPC(context.Background(), prot.RPCCreate, nil, nil, false) if err != eerr { //nolint:errorlint t.Fatal("unexpected: ", err) } diff --git a/internal/gcs/container.go b/internal/gcs/container.go index 728f38a43a..549abd35a2 100644 --- a/internal/gcs/container.go +++ b/internal/gcs/container.go 
@@ -56,10 +56,10 @@ func (gc *GuestConnection) CreateContainer(ctx context.Context, cid string, conf } req := prot.ContainerCreate{ RequestBase: makeRequest(ctx, cid), - ContainerConfig: prot.AnyInString{config}, + ContainerConfig: prot.AnyInString{Value: config}, } var resp prot.ContainerCreateResponse - err = gc.brdg.RPC(ctx, prot.RpcCreate, &req, &resp, false) + err = gc.brdg.RPC(ctx, prot.RPCCreate, &req, &resp, false) if err != nil { return nil, err } @@ -135,7 +135,7 @@ func (c *Container) Modify(ctx context.Context, config interface{}) (err error) Request: config, } var resp prot.ResponseBase - return c.gc.brdg.RPC(ctx, prot.RpcModifySettings, &req, &resp, false) + return c.gc.brdg.RPC(ctx, prot.RPCModifySettings, &req, &resp, false) } // Properties returns the requested container properties targeting a V1 schema prot.Container. @@ -150,7 +150,7 @@ func (c *Container) Properties(ctx context.Context, types ...schema1.PropertyTyp Query: prot.ContainerPropertiesQuery{PropertyTypes: types}, } var resp prot.ContainerGetPropertiesResponse - err = c.gc.brdg.RPC(ctx, prot.RpcGetProperties, &req, &resp, true) + err = c.gc.brdg.RPC(ctx, prot.RPCGetProperties, &req, &resp, true) if err != nil { return nil, err } @@ -169,7 +169,7 @@ func (c *Container) PropertiesV2(ctx context.Context, types ...hcsschema.Propert Query: prot.ContainerPropertiesQueryV2{PropertyTypes: types}, } var resp prot.ContainerGetPropertiesResponseV2 - err = c.gc.brdg.RPC(ctx, prot.RpcGetProperties, &req, &resp, true) + err = c.gc.brdg.RPC(ctx, prot.RPCGetProperties, &req, &resp, true) if err != nil { return nil, err } 
@@ -185,10 +185,10 @@ func (c *Container) Start(ctx context.Context) (err error) { req := makeRequest(ctx, c.id) var resp prot.ResponseBase - return c.gc.brdg.RPC(ctx, prot.RpcStart, &req, &resp, false) + return c.gc.brdg.RPC(ctx, prot.RPCStart, &req, &resp, false) } -func (c *Container) shutdown(ctx context.Context, proc prot.RpcProc) error { +func (c *Container) shutdown(ctx context.Context, proc prot.RPCProc) error { req := makeRequest(ctx, c.id) var resp prot.ResponseBase err := c.gc.brdg.RPC(ctx, proc, &req, &resp, true) @@ -216,7 +216,7 @@ func (c *Container) Shutdown(ctx context.Context) (err error) { ctx, cancel := context.WithTimeout(ctx, 30*time.Second) defer cancel() - return c.shutdown(ctx, prot.RpcShutdownGraceful) + return c.shutdown(ctx, prot.RPCShutdownGraceful) } // Terminate sends a forceful terminate request to the container. The container @@ -230,7 +230,7 @@ func (c *Container) Terminate(ctx context.Context) (err error) { ctx, cancel := context.WithTimeout(ctx, 30*time.Second) defer cancel() - return c.shutdown(ctx, prot.RpcShutdownForced) + return c.shutdown(ctx, prot.RPCShutdownForced) } func (c *Container) WaitChannel() <-chan struct{} { diff --git a/internal/gcs/guestconnection.go b/internal/gcs/guestconnection.go index 9607c61261..9107dd4d3b 100644 --- a/internal/gcs/guestconnection.go +++ b/internal/gcs/guestconnection.go @@ -123,7 +123,7 @@ func (gc *GuestConnection) connect(ctx context.Context, isColdStart bool, initGu MaximumVersion: protocolVersion, } var resp prot.NegotiateProtocolResponse - err = gc.brdg.RPC(ctx, prot.RpcNegotiateProtocol, &req, &resp, true) + err = gc.brdg.RPC(ctx, prot.RPCNegotiateProtocol, &req, &resp, true) if err != nil { return err } 
@@ -150,17 +150,17 @@ func (gc *GuestConnection) connect(ctx context.Context, isColdStart bool, initGu } createReq := prot.ContainerCreate{ RequestBase: makeRequest(ctx, nullContainerID), - ContainerConfig: prot.AnyInString{conf}, + ContainerConfig: prot.AnyInString{Value: conf}, } var createResp prot.ResponseBase - err = gc.brdg.RPC(ctx, prot.RpcCreate, &createReq, &createResp, true) + err = gc.brdg.RPC(ctx, prot.RPCCreate, &createReq, &createResp, true) if err != nil { return err } if resp.Capabilities.SendHostStartMessage { startReq := makeRequest(ctx, nullContainerID) var startResp prot.ResponseBase - err = gc.brdg.RPC(ctx, prot.RpcStart, &startReq, &startResp, true) + err = gc.brdg.RPC(ctx, prot.RPCStart, &startReq, &startResp, true) if err != nil { return err } @@ -181,7 +181,7 @@ func (gc *GuestConnection) Modify(ctx context.Context, settings interface{}) (er Request: settings, } var resp prot.ResponseBase - return gc.brdg.RPC(ctx, prot.RpcModifySettings, &req, &resp, false) + return gc.brdg.RPC(ctx, prot.RPCModifySettings, &req, &resp, false) } func (gc *GuestConnection) DumpStacks(ctx context.Context) (response string, err error) { @@ -193,7 +193,7 @@ func (gc *GuestConnection) DumpStacks(ctx context.Context) (response string, err RequestBase: makeRequest(ctx, nullContainerID), } var resp prot.DumpStacksResponse - err = gc.brdg.RPC(ctx, prot.RpcDumpStacks, &req, &resp, false) + err = gc.brdg.RPC(ctx, prot.RPCDumpStacks, &req, &resp, false) return resp.GuestStacks, err } @@ -207,7 +207,7 @@ func (gc *GuestConnection) DeleteContainerState(ctx context.Context, cid string) RequestBase: makeRequest(ctx, cid), } var resp prot.ResponseBase - return gc.brdg.RPC(ctx, prot.RpcDeleteContainerState, &req, &resp, false) + return gc.brdg.RPC(ctx, prot.RPCDeleteContainerState, &req, &resp, false) } // Close terminates the guest connection. It is undefined to call any other 
diff --git a/internal/gcs/guestconnection_test.go b/internal/gcs/guestconnection_test.go index 8c505be54b..6a72cb8a3f 100644 --- a/internal/gcs/guestconnection_test.go +++ b/internal/gcs/guestconnection_test.go @@ -56,8 +56,8 @@ func simpleGcsLoop(t *testing.T, rw io.ReadWriter) error { } return err } - switch proc := prot.RpcProc(typ &^ prot.MsgTypeRequest); proc { - case prot.RpcNegotiateProtocol: + switch proc := prot.RPCProc(typ &^ prot.MsgTypeRequest); proc { + case prot.RPCNegotiateProtocol: err := sendJSON(t, rw, prot.MsgTypeResponse|prot.MsgType(proc), id, &prot.NegotiateProtocolResponse{ Version: protocolVersion, Capabilities: prot.GcsCapabilities{ @@ -67,12 +67,12 @@ func simpleGcsLoop(t *testing.T, rw io.ReadWriter) error { if err != nil { return err } - case prot.RpcCreate: + case prot.RPCCreate: err := sendJSON(t, rw, prot.MsgTypeResponse|prot.MsgType(proc), id, &prot.ContainerCreateResponse{}) if err != nil { return err } - case prot.RpcExecuteProcess: + case prot.RPCExecuteProcess: var req prot.ContainerExecuteProcess var params baseProcessParams req.Settings.ProcessParameters.Value = ¶ms @@ -118,9 +118,9 @@ func simpleGcsLoop(t *testing.T, rw io.ReadWriter) error { if err != nil { return err } - case prot.RpcWaitForProcess: + case prot.RPCWaitForProcess: // nothing - case prot.RpcShutdownForced: + case prot.RPCShutdownForced: var req prot.RequestBase err = json.Unmarshal(b, &req) if err != nil { diff --git a/internal/gcs/process.go b/internal/gcs/process.go index f5f013cd57..91d3a87faa 100644 --- a/internal/gcs/process.go +++ b/internal/gcs/process.go @@ -56,7 +56,7 @@ func (gc *GuestConnection) exec(ctx context.Context, cid string, params interfac req := prot.ContainerExecuteProcess{ RequestBase: makeRequest(ctx, cid), Settings: prot.ExecuteProcessSettings{ - ProcessParameters: prot.AnyInString{params}, + ProcessParameters: prot.AnyInString{Value: params}, }, } 
@@ -102,7 +102,7 @@ func (gc *GuestConnection) exec(ctx context.Context, cid string, params interfac } var resp prot.ContainerExecuteProcessResponse - err = gc.brdg.RPC(ctx, prot.RpcExecuteProcess, &req, &resp, false) + err = gc.brdg.RPC(ctx, prot.RPCExecuteProcess, &req, &resp, false) if err != nil { return nil, err } @@ -114,7 +114,7 @@ func (gc *GuestConnection) exec(ctx context.Context, cid string, params interfac ProcessID: p.id, TimeoutInMs: 0xffffffff, } - p.waitCall, err = gc.brdg.AsyncRPC(ctx, prot.RpcWaitForProcess, &waitReq, &p.waitResp) + p.waitCall, err = gc.brdg.AsyncRPC(ctx, prot.RPCWaitForProcess, &waitReq, &p.waitResp) if err != nil { return nil, fmt.Errorf("failed to wait on process, leaking process: %w", err) } @@ -228,7 +228,7 @@ func (p *Process) ResizeConsole(ctx context.Context, width, height uint16) (err Width: width, } var resp prot.ResponseBase - return p.gc.brdg.RPC(ctx, prot.RpcResizeConsole, &req, &resp, true) + return p.gc.brdg.RPC(ctx, prot.RPCResizeConsole, &req, &resp, true) } // Signal sends a signal to the process, returning whether it was delivered. @@ -248,7 +248,7 @@ func (p *Process) Signal(ctx context.Context, options interface{}) (_ bool, err var resp prot.ResponseBase // FUTURE: SIGKILL is idempotent and can safely be cancelled, but this interface // does currently make it easy to determine what signal is being sent. - err = p.gc.brdg.RPC(ctx, prot.RpcSignalProcess, &req, &resp, false) + err = p.gc.brdg.RPC(ctx, prot.RPCSignalProcess, &req, &resp, false) if err != nil { if uint32(resp.Result) != hrNotFound { return false, err diff --git a/internal/gcs/prot/protocol.go b/internal/gcs/prot/protocol.go index 0555d71c5f..6be8f95482 100644 --- a/internal/gcs/prot/protocol.go +++ b/internal/gcs/prot/protocol.go 
@@ -13,9 +13,37 @@ import ( hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2" ) -// LinuxGcsVsockPort is the vsock port number that the Linux GCS will -// connect to. -const LinuxGcsVsockPort = 0x40000000 +const ( + HdrSize = 16 + HdrOffType = 0 + HdrOffSize = 4 + HdrOffID = 8 + + // maxMsgSize is the maximum size of an incoming message. This is not + // enforced by the guest today but some maximum must be set to avoid + // unbounded allocations. + MaxMsgSize = 0x10000 + + // LinuxGcsVsockPort is the vsock port number that the Linux GCS will + // connect to. + LinuxGcsVsockPort = 0x40000000 +) + +// e0e16197-dd56-4a10-9195-5ee7a155a838 +var HvGUIDLoopback = guid.GUID{ + Data1: 0xe0e16197, + Data2: 0xdd56, + Data3: 0x4a10, + Data4: [8]uint8{0x91, 0x95, 0x5e, 0xe7, 0xa1, 0x55, 0xa8, 0x38}, +} + +// a42e7cda-d03f-480c-9cc2-a4de20abb878 +var HvGUIDParent = guid.GUID{ + Data1: 0xa42e7cda, + Data2: 0xd03f, + Data3: 0x480c, + Data4: [8]uint8{0x9c, 0xc2, 0xa4, 0xde, 0x20, 0xab, 0xb8, 0x78}, +} // WindowsGcsHvsockServiceID is the hvsock service ID that the Windows GCS // will connect to. @@ -26,6 +54,15 @@ var WindowsGcsHvsockServiceID = guid.GUID{ Data4: [8]uint8{0x85, 0x6b, 0x62, 0x45, 0xe6, 0x9f, 0x46, 0x20}, } +// WindowsSidecarGcsHvsockServiceID is the hvsock service ID that the Windows GCS +// sidecar will connect to. This is only used in the confidential mode. +var WindowsSidecarGcsHvsockServiceID = guid.GUID{ + Data1: 0xae8da506, + Data2: 0xa019, + Data3: 0x4553, + Data4: [8]uint8{0xa5, 0x2b, 0x90, 0x2b, 0xc0, 0xfa, 0x04, 0x11}, +} + // WindowsGcsHvHostID is the hvsock address for the parent of the VM running the GCS var WindowsGcsHvHostID = guid.GUID{ Data1: 0x894cc2d6, 
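Review bot: The doc comment above `MaxMsgSize` still reads `// maxMsgSize is the maximum size of an incoming message ...`, which no longer matches the exported name, and the other identifiers this hunk exports — `HdrSize`, `HdrOffType`, `HdrOffSize`, `HdrOffID`, `HvGUIDLoopback`, `HvGUIDParent` — have no doc comment at all (the two GUID vars carry only the bare GUID string). Since writeMessage in bridge.go lays the header out as a uint32 type at HdrOffType, a uint32 total length at HdrOffSize and a uint64 ID at HdrOffID, a comment such as `// HdrSize is the length in bytes of the bridge message header: uint32 type at HdrOffType, uint32 total message length at HdrOffSize, uint64 message ID at HdrOffID.` lets the sidecar reuse the constants without reading bridge.go. Now that the bound is shared, the MaxMsgSize comment should also say which side enforces it: it states the guest does not, so presumably the host-side bridge reader is the only allocation guard and a sidecar reusing the constant needs to keep that check. For the GUID vars, comments that start with the name (`// HvGUIDLoopback is the hvsock VM ID for loopback (e0e16197-dd56-4a10-9195-5ee7a155a838).`) satisfy the exported-name convention; I cannot confirm the loopback/parent semantics from this hunk, so verify the wording.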
@@ -46,57 +83,57 @@ func (a *AnyInString) UnmarshalText(b []byte) error { return json.Unmarshal(b, &a.Value) } -type RpcProc uint32 +type RPCProc uint32 const ( - RpcCreate RpcProc = (iota+1)<<8 | 1 - RpcStart - RpcShutdownGraceful - RpcShutdownForced - RpcExecuteProcess - RpcWaitForProcess - RpcSignalProcess - RpcResizeConsole - RpcGetProperties - RpcModifySettings - RpcNegotiateProtocol - RpcDumpStacks - RpcDeleteContainerState - RpcUpdateContainer - RpcLifecycleNotification + RPCCreate RPCProc = (iota+1)<<8 | 1 + RPCStart + RPCShutdownGraceful + RPCShutdownForced + RPCExecuteProcess + RPCWaitForProcess + RPCSignalProcess + RPCResizeConsole + RPCGetProperties + RPCModifySettings + RPCNegotiateProtocol + RPCDumpStacks + RPCDeleteContainerState + RPCUpdateContainer + RPCLifecycleNotification ) -func (rpc RpcProc) String() string { +func (rpc RPCProc) String() string { switch rpc { - case RpcCreate: + case RPCCreate: return "Create" - case RpcStart: + case RPCStart: return "Start" - case RpcShutdownGraceful: + case RPCShutdownGraceful: return "ShutdownGraceful" - case RpcShutdownForced: + case RPCShutdownForced: return "ShutdownForced" - case RpcExecuteProcess: + case RPCExecuteProcess: return "ExecuteProcess" - case RpcWaitForProcess: + case RPCWaitForProcess: return "WaitForProcess" - case RpcSignalProcess: + case RPCSignalProcess: return "SignalProcess" - case RpcResizeConsole: + case RPCResizeConsole: return "ResizeConsole" - case RpcGetProperties: + case RPCGetProperties: return "GetProperties" - case RpcModifySettings: + case RPCModifySettings: return "ModifySettings" - case RpcNegotiateProtocol: + case RPCNegotiateProtocol: return "NegotiateProtocol" - case RpcDumpStacks: + case RPCDumpStacks: return "DumpStacks" - case RpcDeleteContainerState: + case RPCDeleteContainerState: return "DeleteContainerState" - case RpcUpdateContainer: + case RPCUpdateContainer: return "UpdateContainer" - case RpcLifecycleNotification: + case RPCLifecycleNotification: return 
"LifecycleNotification" default: return "0x" + strconv.FormatUint(uint64(rpc), 16) @@ -133,7 +170,7 @@ func (typ MsgType) String() string { default: return fmt.Sprintf("%#x", uint32(typ)) } - s += RpcProc(typ &^ MsgTypeMask).String() + s += RPCProc(typ &^ MsgTypeMask).String() return s + ")" } diff --git a/internal/guest/prot/protocol.go b/internal/guest/prot/protocol.go index 88993ae563..576ac5e5f1 100644 --- a/internal/guest/prot/protocol.go +++ b/internal/guest/prot/protocol.go @@ -501,9 +501,9 @@ type ResourceModificationRequestResponse struct { Settings interface{} `json:",omitempty"` } -// ContainerModifySettings is the message from the HCS specifying how a certain +// containerModifySettings is the message from the HCS specifying how a certain // container resource should be modified. -type ContainerModifySettings struct { +type containerModifySettings struct { MessageBase Request interface{} } @@ -512,9 +512,9 @@ type ContainerModifySettings struct { // ContainerModifySettings message. This function is required because properties // such as `Settings` can be of many types identified by the `ResourceType` and // require dynamic unmarshalling. -func UnmarshalContainerModifySettings(b []byte) (*ContainerModifySettings, error) { +func UnmarshalContainerModifySettings(b []byte) (*containerModifySettings, error) { // Unmarshal the message. - var request ContainerModifySettings + var request containerModifySettings var requestRawSettings json.RawMessage request.Request = &requestRawSettings if err := commonutils.UnmarshalJSONWithHresult(b, &request); err != nil { diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go index 87cc5f333c..c35e981bbc 100644 --- a/internal/guest/runtime/hcsv2/uvm.go +++ b/internal/guest/runtime/hcsv2/uvm.go 
@@ -22,13 +22,6 @@ import ( "github.com/Microsoft/cosesign1go/pkg/cosesign1" didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver" - "github.com/Microsoft/hcsshim/pkg/annotations" - "github.com/Microsoft/hcsshim/pkg/securitypolicy" - "github.com/mattn/go-shellwords" - "github.com/opencontainers/runtime-spec/specs-go" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" - "golang.org/x/sys/unix" "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr" "github.com/Microsoft/hcsshim/internal/debug" "github.com/Microsoft/hcsshim/internal/guest/policy" @@ -48,6 +41,13 @@ import ( "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" "github.com/Microsoft/hcsshim/internal/protocol/guestresource" "github.com/Microsoft/hcsshim/internal/verity" + "github.com/Microsoft/hcsshim/pkg/annotations" + "github.com/Microsoft/hcsshim/pkg/securitypolicy" + "github.com/mattn/go-shellwords" + "github.com/opencontainers/runtime-spec/specs-go" + "github.com/pkg/errors" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" ) // UVMContainerID is the ContainerID that will be sent on any prot.MessageBase diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go index 89c2003d7e..b848017c13 100644 --- a/internal/protocol/guestresource/resources.go +++ b/internal/protocol/guestresource/resources.go @@ -4,6 +4,7 @@ import ( "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" "github.com/opencontainers/runtime-spec/specs-go" + "github.com/Microsoft/go-winio/pkg/guid" hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2" ) 
@@ -33,6 +34,10 @@ const ( // ResourceTypeCombinedLayers is the modify resource type for combined // layers ResourceTypeCombinedLayers guestrequest.ResourceType = "CombinedLayers" + // ResourceTypeCWCOWCombinedLayers is the modify resource type for combined + // layers call for cwcow cases. This resource type wraps containerID around + // ResourceTypeCombinedLayers. + ResourceTypeCWCOWCombinedLayers guestrequest.ResourceType = "CWCOWCombinedLayers" // ResourceTypeVPMemDevice is the modify resource type for VPMem devices ResourceTypeVPMemDevice guestrequest.ResourceType = "VPMemDevice" // ResourceTypeVPCIDevice is the modify resource type for vpci devices @@ -46,6 +51,12 @@ const ( ResourceTypeSecurityPolicy guestrequest.ResourceType = "SecurityPolicy" // ResourceTypePolicyFragment is the modify resource type for injecting policy fragments. ResourceTypePolicyFragment guestrequest.ResourceType = "SecurityPolicyFragment" + // ResourceTypeWCOWBlockCims is the modify resource type for mounting block cims for hyperv + // wcow containers. + ResourceTypeWCOWBlockCims guestrequest.ResourceType = "WCOWBlockCims" + // ResourceTypeMappedVirtualDiskForContainerScratch is the modify resource type + // specifically for refs formatting and mounting scratch vhds for c-wcow cases only. + ResourceTypeMappedVirtualDiskForContainerScratch guestrequest.ResourceType = "MappedVirtualDiskForContainerScratch" ) // This class is used by a modify request to add or remove a combined layers @@ -67,6 +78,11 @@ type WCOWCombinedLayers struct { ScratchPath string `json:"ScratchPath,omitempty"` } +type CWCOWCombinedLayers struct { + ContainerID string `json:"ContainerID,omitempty"` + CombinedLayers WCOWCombinedLayers `json:"CombinedLayers,omitempty"` +} + // Defines the schema for hosted settings passed to GCS and/or OpenGCS // SCSIDevice represents a SCSI device that is attached to the system. 
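Review bot: The `omitempty` on `CombinedLayers WCOWCombinedLayers` in `CWCOWCombinedLayers` has no effect: encoding/json only omits false, 0, nil pointers/interfaces and empty arrays, slices, maps and strings, never a struct value, so the tag should be `json:"CombinedLayers"` (or the field made a pointer if omission is really wanted). The same applies to `VolumeGUID guid.GUID` tagged `json:"VolumeGUID,omitempty"` in the WCOWBlockCIMMounts hunk that follows. `CWCOWCombinedLayers` is also exported without a doc comment; given the ResourceTypeCWCOWCombinedLayers comment says the type wraps a container ID around a combined-layers request, `// CWCOWCombinedLayers is the payload of ResourceTypeCWCOWCombinedLayers: a WCOWCombinedLayers request scoped to the container identified by ContainerID.` would do. Because `ContainerID` is `omitempty`, an unset ID disappears from the wire rather than failing early, so the guest-side handler (outside this patch) should reject an empty ContainerID explicitly.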
@@ -92,6 +108,18 @@ type LCOWMappedVirtualDisk struct { Filesystem string `json:"Filesystem,omitempty"` } +type BlockCIMDevice struct { + CimName string + Lun int32 +} + +type WCOWBlockCIMMounts struct { + // BlockCIMs should be ordered from merged CIM followed by Layer n .. layer 1 + BlockCIMs []BlockCIMDevice `json:"BlockCIMs,omitempty"` + VolumeGUID guid.GUID `json:"VolumeGUID,omitempty"` + MountFlags uint32 `json:"MountFlags,omitempty"` +} + type WCOWMappedVirtualDisk struct { ContainerPath string `json:"ContainerPath,omitempty"` Lun int32 `json:"Lun,omitempty"` @@ -207,3 +235,14 @@ type LCOWConfidentialOptions struct { type LCOWSecurityPolicyFragment struct { Fragment string `json:"Fragment,omitempty"` } + +type WCOWConfidentialOptions struct { + EnforcerType string `json:"EnforcerType,omitempty"` + EncodedSecurityPolicy string `json:"EncodedSecurityPolicy,omitempty"` + // Optional security policy + WCOWSecurityPolicy string + // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length + WCOWSecurityPolicyEnabled bool + // Set which security policy enforcer to use (open door or rego). This allows for better fallback mechanic. + WCOWSecurityPolicyEnforcer string +} diff --git a/pkg/securitypolicy/securitypolicy_uvmpath_linux.go b/pkg/securitypolicy/securitypolicy_uvmpath_linux.go new file mode 100644 index 0000000000..4fdfaafdcc --- /dev/null +++ b/pkg/securitypolicy/securitypolicy_uvmpath_linux.go 
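Review bot: `BlockCIMDevice` and `WCOWBlockCIMMounts` are exported without doc comments, and `BlockCIMDevice` is the only struct in this hunk without json tags, so its fields serialize under the Go names `CimName`/`Lun` while its neighbours use explicit tags — correct on the wire today, but `json:"CimName"` and `json:"Lun"` would stop a later rename from silently changing the protocol. `MountFlags uint32` says nothing about which flag values the guest accepts or where they are defined; I cannot tell from this hunk, so a comment pointing at the flag constants is needed. A type comment such as `// BlockCIMDevice identifies one block CIM by name and the LUN it is attached on.` covers the first point (presumably the SCSI LUN, as for WCOWMappedVirtualDisk — confirm).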
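Review bot: `WCOWConfidentialOptions` carries two fields for the policy (`EncodedSecurityPolicy` and `WCOWSecurityPolicy`) and two for the enforcer (`EnforcerType` and `WCOWSecurityPolicyEnforcer`) with nothing saying which one the guest honours when they disagree; for a setting that selects the security-policy enforcer, that precedence should be documented on the type or the duplicates dropped. Only the first two fields are json-tagged with omitempty, so the other three serialize under their Go names and are always emitted — the mixed tagging looks accidental. The comment on `WCOWSecurityPolicyEnabled` also has a typo (`rathen than`). `LCOWConfidentialOptions` sits just above this hunk and matching its field set and tagging would keep the two platforms parallel, but its fields are outside the hunk so I cannot confirm they line up.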
@@ -0,0 +1,34 @@ +//go:build linux +// +build linux + +package securitypolicy + +import ( + "strings" + + specInternal "github.com/Microsoft/hcsshim/internal/guest/spec" + "github.com/Microsoft/hcsshim/internal/guestpath" +) + +// This is being used by StandEnforcer. +// substituteUVMPath substitutes mount prefix to an appropriate path inside +// UVM. At policy generation time, it's impossible to tell what the sandboxID +// will be, so the prefix substitution needs to happen during runtime. +func substituteUVMPath(sandboxID string, m mountInternal) mountInternal { + if strings.HasPrefix(m.Source, guestpath.SandboxMountPrefix) { + m.Source = specInternal.SandboxMountSource(sandboxID, m.Source) + } else if strings.HasPrefix(m.Source, guestpath.HugePagesMountPrefix) { + m.Source = specInternal.HugePagesMountSource(sandboxID, m.Source) + } + return m +} + +// SandboxMountsDir returns sandbox mounts directory inside UVM/host. +func SandboxMountsDir(sandboxID string) string { + return specInternal.SandboxMountsDir((sandboxID)) +} + +// HugePagesMountsDir returns hugepages mounts directory inside UVM. +func HugePagesMountsDir(sandboxID string) string { + return specInternal.HugePagesMountsDir(sandboxID) +} diff --git a/pkg/securitypolicy/securitypolicy_uvmpath_windows.go b/pkg/securitypolicy/securitypolicy_uvmpath_windows.go new file mode 100644 index 0000000000..cc6949fa68 --- /dev/null +++ b/pkg/securitypolicy/securitypolicy_uvmpath_windows.go 
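Review bot: `SandboxMountsDir` wraps its argument in a redundant pair of parentheses, `return specInternal.SandboxMountsDir((sandboxID))`; it should read `return specInternal.SandboxMountsDir(sandboxID)`. The doc block on `substituteUVMPath` opens with `// This is being used by StandEnforcer.` before the sentence that names the function, so the name-first convention is broken, and the enforcer name looks truncated — verify it against the actual enforcer type. `SandboxMountsDir` and `HugePagesMountsDir` are exported from pkg/securitypolicy yet only forward to internal/guest/spec; presumably they exist so callers outside `internal` can resolve the same directories, and if so a sentence saying that would explain the wrappers.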
@@ -0,0 +1,24 @@ +//go:build windows +// +build windows + +package securitypolicy + +// This is being used by StandEnforcer and is a no-op for windows. +// substituteUVMPath substitutes mount prefix to an appropriate path inside +// UVM. At policy generation time, it's impossible to tell what the sandboxID +// will be, so the prefix substitution needs to happen during runtime. +func substituteUVMPath(sandboxID string, m mountInternal) mountInternal { + //no-op for windows + _ = sandboxID + return m +} + +// SandboxMountsDir returns sandbox mounts directory inside UVM/host. +func SandboxMountsDir(sandboxID string) string { + return "" +} + +// HugePagesMountsDir returns hugepages mounts directory inside UVM. +func HugePagesMountsDir(sandboxID string) string { + return "" +} diff --git a/pkg/securitypolicy/securitypolicyenforcer.go b/pkg/securitypolicy/securitypolicyenforcer.go index 5806eb7544..8792966229 100644 --- a/pkg/securitypolicy/securitypolicyenforcer.go +++ b/pkg/securitypolicy/securitypolicyenforcer.go @@ -1,6 +1,3 @@ -//go:build linux -// +build linux - package securitypolicy import ( @@ -10,15 +7,11 @@ import ( "fmt" "regexp" "strconv" - "strings" "sync" "syscall" oci "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" - - specGuest "github.com/Microsoft/hcsshim/internal/guest/spec" - "github.com/Microsoft/hcsshim/internal/guestpath" ) type createEnforcerFunc func(base64EncodedPolicy string, criMounts, criPrivilegedMounts []oci.Mount, maxErrorMessageLength int) (SecurityPolicyEnforcer, error) @@ -89,12 +82,15 @@ type SecurityPolicyEnforcer interface { GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error) } +//nolint type stringSet map[string]struct{} +//nolint func (s stringSet) add(item string) { s[item] = struct{}{} } +//nolint func (s stringSet) contains(item string) bool { _, contains := s[item] return contains 
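Review bot: The Windows `SandboxMountsDir` and `HugePagesMountsDir` return "" without the doc comment saying so, and a caller that joins the result with a relative path (`filepath.Join("", x)` yields `x`) ends up with a path resolved against the working directory instead of a sandbox directory. Document it on both, e.g. `// SandboxMountsDir returns the sandbox mounts directory inside the UVM/host; Windows has none, so it always returns "".`, and have callers check for the empty string before using it. In `substituteUVMPath` the line `_ = sandboxID` is unnecessary, since Go allows unused parameters; `func substituteUVMPath(_ string, m mountInternal) mountInternal` expresses the no-op more directly.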
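Review bot: The bare `//nolint` directives added above `stringSet`, `add` and `contains` suppress every linter for those declarations rather than the one that complained, and golangci-lint's nolintlint reports unqualified directives. Name the linter and the reason, e.g. `//nolint:unused // only referenced by the Linux enforcer; kept for the cross-platform build` — I infer the linter from the removal of the `//go:build linux` constraint in this file's first hunk, so confirm which check actually fires. Dropping that constraint also means the whole enforcer now compiles for Windows; the rest of the file, including whatever still needs `syscall`, is outside these hunks, so the Windows build needs checking separately.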
@@ -856,18 +852,6 @@ func (c *securityPolicyContainer) matchMount(sandboxID string, m oci.Mount) (err return fmt.Errorf("mount is not allowed by policy: %+v", m) } -// substituteUVMPath substitutes mount prefix to an appropriate path inside -// UVM. At policy generation time, it's impossible to tell what the sandboxID -// will be, so the prefix substitution needs to happen during runtime. -func substituteUVMPath(sandboxID string, m mountInternal) mountInternal { - if strings.HasPrefix(m.Source, guestpath.SandboxMountPrefix) { - m.Source = specGuest.SandboxMountSource(sandboxID, m.Source) - } else if strings.HasPrefix(m.Source, guestpath.HugePagesMountPrefix) { - m.Source = specGuest.HugePagesMountSource(sandboxID, m.Source) - } - return m -} - func stringSlicesEqual(slice1, slice2 []string) bool { if len(slice1) != len(slice2) { return false diff --git a/test/gcs/container_test.go b/test/gcs/container_test.go index 6a68e55c33..2f29f3979e 100644 --- a/test/gcs/container_test.go +++ b/test/gcs/container_test.go @@ -12,7 +12,7 @@ import ( "github.com/containerd/containerd/oci" "golang.org/x/sync/errgroup" - "github.com/Microsoft/hcsshim/internal/guest/gcserr" + "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr" "github.com/Microsoft/hcsshim/internal/guest/stdio" testoci "github.com/Microsoft/hcsshim/test/internal/oci" From 42508de001d7d1ac1b47f7bbced72a3e1e3325d4 Mon Sep 17 00:00:00 2001 From: Kirtana Ashok Date: Mon, 24 Mar 2025 09:59:29 -0700 Subject: [PATCH 03/20] Add Block CIM mount and refs format support - Add new resource type and code needed to support block cim mounts for hyperv wcow - Add support to invoke refs formatter 
Signed-off-by: Kirtana Ashok --- ...osofthcsshim\357\200\276\357\200\222-f qq" | 37974 ++++++++++++++++ internal/protocol/guestresource/resources.go | 10 +- internal/uvm/scsi/backend.go | 8 + internal/uvm/scsi/manager.go | 4 + internal/uvm/scsi/mount.go | 1 + internal/wclayer/cim/mount.go | 1 + pkg/cimfs/mount_cim.go | 6 +- "\357\200\222-f" | 1 + 8 files changed, 37998 insertions(+), 7 deletions(-) create mode 100644 "erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq" create mode 100644 "\357\200\222-f" diff --git "a/erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq" "b/erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq" new file mode 100644 index 0000000000..4582acf83e --- /dev/null +++ "b/erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq" @@ -0,0 +1,37974 @@ +commit 81dd14bd8d2d1596220d2558bd057402734d62a9 (HEAD -> gcs-sidecar-framework) +Author: Kirtana Ashok <99994218+kiashok@users.noreply.github.com> +Date: Thu Apr 3 09:27:33 2025 -0700 + + Add ResourceTypeMappedDirectory request (#32) + + Signed-off-by: Kirtana Ashok + (cherry picked from commit 2dc7c56ae9bd4d30f6abd96ba8c20bde9d846b3c) + Signed-off-by: Kirtana Ashok + (cherry picked from commit e4f5d4739858a3d3684a4f0acb9f0d6ac6f17adf) + Signed-off-by: Kirtana Ashok + +commit 918a60089edf8ef2c207d2156f3bf8691c9a1e89 +Author: Kirtana Ashok +Date: Mon Mar 24 09:59:29 2025 -0700 + + Add Block CIM mount and refs format support + + - Add new resource type and code needed + to support block cim mounts for hyperv wcow + - Add support to invoke refs formatter + + Signed-off-by: Kirtana Ashok + (cherry picked from commit 5e48feece5ad357ca8decae49698054e75f867d9) + Signed-off-by: Kirtana Ashok + +commit 9843bfba982c0d421a44e866a3ab1f37fa565447 +Author: Kirtana Ashok +Date: Thu Apr 24 14:06:30 2025 -0700 + + Build break + + 
Signed-off-by: Kirtana Ashok + +commit 88f598f76ad15ff397a47baba478ff4f4c9c7b97 +Author: Kirtana Ashok +Date: Wed Apr 23 08:15:46 2025 -0700 + + WIP: cleanup fsformatter invoker + + Signed-off-by: Kirtana Ashok + +commit df342a3cea1899b42ae591592aa728580d212281 +Author: Kirtana Ashok +Date: Mon Apr 21 09:48:24 2025 -0700 + + gcs-sidecar framework + + Signed-off-by: Kirtana Ashok + +commit 92b788140f629159b6f29afdec25b4e0fcd59323 +Author: Kirtana Ashok +Date: Mon Apr 21 12:41:37 2025 -0700 + + Refactor common bridge protocol code for reuse + + - Move common bridge protocol definitions to subpackage + under internal/gcs + - Move helper functions to internal/bridgeutils pkg + so that they can be used by gcs-sidecar as well + + 
Signed-off-by: Kirtana Ashok + +commit 7084bd2fa445d83629a67a91ff4e072517a11f04 (origin/main, origin/HEAD, main) +Author: Maksim An +Date: Mon Apr 21 10:49:13 2025 -0700 + + rego policy enforcer should use the same user parsing logic as GCS (#2405) + + This PR fixes a discrepancy between user info handling between + GCS and rego policy enforcer. For example, GCS doesn't require the + user/group to exist in container's /etc/passwd and /etc/group + and has a fallback to UID and GID 0, when the user is absent. + Rego enforcer's `GetUserInfo`, however, always tries to + lookup user/group in /etc/passwd and /etc/group and returns + an error when the UID doesn't exist. This behavior is inconsistent + with non confidential LCOW workloads and fixed in this PR. + + To avoid circular imports, the spec.go and spec_devices.go under + `internal/guest/runtime/hcsv2` have been moved under + `internal/guest/spec` and the dependent code updated accordingly. + As a result a bunch of methods are now exported, but still under + `internal`, so this shouldn't cause problems. + + User parsing has been updated and split into `ParseUserStr`, which + returns UID and GID for a given `username` string and `SetUserStr`, + which just sets the UID and GID for the OCI process. + + Rego enforcer's `GetUserInfo` now prioritizes the result of + `ParseUserStr` and fallbacks to the previous behavior of UID/GID + lookup in container's filesystem. + + 
Signed-off-by: Maksim An + +commit a5c5b4c46f51ec5481421b2ebf824cea2bc66ba0 +Author: Hamza El-Saawy +Date: Mon Apr 21 11:31:42 2025 -0400 + + Deps/crypto vulnFix golang.org/x/crypto vulnerability (#2416) + + * Fix `golang.org/x/crypto` & `/net` vulnerabilities + + Update `golang.org/x/crypto` and`golang.org/x/net` to fix reported + vulnerabilies. + (This update requires `go1.23`, so updated that in `go.mod`). + + Also update other `golang.org/x/` modules. + + PRs: + - 2418 + - 2417 + - 2415 + - 2414 + - 2411 + - 2409 + - 2408 + - 2396 + - 2395 + + NOTE: **This commit only has updates to `go.mod`.** + + Signed-off-by: Hamza El-Saawy + + * `go.sum` and vendor updates + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: Hamza El-Saawy + +commit a00144a51864f1068148efbe9bb89516ea4934b6 (mahati/main, mahati/HEAD) +Author: Amit Barve +Date: Wed Apr 9 13:13:13 2025 -0400 + + Add support for running confidential WCOW UVMs + + Initial changes to allow creating confidential WCOW UVMs. uvmboot tool is also updated for + easier command line testing of confidential UVMs. + + Signed-off-by: Amit Barve + +commit 5def1d7e26fee3525c1842221e265a40efabded2 +Author: Amit Barve +Date: Wed Apr 9 13:13:13 2025 -0400 + + Allow different types of boot configurations for WCOW UVM + + Currently WCOW UVM only support booting with VmbFS and legacy layers. However, we are + adding support for booting the UVM with BlockCIM layers. This commit updates the + WCOWBootFiles struct to support different boot configurations. + + Signed-off-by: Amit Barve + +commit b4e07445e062c54f4c0a08682cec322135a92613 +Merge: d7e384230 e5f8fd835 +Author: Maksim An +Date: Wed Apr 9 14:24:53 2025 -0700 + + Merge pull request #2406 from anmaxvl/privileged-pause + + tooling: allow pause container to be run in privileged mode + +commit e5f8fd83592962bf2a089cc5ca949224eaf88480 +Author: Maksim An +Date: Tue Apr 1 11:20:37 2025 -0700 + + tooling: allow pause container to be run in privileged mode + + 
Signed-off-by: Maksim An + +commit d7e384230944f153215473fa6c715b8723d1ba47 (hcsshim/master, hcsshim/kirtana/wcow-block-cim, hcsshim/HEAD) +Author: Maksim An +Date: Mon Mar 17 09:42:02 2025 -0700 + + feature: cross-container named pipes (#2358) + + * feature: cross-container named pipes + + Add new "uvm://" mount prefix to support cross-container + pipes for Xenon WCOW containers. For now, it's a WCOW-only + feature, while the Linux work is being prototyped. + + Additionally, extend the logic of `GetContainerPipeMapping` to + also handle cross-container pipes within the UVM. The syntax + similar to sandbox mounts: + + ``` + { + "host_path": "uvm://\\\\.\\pipe\\uvmPipe", + "container_path": "\\\\.\\pipe\\containerPipe" + } + ``` + + Containers sharing the pipe need to have the same "host_path". + + refactor how named pipes are parsed and added for WCOW. + + `setupMounts` will now try to parse mount source as a named pipe + for both process isolated and hyper-v isolated containers. + The mapped pipes will be tracked under `namedPipeMounts` and + later added to HCS container doc. + + go mod tidy in test directory + --------- + + 
Signed-off-by: Maksim An + +commit 62ddb129f044a01c4938e64c741ba243fea89fc6 (upstream-hcshsim/ms/release/0.1, upstream-hcshsim/main, upstream-hcshsim/HEAD, hcsshim/ms/release/0.1, adoshim/dev/kiashok/update-ms-rel-0.1, adoshim/dev/kiashok/ms/release/0.1, dev/kiashok/pipeline-ms-rel-0.1) +Author: Maksim An +Date: Mon Mar 3 10:50:44 2025 -0800 + + HvSocket support for containers (#2353) + + * HvSocket support for containers + + Applications connecting from the host into the container should use + container-specific VMID. This ID will need to be the same as the + container's VMID inside the guest, which is calculated by HCS/GCS + like it's done in this PR by `HCSIDToGUID`. + + To allow the container ID to work with HvSocket on the host, we + need to set up an AddressInfo mapping to tell HvSocket to redirect + the call into the UVM, which is done in this PR by default for + all WCOW containers. + + Add internal `hvsocketaddr.exe` tool that clients can use to generate + VM ID for container. + + Add a generic function for creating HvSocket address info mapping. + + export a function that creates a mapping for containers only. + + --------- + + Signed-off-by: Maksim An + Co-authored-by: Kevin Parsons + +commit fa9d402bce734aa3031fd7db1c9c997c3448cb78 +Author: Maksim An +Date: Thu Feb 27 19:36:02 2025 -0800 + + ci: fix golangci-lint config (#2387) + +commit a3c0edf1b6bea7b95f96680c88108a56e41f11b6 +Author: Maksim An +Date: Thu Feb 13 13:44:38 2025 -0800 + + github-actions: update lint action (#2379) + + * github-actions: update lint action + + seems like something broke with newer golang versions. + + Update golangci-lint version and set `only-new-issues` to `true`. + + Signed-off-by: Maksim An + + * lint: fix lint errors + + Signed-off-by: Maksim An + + --------- + + 
Signed-off-by: Maksim An + +commit b9fc67d6189cc2c0921eb67e4b61401eb96832e2 +Author: Jie Chen +Date: Tue Feb 11 09:49:23 2025 -0800 + + Revert "Enabled Linux UVM tests to run on 1ES github runner pool" + + This reverts commit e5c83a121b980b1b85f4df0813cfba2d83572bac. + + The OIDC authentication is failing for PRs from external contributors because the id-token write permission is not granted to forked repos. Disabling the Linux UVM tests for now until it is fixed. + + Signed-off-by: Jie Chen + +commit e5c83a121b980b1b85f4df0813cfba2d83572bac +Author: Jie Chen +Date: Tue Jan 21 09:54:57 2025 -0800 + + Enabled Linux UVM tests to run on 1ES github runner pool + + Skipped uvm plan9 test until azurelinux rootfs is fixed + + Signed-off-by: Jie Chen + +commit 56e7aa82c4da7a2241756c2ca56f824a8bfa15e6 +Author: Kathryn Baldauf +Date: Thu Jan 30 10:15:54 2025 -0800 + + Fix TestLCOW_IPv6_Assignment functional test (#2359) + + * Previously we were just using the IPAM routes configured earlier in the test, + * but this causes an error since the IPAM route will append the scope identifier + * at the end of IPv6 routes' NextHop. + + Signed-off-by: Kathryn Baldauf + +commit 9e50c9b5c3999ed2db783059ff3c4711e43b8096 +Author: Jie Chen +Date: Tue Jan 28 16:40:27 2025 -0800 + + Fix duplicate artifact name in github CI + + Signed-off-by: Jie Chen + +commit 24ef284ce6c57c5cdf915c8a86d592ce41083cd9 +Merge: 8d81359dc 367ccd5ed +Author: Jie Chen +Date: Tue Jan 28 13:10:30 2025 -0800 + + Merge pull request #2365 from jiechen0826/skip_hvsock_functional_tests + + Skip HVSock_* flaky tests until they are fixed + +commit 367ccd5ed6560d3b09b5463131235cf2a4e1697e +Author: Jie Chen +Date: Tue Jan 28 09:18:02 2025 -0800 + + Skip HVSock_* flaky tests until they are fixed + + 
Signed-off-by: Jie Chen + +commit 8d81359dc374e39d9edd63639a0402fbbea694f9 +Author: Kathryn Baldauf +Date: Wed Jan 15 12:55:51 2025 -0800 + + Add support for HCN v2 endpoint and add unit tests (#2343) + + * Add support for HCN v2 endpoint and add unit tests + * switch to HCN v2 endpoint API instead of HNS v1 endpoint API + * Support parsing routes in GCS when we setup the network interfaces + * [breaking] update gcs bridge LCOW network adapter type with new fields that better + align with v2 endpoint + * Add unit tests for new GCS side changes + * Add legacy policy based routing for lcow and an annotation to toggle use + + Signed-off-by: Kathryn Baldauf + + --------- + + Signed-off-by: Kathryn Baldauf + +commit bac751f6dc7337d8cfc37528b3ce5acc4b5987b6 +Merge: 20e8795e2 c38d4366a +Author: Jie Chen +Date: Tue Jan 14 10:31:58 2025 -0800 + + Merge pull request #2338 from microsoft/jiechen3/github_runner + + Enable Windows UVM functional tests + +commit c38d4366a501294c0be7d1157f87d643c01f0783 +Author: Jie Chen +Date: Thu Jan 9 15:45:18 2025 -0800 + + Enabled Windows UVM tests to run on 1ES Github Runner Pool + + Co-authored-by: Hamza El-Saawy + Signed-off-by: Jie Chen + +commit 20e8795e2765d37014ebe5d3048c186b5ddd38fa (tag: v0.13.0-rc.3) +Author: Hamza El-Saawy +Date: Fri Jan 10 15:24:56 2025 -0500 + + Omnibus dependabot update (#2347) + + * Omnibus dependabot update + + Consolidate and resolve the dependabot PRs (mostly handle nested + module): + + - 2267 + - 2296 + - 2307 + - 2315 + - 2323 + - 2324 + - 2333 + - 2334 + - 2335 + - 2336 + - 2339 + - 2340 + - 2341 + - 2345 (https://github.com/microsoft/hcsshim/security/dependabot/113) + - 2346 (https://github.com/microsoft/hcsshim/security/dependabot/115) + + Two commits: first is core updates, second is module tidy and vendor, + along with (protobuf) file regen. + + 
Signed-off-by: Hamza El-Saawy + + * go mod tidy and vendor, protobuf update + + Replace deprecated `github.com/opencontainers/runc/libcontainer/user` + with `github.com/moby/sys/user` (which it is an alias for). + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: Hamza El-Saawy + +commit 36c11610a8c78b7176062c012cf5bc30f5c774d3 +Author: Hamza El-Saawy +Date: Thu Jan 9 17:51:24 2025 -0500 + + Use abs path to testing binary (#2344) + + * Use abs path to testing binary + + Use the full path to the `functional.test.exe` binary when sharing into + the uVM or container for the `TestHVSock_*` test cases in + `test\functional\hvsock_test.go` to prevent vSMB share issues. + + Otherwise, `os.Args[0]` will return the path that the tests were run + with (e.g., `.\functional.test.exe`), which can cause vSMB to fail with + `The parameter is incorrect.` (likely because it cannot find the current + file). + + Signed-off-by: Hamza El-Saawy + + * PR: bug fix + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: Hamza El-Saawy + +commit d9a4231b9d7a03dffdabb6019318fc43eb6ba996 +Merge: f234e83a3 bacda3961 +Author: Kevin Parsons +Date: Tue Dec 17 11:31:09 2024 -0800 + + Merge pull request #2327 from kevpar/compat-ws2025 + + osversion: Add new versions, fix compat bug, improve tests + +commit f234e83a39219dadb30902bd4c6880639b3b3538 +Author: Amit Barve +Date: Tue Dec 17 10:41:43 2024 -0500 + + Use Block CIM layers for container RootFS + + This commit adds the ability to parse block CIM layer mounts and to mount the merged block + CIMs to be used as a rootfs for a container. + + 
Signed-off-by: Amit Barve + +commit dd7420482d99f61884eb9d550594599b980b2c91 +Author: Amit Barve +Date: Tue Dec 17 10:41:38 2024 -0500 + + Add LayerWriter for block CIMs + + This commit adds a layer writer that can be used for extracting an image layer tar into a + Block CIM format. + + Existing forked CIM layer writer was renamed to a common base type `cimLayerWriter`. + Forked CIM layer writer & Block CIM layer writer both now extend this common base type to + write layers in that specific format. + + This commit also removes some code that used `time.Now()` as the default timestamps for + some files that it creates within the layer CIM. These timestamps cause differences in the + layer CIMs generated from the same layer tar. This change fixes that. + + Signed-off-by: Amit Barve + +commit ccb51aa79b2eb946274395a20e9319b6ea8f3cfe +Author: Amit Barve +Date: Tue Dec 17 10:41:31 2024 -0500 + + Block CIM types and new CimFS API wrappers + + CimFS now supports a new format for storing CIMs, named BlockCIM. A block CIM format can + store the entire CIM on a block device (like a VHD) or a file formatted like a block + device. + + This commit adds Go wrappers for the new CimFS APIs that allow creation, merging and + mounting of such Block CIMs. Some new flags required when creating and mounting these CIMs + are added and some deprecated flags have been removed. New type has been introduced to + represent a block CIM. Unit tests have been added to test the newly added CimFS + functionality. Lastly, CimFS flags aren't a part of the hcs schema (only the CimMount + request is), those flags are moved from the hcs/schema2 package to the cimfs package. + + 
Signed-off-by: Amit Barve + +commit 0d6d57252a69cd5ffb7a46b8b4a1201e875b3b93 +Author: Amit Barve +Date: Tue Dec 17 10:41:31 2024 -0500 + + Remove unnecessary cim mount cache + + Currently we have a map which maintains a mapping of CIM & containerd ID to the volume at + which a CIM is mounted for the given container. This was required before the layer + refactoring work when we needed to get the volume path from the layer cim path. However, + this isn't needed anymore. As of now, this map doesn't provide much value and makes the code a + bit complicated. Moreover, we will need to rewrite some of this code anyway when we do the work + required for handling `shim delete` cleanups properly (https://github.com/containerd/containerd/issues/9727). + + Signed-off-by: Amit Barve + +commit 1a8c2e3ba7d5fc1ecdb708e1ef623597574432c9 +Merge: ca5ca6e7e e0e242309 +Author: Kevin Parsons +Date: Wed Dec 11 09:56:57 2024 -0800 + + Merge pull request #2330 from kevpar/spanfix + + octtrpc: Fix span status defer, add tests + +commit ca5ca6e7ed80f8e8c7ae9f083c9c5db0b3921498 +Author: Mahati Chamarthy +Date: Thu Dec 5 19:16:42 2024 +0000 + + Fix path in security policyenginesimulator sample (#2329) + + 
Signed-off-by: Mahati Chamarthy + +commit 66a6fc14923487cb8d8656abd2af1ea53225e45b +Merge: b0b5a0c68 db9d4e44b +Author: Kevin Parsons +Date: Tue Nov 26 14:19:26 2024 -0600 + + Merge pull request #2326 from kevpar/fix-gomod + + Fix go.mod to have the correct Go version + +commit e0e2423096779446ad46fc1022124c3ec5c6197d +Author: Kevin Parsons +Date: Mon Nov 25 15:20:34 2024 -0800 + + octtrpc: Fix span status defer, add tests + + It turns out for years that the autogenerated TTRPC spans have not been + marked correctly if the call failed. This is because defers evaluate + their arguments immediately, rather than at the deferred execution time. + Fix this by changing err from an argument to the defer, to a variable + evaluated inside the defer. + + Also adds tests for octtrpc client and server interceptors. + + Signed-off-by: Kevin Parsons + +commit bacda3961da2630b0b7fecafe801905c9dcca93b +Author: Kevin Parsons +Date: Mon Nov 25 15:05:58 2024 -0800 + + osversion: Add new versions, fix compat bug, improve tests + + - Add V23H2 (annual channel) and LTSC2025 to the version list + - Use the LTSC build naming in the compat checks and tests, to make + intent clearer + - Fix a bug in the compat check. A given LTSC release should be able to + run everything from the previous LTSC up to itself + - Add new test cases, including for the fixed compat check bug + - Change the tests to use t.Run for each test case + + Signed-off-by: Kevin Parsons + +commit db9d4e44bcde8e0b0b4d4d54845bfe4bdc092caf +Author: Kevin Parsons +Date: Mon Nov 25 10:45:52 2024 -0800 + + Fix go.mod to have the correct Go version + + As of recent Go versions, specifying the go directive without a patch + (e.g. 1.22) is no longer supported. Because go tries to download a + matching toolchain if you're not already using one, it will try to + download go toolchain version 1.22, which doesn't exist (1.22.0 does). + + Fix the go.mod version to specify the full version with patch, 1.22.0. + + 
Signed-off-by: Kevin Parsons + +commit b0b5a0c6843178b3ee8c9655621fcf05c4087d4e +Author: Kathryn Baldauf +Date: Mon Nov 25 10:55:25 2024 -0800 + + Add build version block for pod CPU limits updating (#2321) + + Signed-off-by: Kathryn Baldauf + +commit 9cf7c1c7e7cd1d9f241709f97a76cb72a6830b22 +Author: Maksim An +Date: Mon Nov 18 17:03:55 2024 -0800 + + remove dmverity-vhd code and release pipeline (#2318) + + dmverity-vhd code was moved to a separate repo, + this PR removes the binary and release pipeline + associated with it. + + Signed-off-by: Maksim An + +commit c65b7892d7994291dd99c298931ecb624704b36b +Author: Kathryn Baldauf +Date: Mon Nov 4 14:47:24 2024 -0800 + + Fix issue with mask length of gatway addresses that are out of the (#2305) + + interface's subnet + * See documentation at https://pkg.go.dev/net#ParseIP + + Signed-off-by: Kathryn Baldauf + +commit 1c29e9d8cc4c7a01060caf8ab5c337c11df34292 +Author: Maksim An +Date: Thu Oct 31 16:47:01 2024 -0700 + + add `longPathAware` to shim manifest (#2303) + + Depending on the version of Go used to build the shim binaries + the process may or may not be long path aware, for example MS Go + removed it https://github.com/microsoft/go/commit/af3d04ecaf07be0e0f37ccfda756a2279047aab3. + + Microsoft recommends adding long path support through manifest + https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=registry#enable-long-paths-in-windows-10-version-1607-and-later + + Signed-off-by: Maksim An + +commit 1b095260edf2f8396896e96df504261176d30e19 (upstream-hcshsim/kevpar/hcsshim, origin/kevpar/hcsshim) +Author: Kirtana Ashok +Date: Mon Oct 28 10:50:11 2024 -0700 + + Switch to using containerd/errdefs/pkg/errgrpc for grpc translation + + Signed-off-by: Kirtana Ashok + +commit 0269ad38a0fbfe6188458153b4af42465fd16ae8 +Author: Kirtana Ashok +Date: Mon Oct 28 10:32:59 2024 -0700 + + Update go version to 1.22 + + 
Signed-off-by: Kirtana Ashok + +commit 11e1033a45b19e2fae15981275696e2e8f84d5e2 (tag: v0.13.0-rc.2) +Merge: 677a76a59 4cd6fef63 +Author: Kathryn Baldauf +Date: Fri Oct 18 15:12:17 2024 -0700 + + Merge pull request #2293 from dmcgowan/update-containerd-1.7.23 + + Update containerd to v1.7.23 + +commit 4cd6fef63241324078e1431be3e0fe8168f247e5 +Author: Derek McGowan +Date: Mon Oct 14 14:37:13 2024 -0700 + + Update containerd to v1.7.23 + + Signed-off-by: Derek McGowan + +commit 677a76a59a9be164621448efdf3e30d0d0aa6cc2 +Merge: e78ef44f6 ffe8282eb +Author: Kathryn Baldauf +Date: Mon Oct 14 08:44:04 2024 -0700 + + Merge pull request #2279 from katiewasnothere/user/kabaldau/fix_parse_devices + + Fix parse pod devices to not include invalid devices + +commit e78ef44f61098d395a4dbea1ca84c87455fa8cd9 +Author: Heather Garvison +Date: Tue Oct 8 19:25:57 2024 -0400 + + Update dmverity tool to take a directory as input to create a VHD (#2274) + + update dmverity tool to take data tar as input to create a verity VHD + + Signed-off-by: Heather Garvison + +commit 514a8b7637b64aed0108409ab2722c042caa552d +Author: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> +Date: Tue Oct 8 09:13:22 2024 -0700 + + Fixing typo (#2287) + + 
Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> + +commit 1d69a9c658655b77dd4e5275bff99caad6b38416 +Author: Maksim An +Date: Tue Oct 1 14:04:53 2024 -0700 + + scsi: relax mount re-use constraint (#2280) + + This is to fix a case with shared scratch enabled where the pause + container scratch and workload container scratch should be the same + mountpoint. This effectively changes the SCSI mount logic to have + the same semantics as before the SCSI refactor, which mainly affected: + * where the `runc` config.json for a container is written + * scratch encryption + The old semantics ensured that the scratch (in a shared scratch case) + is encrypted only once and also ensured that runc config.json for a + given container is written to a unique location: either container's + scratch (when scratch isn't shared) or tmpfs (when scratch is shared). + + As before, the eventual hope is to remove guestPath support, and + always generate a path, but that requires more extensive work to pass + this path to the GCS. + + Signed-off-by: Kevin Parsons + Signed-off-by: Maksim An + Co-authored-by: Kevin Parsons + +commit c6e7159431112fe8949824eef4e7e884fe648266 +Merge: e1b4506e2 3b7c087db +Author: Kevin Parsons +Date: Fri Sep 27 16:57:47 2024 -0500 + + Merge pull request #2278 from kevpar/scsi-mount-fix-2 + + scsi: Support optional guest path for mount, add tests, refcount fix + +commit 3b7c087db13be3514524d6a736fc6f84ffc1259c +Author: Kevin Parsons +Date: Fri Sep 27 11:50:24 2024 -0700 + + scsi: Add tests and fix refcount bug + + Adds various tests to the SCSI manager code. As part of this testing, + a bug tracking attachment refcounts was also found. The attachment + refcount is increased every time a new top-level request comes in, even + if an existing mount is re-used. This means that the attachment refcount + should also be decremented every time one is released, even if the mount + refcount is not at 0. + + 
Signed-off-by: Kevin Parsons + +commit ffe8282ebe4441c51813f9130059d9e2efd6bbe3 +Author: Kathryn Baldauf +Date: Fri Sep 27 14:03:54 2024 -0700 + + Fix parse devices to not include invalid device + + Signed-off-by: Kathryn Baldauf + +commit c1d649299c57828e494dc743c99e32a53d22a0b1 +Author: Kevin Parsons +Date: Fri Sep 27 11:23:53 2024 -0700 + + scsi: Take optional guest path for mount + + Currently the SCSI mount manager will generate a new path for each new + mount, based on a format string that it is instantiated with. However, + it turns out some code in the GCS (e.g. sandbox mounts) assumes that the + container scratch is mounted at a certain path. The long-term best + solution here is probably to pass what paths to use explicitly to the + GCS, but that would be more impactful. We need a more contained fix. + + This commit addresses the issue by allowing an optional guest path to be + given for a SCSI mount. The mount manager has been changed as follows: + - If a guest path is not supplied: The mount can re-use (refcount++) any + existing mount with the same controller/lun/options. If a new mount is + created, the mount manager will generate a path for it. + - If a guest path is supplied: The mount can re-use (refcount++) any + existing mount with the same controller/lun/guestpath/options. If a + new mount is created, the mount manager will use the supplied path for + it. + + Accordingly, code calling into the mount manager has been updated to + pass an empty string for the guest path. The exception to this is the + LCOW layer mounting code, which will pass an explicit guest path for the + scratch disk. As far as I know, WCOW does not depend on a specific path + for its scratch disk. + + 
Signed-off-by: Kevin Parsons + +commit e1b4506e26dd587d3e27682560c5a1d68a70c96d +Author: Maksim An +Date: Thu Sep 26 09:46:02 2024 -0700 + + fix: verity boot overrides SCSI config (#2262) + + When creating HCS doc for SNP UVM with verity boot, the SCSI + controllers are overriden to always have only a single SCSI + controller. This limits the max number of container layers to + 64. + + Signed-off-by: Maksim An + +commit 16dc8eba1e3036be4109725203b649ab777dcdaf +Author: Takuro Sato +Date: Wed Sep 25 18:31:49 2024 +0100 + + Make tar2ext4 deterministic with files without parent dir in tar (#2270) + + Make tar2ext4 deterministic with files without parent dir in tar + + Signed-off-by: Takuro Sato + +commit 0b833ccebb7ec414cc33d3ac0fe3424d459abd14 +Merge: e55a82b1c 89620dc26 +Author: Kathryn Baldauf +Date: Wed Sep 11 15:28:34 2024 -0700 + + Merge pull request #2220 from katiewasnothere/kabaldau/guest_caps + + Refactor guest defined capabilities + +commit e55a82b1c962d666c68df8acb76bb311cd0a69db +Merge: 31569925b 512aaa21c +Author: Kathryn Baldauf +Date: Wed Sep 11 11:16:14 2024 -0700 + + Merge pull request #2249 from katiewasnothere/kabaldau/fabric_manager_config + + Support passing in fabric manager config + +commit 89620dc2614857f45ae16aea29d79ab8270c51f1 +Author: Kathryn Baldauf +Date: Mon Jul 29 17:35:16 2024 -0700 + + Refactor guest defined capabilities + + Signed-off-by: Kathryn Baldauf + +commit 31569925b06a13530a7b6f2b6cc7bdefd6f3bbca +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Sep 10 10:13:18 2024 -0400 + + Omnibus dependabot update: (#2260) + + - hcsshim/2259 + - hcsshim/2258 + - hcsshim/2257 + - hcsshim/2256 + - hcsshim/2255 + - hcsshim/2254 + - hcsshim/2253 + - hcsshim/2247 + - hcsshim/2227 + + Also, update `github.com/Microsoft/cosesign1go` to retract the + `github.com/veraison/go-cose@v1.2.0` implicit import. + + 
Signed-off-by: Hamza El-Saawy + +commit ca3f8b3b51fdae0114f6a5879289edac76d8153c +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Sep 9 16:43:00 2024 +0000 + + Bump google.golang.org/grpc from 1.65.0 to 1.66.0 in /test (#2252) + +commit a4215dc7b31e6e1c3bed4a134e7a9a0109c7b7bb +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Sep 9 16:03:34 2024 +0000 + + Bump golang.org/x/sync from 0.7.0 to 0.8.0 in /test (#2230) + +commit ddf0556bc7b3daab940b8d1aa8a88371a637b09d +Merge: d2836fb99 291d13e7a +Author: Kathryn Baldauf +Date: Thu Sep 5 14:31:34 2024 -0700 + + Merge pull request #2248 from katiewasnothere/kabaldau/fix_device_wait + + Fix no such device error when getting device filesystem + +commit 291d13e7af01f5f6d6c86001ee961cd91804eba1 +Author: Kathryn Baldauf +Date: Fri Aug 23 15:42:21 2024 -0700 + + Fix no such device error when getting device filesystem + * os.Stat does not open the file. We're seeing issues where after stat'ing the device path in /dev, we get the error from _getDeviceFsType "No such device or address", aka ENXIO, when trying to open the device to read the superblock. + * Change os.Stat call to os.Open when waiting for the /dev device to show up to ensure we can successfully open the device later. + + Signed-off-by: Kathryn Baldauf + +commit d2836fb99ff0ad3c25343b3c1163f6542fec4c1a +Merge: f80cf917a bf239f668 +Author: Kathryn Baldauf +Date: Wed Aug 28 10:09:51 2024 -0700 + + Merge pull request #2234 from hgarvison/main + + Update dmverity tool to fix bug where hdv creation fails + +commit 512aaa21c168604b70bb3ac8c4743ebe98fa871d +Author: Kathryn Baldauf +Date: Tue Aug 27 13:50:51 2024 -0700 + + Support passing in fabric manager config + * Allows the ability to customize log file path, log rotation, and more + + 
Signed-off-by: Kathryn Baldauf + +commit f80cf917a3963e05f86327149fb2abe36fcde6c0 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Aug 27 14:58:09 2024 -0400 + + Add `.clang-format` and format C files (#2246) + + Add `.clang-format` file that can be used directly by the clang + formatter or by the Microsoft C/C++ VSCode extension. + Style based on Microsoft default style guide, but update brace and case + indentation settings to match current files better (as well as Go code). + + Run formatter on `init\init.c` and `vsockexec\vsockexec.c`. + Changes mostly with brace position, spacing, indentation, and pointer + alignment. + + Signed-off-by: Hamza El-Saawy + +commit 59e8375cfad4883ea18bc75b765bc4cb64cb7b6b +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Aug 27 11:39:30 2024 -0400 + + Add and updateCodeQL suppression (#2245) + + Microsoft CodeQL analyzer's suppression format is slightly different + than GitHub's, and expects the suppression comment to be one line. + Update suppression comments in `pkg\ociwclayer\import.go` to conform. + + Suppress warnings for "uncontrolled process operation" in `init\init.c` + and `vsockexec\vsockexec.c`. + Suppress "incorrect conversion between integer types" in + `internal\jobobject\limits.go`, and add fix to + `internal\guest\runtime\hcsv2\uvm.go`. + + 
Signed-off-by: Hamza El-Saawy + +commit 1e97fa626c65df43f7619083b68d32b9717b6e59 +Merge: 925fb1e04 41c6cb0b2 +Author: Kathryn Baldauf +Date: Fri Aug 23 15:24:13 2024 -0700 + + Merge pull request #2240 from katiewasnothere/kabaldau/support_ko_xz_ext + + Add support for kernel modules files ending in .ko.xz + +commit 41c6cb0b2866991c2a5b1af8b343aca9f74f89bc +Author: Kathryn Baldauf +Date: Tue Aug 20 17:07:56 2024 -0700 + + Add support for kernel modules files ending in .ko.xz + * Azure linux provides compressed kernel modules in files by default for some modules. + This PR adds support for both compressed and uncompressed module files. + + Signed-off-by: Kathryn Baldauf + +commit 925fb1e0442cd5f1a74d1fc5d9417247f48a7d2f +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Aug 23 15:54:57 2024 -0400 + + Consolidate Go installation step (#2244) + + Create composite action to call `actions/setup-go` with common values + and logic across different jobs and workflows to reduce duplication and + make sure workflows all use the same Go version. + + Specifically, the action defaults to `oldstable` for the Go version, + uses both `go.sum` and `test/go.sum` for the cache dependency, and + allows pre-filling the Go module cache after installing Go. + + It exposes the same outputs as `actions/setup-go` as well. + + 
Signed-off-by: Hamza El-Saawy + +commit e7a1be7061b457cea9b70f8b3a917e3cc8a33796 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Aug 23 10:15:11 2024 -0400 + + Filter vendor and test CodeQL results (#2243) + + Skip scanning for files under the `test/` or `vendor/` directories, or + for `_test.go` files. + + Neither the Go or C/C++ CodeQL scanning support the `path-ignore` config + options, raising the warning: + ``` + Path filters have no effect for Go + Go does not support path-based filtering. The paths and paths-ignore configuration properties will have no effect for this language. + ``` + + Use the recommended `advanced-security/filter-sarif` action to instead + filter results, based on [provided + example](https://github.com/advanced-security/filter-sarif?tab=readme-ov-file#example). + + Remove the config file since there is nothing to configure. + + Additionally, build the `securitypolicy.exe` and `dmverity-vhd` binaries + during CodeQL, and `securitypolicy` during the normal build CI. + + Signed-off-by: Hamza El-Saawy + +commit 00640ef8d7dff66019c2b06278a0581c933e0515 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Aug 22 14:42:04 2024 -0400 + + Use `atomic` types instead of raw values (#2241) + + Per Go documentation recommendation (e.g. + [link](https://pkg.go.dev/sync/atomic#AddUint64)), use the `atomic` + types and their associated methods instead of the + `atomic.Add*`/`.Store*` functions. + + This makes the intent for atomic access clearer, prevents (accidental) + non-atomic access, and (for boolean variables) simplifies code. + + 
Signed-off-by: Hamza El-Saawy + +commit e2a2b5f4e2a70d0b41f5f0f70b49587cf15917ec +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Aug 22 12:54:39 2024 -0400 + + Configure advanced codeql.yml scanning (#2242) + + It appears GH doesn't recognize our CodeQL pipeline and attempts to run + its own default version. + Rename the workflow to conform to what GH expects of the standard + "advanced setup" for CodeQL, with some minor updates: + - run on `release/*` branches + - use the recommended job permissions + - explicit `manual` build mode + - use `c-cpp` instead of `cpp` + - add a `codeql-config` file to ignore the test and vendor directories + + Based on recommendations here, which simple create the appropriate + workflow: + https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale + + Signed-off-by: Hamza El-Saawy + +commit 4f3da95b5b48f6c340cbed6f5fcca107216125b4 +Merge: 008474976 327e53588 +Author: Kathryn Baldauf +Date: Tue Aug 20 12:00:44 2024 -0700 + + Merge pull request #2239 from katiewasnothere/kabaldau/check_exist_modules_dir + + Remove kernel panic when kmod load fails + +commit 327e53588be2d777630234e0da5d4836fceca577 +Author: Kathryn Baldauf +Date: Mon Aug 19 20:25:38 2024 -0700 + + Remove kernel panic if ftw returns an error + + Signed-off-by: Kathryn Baldauf + +commit 008474976972163ac32a39fc12111a95c66ae428 +Author: Davanum Srinivas +Date: Wed Aug 14 18:24:14 2024 -0400 + + drop usage of deprecated package/methods + + Signed-off-by: Davanum Srinivas + +commit 56e8cf904ce1b0e4391ce7ca8d1ea8b80aa80d34 +Author: Davanum Srinivas +Date: Wed Aug 14 18:12:10 2024 -0400 + + drop usage of deprecated package/methods + + 
Signed-off-by: Davanum Srinivas + +commit 9b0599b0bb93f6f5b546b09bfb4cab6221ff16b4 +Author: Davanum Srinivas +Date: Wed Aug 14 17:47:13 2024 -0400 + + Bump opa/containerd to latest versions + + Signed-off-by: Davanum Srinivas + +commit ba6e8eaf1851250a44ec179727760b15cee48899 +Merge: a8ef0c488 07fea0dc9 +Author: Kathryn Baldauf +Date: Wed Aug 14 14:31:44 2024 -0700 + + Merge pull request #2231 from katiewasnothere/kabaldau/sort_endpoints + + Sort the endpoints such that eth0 is first + +commit 07fea0dc90880a4543f1f83e60784cacf055874f +Author: Kathryn Baldauf +Date: Mon Aug 12 14:19:41 2024 -0700 + + Sort the endpoints such that eth0 is first + + Signed-off-by: Kathryn Baldauf + +commit bf239f668b713fbf1d976835695d310689f620a1 +Author: Heather Garvison +Date: Wed Aug 14 14:05:42 2024 -0400 + + update dmverity tool to fix bug where hdv creation fails to move all VHDs from the temp dir + + Signed-off-by: Heather Garvison + +commit a8ef0c488fd3919ba9af8fc2599e803a1bf39b2a +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Aug 5 16:31:56 2024 -0400 + + Upgrade deps to resolve CVEs (#2225) + + CVE alerts: + + - https://github.com/microsoft/hcsshim/security/dependabot/108 + - https://github.com/microsoft/hcsshim/security/dependabot/107 + + Dependabot PRs: + + - 2224 + - 2223 + - 2219 + - 2218 + - 2213 + + 
Signed-off-by: Hamza El-Saawy + +commit a1586171de44edfbc3609fd769f21987f7d5685f +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Aug 5 18:09:26 2024 +0000 + + Bump google.golang.org/grpc from 1.64.0 to 1.65.0 in /test (#2195) + +commit 0952ff694227a4123ee4ad5092df243008fcf8f5 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Aug 5 18:09:04 2024 +0000 + + Bump softprops/action-gh-release from 2.0.7 to 2.0.8 (#2212) + +commit 415030aefbf56caccf1c44414fee18069857425d +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Aug 5 14:06:42 2024 -0400 + + Bump github.com/docker/docker in /test (#2221) + + Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.0.0+incompatible to 27.1.0+incompatible. + - [Release notes](https://github.com/docker/docker/releases) + - [Commits](https://github.com/docker/docker/commits/v27.1.0) + + --- + updated-dependencies: + - dependency-name: github.com/docker/docker + dependency-type: indirect + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 7edc1f5203c22e21124d8d0f739ce0ada7f5cf61 +Author: Seth Hollandsworth +Date: Wed Jul 31 13:09:10 2024 -0400 + + updating a link in the readme to its new location (#2214) + + Signed-off-by: sethho + +commit a658eee405cb0dc85121e7edb41fd26086013595 +Author: Kirtana Ashok +Date: Thu Jul 18 16:00:44 2024 -0700 + + Fix HPC tests + + 
Signed-off-by: Kirtana Ashok + +commit 5c81656ca4bd1c51295f7c18d3c562aa880253a1 +Author: Maksim An +Date: Wed Jul 24 15:17:12 2024 -0700 + + fix: use block device mount to format scratch (#2215) + + By default create LCOW will set the number of SCSI controllers to 4, when + VPMem isn't used, which is the case when formatting scratch. This makes the + device path lookup non-determenistic, since the SCSI controllers in the guest + may have different indices. + + To workaround that, use a block device mount and use the mount-path to format + the scratch VHDX without needing to lookup the actual dev node path. + + Signed-off-by: Maksim An + +commit eb8c5c67775b348f2a8c2a8fe5905a8f559e5d11 +Merge: eedd1fece 0c061a1ee +Author: Kathryn Baldauf +Date: Tue Jul 23 10:53:16 2024 -0700 + + Merge pull request #2201 from katiewasnothere/kabaldau/boot_nvidia_services + + Start nvidia-persistenced and nv-fabricmanager daemons in init script + +commit 0c061a1eeefff209adb65f98de4f40f506e3fc62 +Author: Kathryn Baldauf +Date: Mon Jun 24 15:56:26 2024 -0700 + + Start nvidia_persistenced and nv-fabricmanager daemons in init script + + Signed-off-by: Kathryn Baldauf + +commit eedd1fece70183480075409c54fc307e5d045fc2 +Merge: c1e403cfe 848523221 +Author: Kathryn Baldauf +Date: Mon Jul 22 10:15:13 2024 -0700 + + Merge pull request #2206 from katiewasnothere/kabaldau/remove_graceful_dda_cleanup + + Remove graceful removal of DDA devices added on pod boot + +commit c1e403cfe1e4991c78fcd3535308a88403e42477 +Merge: c28c0b237 408381769 +Author: Kathryn Baldauf +Date: Thu Jul 18 17:24:23 2024 -0700 + + Merge pull request #2207 from katiewasnothere/kabaldau/runhcs_higher_memory + + Add higher memory size for create scratch UVM + +commit 40838176901554ca9b2147683a5be1d4fd4f34ca +Author: Kathryn Baldauf +Date: Mon Jun 17 17:00:48 2024 -0700 + + Increasing the memory size as Azure Linux requires more memory to run + + 
Signed-off-by: Kathryn Baldauf + +commit c28c0b2376f275735dbd4f9ebc716111a241df9c +Author: Maksim An +Date: Thu Jul 18 09:40:18 2024 -0700 + + fix: error shadowing removing read-write mount tracking (#2208) + + When filesystem mount fails, we attempt to cleanup + read-write mount tracking. However, the return error is + being shadowed and `RemoveRWDevice` is never called. + + Signed-off-by: Maksim An + +commit ffe0492588fe581a24573a94223df96a0a6601a9 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Jul 18 15:10:58 2024 +0000 + + Bump softprops/action-gh-release from 2.0.5 to 2.0.7 (#2209) + +commit 8ad5a9794372865ff0cc6b64ec4a2df713017387 +Author: apurv15 <69455689+apurv15@users.noreply.github.com> +Date: Wed Jul 17 11:05:20 2024 +0530 + + Create UVM honoring NUMA configuration parameters (#2198) + + * Expose NUMA config to containers. Use HCS device affinity so that UVM is configured on same NUMA node as the device. Expose SLIT configuration to UVM to gather NUMA node distances. + + Signed-off-by: Apurv Barve + + * Fixing lint errors + + Signed-off-by: Apurv Barve + + * Fix linter errors + + Signed-off-by: Apurv Barve + + * Addressing review comments + + Signed-off-by: Apurv Barve + + * Addressing review comments + + Signed-off-by: Apurv Barve + + * Schema changes + + Signed-off-by: Apurv Barve + + * OS build version check + + Signed-off-by: Apurv Barve + + * Removing some checks not required for container platform + + Signed-off-by: Apurv Barve + + * Removing a TODO comment + + Signed-off-by: Apurv Barve + + * Conditionalize setting PropagateNumaAffinity for newer OS build only + + Signed-off-by: Apurv Barve + + * Changing variable name from propagationEnabled to propagateAffinity for better readability + + Signed-off-by: Apurv Barve + + * Modifying comment and not initializing pointer as it happens implicitly. + + Signed-off-by: Apurv Barve + + --------- + + 
Signed-off-by: Apurv Barve
+
+commit 848523221903d628002cd8b6953b149f63b689b8
+Author: Kathryn Baldauf
+Date: Tue Jul 16 14:41:16 2024 -0700
+
+ Remove graceful removal of vpci devices
+
+ Signed-off-by: Kathryn Baldauf
+
+commit d69c26d67ca8ec4b13a220a344bb93237459515b
+Author: Prince Pereira
+Date: Tue Jul 16 00:16:14 2024 +0530
+
+ Modifying network flag EnableIov.
+
+ Signed-off-by: Prince Pereira
+
+commit 7af6804e753190024abb9d89b777572814153276
+Author: PRINCE PEREIRA
+Date: Thu Jul 11 01:39:07 2024 +0530
+
+ Introducing new network flag EnableIov. (#2192)
+
+ Signed-off-by: Prince Pereira
+
+commit 376b320b332e24c4a8830407139522abe5fdb2d5
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Jul 8 14:47:48 2024 -0400
+
+ [test] Add Hyper-V socket functional tests (#1979)
+
+ * [test] Add hvsock connection tests
+
+ Add tests for binding to and listening on hyper-v sockets from within a
+ uVM (as well as a hyper-v isolated containers).
+ Tests verify default SDDL and wildcard bind settings, as well updating
+ the settings for a particular service ID.
+
+ In order to test HVSocket communication, an agent is needed to run from
+ within the uVM (or container within that).
+ To accomplish that, the ability to re-exec the (functional) testing
+ binary is added, so that it can be shared into the uVM (or container)
+ and then run a separate code path that is defined within the same test
+ case that is running on the host.
+
+ For example, while running the test case
+ `TestHVSock_Container_GuestBind/default`, the functional testing binary
+ that is being run (i.e. `functional.test.exe`) is shared within the
+ running container and then run with the flag
+ `-run=^TestHVSock_Container_GuestBind$/^default$`. This causes the guest
+ to bind to the agreed-upon Service GUID, and then (after the host
+ connects to the same Service GUID), the guest verifies the expected VM
+ and service GUIDs, and then ensures communication is possible.
+
+ 
Signed-off-by: Hamza El-Saawy
+
+ * PR: remove hvsock feature
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 7bcf0ceac7b2a78364f1e75f02798b443091019f
+Author: Maksim An
+Date: Mon Jul 8 10:35:46 2024 -0700
+
+ fix: uvmboot gcs exec (#2193)
+
+ Rely on default `sh` to be in `PATH` rather than hardcoding
+ to `/bin/sh` when using uvmboot with GCS and exec.
+
+ Signed-off-by: Maksim An
+
+commit 200feabd854da69f615a598ed6a1263ce9531676 (tag: v0.13.0-rc.1)
+Author: Prince Pereira
+Date: Fri Jun 21 14:41:53 2024 +0530
+
+ Hcsshim wrapper over HNS API needed for exclusion of management mac addresses for VF reassignment.
+
+ 
Signed-off-by: Prince Pereira
+
+commit 53f2486325624a81d2797b26294021c8647a6811
+Author: Maksim An
+Date: Wed Jun 26 09:14:33 2024 -0700
+
+ feature: block-device mounts (#2168)
+
+ This PR adds capability to mount virtual and passthrough disks
+ as block devices inside containers.
+
+ We add a new "blockdev://" prefix to OCI `Mount.ContainerPath`,
+ which indicates that the source should be mounted as a blcok
+ device.
+
+ A new `BlockDev` field has been added to `mountConfig` used by
+ `mountManager`, which indicates that the SCSI attachment should
+ be mounted as a block device.
+
+ The GCS has also been updated to handle `BlockDev`. Instead of
+ mounting the filesystem, GCS creates a symlink to the block device
+ corresponding to the SCSI attachment. The symlink path is set
+ by shim as a source of bind mount in OCI container spec. GCS
+ resolves the symlink and adds the corresponding device cgroup.
+ Without the cgroup, the container won't be able to work with the
+ block device.
+
+ We chose a symlink approach instead of bind mounting the device
+ directly, because the shim doesn't know the path at which the
+ device will appear inside UVM. For this to work, we either need
+ to encode the SCSI controller/LUN in the OCI mount's HostPath or
+ update the communication protocol between the shim and GCS, where
+ GCS would either return the device path, or add capability for
+ the shim to query for it.
+
+ Below are some CRI container config examples for physical and
+ virtual disks:
+
+ Passthrough physical disk:
+ ```json
+ {
+ ...
+ "mounts": [
+ {
+ "host_path": "\\\\.\\PHYSICALDRIVE1",
+ "container_path": "blockdev:///my/block/mount",
+ "readonly": false
+ }
+ ]
+ ...
+ }
+ ```
+
+ Virtual VHD disk:
+ ```json
+ {
+ ...
+ "mounts": [
+ {
+ "host_path": "C:\\path\\to\\my\\disk.vhdx",
+ "container_path": "blockdev:///my/block/mount",
+ "readonly": false
+ }
+ ]
+ ...
+ }
+ ```
+
+ Mount manager will differentiate between a block device and a
+ filesystem mount. 
Two containers can use the same managed disk
+ inside UVM as a block device or filesystem at the same time.
+ For block device mount a symlink will be created, for filesystem
+ mount the block device will be mounted in the UVM.
+ ```
+ bash-5.0# ls -l /run/mounts/scsi/
+ total 16
+ drwxr-xr-x 3 root root 4096 Jan 1 1970 m0
+ drwxr-xr-x 4 root root 4096 Jun 20 23:20 m1
+ drwxr-xr-x 18 root root 4096 Jan 1 1970 m2
+ drwxr-xr-x 3 root root 4096 Jun 20 23:20 m3
+ lrwxrwxrwx 1 root root 8 Jun 20 23:22 m4 -> /dev/sde
+ bash-5.0# mount | grep sde
+ /dev/sde on /run/mounts/scsi/m3 type ext4 (rw,relatime)
+ ```
+
+ Signed-off-by: Maksim An
+
+commit e96bfcd186703633a600134d100a61ae4f173077
+Author: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+Date: Tue Jun 18 12:40:06 2024 -0700
+
+ Adding state attribute to the HNSEndpoint struct to support hyperv containers for k8s
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Adding stringer for usage and CI/CD
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Fixing build errors
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Ignore linting for files generated by Stringer
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Trying to fix CI go gen
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Removing extra step to fix CI go gen
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ go gen CI fix try 2
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Skip autogenerated file from linting
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Fixing linting
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Fixing linting
+
+ 
Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Removing stringer to avoid increasing package bloat for hcsshim
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ cleanup
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Adding comment for future HNS v2 change
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+ Fix linting
+
+ Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com>
+
+commit 66f4e4d68bd3afb15d3926f8c13c1d8803364b12
+Merge: 75311a3dd 3e6830005
+Author: Kathryn Baldauf
+Date: Sun Jun 23 16:36:56 2024 -0700
+
+ Merge pull request #2167 from katiewasnothere/kabaldau/add_back_kmod_init
+
+ Add support for loading modules in init script when makefile variable is set
+
+commit 75311a3dd1e88ed6d486b8ec365bee8556406525
+Merge: c12580828 f5f103dcc
+Author: Kathryn Baldauf
+Date: Fri Jun 21 15:55:33 2024 -0700
+
+ Merge pull request #2164 from katiewasnothere/kabaldau/host_process_unsafe_op
+
+ Disable host process containers when disable unsafe operations is enabled
+
+commit c12580828ff856adede9a64697777cbc2463428e
+Merge: 75428d123 7f60d8ffd
+Author: Kathryn Baldauf
+Date: Fri Jun 21 15:41:50 2024 -0700
+
+ Merge pull request #2181 from katiewasnothere/kabaldau/remove_nvidia_load_kmods
+
+ Remove load-kmods option to libnvidia-container
+
+commit 7f60d8ffdaf78f23b47f48c3ffe5fd9a61cc62b4
+Author: Kathryn Baldauf
+Date: Fri Jun 21 10:27:47 2024 -0700
+
+ Remove load-kmods option to libnvidia-container
+
+ 
Signed-off-by: Kathryn Baldauf
+
+commit 75428d123ada3f341e1c55e13e738a92d11cbfd6
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Tue Jun 18 13:50:26 2024 -0400
+
+ Omnibus dependency update (#2166)
+
+ Dependebot PRs:
+
+ - hcsshim/2140
+ - hcsshim/2145
+ - hcsshim/2146
+ - hcsshim/2149
+ - hcsshim/2153
+ - hcsshim/2154
+ - hcsshim/2159
+ - hcsshim/2161
+ - hcsshim/2174
+ - hcsshim/2175
+ - hcsshim/2176
+
+ Update protobuf files.
+
+ `google.golang.org/grpc v1.64.0` deprecated `Dial[Context]` and
+ `WithBlock`.
+ Replacing either is non-trivial, and left for a future PR.
+
+ Update dependabot file to ignore patch updates: they rarely provide bug
+ fixes and increase repo churn.
+
+ Signed-off-by: Hamza El-Saawy
+
+commit f5f103dcc7c1f079723e79aa56d2b33e741d9c42
+Author: Kathryn Baldauf
+Date: Mon Jun 10 16:25:39 2024 -0700
+
+ Add new annotation to disable host process containers as a child
+ annotation to DisableUnsafeOperations
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 3e6830005fd9e763e08d0db4e42067bc9716802e
+Author: Kathryn Baldauf
+Date: Mon Apr 1 16:57:41 2024 -0700
+
+ Add support for loading modules in init script when makefile variable
+ is set.
+
+ Signed-off-by: Kathryn Baldauf
+
+commit efb0296a0a369e4a1212ca165ad0652ba82d800e
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Wed Jun 12 17:13:33 2024 +0000
+
+ Bump golang.org/x/sys from 0.20.0 to 0.21.0 in /test (#2158)
+
+commit c8ec2736eb00b70ca33320bf04a7e790b26f6fa3
+Merge: 8beabacfc 472097790
+Author: Kathryn Baldauf
+Date: Tue Jun 11 13:08:14 2024 -0700
+
+ Merge pull request #2128 from katiewasnothere/kabaldau/add_devices_at_boot_time
+
+ Support passing oci devices on pod boot
+
+commit 8beabacfc2d21767a07c20f8dd5f9f3932dbf305
+Author: PRINCE PEREIRA
+Date: Tue Jun 4 21:22:05 2024 +0530
+
+ Changes for checking the global version for modify policy version support. (#2139)
+
+ 
Signed-off-by: Prince Pereira
+
+commit 472097790b59c13ed696cb896a23e991d25885a1
+Author: Kathryn Baldauf
+Date: Tue Apr 9 16:00:19 2024 -0700
+
+ Support passing oci devices on pod boot
+
+ Signed-off-by: Kathryn Baldauf
+
+commit c79a6310e6f15a893430063ca76f44dcb7711426
+Author: Debjit
+Date: Wed May 29 11:28:51 2024 -0700
+
+ OutBoundNATPolicy Schema changes (#2106)
+
+ 
Signed-off-by: Debjit Mondal
+
+commit 62b77d5a6a25a064b09814e36fe992f73ffa486f
+Merge: 63adf6a1b b271a2c5d
+Author: Kathryn Baldauf
+Date: Tue May 28 15:03:04 2024 -0700
+
+ Merge pull request #2152 from katiewasnothere/kabaldau/runhcs_use_pa_memory
+
+ Change runhcs create-scratch to use physical backed memory by default
+
+commit 63adf6a1b539409398f2f098381b7c090c454719
+Author: Maksim An
+Date: Tue May 28 14:44:20 2024 -0700
+
+ verity-boot: append hash device to rootfs (#2142)
+
+ * verity-boot: append hash device to rootfs
+
+ Turned out that dev nodes for SCSI devices may not be
+ determenistic, where the hash device and rootfs may end
+ up appearing under /dev/sda and /dev/sdb respectively.
+
+ Instead of mounting a separate hash device, append the
+ verity Merkle tree to rootfs ext4 filesystem, similarly
+ to how it's done for layer VHDs and mount single VHD.
+ Remove redundant hash device code.
+
+ The default `GuestStateFile` filename was changed to `kernel.vmgs`.
+
+ Update the IVGM kernel init to reflect the changes. 
+
+ The kernel command looks something like this:
+
+ 8250_core.nr_uarts=0 panic=-1 debug loglevel=7 root=/dev/dm-0 \
+ dm-mod.create="dmverity,,,ro,0 173768 verity \
+ 1 /dev/sda /dev/sda 4096 4096 21721 21721 sha256 \
+ 42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62 \
+ a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905" \
+ init=/startup.sh
+
+ To break this down a little further:
+
+ dm-mod.create=",,,,[table {verity_params}]"
+ table=" verity_params"
+ verity_params=" \
+ \
+ []"
+
+ With the example above we get:
+
+ name: "dmverity"
+ uuid: ""
+ minor: ""
+ flags: "ro"
+ table: 0 0 173768 verity
+ verity_params:
+ version: 1
+ data_device: /dev/sda
+ hash_device: /dev/sda
+ data_block_size: 4096
+ hash_block_size: 4096
+ num_data_blocks: 21721
+ hash_start_block: 21721
+ algorithm: "sha256"
+ root_digest: "42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62"
+ salt: "a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905"
+
+ The support for booting non-SNP UVMs with dm-verity has also been added
+ as part of this PR. A new annotation can be used to pass the `dm-mod.create`
+ parameters to kernel. The assumption that the rootfs VHD will also have Merkle
+ tree appended after ext4 filesystem still holds. The new annotation is
+ "io.microsoft.virtualmachine.lcow.dmverity-create-args" and must be used
+ in conjunction with an existing "io.microsoft.virtualmachine.lcow.dmverity-mode"
+ annotation.
+
+ Add an internal "io.microsoft.virtualmachine.console.pipe" annotation, which
+ can be used to set the serial for the UVM for debugging purposes.
+
+ Note that dm-verity boot has a dependency on `CONFIG_DM_INIT` kernel config.
+
+ ---------
+
+ 
Signed-off-by: Maksim An
+
+commit 32498a77e3db5c47172d265c1571ec578e95db3e
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Tue May 28 15:15:35 2024 -0400
+
+ [test] Update WCOW uVM and vSMB, and HostProcess functional tests (#1965)
+
+ * Initial file reorg & rename
+
+ WCOW tests can be integrated directly into existing LCOW tests as
+ subtests, after generalizing the original (LCOW-only) tests to run both
+ types of uVMs and containers.
+
+ Break the change into two:
+ (1) move (and rename) the original LCOW-only tests; and
+ (2) generalize the tests and add the WCOW components.
+
+ To simplify the diffs, this commit only includes the first process.
+ Specifically, move:
+ - `lcow_bench_test.go` to `uvm_bench_test.go`
+ - `lcow_container_test.go` to `container_test.go`
+ - `lcow_test.go` to `lcow_uvm_test.go`
+
+ Within `lcow_uvm_test.go`, combine and generalize kernel arg tests
+ (i.e., `TestLCOW_UVMNoSCSINoVPMemInitrd` and
+ `TestLCOW_UVMNoSCSISingleVPMemVHD`) to `TestLCOW_UVM_KernelArgs`.
+
+ Combine and generalize boot/time tests (e.g.,
+ `TestLCOW_TimeUVMStartVHD`, `TestLCOW_UVMStart_KernelDirect_VHD`) to
+ `TestLCOW_UVM_Boot`.
+
+ Also, since go1.21, `"github.com/Microsoft/hcsshim/internal/sync"` is no
+ longer necessary, so replace it with `"sync".OnceValue[s]`.
+
+ Signed-off-by: Hamza El-Saawy
+
+ * Export `FileBindingSupported` function
+
+ Expose `FileBindingSupported()` function from `"internal\jobcontainers"`
+ so it can be used in functional testing code.
+
+ Switch from `sync.Once` to checking for `bindfltapi.dll` during package
+ init, since the check is (relatively) cheap.
+
+ 
Signed-off-by: Hamza El-Saawy
+
+ * Add WCOW and vSMB functional tests
+
+ Un-skip and fix WCOW uVM and container tests.
+ Add WCOW:
+ - uVM benchmarks
+ - vSMB tests
+ - Host Process tests
+
+ For WCOW host process tests, add dedicated tests for setting
+ username, and verifying hostname and volume mounts.
+
+ Fix bug where removing a direct-mapped vSMB share fails.
+
+ Run (non-virtualization/uVM) functional tests within CI.
+
+ Starting Host Process containers requires SYSTEM to create a
+ process with a specified token, so use PsExec.exe (from sysutils)
+ to run tests.
+
+ Make sure container specs are created with the default working
+ directory (`C:\`), similar to how `internal\cmd` works).
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: Hamza El-Saawy
+
+commit b271a2c5dd14aaadfadafd8fc0f5f6d61f447e2a
+Author: Kathryn Baldauf
+Date: Wed May 22 13:56:35 2024 -0700
+
+ Change runhcs create-scratch to use physical backed memory by default
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 43d1ab5f87a346654b6e3061520f53a48949b23f
+Author: Maksim An
+Date: Tue May 21 13:01:28 2024 -0700
+
+ scrubbing: scrub execute process message inside the guest (#2144)
+
+ Signed-off-by: Maksim An
+
+commit 8e5438a31c954829c7c318732966cf0368907e4a
+Author: Maksim An
+Date: Thu May 16 12:02:38 2024 -0700
+
+ always scrub logs in SNP mode (#2143)
+
+ 
Signed-off-by: Maksim An
+
+commit 46ef279de8dbe80851358ab9947b333f4586ecd7
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Thu May 9 15:23:27 2024 +0000
+
+ Bump softprops/action-gh-release from 2.0.4 to 2.0.5 (#2138)
+
+commit 75dcbc4a6bc68c15efe5b563e343ea4fa2208b6c
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Tue May 7 15:08:53 2024 +0000
+
+ Bump golangci/golangci-lint-action from 5 to 6 (#2137)
+
+commit 575f7f83a743b64ea554eb6f41ea453704425641
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon May 6 18:35:49 2024 +0000
+
+ Bump google.golang.org/protobuf from 1.33.0 to 1.34.1 in /test (#2135)
+
+commit b0ae328a8afba19690235516f1d193138e348ad7
+Author: Maksim An
+Date: Mon May 6 11:07:22 2024 -0700
+
+ fix: wrong src and dst when copying vmgs/rootfs/hash device (#2125)
+
+ Signed-off-by: Maksim An
+
+commit e2b26fad26c5c4801130a0a8d88a186d5a43aa35
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon May 6 11:24:42 2024 -0400
+
+ Omnibus dependabot update (#2124)
+
+ Consolidate dependabot PRs:
+
+ - 2131
+ - 2130
+ - 2122
+ - 2120
+ - 2119
+ - 2112
+ - 2105
+ - 2093
+
+ 
Signed-off-by: Hamza El-Saawy
+
+commit ac2fd71f9742d301e3a68d5d1cc2a63be846a60a
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Wed May 1 16:02:21 2024 +0000
+
+ Bump golang.org/x/net from 0.22.0 to 0.23.0 in /test (#2111)
+
+commit 7690cc75ccc2e844e444279eaf613dcb13340e43
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Wed May 1 15:35:19 2024 +0000
+
+ Bump google.golang.org/grpc from 1.62.1 to 1.63.2 in /test (#2108)
+
+commit 81becbcf6c02116f7e43533a64d2f0e0a244d91f
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Wed May 1 15:35:09 2024 +0000
+
+ Bump golang.org/x/sync from 0.6.0 to 0.7.0 (#2101)
+
+commit 530d0f3628892c4d3bbb717930ce42118b00f146
+Author: Maksim An
+Date: Mon Apr 29 10:25:00 2024 -0700
+
+ copy rootfs and hash VHD to bundle directory for SNP (#2110)
+
+ Make sure that there's no potential race in accessing
+ rootfs.vhd and rootfs.hash.vhd when multiple SNP pods
+ are created concurrently with verity boot.
+
+ Signed-off-by: Maksim An
+
+commit adfc9c0b04c66e0db9f45094e84dcbc4604258fb
+Author: Maksim An
+Date: Mon Apr 29 09:53:19 2024 -0700
+
+ fix scsi attachment for verity boot (#2116)
+
+ When a SCSI device is added to an LCOW UVM the controllers inside
+ the guest can be reliably mapped via their corresponding GUIDs.
+ Make sure that we are adding the rootfs and corresponding rootfs
+ hash device to the correct controller 0.
+
+ 
Signed-off-by: Maksim An
+
+commit 74c8fdf8d5d099450d16b6ab182d8481df3a72cc
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Thu Apr 25 15:29:51 2024 +0000
+
+ Bump golangci/golangci-lint-action from 4 to 5 (#2118)
+
+commit 99b45823b06f03d94b054b7cf54921ce9db987f2
+Author: Maksim An
+Date: Sun Apr 21 22:07:56 2024 -0700
+
+ fix: set `ReadOnly` when unmounting LCOW mapped virtual disk (#2109)
+
+ When unmounting LCOW read-only container layers with
+ layer integrity enabled, the guest checks whether the
+ unmount request is coming for a read-only SCSI device.
+ If that's the case, GCS also attempts to clear out the
+ corresponding verity targets. Current implementation
+ omits the `ReadOnly` setting in the guest request, which
+ results in verity targets to linger even though the target
+ has been unmounted. The security policy is also unaware
+ that the layer has been unmounted, since it's enforced
+ only when `ReadOnly` is set to `true`.
+ This PR fixes this on the host side, by ensuring that
+ the `ReadOnly` is set in the guest request. It seems, though,
+ we may need to revisit the enforcement logic to potentially
+ deny unmounting a read-only layer when the host is not
+ explicitly specifies it as read-only.
+
+ Signed-off-by: Maksim An
+
+commit cc618c1d24746925bbd42a127a95e1652da9733b
+Author: Kirtana Ashok
+Date: Fri Apr 19 11:43:10 2024 -0700
+
+ Update go-winio to v0.6.2 & fix lint errors
+
+ Signed-off-by: Kirtana Ashok
+
+commit 0f7d8de9948c3ebfd45911dc55b451d8902d48b2
+Author: PRINCE PEREIRA
+Date: Mon Apr 15 08:26:12 2024 -0700
+
+ Adding support for loadbalancer policy update in hns. (#2085)
+
+ 
Signed-off-by: Prince Pereira
+
+commit f9a5c7b37ad50be3dc8eda6f2510d81db27967dd
+Author: Dominic Ayre
+Date: Fri Apr 12 04:53:18 2024 +0100
+
+ Improve dmverity-vhd -d performance (#2089)
+
+ The current implementation of dmverity-vhd -d has to make one of the
+ following tradeoffs:
+
+ Runtime: By default this option calls the docker daemon to fetch the
+ entire image for each layer as it doesn't provide an endpoint to get
+ a specific layer
+ Memory: The user can include a -b option that makes this call buffered,
+ keeping the image in memory the whole time, this is much faster but
+ at the cost of keeping the whole image in memory, which is a problem
+ with runners with low memory
+
+ #2086 Proposed a new tradeoff of disk space, by saving the image to
+ disk and accessing the layers locally, this is a problem for runners with
+ smaller disks as the image is stored twice.
+
+ This solution makes a single request to the docker daemon, and
+ processes both the layer hashes and the manifest to assign layer
+ numbers in a single pass, making it performant in all three aspects.
+
+ ---------
+
+ Signed-off-by: Dominic Ayre
+ Signed-off-by: Dominic Ayre
+
+commit c09ae9d05abe69d3ad4d957547a46143652d8fa0
+Author: Maksim An
+Date: Thu Apr 11 10:43:59 2024 -0700
+
+ split existing Makefile (#2096)
+
+ The existing Makefile grew pretty large and now has a few
+ additional dependencies like python and crypto for SNP targets.
+
+ The idea behind the split is that the new Makefile.bootfiles
+ can be used to create Linux boot files and it depends only
+ on `delta*.tar.gz`. This is useful in e.g. multi staged build
+ process, where `delta*.tar.gz` artifacts can be produced
+ separately from the final boot files. Since the delta can be
+ applied to any base image, the build job that does it, wouldn't
+ need go runtime or C compiler.
+
+ 
Signed-off-by: Maksim An
+
+commit fd6185a54cf8f82c8435506c25a9af290d01d610
+Merge: 0db3bffb7 3ad4d7e87
+Author: Kathryn Baldauf
+Date: Wed Apr 10 11:18:36 2024 -0700
+
+ Merge pull request #2104 from katiewasnothere/kabaldau/fully_physically_backed
+
+ Remove requirement on initrd for fully physically backed UVM
+
+commit 3ad4d7e879b3326dc9b6d65fb963da2dcf6b35e1
+Author: Kathryn Baldauf
+Date: Mon Apr 8 14:33:44 2024 -0700
+
+ Remove requirement on initrd for fully physically backed UVM
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 0db3bffb783a391436c3bd01158280cee2ab4966
+Merge: c248e5166 6ed2b432f
+Author: Kathryn Baldauf
+Date: Wed Apr 10 10:20:01 2024 -0700
+
+ Merge pull request #2097 from katiewasnothere/kabaldau/remove_gpu_no_cgroups
+
+ Remove no-cgroups option in gpu code path
+
+commit c248e516653406d3be399a48dd8bc012f0ac3f09
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Apr 8 15:36:53 2024 +0000
+
+ Bump golang.org/x/sync from 0.6.0 to 0.7.0 in /test
+
+ Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.6.0 to 0.7.0.
+ - [Commits](https://github.com/golang/sync/compare/v0.6.0...v0.7.0)
+
+ ---
+ updated-dependencies:
+ - dependency-name: golang.org/x/sync
+ dependency-type: direct:production
+ update-type: version-update:semver-minor
+ ...
+
+ Signed-off-by: dependabot[bot]
+
+commit 38d960de25660592f662bbcc4f64d847030b2ae4
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Apr 8 15:07:16 2024 +0000
+
+ Bump golang.org/x/sys from 0.18.0 to 0.19.0 in /test
+
+ Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.18.0 to 0.19.0.
+ - [Commits](https://github.com/golang/sys/compare/v0.18.0...v0.19.0)
+
+ ---
+ updated-dependencies:
+ - dependency-name: golang.org/x/sys
+ dependency-type: direct:production
+ update-type: version-update:semver-minor
+ ...
+
+ 
Signed-off-by: dependabot[bot]
+
+commit ad99b71729099afead68cff33527f2264244dc24
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Thu Mar 28 20:52:38 2024 +0000
+
+ Bump github.com/google/go-containerregistry from 0.19.0 to 0.19.1
+
+ Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.19.0 to 0.19.1.
+ - [Release notes](https://github.com/google/go-containerregistry/releases)
+ - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
+ - [Commits](https://github.com/google/go-containerregistry/compare/v0.19.0...v0.19.1)
+
+ ---
+ updated-dependencies:
+ - dependency-name: github.com/google/go-containerregistry
+ dependency-type: direct:production
+ update-type: version-update:semver-patch
+ ...
+
+ Signed-off-by: dependabot[bot]
+
+commit 0272d9bf9f88eff1d7a1ce6e573e7162d5e48910
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Thu Mar 28 20:53:40 2024 +0000
+
+ Bump github.com/opencontainers/image-spec in /test
+
+ Bumps [github.com/opencontainers/image-spec](https://github.com/opencontainers/image-spec) from 1.1.0-rc3 to 1.1.0.
+ - [Release notes](https://github.com/opencontainers/image-spec/releases)
+ - [Changelog](https://github.com/opencontainers/image-spec/blob/main/RELEASES.md)
+ - [Commits](https://github.com/opencontainers/image-spec/compare/v1.1.0-rc3...v1.1.0)
+
+ ---
+ updated-dependencies:
+ - dependency-name: github.com/opencontainers/image-spec
+ dependency-type: direct:production
+ update-type: version-update:semver-patch
+ ...
+
+ 
Signed-off-by: dependabot[bot]
+
+commit f0b44766d98c93b55ddc0e56286460ab044d87aa
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Sun Mar 31 03:34:23 2024 +0000
+
+ Bump github.com/urfave/cli/v2 from 2.25.7 to 2.27.1 in /test
+
+ Bumps [github.com/urfave/cli/v2](https://github.com/urfave/cli) from 2.25.7 to 2.27.1.
+ - [Release notes](https://github.com/urfave/cli/releases)
+ - [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
+ - [Commits](https://github.com/urfave/cli/compare/v2.25.7...v2.27.1)
+
+ ---
+ updated-dependencies:
+ - dependency-name: github.com/urfave/cli/v2
+ dependency-type: direct:production
+ update-type: version-update:semver-minor
+ ...
+
+ Signed-off-by: dependabot[bot]
+
+commit 6ed2b432f4c56e60690a99bcb37a4fe30c3cd5dc
+Author: Kathryn Baldauf
+Date: Wed Apr 3 17:40:28 2024 -0700
+
+ Remove no-cgroups option in gpu code path
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 42671b424b99461eb3dde4ed44f6f123092f656d
+Author: Maksim An
+Date: Tue Apr 2 10:38:35 2024 -0700
+
+ Update `JOB_OBJECT_ALL_ACCESS` and `OpenJobObject` (#2095)
+
+ Update `JOB_OBJECT_ALL_ACCESS` value to the most recent one.
+ Update `winapi.OpenJobObject` to accept `inheritHandle` as
+ `bool`. The underlying syscall stays the same, but this allows
+ cleaner calls from go's perspective as it avoids `bool` to `uint32`
+ casting.
+
+ Signed-off-by: Maksim An
+
+commit 71270a3d0e911941a24c419df4cc197a9ada0930
+Merge: 7df3b5fa9 d73645396
+Author: Kathryn Baldauf
+Date: Mon Apr 1 13:21:06 2024 -0700
+
+ Merge pull request #2091 from katiewasnothere/kabaldau/revert_init_kmod
+
+ Revert "Use kmod library to load modules"
+
+commit d73645396e31feedd11e029f2005a3d971c7c13e
+Author: Kathryn Baldauf
+Date: Fri Mar 29 16:10:17 2024 -0700
+
+ Revert "Use kmod library to load modules"
+
+ This reverts commit 8c5f531c3502ed836f94b29b4fc0876c8f5e3be6.
+
+ 
Signed-off-by: Kathryn Baldauf
+
+commit 7df3b5fa9e2b4d760d8fc60835299ac83712ea8f
+Author: Maksim An
+Date: Fri Mar 29 09:18:25 2024 -0700
+
+ gh-actions: prevent publishing release automatically (#2090)
+
+ The release Github action will automatically publish
+ a release for each non-rc tag in a form `v*`, which is
+ not desired. This may lead to accidents like described in https://github.com/microsoft/hcsshim/issues/2084
+
+ Change the release action to instead create draft
+ releases, regardles of the tag being final or RC.
+
+ It will be up to the maintainers to decide when to
+ publish an official release.
+
+ Signed-off-by: Maksim An
+
+commit 95b3c28b981c22025336edb1be401e9fad8440c4
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Thu Mar 28 16:51:26 2024 -0400
+
+ Omnibus dependency update (#2088)
+
+ * Omnibus dependency updates
+
+ - github.com/microsoft/hcsshim/pull/2087
+ - github.com/microsoft/hcsshim/pull/2073
+ - github.com/microsoft/hcsshim/pull/2072
+ - github.com/microsoft/hcsshim/pull/2071
+ - github.com/microsoft/hcsshim/pull/2064
+ - github.com/microsoft/hcsshim/pull/2063
+ - github.com/microsoft/hcsshim/pull/2062
+ - github.com/microsoft/hcsshim/pull/2061
+ - github.com/microsoft/hcsshim/pull/2058
+ - github.com/microsoft/hcsshim/pull/2057
+
+ Signed-off-by: Hamza El-Saawy
+
+ * update protofiles
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ 
Signed-off-by: Hamza El-Saawy
+
+commit 1d406d0eac5573287ba7b46a04a58275410137ac
+Merge: 3f5931a23 e0c52cd23
+Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
+Date: Tue Mar 26 14:59:26 2024 -0700
+
+ Merge pull request #2029 from ambarve/layer_refactor
+
+ Refactor layer management code.
+
+commit e0c52cd23b414706ac630ce3d4c9651c3e74c146
+Author: Amit Barve
+Date: Fri Mar 1 01:59:33 2024 -0800
+
+ Remove unused CimFS related code
+
+ CimFS is currently not supported with HyperV isolation. However, we still have code that
+ handles processing of UtilityVM layer during image import. After the layer refactoring
+ change we need to update this code as well. But since this code isn't being used anywhere
+ updating it doesn't make much sense. There are no tests for this either. This code is
+ removed for now and we can add it back later once the plan for running HyperV isolated
+ containers with CimFS is more solid.
+
+ Signed-off-by: Amit Barve
+
+commit 5abf55c8119d77bbd6afd867ee8039ee3aadde18
+Author: Amit Barve
+Date: Tue Feb 27 10:41:33 2024 -0800
+
+ Refactor layer writer interface
+
+ Current layer writer interface forces us to calculate the CIM path from the layer path by
+ making assumptions about CIM storage. This isn't a very good approach, better way is to be
+ explicit about what information the layer writer needs from containerd. This change
+ updates the CIM layer writer to take in layer CIM & parent CIM paths as inputs. This also
+ means a corresponding changes needs to be made in containerd.
+
+ Signed-off-by: Amit Barve
+
+commit 00ca088f41b4de5d438d3d0ab7bdfbb948e44024
+Author: Amit Barve
+Date: Tue Feb 27 09:59:54 2024 -0800
+
+ Refactor layer mount functions
+
+ This commit uses the newly added WCOW layer parsers and the new type for representing
+ mounted WCOW layers. LCOW functions are also moved around (and renamed) to follow similar
+ style as that of WCOW functions.
+
+ 
Signed-off-by: Amit Barve
+
+commit 49ada2e138adc6e43dfc9b9c672daf0b8d457af4
+Author: Amit Barve
+Date: Tue Feb 27 09:47:28 2024 -0800
+
+ Add WCOW RootFS Mount parsers
+
+ Adds a set of functions that can parse layers or rootfs mounts provided by containerd into
+ structs that can be later used for mounting layers. Primary purpose of this change is to
+ remove restriction of always representing layers as an array of strings.
+
+ Signed-off-by: Amit Barve
+
+commit 47a65a15819fb13236d780ec057f77eaddc8f367
+Author: Amit Barve
+Date: Tue Jan 30 14:39:52 2024 -0800
+
+ Move LCOW & WCOW layer management functions to their own file
+
+ As we refactor the layer management code, it is easier to keep LCOW & WCOW layer management code
+ in their own separate files.
+
+ Signed-off-by: Amit Barve
+
+commit 3f5931a2319947029673ed615d23dfb0be401f53
+Author: Maksim An
+Date: Mon Mar 25 09:53:46 2024 -0700
+
+ devicemapper: add `EBUSY` to the retriable errors (#2069)
+
+ Testing revealed that creating device mapper targets sometimes
+ yields `device or resource busy` error (`EBUSY`). Add it to
+ the list of retriable errors and consolidate them into a single
+ slice.
+
+ Add unit tests for `CreateDeviceWithRetryError`.
+
+ Signed-off-by: Maksim An
+
+commit 3eeba905b4e0a408b372e3de326f00c70bdb442a
+Author: Maksim An
+Date: Fri Mar 22 16:27:19 2024 -0700
+
+ fix: move permissions to the correct job (#2080)
+
+ The permissions block should be under `create_release` job, rather
+ than `build`.
+
+ Signed-off-by: Maksim An
+
+commit a58b41457cca7c4f08f489e15ca1768ebfd84df5
+Author: Heather Garvison
+Date: Fri Mar 22 17:07:14 2024 -0400
+
+ Updating permissions and github release action versions (#2078)
+
+ 
Signed-off-by: Heather Garvison + +commit 4c5bf0d0436ddf023f2dabee361dcf6b069b9fae +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Mar 22 14:18:30 2024 -0400 + + Remove musl references (#2077) + + `libkmod` relies of `libc`, which means we no longer can build with + `musl`. + Remove reference to it. + + Signed-off-by: Hamza El-Saawy + +commit def0c29dd6d8be0c70a820e08ebe7eefaaf557a2 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Mar 21 15:05:55 2024 -0400 + + Use errors.As() (#2074) + + Signed-off-by: Hamza El-Saawy + +commit df34d1dc7c6b7dd49676869b021eb49047b25ecf +Merge: 6be41bcae 8c5f531c3 +Author: Kathryn Baldauf +Date: Wed Mar 20 13:46:13 2024 -0700 + + Merge pull request #2034 from katiewasnothere/kabaldau/kmod_load_modules_init + + Use kmod library to load modules in init script + +commit 6be41bcaed8d2dec828cf5c52ad05672c00c7828 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Mar 18 16:25:47 2024 -0400 + + Add hvsock service config annotation (#2056) + + Allow specifying the hyper-v configuration for specific service GUIDs + via an annotation to allow dedicated hvsocket communication from the + host to the guest + + Signed-off-by: Hamza El-Saawy + +commit 8c5f531c3502ed836f94b29b4fc0876c8f5e3be6 +Author: Kathryn Baldauf +Date: Wed Feb 7 15:39:24 2024 -0800 + + Use kmod library to load modules + - Update Makefile to use libkmod when building init and remove static compilation + + Signed-off-by: Kathryn Baldauf + +commit 02a899c7693a7783d3a5c2896452f493eddb9b3f +Merge: 7e32690db 3d466f91e +Author: Kathryn Baldauf +Date: Wed Mar 13 10:46:03 2024 -0700 + + Merge pull request #2040 from katiewasnothere/kabaldau/retry_find_dev_nodes + + Add the ability to retry when looking for hot added device nodes + +commit 7e32690dbfec42c476c0d0cbe6d6a9535a8c6c0e +Author: Maksim An +Date: Mon Mar 11 20:18:07 2024 -0700 + + upgrade open policy agent (#2059) + + 
Signed-off-by: Maksim An + +commit c91d82d2e8c5cad1034f17712391e0c76281e5aa +Author: Kirtana Ashok +Date: Tue Feb 13 19:46:01 2024 -0800 + + Add spans and drop large size high volume trace logs + + 
Signed-off-by: Kirtana Ashok + +commit 523fe7ba243047588b93cc5734669a3962be8899 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Mar 7 15:54:14 2024 -0500 + + Functional test housekeeping (#1964) + + Remove unused/legacy functional test flags/environment variables. + + Unify [TestMain] control flow, so there is only one exit call, and + `defer` is used to run cleanup after the tests are run. + + Standardize UVM `default[L|W]COWOptions` to accept a context, and add + context parameter to `namespacedContext` + + Remove all build tags aside from `functional`, since features are used + to select the tests to run. This standardizes the functional tests with + the cri-containerd tests, even though the feature names themselves are + different. + + Add `test/pkg/uvm.CreateWCOW` function to mirror `CreateLCOW`, and add + `Create` and `CreateAndStart` functions that pick LCOW or WCOW based on + the options provided. + + Have uVM scratch and image layers be created under a dedicated and + persisted folder within `%TEMP%` that is excluded from Windows defender. + (The folder will be removed during OS restart, regardless of contents.) + + Remove copied OCI spec options from `test/internal/oci`, add new + options for creating HostProcess containers. + + Add a `internal\sync.OnceValue`(`Ctx`) function that mirrors + `sync.OnceValues` (introduced in go1.21) to have a type-safe `Once` + function. + + Check that required privileges are held (only once) when unpacking + Windows layers. + + Fix LCOW tests in `lcow_test.go` that were setting `KernelDirect` + without also updating `KernelFile`. + + Add `util.Context` function to create context that times out before test + timeout, to help with timing issues and allow time for cleanup and + logging. + + Rename `cri_util` to `criutil`, since underscores are frowned upon in + package names. 
+ Add a `test` prefix to `github.com/Microsoft/hcsshim/test/pkg/*` and + `github.com/Microsoft/hcsshim/test/internal/*` imports to be consistent + across all `test/functional/*` files. + + Signed-off-by: Hamza El-Saawy + +commit 3d466f91ecd9693cc733a4ec3fb0e105ec4e3063 +Author: Kathryn Baldauf +Date: Mon Feb 26 14:22:27 2024 -0800 + + Add the ability to retry when looking for hot added device nodes + + Signed-off-by: Kathryn Baldauf + +commit 67393b5dbf3e5ba34ca4f308183b3845dc099bbb +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Mar 6 13:58:22 2024 -0500 + + Update pre-go1.21 code (#2054) + + Signed-off-by: Hamza El-Saawy + +commit f317473b553f091ffa8259ca29b47ed77086aaa4 +Merge: 060de7cb9 6428d3dfe +Author: Kevin Parsons +Date: Tue Mar 5 13:19:08 2024 -0600 + + Merge pull request #2052 from qmuntal/fixalign + + fix SILOOBJECT_BASIC_INFORMATION alignment + +commit 6428d3dfe30097fcd1e03d969847be34e27f4b86 +Author: qmuntal +Date: Tue Mar 5 17:17:24 2024 +0100 + + mobve SILOOBJECT_BASIC_INFORMATION to winapi + + Signed-off-by: qmuntal + +commit f5066241551896b7e89690b7bc22ebc6ce42afa2 +Author: qmuntal +Date: Tue Mar 5 17:04:03 2024 +0100 + + fix SILOOBJECT_BASIC_INFORMATION alignment + + Signed-off-by: qmuntal + +commit 060de7cb9b4a420e824c50b299bf608cdda50ea6 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Mar 5 10:58:41 2024 -0500 + + Omnibus dependency updates (#2051) + + Consolidate dependabot updates: + - github.com/microsoft/hcsshim/pull/2050 + - github.com/microsoft/hcsshim/pull/2048 + - github.com/microsoft/hcsshim/pull/2047 + - github.com/microsoft/hcsshim/pull/2046 + - github.com/microsoft/hcsshim/pull/2045 + - github.com/microsoft/hcsshim/pull/2044 + - github.com/microsoft/hcsshim/pull/2043 + - github.com/microsoft/hcsshim/pull/2042 + + 
Signed-off-by: Hamza El-Saawy + +commit fe8c673755dff71acc0e697feea129a149fa0055 (tag: v0.12.0) +Author: Maksim An +Date: Tue Feb 27 18:50:03 2024 -0800 + + update `newBinaryCmd` URL path handling (#2041) + + Signed-off-by: Maksim An + +commit 85086d759bed5fab0f539ba169d566489e733d98 +Author: Kirtana Ashok +Date: Wed Feb 21 13:41:56 2024 -0800 + + Upgrade to go1.21 + fix lint errors + + Signed-off-by: Kirtana Ashok + +commit 8039310a9c449836ba496082536d9f503ee7ba9b +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Feb 26 17:51:50 2024 -0500 + + [deps] Omni-bus dependency update (#2039) + + * [deps] Omni-bus dependency update + + Signed-off-by: Hamza El-Saawy + + * upgrade containerd to see if tests pass + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: Hamza El-Saawy + +commit 7458e588af85def50ec522a8930ab604af4fd9d4 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Feb 20 13:56:17 2024 -0500 + + Update Cmd IO handling (#1937) + + Update `Cmd.Wait` to return a known error value if it times out waiting + on IO copy after the command exits (and update `TestCmdStuckIo` to check + for that error). + Prior, the test checked for an `io.ErrClosedPipe`, which: + 1. is not the best indicator that IO is stuck; and + 2. is now ignored as an error value raised during IO relay. + + Update `stuckIOProcess` logic in `cmd_test.go` to mirror logic in + `interal/exec.Exec`, using `os.Pipe` for std io that returns an `io.EOF` + (instead of `io.Pipe`, which does not). + + 
Signed-off-by: Hamza El-Saawy + +commit 5f9910ae0c4584fa694e27228e34d2ba9cf88e6e +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Feb 15 17:14:16 2024 -0500 + + Fix CodeQL pipeline failure (#2032) + + CodeQL Analyze job fails with:`Resource not accessible by integration`, + and logs show the following help: + + This run of the CodeQL Action does not have permission to access Code + Scanning API endpoints. + As a result, it will not be opted into any experimental features. + This could be because the Action is running on a pull request from a fork. + If not, please ensure the Action has the 'security-events: write' permission. + Details: Resource not accessible by integration + + Add `security-events: write`, along with default `contents` and + `packages` read permissions. + + Signed-off-by: Hamza El-Saawy + +commit c56a09c57629f8545b80a95a43b8b25f56c05f80 +Merge: c767380d6 bbbf09216 +Author: Yuanyuan Lei +Date: Thu Feb 15 10:24:13 2024 -0800 + + Merge pull request #1998 from yyatmsft/removeInternalTests2 + + Removing internal tests from hcsshim's cri-containerd tests + +commit c767380d69409110fc7d429cc0e08a3518767df4 +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Thu Feb 15 10:21:15 2024 -0800 + + Don't create container scratch per base layer (#2002) + + For WCIFS based layers, a container scratch base VHD (and a differencing VHD) both are created per unique base + layer. However, with UnionFS we + don't add any reparse points and the VHD is empty, so we don't need to create a VHD per unique base layer. Now + the CimFS snapshotter will handle container scratch VHD creation and the LayerWriter will only create the VHD + for the UtilityVM. (The UtilityVM VHD still needs to be created per unique base layer since the BCD of that + layer is configured to boot from the UtilityVM VHD and the BCD is unique per image) + + 
Signed-off-by: Amit Barve + +commit 23e90564c20537f3bf04b5933a9b8b72c660aa6a +Author: Maksim An +Date: Thu Feb 15 09:28:17 2024 -0800 + + tests: update docker images. (#2012) + + Update docker image hashes to satisfy compliance requirements. + + The images have been rebuilt. + + Signed-off-by: Maksim An + +commit bbbf09216f9ee50813104d8814d5ad4e64bd2385 +Author: Yuanyuan Lei +Date: Wed Feb 14 17:23:01 2024 -0800 + + remove blanks + +commit 40f4a9104046c324c5899ac34330431599de5846 +Merge: ab6e48bfa 32b760c6d +Author: Kathryn Baldauf +Date: Wed Feb 14 14:47:12 2024 -0800 + + Merge pull request #2003 from katiewasnothere/kabaldau/assigned_devices_return_multi + + Allow mounting multiple dev nodes per assigned device + +commit 32b760c6dbdae98896f7541100bafe75a1529bb5 +Author: Kathryn Baldauf +Date: Fri Jan 19 17:17:06 2024 -0800 + + update code for assigned devices to allow mounting multiple dev nodes corresponding to device + + Signed-off-by: Kathryn Baldauf + +commit ab6e48bfae1efa56367a5cc085ad059afce42933 +Merge: b09fc1038 5eb195256 +Author: Kevin Parsons +Date: Mon Feb 12 11:09:58 2024 -0600 + + Merge pull request #2021 from kevpar/jc-fix + + internal/exec: Fix stdio pipe problems + +commit b09fc1038ac887465a64ca976c64dbb26f4d3644 +Merge: 9aabef846 b62535cdf +Author: Kevin Parsons +Date: Mon Feb 12 11:09:23 2024 -0600 + + Merge pull request #2023 from kevpar/revert-io-exp + + Revert "gcs: Support routing container stdio to sidecar" + +commit b62535cdfb5ba21b4a322fc531520fe28e389180 +Author: Kevin Parsons +Date: Thu Feb 8 17:09:22 2024 -0800 + + Revert "gcs: Support routing container stdio to sidecar" + + This reverts commit b1b07686425bd7e4594f46a153aa84bf224acf66. + + This work was done as an experiment, and is no longer being used. + + 
Signed-off-by: Kevin Parsons + +commit 9aabef846e62bec65fc7974dd98f342a5a80e433 +Merge: 5921abb65 976716ed6 +Author: Kevin Parsons +Date: Thu Feb 8 17:07:22 2024 -0600 + + Merge pull request #2020 from kevpar/jc-leak + + Fix process handle leak when launching a job container + +commit 5921abb65dd00751cbcbd40106144fa63cd1e223 +Author: Seth Hollandsworth +Date: Thu Feb 8 13:17:38 2024 -0500 + + adding option of using buffered image reader for faster dmverity hashing (#2013) + + Signed-off-by: Seth Hollandsworth + +commit 976716ed6294e3a641d80196dcb08ac5eefd4091 +Author: Kevin Parsons +Date: Wed Feb 7 08:08:19 2024 -0800 + + Fix process handle leak when launching a job container + + CreateProcess gives us back a handle to the newly created process. + Previously, we ignored this handle, which meant it was leaking every + time we created a new job container (or anything else that uses + internal/exec in the future). + + Process handle leaks can be bad as an exited process is left as a + "zombie" until all handles to it have closed, continuing to use memory. + + Fix this by closing the handle from CreateProcess. + + 
Signed-off-by: Kevin Parsons + +commit 5eb1952569fae966877a8c0828a9b82a17aca2d1 +Author: Kevin Parsons +Date: Tue Feb 6 17:36:20 2024 -0800 + + internal/exec: Fix stdio pipe problems + + exec today has two problems with how it handles stdio pipes: + + - When Wait completes, closeStdio() is called. + This closes the parent-side stdio pipes for receiving IO from the + process. This is a problem because once the process has completed, we + still need to be able to receive any final output. Today data from the + process could be lost because of this. + - The parent's handles to the child-side stdio pipes are not closed + after starting the process. Leaving duplicates of these handles in the + parent process means that the other ends of the pipes are never closed + when the process exits. + + This commit makes the following changes: + + - The parent's handles to the child-side stdio pipes are now closed + after the child is started. This is necessary so that once the child + exits, the parent-side pipes will return EOF once the remaining output + drains. + - When Wait completes, the parent-side stdio pipes are not closed. The + responsibility for this is now left to the client of the exec package. + Currently the only user of exec is jobcontainers.JobProcess, which + closes handles these when Close is called. + + Additionally, the ProcThreadAttributeList is now allocated and used only + in Start. Previously it was saved on the Exec object, even though it was + not needed elsewhere. This makes the code cleaner, simplifies the Wait + logic, and eliminates the chance of leaking memory if an Exec object + is GC'd without being Wait'd. + + 
Signed-off-by: Kevin Parsons + +commit 788484094c585bf860986f42ccdb4ad5c1f59aa1 +Author: Yuanyuan Lei +Date: Mon Feb 5 10:19:56 2024 -0800 + + removed unused file and code + +commit ede135266b523bddd720cecd5a738b9e5296244a +Merge: 0c34909cc b0d91fb30 +Author: Yuanyuan Lei +Date: Fri Feb 2 16:50:27 2024 -0800 + + Merge branch 'mainshim_main' into removeInternalTests2 + +commit 0c34909ccdea3a8b2577100f65591f2a9f07d241 +Author: Yuanyuan Lei +Date: Fri Feb 2 16:44:12 2024 -0800 + + Addressed comments + +commit b0d91fb30c4f8cc812d9e78d2fedd54c983c343a (tag: v0.12.0-rc.3) +Author: Kirtana Ashok +Date: Wed Jan 31 16:54:25 2024 -0800 + + Switch to using new errdefs repo + + Signed-off-by: Kirtana Ashok + +commit a1319d51465c4503b30625df5bb45291d7a4600b +Merge: d4494c785 4283479a5 +Author: Kathryn Baldauf +Date: Tue Jan 30 19:24:45 2024 -0800 + + Merge pull request #1999 from microsoft/kabaldau/nvidia_log_files + + Update nvidia hook log file paths to use container bundle path as base dir + +commit d4494c78561b9ff7738d51856847ce43d1bf515b +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Thu Jan 25 14:10:11 2024 -0800 + + Add CodeQL suppression for tar extraction code (#2006) + + CodeQL is generating a warning for tar extraction code suggesting that the tar file entries are used in an + unsanitized way and that could lead to file system traversal attacks. However, during tar extraction all the + files are written to the disk using the `internal/safefile` package which ensures all the filesystem + operations during layer extraction happen under the layer root directory. So this warning can be safely + suppressed. + + Signed-off-by: Amit Barve + +commit 4283479a53be6d6a3f84caf224213f1e33c147a1 +Author: Kathryn Baldauf +Date: Wed Jan 3 14:06:41 2024 -0800 + + Update nvidia hook log file paths to use container bundle path as base dir + + 
Signed-off-by: Kathryn Baldauf + +commit c25f9030b8f42dd13a67b183cab96dc352bda611 +Author: Yuanyuan Lei +Date: Sat Dec 30 01:16:24 2023 -0800 + + minor fixes + +commit f30bade7f82da6b97267ac89ff1d501f37b18418 +Author: Yuanyuan Lei +Date: Sat Dec 30 01:07:25 2023 -0800 + + removed lcow tests + +commit 0285b8b2bff391202ef0918b423509efea76bb89 +Author: Maksim An +Date: Thu Dec 28 09:29:25 2023 -0800 + + tests: update test images used for cri-containerd tests (#1991) + + Signed-off-by: Maksim An + +commit 4fd5f02bee35b4f1d7488d8fe801fea7b18f2c01 +Author: Joe Powell <56188788+darracott@users.noreply.github.com> +Date: Thu Dec 28 17:13:43 2023 +0000 + + SNP Direct DM-Verity Boot (#1952) + + * Working DM-Verity boot using 5..15 kernel + + Signed-off-by: Ken Gordon + Signed-off-by: Joe Powell + + * Working to boot 6.1 or 5.15 kernels with vhd supplied userland and merkle tree. + + Signed-off-by: Ken Gordon + Signed-off-by: Joe Powell + + * PR https://github.com/microsoft/hcsshim/pull/1886 changes which are required or gcs cannot start on 6.1 + + Signed-off-by: Ken Gordon + Signed-off-by: Joe Powell + + * Use "modern" igvm tooling from github repo. + + Signed-off-by: Ken Gordon + Signed-off-by: Joe Powell + + * Clean up Makefile + + Signed-off-by: Joe Powell + + * Add boot doc + + Signed-off-by: Joe Powell + + * Remove startup_2 as it is now redundant + + Signed-off-by: Joe Powell + + * Tidying + + Signed-off-by: Joe Powell + + * print opts + + Signed-off-by: Joe Powell + + * debug + + Signed-off-by: Joe Powell + + * debug + + Signed-off-by: Joe Powell + + * Remove extra err + + Signed-off-by: Joe Powell + + * Rm fmt + + Signed-off-by: Joe Powell + + * Clean up startups + + Signed-off-by: Joe Powell + + * Kick CI + + Signed-off-by: Joe Powell + + * Add HvSock port annotation + + Signed-off-by: Joe Powell + + * Clean up merge + + Signed-off-by: Joe Powell + + * Mark ups pre-rebasing + + Signed-off-by: Joe Powell + + * gofmt + + 
Signed-off-by: Joe Powell + + * More concise Makefile snp target + + Signed-off-by: Joe Powell + + * Apply nits + + Signed-off-by: Joe Powell + + --------- + + Signed-off-by: Ken Gordon + Signed-off-by: Joe Powell + Co-authored-by: Ken Gordon + +commit 6901c20d697451893f847dc1d76949e999f054fe (tag: v0.12.0-rc.2) +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Wed Dec 20 08:17:29 2023 -0800 + + Minor CimFS bug fixes (#1980) + + * Minor fixes for cimfs writer + + Adds minor fixes like updating the Windows build which supports CimFS, using safefile for creating directories in CimFS writer etc. + + + * Always expand volume when expanding sandbox VHD + + Currently, ExpandScratchSize or ExpandSandboxSize functions expand the VHD itself but don't expand the volume + on that VHD (unless we are on 19H1 & build < 19020). This works because for legacy layers the PrepareLayer + call made just before starting the container will automatically expand the volume to match the size of the + VHD. However, in case of CimFS layers we don't call PrepareLayer at all, so in that case we need to expand the + volume at the time of expanding the VHD. + + This also means in case of legacy layers, we might have a small perf hit because the VHD is mounted twice for + expansion (once here and once during the PrepareLayer call). But as long as the perf hit is minimal, we should + be okay. + + Signed-off-by: Amit Barve + +commit c59eb6936378de5da0ff35fc15f4c4d7304f2616 +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Mon Dec 18 09:42:05 2023 -0800 + + Use CimFS layers for Process isolated WCOW (#1971) + + 
Signed-off-by: Amit Barve + +commit 0bb445eba15130b20be3a26484367533896a1f43 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Dec 18 11:09:50 2023 -0500 + + Bump actions/download-artifact from 3 to 4 (#1984) + + Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4. + - [Release notes](https://github.com/actions/download-artifact/releases) + - [Commits](https://github.com/actions/download-artifact/compare/v3...v4) + + --- + updated-dependencies: + - dependency-name: actions/download-artifact + dependency-type: direct:production + update-type: version-update:semver-major + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit ab53ed9282498833afe95666373ff1cf83472759 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Dec 18 11:06:57 2023 -0500 + + Bump github/codeql-action from 2 to 3 (#1983) + + Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. + - [Release notes](https://github.com/github/codeql-action/releases) + - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) + - [Commits](https://github.com/github/codeql-action/compare/v2...v3) + + --- + updated-dependencies: + - dependency-name: github/codeql-action + dependency-type: direct:production + update-type: version-update:semver-major + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 8f2121683a59459ee581ad0a6db41a433f0ea952 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Dec 18 11:06:37 2023 -0500 + + Bump actions/upload-artifact from 3 to 4 (#1985) + + Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. + - [Release notes](https://github.com/actions/upload-artifact/releases) + - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) + + --- + updated-dependencies: + - dependency-name: actions/upload-artifact + dependency-type: direct:production + update-type: version-update:semver-major + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 7ec8848592cbf11ee7305bca8a52604dbf887053 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Dec 11 13:57:32 2023 -0500 + + Lint common error wrapping issues, update README (#1969) + + * Lint common error wrapping issues, update README + + Enable `errorlint` to catch common issues with wrapping and testing for errors. + + Wherever possible, switched to using `errors.Is` and `errors.As`. + Exceptions: + - function is defined in the same package and explicitly returns a + know error variable + - returns from functions in `io`, `binary`, `context`, `syscall`, + `golang.org/x/sys/windows`, or `golang.org/x/sys/unix` that are + (relatively) stable in error return value and type + - conversion would interact with with `github.com/pkg/errors` + - conversion would be non-trivial and require additional + testing/validation + - specifically, legacy code in `runhcs` and the root of the repo + + Rename `context` to `ctx` in `pkg\go-runhcs\*.go` to avoid + overshadowing `context` package. + + Update `README.md`: + - run markdown formatter (spaces around code blocks and headers, raw link URLS) + - add section on linter and go generate (similar to go-winio's) + + Signed-off-by: Hamza El-Saawy + + * PR: hcserrors(+tests), README + + Signed-off-by: Hamza El-Saawy + + --------- + + 
Signed-off-by: Hamza El-Saawy + +commit 9fb788158b3588a1c97071f3b81fc7707f4254cd +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Dec 7 09:56:27 2023 -0500 + + Bump actions/setup-go from 4 to 5 (#1978) + + Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5. + - [Release notes](https://github.com/actions/setup-go/releases) + - [Commits](https://github.com/actions/setup-go/compare/v4...v5) + + --- + updated-dependencies: + - dependency-name: actions/setup-go + dependency-type: direct:production + update-type: version-update:semver-major + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit cff5c86900cd630ba8bcbfcf0f4b642c9a83d63c +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Dec 6 11:01:56 2023 -0500 + + [test] Update manifest; go generate (#1919) + + Update description in manifest used for `test/` binaries. + + Add `test/tools.go` (similar to `tools/tools.go`), to track + `goversioninfo` command. + + Update `.github/workflows/ci.yml` to run `go generate` from within + `test/`. + + 
Signed-off-by: Hamza El-Saawy + +commit 04f386f4435049b1b32106c6b652ddfef1f505b7 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Dec 5 16:16:16 2023 -0500 + + Remove vSMB uses the wrong hostPath for file shares (#1974) + + When attaching a file, `foo/bar`, `uvm.AddVSMB` adds the `VSMBShare`to + `uvm.vsmbFileShares` as `foo/`, and then also sets `VSMBShare.HostPath` + to `foo/`. + So, when `(*VSMBShare).Release` calls `uvm.RemoveVSMB`, it uses `foo/` + as the `hostPath`, which, it then assumes is a directory share (stored + in `uvm.vsmbDirShares`) instead of a file share (stored in + `uvm.vsmbFileShares`) since `foo/` is a directory. + This then fails since it cannot find the VSMBShare in `uvm.vsmbDirShares`. + + Fix this by adding a `VSMBShare.isDirShare` field to indicate which + `uvm.vsmb*Shares` map it is stored under. + + Signed-off-by: Hamza El-Saawy + +commit 8570c66ca1d40bd95e6ed3e7d7b3abae8ba7a018 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Dec 5 14:42:50 2023 -0500 + + Fix CodeQL coode scanning alerts (#1972) + + Fix CodeQL alerts for unchecked downcasts from `int`s are to + `(u)int32` (or `uintptr`) without checking for overflow. + This can (potentially) cause incorrect behavior due to the value + wrapping around to an unexpected value. + + Alerts: + https://github.com/microsoft/hcsshim/security/code-scanning?query=branch%3Amain+rule%3Ago%2Fincorrect-integer-conversion + + Issue description: + https://cwe.mitre.org/data/definitions/190.html + https://cwe.mitre.org/data/definitions/681.html + + 
Signed-off-by: Hamza El-Saawy + +commit ecf62f22885880928a77dd7a2d5f8d141f7dd754 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Dec 4 13:45:38 2023 -0500 + + [deps] Omnibus dependency updates (#1977) + + Consolidate dependabot updates and run `go mod tidy` across modules. + PRs: + - https://github.com/microsoft/hcsshim/pull/1935 + - https://github.com/microsoft/hcsshim/pull/1942 + - https://github.com/microsoft/hcsshim/pull/1944 + - https://github.com/microsoft/hcsshim/pull/1950 + - https://github.com/microsoft/hcsshim/pull/1953 + - https://github.com/microsoft/hcsshim/pull/1954 + - https://github.com/microsoft/hcsshim/pull/1959 + - https://github.com/microsoft/hcsshim/pull/1960 + - https://github.com/microsoft/hcsshim/pull/1961 + - https://github.com/microsoft/hcsshim/pull/1975 + + 
Signed-off-by: Hamza El-Saawy + +commit 5c75f29c1f5cb4d3498d66228637d07477bcb6a1 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Nov 14 14:52:01 2023 -0500 + + Build components in CodeQL pipeline (#1970) + + Need to build binaries for CodeQL to work: + + > For the compiled languages C/C++, C#, Go, Java, and Swift, the process of populating + > this database involves building the code and extracting data. + + docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-the-codeql-analysis-workflow-and-compiled-languages + + Without explicit build commands between CodeQL `init` and `analyze` + steps, CodeQL will attempt to automatically build go code using the + following logic: + docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#autobuild-for-go + + This can be see in the `CodeQL Analyze` step in out pipelines: + + ``` + Attempting to automatically build go code + Autobuilder was built with go1.21.3, environment has go1.20.10 + LGTM_SRC is /home/runner/work/hcsshim/hcsshim + Found go.mod, enabling go modules + Import path is 'github.com/microsoft/hcsshim' + Makefile found. + Trying build command make [] + make: *** No rule to make target 'base.tar.gz', needed by 'out/initrd.img'. Stop. + Running /usr/bin/make failed, continuing anyway: exit status 2 + Build failed, continuing to install dependencies. + Skipping dependency installation because a Go vendor directory was found. + Running extractor command '/opt/hostedtoolcache/CodeQL/2.15.2/x64/codeql/go/tools/linux64/go-extractor [-mod=vendor ./...]' from directory '.'. + <...> + ``` + + Rather than rely on autobuild, explicitly configure CodeQL and build + necessary targets. + + Skip running CodeQL on PRs if no code is changed. 
+ + Based on workflow: + github.com/github/codeql/blob/0342b3eba242476cea815e601942021092d0bc10/.github/workflows/codeql-analysis.yml + + Signed-off-by: Hamza El-Saawy + +commit c2a7ff62d6ef5c9f22f88f851f7e0aab17db47ac +Author: Joe Powell <56188788+darracott@users.noreply.github.com> +Date: Tue Nov 14 16:59:54 2023 +0000 + + Check for SNP before fetching SNP report (#1967) + + Signed-off-by: Joe Powell + +commit 522ec33ec68a4afa78992b7c65b35058b65a6764 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Nov 13 16:13:18 2023 -0500 + + Update build tags, lint entire repo for Linux (#1968) + + Add (Windows) build tags to necessary files, and add + `internal\vhdx\doc.go` so that go language server does not complain that + package is missing on Linux. + + Not all updated files are Windows specific. Some (eg, + `internal\gcs\iochannel.go`) are only used by Windows code, so the go + build tag prevents `unused` lint errors when `GOOS=linux`. + + Export the `parseAnnotations(Uint32|Uint64|String)` functions in + `internal\oci\annotations.go` since other functions in the + file are used in Linux files and that was the only way to avoid `unused` + lint errors. + + Finally updated lint (in `.github\workflows\ci.yml`) and codeql + (in `.github\workflows\codeql.yml`) jobs to run on entire repo for + Linux, rather then specific directories. + + Signed-off-by: Hamza El-Saawy + +commit b9a845a091fe1f40fc2dc936490423844e0b9b63 +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Mon Nov 13 09:51:22 2023 -0800 + + cimfs: Add cim layer mount/unmount functionality. (#1955) + + Signed-off-by: Amit Barve + +commit 654620c7003404bc741920b3692f82e76d882c8c +Author: Takuro Sato <79583855+takuro-sato@users.noreply.github.com> +Date: Mon Nov 13 15:59:29 2023 +0000 + + Add support for Linux kernel 6.x to fetch attestation report (#1886) + + * Add support for Linux kernel 6.x to fetch attestation report + + 
Signed-off-by: Takuro Sato + + * Hard code ioctl code + + Signed-off-by: Takuro Sato + + --------- + + Signed-off-by: Takuro Sato + +commit 79ab3ee7cbd85017a81a9c7390f865e64f7b182f +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Nov 10 14:58:03 2023 -0500 + + uvmboot and gcs.test bug fix (#1966) + + Fix bugs: + - Using `boot-files-path` flag name instead of value + - Explicitly passing open door policy instead of empty string + + Functional gcs tests also passed in encoded open door policy string, + which is no longer necessary. + + Remove unnecessary else blocks. + + Pass context through calls. + Use `log.G(ctx)` instead of `logrus`. + + Rename variables `cmd` and `scsi` to avoid overshadowing package names. + + Signed-off-by: Hamza El-Saawy + +commit 73c8f5ea5832a7838819900b43618d9d0d210f85 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Nov 10 14:42:22 2023 -0500 + + Add additional registry values to uVM via annotation (#1963) + + Allow callers to specify additional registry values in the WCOW OS via + the `io.microsoft.virtualmachine.wcow.additional-reg-keys` annotation. + + The intent is to test and validate bug fixes or debug uVM behavior + (eg, via setting values in `SYSTEM\CurrentControlSet\Services\wcifs`, + `SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides\*`) + without requiring a new package. + + The annotation is under `internal/annotations`, since it is not + suitable for end users to rely on. + Additionally, limit the settable registry keys to prevent it being used + (abused) as a catch all mechanism to arbitrarily modify uVM behavior. + + Additionally, add + [RegistryValueType](https://learn.microsoft.com/en-us/virtualization/api/hcs/schemareference#RegistryValueType) + and + [RegistryHive](https://learn.microsoft.com/en-us/virtualization/api/hcs/schemareference#RegistryHive) + enum types for HCS v2 schema. + + 
Signed-off-by: Hamza El-Saawy
+
+commit a27618474e0bc32622fc2890bceb77161f7e90fc
+Author: Maksim An
+Date: Mon Nov 6 10:54:54 2023 -0800
+
+ CI: add CodeQL workflow and schedule (#1962)
+
+ Signed-off-by: Maksim An
+
+commit 5370edac0ee96208ba0625c558d8c7f7df0131d1 (tag: v0.12.0-rc.1)
+Merge: 0af576d29 b6dde270c
+Author: Kevin Parsons
+Date: Thu Nov 2 15:52:28 2023 -0700
+
+ Merge pull request #1938 from jayanthAP/patch-1
+
+ Adding a new "DisableHostPort" network flag
+
+commit b6dde270c21a7ed344ff2e75ebb31addf136dc52
+Author: jayanthAP
+Date: Thu Oct 19 09:52:18 2023 +0530
+
+ Add new "DisableHostPort" network flag
+
+ When this flag is set in the network creation request, a host-port
+ is not created for the network. This change also includes the below:
+ - Added Version info for DisableHostPort flag.
+ - Added DisableHostPort to SupportedFeatures struct.
+ - Added feature check function for DisableHostPort flag.
+ - Added Test function for DisableHostPortSupported API.
+ - Since EnableNonPersistent flag was the only network flag until now,
+ the flag check in TestNetworkFlags() was a simple != check.
+ However, after the addition of DisableHostPort flag, flag
+ check is now done using the bitwise '&' operator.
+
+ Signed-off-by: Jayanth Ananthapadmanaban
+
+commit 0af576d29d462afc6bc7fa11b83023d2226dad51
+Author: Kirtana Ashok
+Date: Mon Oct 9 10:26:06 2023 -0700
+
+ Create container subdirectories for process dumps
+ if "{container_id}" suffix is specified
+
+ Signed-off-by: Kirtana Ashok
+
+commit 2feaacb46cf42e17ab81bfe6341d3529ef4cb897
+Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
+Date: Wed Nov 1 11:11:46 2023 -0700
+
+ cimfs: Add a LayerWriter for writing cim layers (#1873)
+
+ Adds a new CimLayerWriter that implements the same LayerWriter interface that the legacy layer writer
+ implements. This CimLayerWriter can be used in containerd to pull images into the cimfs format.
+
+
Signed-off-by: Amit Barve
+
+commit ab22a617d1e516baea49b8a78b54c8a74201e9c6
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Oct 30 11:19:38 2023 -0400
+
+ Standardize LCOW uVM bootfiles update (#1861)
+
+ `NewDefaultOptionsLCOW` sets `RootFSFile` and `KernelFile` depending
+ on the contents of the (default) `BootFilesPath` directory and
+ `KerenelDirect` field.
+ However, if `BootFilesPath` is subsequently updated, those fields are
+ not updated.
+ This can result in inconsistent behavior, where (depending on if the
+ default `BootFilesPath` contains `vmlinux` and `rootfs.vhd` files), a
+ uVM created with an overridden `BootFilesPath` may either use `initrd`
+ (`kernel`) or `vmlinux` (`rootfs.vhd`), respectively.
+
+ Add a `UpdateBootFilesPath` function to consistently change the
+ `BootFilesPath` and associated options.
+ Update annotation handling to use `UpdateBootFilesPath`.
+ Security policy is still performed after the update, so settings will be
+ re-overridden for the confidential case, or by other annotations, so
+ existing (normal) behavior is persisted.
+
+ Signed-off-by: Hamza El-Saawy
+
+commit a3be979527f4deefec23ec4416a34a8434e2763d
+Author: Maksim An
+Date: Thu Oct 26 17:48:50 2023 -0700
+
+ minor refactor in dmverity-vhd tool (#1948)
+
+ Use `errors` package instead of the `github.com/pkg/errors`.
+
+ `createVHD` accepts layer number to avoid calling `layer.DiffID()`
+ twice.
+
+ Signed-off-by: Maksim An
+
+commit d8547ee4794c01f293410d502730d61556008b48
+Author: Heather Garvison
+Date: Wed Oct 25 20:05:20 2023 -0400
+
+ update go_version in release ci (#1945)
+
+
Signed-off-by: Heather Garvison
+
+commit baaec85ee8a91e5e5669cb65cbd4b768b1dec011
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Oct 25 12:49:52 2023 -0400
+
+ Also use `test/go.sum` for caching go dependencies (#1895)
+
+ * Also use `test/go.sum` for caching go dependencies
+
+ Update CI to look at both `go.sum` and `test/go.sum` when caching go
+ modules.
+ Update initial CI josb (`protos`, `verify-vendor`, and `go-gen`) to
+ download all module dependencies (that are not already vendored) to
+ pre-fill the cache and speed up future runs.
+
+ Also, add `$LASTEXITCODE` check when running `go mod tidy` (and
+ `go mod test`) to catch errors early on.
+
+ Finally, disable git checkout progress, which spams logs with
+ `Updating files:` messages (new to `actions/checkout@v4`).
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: separate out go mod tidy and vendor
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: Hamza El-Saawy
+
+commit a32b15f187af0db32fe8ca62fa086ef1c5be0091
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Oct 25 11:07:12 2023 -0400
+
+ [test] Log to ETW for benchmarks; retry layer removal (#1947)
+
+ Write logs to ETW instead of stdout when running benchmarks to mimic
+ actual deployments.
+ Add log level to `Run-Test.ps1` helper script.
+
+ Add `RemoveAll` function that wraps and retries `os.RemoveAll` (waiting
+ in between attempts) since the OS may take a while to remove locks on a
+ directory after handles are closed.
+
+ Bug: defer uVM cleanup after creation (not start) during tests.
+
+
Signed-off-by: Hamza El-Saawy
+
+commit a02b3b225e25629a3e07b9a810fa5d90999f6528
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Tue Oct 24 12:18:56 2023 -0400
+
+ Add Close/WaitCtx to UtilityVM & System (#1876)
+
+ * Add `Close`/`WaitCtx` to `UtilityVM` & `System`
+
+ Add `CloseCtx` and `WaitCtx` methods to `UtilityVM` and `System`, which
+ accept a context parameter and return if the context is canceled.
+
+ This is intended to allow benchmark iterations to time out and prevent
+ them from spending the majority of their time waiting.
+
+ However, the added benefit is that tracing information (trace and span
+ ID) will now be passed along to the `Wait` and `Close` logs (and
+ underlying HCS call spans).
+
+ Additionally, fix a bug in `(*UtilityVM).Close`, where, if the uVM was
+ created but not started, then the `(*UtilityVM).Wait` call will
+ hang indefinitely.
+ Fix is to wait initially on the system to close, close the IO output
+ handler, and then wait on the uVM.
+
+ Combine LCOW uVM benchmarks together (similar to LCOW container) to
+ simplify benchmark name formatting.
+
+ Relies on https://github.com/microsoft/hcsshim/pull/1875
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: uvm.Wait err handling; doc comments
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 434adf355ffe69c80b929462d2edb86156159fc1
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Oct 23 15:10:41 2023 -0400
+
+ Bump golang.org/x/net from 0.10.0 to 0.17.0 (#1931)
+
+ * Bump golang.org/x/net from 0.10.0 to 0.17.0
+
+ Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0.
+ - [Commits](https://github.com/golang/net/compare/v0.10.0...v0.17.0)
+
+ ---
+ updated-dependencies:
+ - dependency-name: golang.org/x/net
+ dependency-type: indirect
+ ...
+
+ Signed-off-by: dependabot[bot]
+
+ * tidy ./test
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+
Signed-off-by: dependabot[bot]
+ Signed-off-by: Hamza El-Saawy
+ Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+ Co-authored-by: Hamza El-Saawy
+
+commit 725bceed5e6a192b47aaab193c6b72ea75e7f2bf
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Oct 23 14:00:07 2023 -0400
+
+ Embed version info; print benchmark config (#1874)
+
+ Update how we set/read the version and commit information, so that it
+ can be set via writing to files instead of needing to update all `go
+ build` commands to add (or update) `-ldflags` with
+ `-X main.version=... -X manin.gitCommit=...".
+
+ Augment benchmark configuration with additional information, such as the
+ go version, number of CPUs available, start time, version, and git
+ branch and commit.
+
+ This allows standardizing the configuration data across different
+ benchmarking suites.
+
+ Benchmark config follow the benchmark raw data format:
+ https://go.googlesource.com/proposal/+/master/design/14313-benchmark-format.md
+
+ Signed-off-by: Hamza El-Saawy
+
+commit cff94732c5efd9838d8354bd6f8fe16145f4712c
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Oct 18 12:15:02 2023 -0400
+
+ Use `"hcsschema"` in `internal/hcs` (#1901)
+
+ Use `hcsschema.ProcessModifyRequest` (and associated structs) in
+ `internal/hcs/process` when making modify requests and getting process
+ properties.
+
+ Update `hcschema` structs to match documentation (swagger seems to
+ default to `int32` for generated fields regardless of the type specified
+ in the documentation).
+
+ Signed-off-by: Hamza El-Saawy
+
+commit aad7467e620da7c4958945bb68e2f10bb0ea26b2
+Author: Kirtana Ashok
+Date: Thu Sep 7 17:35:07 2023 -0700
+
+ Support adding mount to running containers
+ - Extend hcsTask.Update() to process and add
+ mount for running process isolated and hyperV
+ wcow containers
+
+
Signed-off-by: Kirtana Ashok
+
+commit 6f2929c212396b3ba102fa0c958dbf88a8822f08
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Thu Oct 12 15:18:47 2023 -0400
+
+ Bump go.uber.org/mock from 0.2.0 to 0.3.0 (#1907)
+
+ * Bump go.uber.org/mock from 0.2.0 to 0.3.0
+
+ Bumps [go.uber.org/mock](https://github.com/uber/mock) from 0.2.0 to 0.3.0.
+ - [Release notes](https://github.com/uber/mock/releases)
+ - [Changelog](https://github.com/uber-go/mock/blob/main/CHANGELOG.md)
+ - [Commits](https://github.com/uber/mock/compare/v0.2.0...v0.3.0)
+
+ ---
+ updated-dependencies:
+ - dependency-name: go.uber.org/mock
+ dependency-type: direct:production
+ update-type: version-update:semver-minor
+ ...
+
+ Signed-off-by: dependabot[bot]
+
+ * go gen and go tidy
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: dependabot[bot]
+ Signed-off-by: Hamza El-Saawy
+ Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+ Co-authored-by: Hamza El-Saawy
+
+commit 11700d2711d371b01e9f149d07a83b3f818bc343
+Author: Kirtana Ashok
+Date: Thu Sep 28 11:49:49 2023 -0700
+
+ Add constants for mount types
+
+ Signed-off-by: Kirtana Ashok
+
+commit a4b45456e2b45c5246222c1471e7634f7a4e454e
+Merge: 4dc2c8b9f 8b69b76d3
+Author: Kevin Parsons
+Date: Fri Sep 29 14:41:31 2023 -0700
+
+ Merge pull request #1898 from dmcgowan/update-containerd-log-dependency
+
+ Update containerd log dependency
+
+commit 8b69b76d30cd3bdc9e1825bd5b8126c7b7268015
+Author: Derek McGowan
+Date: Tue Sep 12 17:39:23 2023 -0700
+
+ Remove log package dependency
+
+
Signed-off-by: Derek McGowan
+
+commit 4dc2c8b9f720ccfce9b86cd0dab5101099ec6849 (upstream-hcshsim/pullimagefailurefix, origin/pullimagefailurefix)
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Sep 25 12:58:00 2023 -0400
+
+ Bump actions/checkout from 3 to 4 (#1885)
+
+ Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
+ - [Release notes](https://github.com/actions/checkout/releases)
+ - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
+ - [Commits](https://github.com/actions/checkout/compare/v3...v4)
+
+ ---
+ updated-dependencies:
+ - dependency-name: actions/checkout
+ dependency-type: direct:production
+ update-type: version-update:semver-major
+ ...
+
+ Signed-off-by: dependabot[bot]
+ Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+
+commit 27df1b95b69faaeca97de86d25d68f48f89bc0b9
+Author: Djordje Lukic
+Date: Thu Sep 14 19:50:59 2023 +0200
+
+ Fix closing stdin (#1899)
+
+ Send the modify request even if stdin is nil, let the process handle it
+
+ Signed-off-by: Djordje Lukic
+
+commit e7509cc6636d89ad8e748bb4c127f83af7131b05
+Author: Seth Hollandsworth
+Date: Wed Sep 13 18:48:50 2023 -0400
+
+ defaulting to unbuffered reader for dmverity hashing (#1887)
+
+
Signed-off-by: Seth Hollandsworth
+ Co-authored-by: ksayid
+
+commit 23d6d0199bc77f4c53da2da725887a189ca765e6
+Author: Maksim An
+Date: Wed Sep 13 14:16:30 2023 -0700
+
+ add support for verity checking partitioned disks (#1810)
+
+ Add an option to mount partitioned disks with dmverity.
+
+ Additionally add support for reading verity information from
+ within the guest. The expectation is that verity hash device
+ is appended to the read-only file system. The functionality
+ can be enabled by passing a container annotation.
+
+ Host no longer reads verity superblock and as a result
+ the `DeviceVerityInfo` protocol message is being
+ deprecated. The guest will always attempt to read verity
+ super-block when non-empty security policy is passed.
+ Security policy is expected to be empty only in regular
+ LCOW scenarios.
+
+ Signed-off-by: Maksim An
+
+commit dd45838a9bf9ff8f431847aaf3e4421763c15c49
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Fri Sep 8 15:39:09 2023 -0400
+
+ Skip shim tests if shim binary is not found (#1893)
+
+ Rather than failing tests when attempting to exec the shim executable,
+ look up its path first and skip if it is not found.
+
+ Most testing binaries require that other binaries be located in the same
+ directory as them (see `require.Binary`), but since the CI runs the shim
+ tests directly, add `require.BinaryInPath`, which looks for the binary
+ in the path or current working directory first.
+
+
Signed-off-by: Hamza El-Saawy
+
+commit 2bba98f3388e886d5d1052c753e9dee304be3062
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Sep 6 12:56:13 2023 -0400
+
+ [test]Exclude features, add any feature check (#1853)
+
+ * test: Exclude features, add any feature check
+
+ Add `-exclude` flag to be able to specify all but a certain set of
+ flags to run, since it is common (especially locally) to want to run all
+ but a certain subset of tests.
+ eg, `functional.test.exe -exclude LCOWIntegrity` will run all test except
+ for those that require rego enforcement.
+
+ Add `require.AnyFeature` function to check that at least one of the listed
+ feature is specified.
+ This allows skipping a test that with subtests that individually require
+ non-overlapping features, which avoids running generalized test setup
+
+ Moved `"test/cri-containerd".requireBinary` to
+ `"test/pkg/require".Binary".
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: docs, comments, naming
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 07353f917c34d5de4d7c6bd439ba8f349d8740c1
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Sep 6 11:26:54 2023 -0400
+
+ Add `OutputHandlerCreator` type for uVMs (#1875)
+
+ Currently, `NewDefaultOptionsLCOW` creates a logrus output handler using
+ the provided uVM ID, but if the `ID` field is changed, the `parseLogrus`
+ `OutputHandler` still uses the old ID.
+
+ Change `OptionsLCOW` to take `OutputHandlerCreator`, which is a
+ `func(*Options) OutputHandler`, so creating the output handler is
+ delayed until LCOW creation, and uses the latest uVM ID specified.
+
+
Signed-off-by: Hamza El-Saawy
+
+commit a143d91a77cb5e3f066d05495b74924e7867c882
+Merge: 3d1810ee7 ee73d4747
+Author: Kathryn Baldauf
+Date: Tue Sep 5 12:22:43 2023 -0700
+
+ Merge pull request #1879 from katiewasnothere/kabaldau/clean_up_nvidia_hook
+
+ Clean up NVIDIA hook
+
+commit ee73d47479e819e7c9a73753227e0b0016940907
+Author: Kathryn Baldauf
+Date: Wed Aug 23 10:16:22 2023 -0700
+
+ Clean up GPU functional tests
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 496fde2f8b3dd39840dfdcb74d860620627bc6d9
+Author: Kathryn Baldauf
+Date: Wed Aug 23 10:16:02 2023 -0700
+
+ Clean up shim code paths for nvidia gpu
+
+ Signed-off-by: Kathryn Baldauf
+
+commit f302b82dae5f4855998a6a0bb34755c36f469094
+Author: Kathryn Baldauf
+Date: Fri Aug 18 14:38:17 2023 -0700
+
+ Clean up nvidia hook, assume drivers are already present in the UVM
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 3d1810ee769c230938b57c20b151e6ba762c3e28 (tag: v0.12.0-rc.0)
+Author: Bryce Fisher
+Date: Thu Aug 24 15:53:08 2023 -0400
+
+ Fix SVN reference in policy readme (#1877)
+
+ Signed-off-by: Bryce Fisher
+
+commit b5c7ec2cc8bca44f369f696573236c5572d7be70
+Author: Joe Powell <56188788+darracott@users.noreply.github.com>
+Date: Thu Aug 24 17:10:40 2023 +0100
+
+ Allow setting HclEnabled to false (#1862)
+
+ * Allow setting HclEnabled to false
+
+ Signed-off-by: Joe Powell
+
+ * Ensure HclEnabled field can still be omitted
+
+ Signed-off-by: Joe Powell
+
+ ---------
+
+
Signed-off-by: Joe Powell
+
+commit 5751c1b796505d6064807461b2986c5fa2cbca41
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Thu Aug 17 17:45:02 2023 -0400
+
+ Add more go vet checks (#1849)
+
+ * Enable all go vet checks
+
+ Turn on all [go vet](https://pkg.go.dev/cmd/vet) checks (except for
+ `fieldalignment`, and ignore shadowing `err` variables.
+
+ Caught a couple minor bugs:
+ - ncproxy did not set the panic file for the service
+ - `nil`-field access in logs
+ - not updating `processorLimits` in `(*UtilityVM).Update`
+
+ Simplified a couple `if` statements clauses where
+ [conditional evaluation](https://go.dev/ref/spec#Logical_operators)
+ made `!= nil` checks redundant.
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: err name; decl
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: Hamza El-Saawy
+
+commit bc8097c5332f70a51d0652967fa95d3aaeeeaadf
+Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
+Date: Tue Aug 15 10:06:31 2023 -0700
+
+ cimfs: Add helpers for retrieving partition information from a vhdx (#1850)
+
+ CimFS layer import requires that we do the base scratch VHD processing without calling the HCS APIs (since
+ those APIs do not understand the CimFS format). This processing involves fetching the partitioning information
+ of the scratch VHD. This commit adds a package that adds new Go wrappers around the IOCTLs that fetch
+ partitions information of a device.
+
+ Signed-off-by: Amit Barve
+
+commit 816f1d1201cf7e01371d4a268e1e24966ed255f3
+Merge: 0423eec16 797be573e
+Author: Kevin Parsons
+Date: Tue Aug 15 09:54:26 2023 -0700
+
+ Merge pull request #1872 from kevpar/destory
+
+ computestorage: Fix incorrect syscall in DestroyLayer
+
+commit 797be573ee5a2bae6f3f66251685178c1b0d24f7
+Author: Kevin Parsons
+Date: Mon Aug 14 23:11:37 2023 -0700
+
+ computestorage: Fix incorrect syscall in DestroyLayer
+
+ HcsDestoryLayer -> HcsDestroyLayer
+
+
Signed-off-by: Kevin Parsons
+
+commit 0423eec163d5493770569945c371011e090ab94c
+Author: Maksim An
+Date: Mon Aug 7 10:44:23 2023 -0700
+
+ retry device mapper and cryptsetup errors (#1721)
+
+ Occasionally /dev/sd* devices arrive late and not available at the
+ time when verity or dm-crypt targets are created. This commit
+ introduces a `CreateDevice` wrapper which can retry the operation
+ on specific errors and always retries cryptsetup once, but with
+ a large retry timeout.
+
+ Signed-off-by: Maksim An
+
+commit 7dfb07b1e3cc889fe128e4457ab0ac6581772e13
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Aug 7 15:29:30 2023 +0000
+
+ Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#1856)
+
+commit c9a9ba0bae45971752bddef14106b8c2aa84652e
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Aug 7 15:28:31 2023 +0000
+
+ Bump golang.org/x/sys from 0.10.0 to 0.11.0 in /test (#1868)
+
+commit 2e1fc1caf4b8250cb8e1bbbf7fa3debcb2c534bf
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Aug 7 15:28:04 2023 +0000
+
+ Bump github.com/google/go-containerregistry in /test (#1869)
+
+commit c8eb8236f56948f9050bd890dd39da1a5aa23652
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Thu Aug 3 17:25:55 2023 -0400
+
+ [ci] Update testing job (#1854)
+
+ Don't need `-mod=mod` flag when running tests in root repo.
+
+ Running tests in `internal/regopolicyinterpreter/` on Windows is
+ redundant, since tests are already run with `./...`.
+
+ Switch from running tests in `test/internal` to `test/...` on Windows,
+ since, without `-tag functional` flag, it will not run
+ `test/functional`, `test/cri-containerd`, and related tests, but will
+ encompass other tests defined.
+
+
Signed-off-by: Hamza El-Saawy
+
+commit 1665e4efb97db87731c9e997aeca88c65c8a28b6
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Thu Aug 3 13:55:34 2023 -0400
+
+ Fall back on json encoding from protojson (#1864)
+
+ If `protojson.Marshal` fails, fall back on `json.Marshal`.
+
+ Failure arose when marshalling containerd's `task.ExecProcessRequest`,
+ since the `Spec` field is an `anypb.Any` encoded via `typeurl/v2`, which
+ standard protobuf unmarhsalling cannot handle.
+
+ Also, downgrade logging about failures with formatting during logging to
+ Debug level, since they do not warrant always being output.
+
+ Signed-off-by: Hamza El-Saawy
+
+commit fa3b77dcc71664d0594e3d0459c17e439b005fec
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Jul 31 15:31:49 2023 +0000
+
+ Bump google.golang.org/grpc from 1.56.2 to 1.57.0 in /test (#1859)
+
+commit e8208853ff0f7f23fa5d2e018deddff2249d35c8
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Fri Jul 28 14:39:56 2023 -0400
+
+ Add exec benchmarks (#1855)
+
+ Add benchmarks to measure (LCOW) exec performance to functional test
+ suite.
+
+ Additionally, remove helper testing functions from benchmark section
+ (between `b.StartTimer()` and `b.StopTimer()`), since helper functions
+ will call `"testing".(TB).Helper()`, which involves mutex (un)lock
+ operations as well as parsing stack frames.
+
+
Signed-off-by: Hamza El-Saawy
+
+commit 1e6fc28c2f57d666f91269fc82d7b66c7d0d9093
+Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
+Date: Fri Jul 28 10:09:57 2023 -0700
+
+ Use RtlGetVersion instead of GetVersion (#1846)
+
+ GetVersion API returns correct OS version values only if the calling binary is manifested. Hcsshim is
+ manifested. However, other binaries using the osversion package from hcsshim (like containerd) are not
+ manifested and so they are not able to get the accurate OS version information. RtlGetVersion doesn't need
+ the binary to be manifested so this commit replaces the use of GetVersion with RtlGetVersion.
+
+ Note that hcsshim is still manifested even if we aren't using GetVersion anymore. This is because there are
+ some other advantages of using a manifest as described here:
+ https://learn.microsoft.com/en-us/windows/win32/w8cookbook/application--executable--manifest. The use of a
+ default thread pool for RPC and the fix for a race condition in GetOverlappedResult are relevant to
+ hcsshim. So in order to keep these behaviors same we want to keep hcsshim binary manifested.
+
+ Signed-off-by: Amit Barve
+
+commit 909134fbb702d228c5e0d4428de975aedac65783
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Wed Jul 26 19:54:56 2023 +0000
+
+ Bump github.com/opencontainers/runtime-spec from 1.1.0-rc.3 to 1.1.0 (#1852)
+
+commit c22ab6137765d168e0eff439f6ddf2e9df9ea728
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Jul 26 15:36:06 2023 -0400
+
+ disable fail fast on windows tests (#1851)
+
+
Signed-off-by: Hamza El-Saawy
+
+commit df195679db00b3051fceffce86c7319d11bd7929
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Wed Jul 26 18:58:43 2023 +0000
+
+ Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#1845)
+
+commit 40d5fde4c96b27ca651f14f007ded0ee3bccc8d0
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Jul 26 13:43:42 2023 -0400
+
+ Update tar2ext4 to convert forward slashes (#1847)
+
+ Both `\` and `/` are valid paths on Windows, so Linux layer tar files
+ generated on Windows may potentially use either.
+ Update `tar2ext4` to convert `\` to `/` in paths when on Windows to
+ avoid creating invalid ext4 file systems.
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 34febc89b9420f8986911582f8ce6c609fffc755
+Merge: ff23f4625 bed7a8be4
+Author: Kathryn Baldauf
+Date: Wed Jul 26 10:33:34 2023 -0700
+
+ Merge pull request #1824 from katiewasnothere/kabaldau/networkagent_v0
+
+ Add support for nodenetsvc v0 and readme to test network agent
+
+commit ff23f4625236dfdf1941ab7d1ddc436e7604a907
+Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
+Date: Wed Jul 26 10:32:18 2023 -0700
+
+ cimfs: Add Offline registry API wrappers and export constants (#1842)
+
+ offline registry API is required during CimFS layer import. This commit adds Go wrappers around it. It also
+ exports some constants from the wclayer package so that those constants can be used by the cim layer package
+
+
Signed-off-by: Amit Barve
+
+commit 55417ac87e5dc9357bf0f6c3728539f04fd62da4
+Author: Maksim An
+Date: Mon Jul 24 14:23:52 2023 -0700
+
+ tests: rego `get_properties` functional test (#1803)
+
+ Update test images package to support image extract decorators
+ as an easy way to extend the logic if we need to chain a few
+ steps, in this case appending verity hashes to an ext4 fs.
+
+ Add default mount extension logic to standalone container path
+ as well to enable functional tests.
+
+ Add new `securitypolicy` package under `test/pkg` to share
+ some logic between cri-containerd and functional tests.
+
+ Add lower level `get_properties` test with rego policies.
+
+ Signed-off-by: Maksim An
+
+commit bed7a8be42d98d9a4748033004e4c484be27b50f
+Author: Kathryn Baldauf
+Date: Tue Jun 27 15:18:01 2023 -0700
+
+ Add linter exclusion for test networkagent
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 3955d351f91c91fb9d85e23ff1c0315db1455027
+Author: Kathryn Baldauf
+Date: Tue Jun 27 14:57:47 2023 -0700
+
+ Add support for nodenetsvc v0 and readme to test network agent
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 28cce9cea720462e4b84498f9f79fdb836454ba0 (tag: v0.10.0)
+Author: Maksim An
+Date: Thu Jul 20 13:35:51 2023 -0700
+
+ policy: extend default networking mounts for standalone containers (#1826)
+
+ Signed-off-by: Maksim An
+
+commit d71606e9f79996502ce59c01b02e60f3984674b1
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Thu Jul 20 16:01:32 2023 -0400
+
+ use protojson when formatting for logs (#1844)
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 567f6bd9538ef3b06a22e3411eb34ab409eb48f7
+Author: Maksim An
+Date: Wed Jul 19 12:36:21 2023 -0700
+
+ make sure to close files in dmverity-vhd tool (#1770)
+
+ Currently we're not closing output VHD files and read closers
+ when creating layer VHDs with dmverity-vhd tool.
+
+ Refactor error wrapping.
+
+
Signed-off-by: Maksim An
+
+commit 95c604793ea60b5e93952300c92470bf253213e1
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Tue Jul 18 11:39:36 2023 -0400
+
+ Create tools package to isolate dependencies (#1840)
+
+ Using a dedicated package for tools.go prevents callers who import hcshim
+ from adding the tools to their package's dependencies, while still
+ allowing us to track and vendor them.t p
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 5e97eb33987f69fb392dc0b650d3d4dfa2cc15e4
+Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
+Date: Fri Jul 14 17:24:43 2023 -0700
+
+ cimfs: Add cimfs writer (#927)
+
+ Add go wrappers over cimfs writer functions exported by cimfs.dll.
+
+ Signed-off-by: Amit Barve
+
+commit 43d7af349640a818b3e29a475cb6ba8da082d282
+Author: Mahati Chamarthy
+Date: Fri Jul 14 18:05:21 2023 +0200
+
+ Replace cosesign1 and didx509 resolver (#1805)
+
+ ... with their independent pkgs
+
+ Signed-off-by: Mahati Chamarthy
+
+commit 619018cdb91b75b4e29c190bad346aea75137508
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Tue Jul 11 18:23:27 2023 -0400
+
+ Replace deprecated github.com/golang/mock (#1839)
+
+
Signed-off-by: Hamza El-Saawy
+
+commit 492992ffc1ef1cc59766e3927e1131c4ea2d85eb
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Tue Jul 11 17:18:52 2023 -0400
+
+ [deps]Omni-bus dependency upgrade (#1837)
+
+ Combine several dependabot PRs to deal with `test/go.mod` module issues:
+
+ - https://github.com/microsoft/hcsshim/pull/1834
+ - https://github.com/microsoft/hcsshim/pull/1833
+ - https://github.com/microsoft/hcsshim/pull/1832
+ - https://github.com/microsoft/hcsshim/pull/1831
+ - https://github.com/microsoft/hcsshim/pull/1830
+ - https://github.com/microsoft/hcsshim/pull/1829
+ - https://github.com/microsoft/hcsshim/pull/1828
+ - https://github.com/microsoft/hcsshim/pull/1819
+ - https://github.com/microsoft/hcsshim/pull/1808
+
+ Regenerate proto files since `protoc-gen-go` is updated.
+
+ Signed-off-by: Hamza El-Saawy
+
+commit dbbf3b9e00c23406cec7956bbd3f106ad3a7ebe6
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Jul 10 14:23:05 2023 -0400
+
+ [ci]Remove `Verify-GoModules.ps1` (#1836)
+
+ `.\scripts\Verify-GoModules.ps1` does not surface roots cause of
+ inconsisteny and does not match local mod tidy/vendor steps.
+
+ Replace with explicit commands, which also matches rest of `ci.yml`
+ jobs.
+
+
Signed-off-by: Hamza El-Saawy
+
+commit decae4b80eb238cef869f382e14267f01da75ac4
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Jul 10 11:25:50 2023 -0400
+
+ Updated containerd1.7; google.golang.org/protobuf (#1706)
+
+ * Update containerd1.7; google.golang.org/protobuf
+
+ Update to containerd 1.7 and move to `google.golang.org/protobuf`
+ from `github.com/gogo/protobuf/gogoproto`.
+
+ These two changes are intertwined, since containerd 1.7 changes its
+ ttrpc task server definitions and protobuff generation (as well as some
+ other API changes).
+ Additionally, the task server gRPC code is imported from containerd
+ directly, rather than being generated here, and that code now explicitly
+ imports `google.golang.org/protobuf` instead of
+ `github.com/gogo/protobuf/gogoproto`.
+ Upgrading to `google.golang.org/protobuf` also requires updating
+ the `containerd/cgroups` dependency to v3
+ (`github.com/containerd/cgroups/v3/cgroup1/stats/`).
+
+ The new `protoc-gen-go-grpc` generators do not allow directives such as
+ `gogoproto.customname`, so the `go-fix-acronym` command is used to
+ update acronym customization (which is what containerd does).
+
+ Updated `Protobuild.toml` to specify new generators.
+
+ Added an `Update-Proto.ps1` script to re-generate protobuf files locally
+ and in GitHub CI.
+
+ Add `protobuild` and protobuff `grpc` and `ttrpc` generators to
+ `tools.go` so they are tracked and vendored, and can be trivially
+ installed via `go install`.
+
+ Signed-off-by: Hamza El-Saawy
+
+ * Vendor protobuf import changes
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 640a5606a855a275cda5b8862221ae32b09b6a35 (tag: v0.10.0-rc.9, adoshim/dev/kiashok/v0.10.0-rc.9)
+Author: kiashok <99994218+kiashok@users.noreply.github.com>
+Date: Wed Jul 5 09:51:20 2023 -0700
+
+ Add support for platform compatibility check for windows (#1821)
+
+
Signed-off-by: Kirtana Ashok
+
+commit 6eea50b71ec863d5a82048c90ba3b1db7a7309c5
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Jun 19 18:29:19 2023 -0400
+
+ Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (#1812)
+
+ * Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26
+
+ Bumps [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) from 1.2.25 to 1.2.26.
+ - [Release notes](https://github.com/lestrrat-go/jwx/releases)
+ - [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.26/Changes)
+ - [Commits](https://github.com/lestrrat-go/jwx/compare/v1.2.25...v1.2.26)
+
+ ---
+ updated-dependencies:
+ - dependency-name: github.com/lestrrat-go/jwx
+ dependency-type: direct:production
+ ...
+
+ Signed-off-by: dependabot[bot]
+
+ * tidy test
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: dependabot[bot]
+ Signed-off-by: Hamza El-Saawy
+ Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+ Co-authored-by: Hamza El-Saawy
+
+commit 73986cab0b2d3a6f87289a77c74aeac97351e071
+Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Mon Jun 19 17:44:12 2023 -0400
+
+ Bump golang.org/x/sync from 0.2.0 to 0.3.0 (#1817)
+
+ * Bump golang.org/x/sync from 0.2.0 to 0.3.0
+
+ Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.2.0 to 0.3.0.
+ - [Commits](https://github.com/golang/sync/compare/v0.2.0...v0.3.0)
+
+ ---
+ updated-dependencies:
+ - dependency-name: golang.org/x/sync
+ dependency-type: direct:production
+ update-type: version-update:semver-minor
+ ...
+
+ Signed-off-by: dependabot[bot]
+
+ * tidy test
+
+ Signed-off-by: Hamza El-Saawy
+
+ ---------
+
+ Signed-off-by: dependabot[bot]
+
Signed-off-by: Hamza El-Saawy + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Hamza El-Saawy + +commit 74521d4d5f0e88b426115a8c305123858f6d8f28 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jun 19 16:43:43 2023 -0400 + + Bump golang.org/x/sys from 0.8.0 to 0.9.0 (#1818) + + * Bump golang.org/x/sys from 0.8.0 to 0.9.0 + + Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.8.0 to 0.9.0. + - [Commits](https://github.com/golang/sys/compare/v0.8.0...v0.9.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/sys + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + + * tidy test + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: dependabot[bot] + Signed-off-by: Hamza El-Saawy + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Hamza El-Saawy + +commit 4ede1fde8a886ed0f61da514a643ea5ee72ec86e +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Jun 19 16:01:39 2023 -0400 + + skip failing test, use gotestsum (#1820) + + 
Signed-off-by: Hamza El-Saawy + +commit d8cf194fc9d6fcb8483af567da41956e9adf55b7 +Merge: c197eb56a 2095093fd +Author: Kathryn Baldauf +Date: Thu Jun 15 14:20:29 2023 -0700 + + Merge pull request #1807 from jsturtevant/fix-pids-query + + When fetching the pid counts for the container the state can be invalid sometimes + +commit c197eb56a29ef047285124260e4677850740dd36 +Merge: 4daa33439 46d8160d3 +Author: Kathryn Baldauf +Date: Mon Jun 12 14:14:20 2023 -0700 + + Merge pull request #1809 from katiewasnothere/kabaldau/ncproxy_v0_deprecated_tag + + Add deprecated option to all types and fields for ncproxy v0 apis + +commit 46d8160d38573d77bd4d5fea5ad798c8e9401163 +Author: Kathryn Baldauf +Date: Mon Jun 12 12:30:24 2023 -0700 + + Add new entries in golangci.yml to prevent linter errors from deprecated ncproxy api use + + Signed-off-by: Kathryn Baldauf + +commit 10a43090449146d45d2f944d4526b0888746f5ef +Author: Kathryn Baldauf +Date: Mon Jun 12 11:40:42 2023 -0700 + + Add deprecated option to all types and fields for ncproxy v0 apis + + Signed-off-by: Kathryn Baldauf + +commit 4daa33439536d55fbe5f7c7faba9a48472e6ebbb +Merge: cc9303b32 10c29fc7b +Author: Kathryn Baldauf +Date: Mon Jun 12 11:26:01 2023 -0700 + + Merge pull request #1806 from katiewasnothere/kabaldau/ncproxy_nodenetsvc + + Support v0 and v1 nodenetsvc api for ncproxy + +commit 2095093fd2d41faff65cd3a9cff7af9e9b9c9f7b +Author: James Sturtevant +Date: Fri Jun 9 17:17:30 2023 -0700 + + When fetch pid counts the contianer can be in an invalid state sometimes + + Signed-off-by: James Sturtevant + +commit 10c29fc7b15f2e93343add9683fdaaea58ebf855 +Author: Kathryn Baldauf +Date: Tue Jun 6 10:22:58 2023 -0700 + + Create a v0 nodenetsvc api and plumb through ncproxy code + + 
Signed-off-by: Kathryn Baldauf + +commit cc9303b3238eaee98c4cf64bdc2382a0da6b655f +Merge: b8cf9e776 37cd9df9f +Author: Kathryn Baldauf +Date: Fri Jun 9 13:15:48 2023 -0700 + + Merge pull request #1797 from katiewasnothere/kabaldau/ncproxy_v1_api + + Add support for NetworkConfigProxy v0 and v1 api + +commit 37cd9df9f1d5d3fe1956027f2833247268b04d20 +Author: Kathryn Baldauf +Date: Fri Jun 9 10:44:33 2023 -0700 + + Add file wide deprecated option to ncproxygrpc v0 api + + Signed-off-by: Kathryn Baldauf + +commit cbb43e5a5bd46e998b39acb341c4a2cc74a665a3 +Author: Kathryn Baldauf +Date: Thu Jun 1 17:02:30 2023 -0700 + + Add support for NetworkConfigProxy v0 and v1 api + * Add tests for NetworkConfigProxy v0 support + + Signed-off-by: Kathryn Baldauf + +commit b8cf9e776457b1d73dc918cf465775ffc4f89af6 +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Tue Jun 6 04:06:08 2023 -0700 + + Revert image name change in the ArgsEscaped test (#1804) + + In a previous commit, the image used in the ArgsEscaped test was changed incorrectly. This fixes that. + + Signed-off-by: Amit Barve + +commit 61e011211ff579041c92e529da5d39db3ec4a553 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Jun 5 18:19:52 2023 -0400 + + Version control and vendor mockgen (#1802) + + Explicitly track `github.com/golang/mock/mockgen` as a go dependency. + (There is no change in our go.mod or go.sum, since the package is + already being used by the generated code and elsewhere). + + Add `//go:generate` directives to create the mocked files and ensure the + results are always up to date. + + 
Signed-off-by: Hamza El-Saawy + +commit 7193878344b2c0014095c6c99d64612a6316a7a6 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jun 5 14:26:22 2023 -0400 + + Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#1800) + + * Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 + + Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. + - [Release notes](https://github.com/sirupsen/logrus/releases) + - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) + - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) + + --- + updated-dependencies: + - dependency-name: github.com/sirupsen/logrus + dependency-type: direct:production + update-type: version-update:semver-patch + ... + + Signed-off-by: dependabot[bot] + + * tidy test + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: dependabot[bot] + Signed-off-by: Hamza El-Saawy + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Hamza El-Saawy + +commit f5c5797f78896320e92d76dede481b540da3d4cf +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Jun 2 20:38:06 2023 -0400 + + fix integration test failure (#1799) + + Signed-off-by: Hamza El-Saawy + +commit 25b6855925d2148b69cbd14a5d081921d9f59b7f +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Jun 2 15:43:56 2023 -0400 + + [ci] Enable caching for proto and integration jobs (#1755) + + Caching is enabled by default in `actions/setup-go@v4` + (https://githut b.com/actions/setup-go#caching-dependency-files-and-build-outputs) + so update the `go.sum` path when checking out hcsshim to a non-default + path. + + Additionally, disable for linting, since that often causes errors. + Without caching, wont need to explicitly delete the module cache. + + Relies on: https://github.com/microsoft/hcsshim/pull/1752 + + 
Signed-off-by: Hamza El-Saawy + +commit 8d4a20c4f5543300de2c0e639e935a93d3421489 +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Fri Jun 2 10:17:45 2023 -0700 + + Minor fixes to SCSI mount operation (#1798) + + During a recent refactor SCSI mount operation code removed a retry logic that is needed when examining the + filesystem type on a SCSI device. Retry is needed because sometimes attempting to open a SCSI devices + immediately after attaching it results in ENXIO/ENOENT errors. This adds the retry logic back. + + Names of some images used in the tests had changed, this commit updates those names too. + + Signed-off-by: Amit Barve + +commit 8a094aee4469e4a0b3b84d83259f842e3554bd99 +Author: Maksim An +Date: Thu Jun 1 17:24:26 2023 -0700 + + tests: add rego e2e tests for dump_stacks and get_properties (#1793) + + Signed-off-by: Maksim An + +commit 4f8d26f7d627ffa68809c4f695c53bb6673d0fd1 +Author: Maksim An +Date: Tue May 30 17:09:51 2023 -0700 + + tests: fix uvm resources update tests (#1796) + + inject fragment logic has been added and the uvm resource + update tests are failing for a completely different reason. + Update the tests to check for specific "invalid resource" + message. + + Signed-off-by: Maksim An + +commit 566a34db6bbce112fb9cfa2bd582dc546a7d10cd +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue May 30 18:55:36 2023 -0400 + + [func.test]update lcow layer processing (#1795) + + Signed-off-by: Hamza El-Saawy + +commit 9fd0e723a603b0c144ca94199791c9774b96ad2d +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue May 30 18:07:59 2023 -0400 + + [gcs.test] update scratch space cleanup order (#1794) + + 
Signed-off-by: Hamza El-Saawy + +commit e322ac59f779cb9af5fa0c58c56374b2e99d46f6 +Author: Amit Barve <57150885+ambarve@users.noreply.github.com> +Date: Tue May 30 10:55:20 2023 -0700 + + Add test for support of NFS mount (#1726) + + LCOW kernel needs to be built with certain config options(`CONFIG_NFS_FS=y`, `CONFIG_NFS_V4=y` & + `CONFIG_NFS_V4_1=y`)_in order to be able to successfully run a NFS client and mount a NFS inside a + container. This test attempts to mount a (fake) NFS server to ensure that the kernel has the capabilities of + running a NFS client. + + We don't mount a real NFS server because creating a real NFS server that will work in all kinds of test + environments is not simple. Instead, we look at the error returned by the NFS mount operation and decide if + the failure is because the server wasn't available (i.e a `Connection refused` error) or because the kernel + doesn't support NFS clients (`No Device` error). + + Limitations on different approaches of starting a real NFS server: + 1. Starting another LCOW container that runs a NFS server: By default on Linux the NFS server runs in the + kernel and to enable that the kernel must be built with `NFSD_*` config options (note that the config options + for running NFS server are different than the config options required for NFS client), which we don't + currently do and it doesn't make sense to just enable these options for a test. + 2. Running a userspace NFS server: There are a few userspace NFS server projects but getting them to run + inside the UtilityVM wasn't very easy. We didn't want to spend a lot of time on this test. + 3. Running NFS server on the windows host: Not all builds of windows support this so the test won't run in all + environments. + + 
Signed-off-by: Amit Barve + +commit f1a271103bcd47fe4602344f906feb02ea094072 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue May 30 13:34:04 2023 -0400 + + Use `gh` cli to download releases (#1792) + + Use official github cli tool to download releases, instead of manually + creating URLs. + + Signed-off-by: Hamza El-Saawy + +commit 933d9b169632ed09de95aa16017da88ae621d7aa +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Tue May 30 13:32:50 2023 -0400 + + Bump github.com/containerd/ttrpc from 1.1.1 to 1.1.2 (#1791) + + * Bump github.com/containerd/ttrpc from 1.1.1 to 1.1.2 + + Bumps [github.com/containerd/ttrpc](https://github.com/containerd/ttrpc) from 1.1.1 to 1.1.2. + - [Release notes](https://github.com/containerd/ttrpc/releases) + - [Commits](https://github.com/containerd/ttrpc/compare/v1.1.1...v1.1.2) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/ttrpc + dependency-type: direct:production + update-type: version-update:semver-patch + ... + + Signed-off-by: dependabot[bot] + + * tidy ./test + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: dependabot[bot] + 
Signed-off-by: Hamza El-Saawy + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Hamza El-Saawy + +commit 36359c002b0df048ea65a4c7fd27d5a4ec1310c5 +Author: Maksim An +Date: Tue May 23 13:38:16 2023 -0700 + + update tar2ext4 package (#1785) + + Add another `ReadExt4SuperBlockReadSeeker` implementation + to work with `io.ReadSeeker` in addition to working with + files directly. This way we'll be able to work with e.g. + ext4 GPT partitions. The existing `ReadExt4SuperBlock` works + the same, but has been updated to call `ReadExt4SuperBlockReadSeeker`. + + Add `ReadDMVerityInfoReader` that reads dmverity superblock + from an `io.Reader` and update `ReadDMVerityInfo` accordingly. + + Additionally write verity superblock directly without `io.SeekEnd`, + assumming that the writer is already set at correct offset. + `ComputeAndWriteHashDevice` parameters have been updated + accordingly. + + Add `Ext4FileSystemSize` function that reads ext4 superblock + from a given `io.ReadSeeker` and returns the underlying + ext4 filesystem size and its superblock. + + Signed-off-by: Maksim An + +commit c271b98fe67231d55c81fff84e42d5d2585482de +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue May 23 12:54:46 2023 -0400 + + [deps] combine and tidy `\test` (#1790) + + - https://github.com/microsoft/hcsshim/pull/1780 + - https://github.com/microsoft/hcsshim/pull/1781 + - https://github.com/microsoft/hcsshim/pull/1787 + - https://github.com/microsoft/hcsshim/pull/1788 + + Signed-off-by: Hamza El-Saawy + +commit 55f8c428a2d9b6f0aeced9d5dc497095160817d6 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue May 16 18:11:54 2023 -0400 + + Update containerd-shim-runhcs-v1 tests (#1783) + + Update shim tests to match current shim behavior. + Run shim tests in GitHub CI. + + 
Signed-off-by: Hamza El-Saawy + +commit 7769a64af74d7608bb91e04885b337b51c8878b2 +Merge: e5af8fb8f af8c44436 +Author: Kathryn Baldauf +Date: Mon May 15 16:01:16 2023 -0700 + + Merge pull request #1757 from katiewasnothere/kabaldau/scsi_ensure_filesystem + + SCSI ensure filesystem + +commit af8c44436dd2a87f4b6852ecbff5bbc7c7a148f2 +Author: Kathryn Baldauf +Date: Thu May 4 17:56:59 2023 -0700 + + Add feature to ensure scsi device is formatted with target filesystem + * Add new `EnsureFilesystem` and `Filesystem` options on + LCOWMappedVirtualDisk + * Add matching `EnsureFilesystem` and `Filesystem` options on scsi + MountConfig + * Set `EnsureFilesystem` and `Filesystem` when attaching scratch devices + * Add plumbing in guest scsi package to support `EnsureFilesystem` and + `Filesystem`. + * Create new `Config` type in guest scsi package for passing in + setup/cleanup configuration settings + * Add new call to get a device's filesystem by reading its superblock + * Add new scsi unit tests for new features and update existing tests + * New package for formatting using xfs + * Move xfs formatting for encrypted devices out of crypt pkg into scsi + + Signed-off-by: Kathryn Baldauf + +commit e5af8fb8f605c7a6b0a70a482e24af8d7cfb4f55 +Merge: 94df0f31d 1a2aca350 +Author: Kathryn Baldauf +Date: Mon May 15 14:35:12 2023 -0700 + + Merge pull request #1747 from katiewasnothere/kabaldau/scsi_partition_guest + + Guest agent support for partitions on SCSI devices + +commit 1a2aca35078ffefe4f2970cec4e661bbe26f1d1c +Author: Kathryn Baldauf +Date: Sun Apr 30 23:08:54 2023 -0700 + + Guest agent support for partitions on SCSI devices + * Update `ControllerLunToName` to `GetDevicePath` and take in partition + as an additional param + * Wait for partition subdirectory to appear for the devices + * Update device encryption and verity device names with partition index + * Update device encryption and verity device tests + * Add new unit tests for `GetDevicePath` + + 
Signed-off-by: Kathryn Baldauf + +commit 94df0f31d13bd1c08bea9ab245314c94e0c71eb9 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 15 16:10:30 2023 -0400 + + [deps] weekly update (#1779) + + PRs: + - https://github.com/microsoft/hcsshim/pull/1775 + - https://github.com/microsoft/hcsshim/pull/1777 + - https://github.com/microsoft/hcsshim/pull/1778 + + (needed to update `test/go.mod` as well). + + Update dependabot.yml to avoid automated major/minor updates in + containerd-related dependencies. + + Revert `github.com/containerd/ttrpc` in `test/` to `1.1.1`, since it is + used to communicate with shim in `containerd-shim-runhcs-v1` tests, and + the versions should match. + + Signed-off-by: Hamza El-Saawy + +commit 22bf0b5fb9c8b42f9e62a6802dbe833512635557 +Merge: 5c5d85cb4 776be9a96 +Author: Kevin Parsons +Date: Mon May 15 12:26:20 2023 -0700 + + Merge pull request #1745 from kevpar/lcow-layers + + Support flexible LCOW layer parsing and partitioned layers + +commit 776be9a967974764e3ede660329ef5f50ba79298 +Author: Kevin Parsons +Date: Tue Apr 18 10:56:00 2023 -0700 + + Add lcow-partitioned-layer mount type + + Adds support for a new type of LCOW mount that can use individual disk + partitions for each read-only layer. This change adds the work to parse + the new layer type and pass it through the shim, as well as the support + to the shim-side SCSI package to send the partition index in the guest + request. + + This change does not add the GCS-side work to actually mount the + specified partition. That will come in a future change. + + This change also does not handle formatting the scratch disk. It it + desired to be able to format it on the fly when creating the container, + but that will also come in a future change. + + 
Signed-off-by: Kevin Parsons + +commit 76b945454adf7053f5bcae1e59ffeda8e05bd0ed +Author: Kevin Parsons +Date: Sun Apr 23 01:10:58 2023 -0700 + + Support more flexible LCOW layer parsing + + Previously, layer information for both Windows and Linux containers was + passed throughout the shim through the OCI runtime spec's + Windows.LayerFolders field. This was used to store the set of + directories used for the layers, including the scratch. The exact + semantics of what is expected in these directories differed between + Windows and Linux. This approach worked okay, but had a few annoying + limitations. For instance, there was no way to represent more complex + layer data, such as a VHD path as well as a partition index on that VHD. + + This change removes the use of Windows.LayerFolders completely for Linux + containers, and instead creates a new layers.LCOWLayers type that is + used to represent Linux layer configuration. This new type is passed + into hcsoci.CreateContainer, and from there is passed into + layers.MountLCOWLayers where it is actually used to set up the + filesystem for the container. + + The new layers.LCOWLayers type is currently quite simple, but having + this as a proper Go type allows us a lot of flexibility in the future. + We can add more fields on this struct, but we could also change out the + nested LCOWLayer type for an interface, for instance, if we wanted to + support new types of layers that have drastically different + representation. + + This change does not aim to touch the way Windows container layers are + handled, nor how the Windows UVM root filesystem is set up. These would + be good things to improve in the future, but the Windows container + layers are more complicated in how they are used, so this is left for + future work. + + 
Signed-off-by: Kevin Parsons + +commit 5c5d85cb4fa2afbd1d390d7cf30edd1ee1313e77 +Merge: 497a34686 d98a2ef2a +Author: Kevin Parsons +Date: Mon May 15 12:25:14 2023 -0700 + + Merge pull request #1744 from kevpar/new-scsi + + Rewrite SCSI support in new package + +commit d98a2ef2acdd75c53c72913280360f0f4ecc2c3b +Author: Kevin Parsons +Date: Thu Apr 20 15:51:39 2023 -0700 + + Rewrite SCSI support in new package + + The existing SCSI implementation in internal/uvm has evolved organically + over time into what it is today. This creates unecessary difficulty when + adding new features to the code, makes it harder to maintain, and has + been a source of bugs. + + Additionally, there is a significant functional issue that the current + scsi code tightly couples the idea of attaching a SCSI device to a VM, + with the use/mounting of that device inside the VM. This creates + difficulty when we want to re-use the same SCSI attachment multiple + times, especially in the future when we will need to mount multiple + partitions from a device. + + This is addressed here by largely rewriting the shim's SCSI code, and + moving it to a new internal/uvm/scsi package. The new code features a + main Manager type, which delegates to attachManager and mountManager for + tracking of attachments to the VM, and mounting of devices inside the + VM, respectively. attachManager and mountManager also rely on a set of + interfaces for the actual backend implementation of interacting with a + VM. This will also allow for easier testing of the scsi package in + isolation in the future. + + One consequence of this change is it is no longer possible for the + caller to request a specific UVM path for a SCSI mount. The support for + this was already kind of a sham, because if the disk was already + mounted, you would get back its existing mount path instead of the one + you wanted, so the caller already had to handle that case. 
Additionally, + I'm not aware of any reason why the specific location the disk is + mounted is actually relevant. Because of these reasons, and to simplify + the overall package interface, the mount path is determined by the scsi + package, using a format string passed to the Manager at creation time. + + Signed-off-by: Kevin Parsons + +commit 497a346867c8e3b72eeb956c9c9eff9c749539f3 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 15 11:51:09 2023 -0400 + + formalize ignored (test) dependency updates (#1769) + + Signed-off-by: Hamza El-Saawy + +commit 889236e0dfb1a8700be744dc71217e77fe166370 +Merge: 5d2fe12bd 655649b34 +Author: Kathryn Baldauf +Date: Fri May 12 11:44:24 2023 -0700 + + Merge pull request #1773 from katiewasnothere/kabaldau/run_guest_unit_tests + + Enable guest agent unit tests in the CI + +commit 5d2fe12bdc5ecefd15095ddd8e462ed1ed64e423 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu May 11 18:10:53 2023 -0400 + + Bump github.com/docker/distribution (#1772) + + Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. + - [Release notes](https://github.com/docker/distribution/releases) + - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) + + --- + updated-dependencies: + - dependency-name: github.com/docker/distribution + dependency-type: indirect + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 154f8772df06c02711b2119bc3aac49a94778ca1 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu May 11 17:34:36 2023 -0400 + + Bump github.com/docker/distribution in /test (#1771) + + Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. + - [Release notes](https://github.com/docker/distribution/releases) + - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) + + --- + updated-dependencies: + - dependency-name: github.com/docker/distribution + dependency-type: indirect + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 655649b34d6c522d593062edfbeaf5c0bd37a8ca +Author: Kathryn Baldauf +Date: Thu May 11 14:19:48 2023 -0700 + + Enable guest agent unit tests in the ci + + Signed-off-by: Kathryn Baldauf + +commit a1d874ae0425505d469e0efc0a594c68a9e0b436 +Merge: de0e11619 b1b076864 +Author: Kevin Parsons +Date: Tue May 9 16:15:34 2023 -0700 + + Merge pull request #1728 from ashishsachdeva/asachdev/logsredirection + + gcs: Support routing container stdio to sidecar + +commit b1b07686425bd7e4594f46a153aa84bf224acf66 +Author: Ashish Sachdeva +Date: Wed Apr 12 10:49:13 2023 -0700 + + gcs: Support routing container stdio to sidecar + + Signed-off-by: Ashish Sachdeva + +commit de0e11619bf99d277aad558061a514f16bcb57b8 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 8 18:30:56 2023 -0400 + + Checkout appropriate containerd ref (#1752) + + Use containerd version from go.mod when checking out and building + upstream containerd for testing. + + containerd integration tests updated in 1.6.20 to work on windows. + + 
Signed-off-by: Hamza El-Saawy + +commit 478b6da9f5f5a579c2815e32ca1729be5a346f40 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 8 13:42:06 2023 -0400 + + omnibus dependency updates (#1767) + + Update dependencies and vendor (and update `test/go.mod`, as + appropriate) for: + + - 1758 + - 1759 + - 1760 + - 1761 + - 1762 + - 1763 + - 1764 + - 1765 + + Signed-off-by: Hamza El-Saawy + +commit a452efa21cb50f4d209c2fb9843b8bd1a0500273 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 8 10:32:38 2023 -0400 + + Allow patch dependabot updates (#1756) + + Patch updates can be disabled for most dependencies, but ignoring + all patch-fixes has caused errors (notably containerd). + + Signed-off-by: Hamza El-Saawy + +commit 8fa2489ff65feba90a32e7bee6e9eea2d79957d3 (tag: v0.10.0-rc.8, upstream-hcshsim/hcsshim-v0.10.0-rc.8, origin/hcsshim-v0.10.0-rc.8) +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu May 4 17:57:01 2023 -0400 + + slice bounds and nil VM access fix (#1754) + + Signed-off-by: Hamza El-Saawy + +commit a8ec8c8bb9db41572ab4122f603531376c82399d +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu May 4 16:07:42 2023 -0400 + + Remove godeps from makefile (#1750) + + Go already relies on its own internal caching, and replicating that in + make adds unnecessary complexity, and is error prone, since the makefile + doesn't recognize if new files are added, and isn't aware of build + constraints. + + Remove `*.gomake` and `*.godeps` portion of makefile and invoke go directly. + Remove `hack/gomakedeps.sh` file + + 
Signed-off-by: Hamza El-Saawy + +commit d1b45c5f02fc5f47a0c283bf3cf166eb86f213d8 +Merge: 4c7925c23 d37e4c6f1 +Author: Kevin Parsons +Date: Thu May 4 10:13:22 2023 -0700 + + Merge pull request #1743 from kevpar/layers-rework + + Rework layer handling to return a ResourceCloser + +commit d37e4c6f13918fcac3211f864b33c75d54b278d2 +Author: Kevin Parsons +Date: Tue Apr 18 21:14:12 2023 -0700 + + Rework layer handling to return a ResourceCloser + + Currently, the layers package relies on the caller of Mount*COWLayers to + subsequently call NewImageLayers, which constructs a special ImageLayers + object that can be used to later clean up the layer mounts. However, + this requires the caller to know too much about the internals of the + layer mounting process. + + A cleaner approach, which I take here, is to instead return a standard + ResourceCloser from Mount*COWLayers which then knows how to clean up + whatever mounts were done. I have also changed the layers code to use + ResourceCloser in more places internally. + + There is a new check in resources_*cow.go, such that the layers closer + is only stored if the container is not a hypervisor-isolated sandbox + container. This duplicates the logic that was previously in + (*ImageLayers).Release. + + 
Signed-off-by: Kevin Parsons + +commit 4c7925c23e6f2c843793ac836d0ceb1d4533c0ae +Merge: d446b24c6 1dd217b51 +Author: Kevin Parsons +Date: Thu May 4 01:27:32 2023 -0700 + + Merge pull request #1742 from kevpar/getscsiuvmpath + + Remove dependence on GetScsiUvmPath function + +commit 1dd217b51877613500216948cec52959a3a9c676 +Author: Kevin Parsons +Date: Tue Apr 18 02:34:37 2023 -0700 + + Remove dependency on GetScsiUvmPath from WCOW-isolated mounts + + The WCOW-isolated SCSI mount process currently works as follows: + - In resources_wcow.go, go through each mount on the OCI spec, and if it + is a SCSI mount, add a mount to the UVM for it. + - in hcsdoc_wcow.go, go through each mount on the OCI spec, use + GetScsiUvmPath to determine the guest path it was mounted to, and add + an entry to the container doc for it. + + This is quite hacky, as it relies on a 1:1 mapping between host VHDs and + mounts in the guest, and also because it requires us to re-query + information we've already been given. The SCSIMount object returned when + we mounted to the guest can already tell us the guest path. + + This change resolves this problem by instead determing the set of guest + mounts that should be added to the container doc at the time when the + SCSI mounts are done, and saving it in the creation options. Then, when + we construct the actual container doc, we just grab those mounts and add + them in. + + 
Signed-off-by: Kevin Parsons + +commit d42948347a208dfd9ce76335f7b80e546f252f61 +Author: Kevin Parsons +Date: Tue Apr 18 14:59:50 2023 -0700 + + Remove dependency on GetScsiUvmPath from driver installation + + Currently, when installing drivers on LCOW, we use GetScsiUvmPath to + check if the VHD is already mounted, and if it is, we assume the drivers + have already been installed, so we can skip doing it again. This check + has a few problems: + + - It relies on GetScsiUvmPath, which assumes a single mount-point in the + guest for a given VHD. This assumption is not safe to make in the face + of future changes, where we could mount a device (or partitions on it) + multiple times. + - It assumes the disk has stayed attached the whole time after drivers + were installed. This may be a safe assumption today, but can be + fragile in the future. + - It does not work in the case of a VHD containing multiple sets of + drivers, or a VHD being changed/updated to newer content after first + install. Again, this is safe given the current overall design today, + but could break in the future. + + This change is still mostly a bandaid fix. Probably what is most correct + is to track driver installation in something with state (the GCS) rather + than using a separately invoked binary to do the in-guest install. + However, this change does address the first issue above, removing the + dependency on GetScsiUvmPath. I do this in the following way: + + - Change install-drivers to check if the overlay path exists already, + and exit with a no-op if it does. This encodes the assumption that the + overlay path will be consistent for a given driver set. + - Change InstallDrivers in the shim to compute a V5 GUID from the VHD + path, and use that as part of the overlay path given to the guest. + This ensures there is a unique guest overlay path for each unique host + driver VHD path. + + 
Signed-off-by: Kevin Parsons + +commit d446b24c6daca256e77071ba6b723c2abbe141c6 +Merge: fe4a458be cbe5c3305 +Author: Kevin Parsons +Date: Wed May 3 01:56:20 2023 -0700 + + Merge pull request #1741 from kevpar/scsidevice + + gcs: Add SCSIDevice type with remove operation + +commit cbe5c33052a1b05a8d4036a6598acf691a404b6b +Author: Kevin Parsons +Date: Mon Apr 17 13:50:24 2023 -0700 + + gcs: Add SCSIDevice type with remove operation + + SCSI devices must be unplugged by the guest before removal on the host + side, to ensure smooth operation. Previously a SCSI device was unplugged + when a LCOWMappedVirtualDisk entry was removed. However, we want to + support multiple mounts per disk, which means we need to decouple unplug + from unmount. + + This change introduces a new SCSIDevice resource type that has a remove + operation that can be used by the host to trigger an explicit unplug via + SCSI. + + This is a breaking change to the bridge protocol: + - With new host/old guest, the host will attempt a SCSIDevice remove + which will fail due to being unsupported by the guest. + - With old host/new guest, the host will expect the device to be + unplugged when the disk is removed, which will no longer occur. + + Signed-off-by: Kevin Parsons + +commit fe4a458befb13d891417ff730d1f3e6f3537053d +Merge: 4eb7dfa41 5591091fe +Author: Kevin Parsons +Date: Wed May 3 01:05:46 2023 -0700 + + Merge pull request #1740 from kevpar/remove-clone + + Remove UVM/container cloning functionality + +commit 4eb7dfa41fb9d311d764fc57e0afeef139577450 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 1 15:04:46 2023 -0400 + + [bug] Consolidate dependabot updates (#1749) + + Follow up to: https://github.com/microsoft/hcsshim/pull/1748 + Updated wrong docker dependency. + Fixes: + https://github.com/microsoft/hcsshim/pull/1732 + https://github.com/microsoft/hcsshim/pull/1733 + + 
Signed-off-by: Hamza El-Saawy + +commit 3d35c7b44271c9a3526686f9f6814e473c8fb977 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 1 13:27:22 2023 -0400 + + Consolidate dependabot updates (#1748) + + Easier to omni-bus updates to deal with test/go.mod update issues. + + https://github.com/microsoft/hcsshim/pull/1702 + https://github.com/microsoft/hcsshim/pull/1703 + https://github.com/microsoft/hcsshim/pull/1709 + https://github.com/microsoft/hcsshim/pull/1723 + https://github.com/microsoft/hcsshim/pull/1724 + https://github.com/microsoft/hcsshim/pull/1732 + https://github.com/microsoft/hcsshim/pull/1733 + + Signed-off-by: Hamza El-Saawy + +commit c15066271e5a8e7523f31fad1d44c783937d596d +Author: Maksim An +Date: Wed Apr 26 15:31:43 2023 -0700 + + fix: few bugs with error shadowing (#1737) + + Signed-off-by: Maksim An + +commit 5591091fe58519db0b9658bf8bb7bd444a7b101d +Author: Kevin Parsons +Date: Thu Apr 20 16:17:18 2023 -0700 + + Remove UVM/container cloning functionality + + This change completely removes the support for cloning/late cloning that + was added a few years ago. The reasoning behind this is as follows: + - There are no plans to utilize cloning at this point in time. + - The cloning support required extensive/invasive changes across many + parts of the shim. This has made future changes and refactorings more + difficult in some cases. While these changes are still possible, it + seems like an unnecessary burden if we are not going to use cloning. + - The cloning functionality was never actually utilized, and thus may + still have had fixes needed to be production-ready. + + If cloning is needed again in the future, we will be able to revert this + commit to add it back. + + Signed-off-by: Kevin Parsons + +commit d816cbe89e4deae51c0b0044e7834f9068a3f9b2 +Author: Matthew A Johnson +Date: Thu Apr 20 18:20:26 2023 +0100 + + Adding padding to base64 encoded policy decisions (#1738) + + Switching to standard encoding + + 
Signed-off-by: Matthew A Johnson + +commit 11439346ddf0877c71475f92c182b5807d2d527f +Merge: 792a588a3 daa723fc4 +Author: Kathryn Baldauf +Date: Wed Apr 19 11:59:51 2023 -0700 + + Merge pull request #1717 from katiewasnothere/kabaldau/add_back_ext4_formatting + + Add code to format disk as ext4 in guest + +commit daa723fc49543a1341fec30e871fa85c240a5714 +Author: Kathryn Baldauf +Date: Tue Apr 4 12:47:43 2023 -0700 + + Add code to format source as ext4 + + Signed-off-by: Kathryn Baldauf + +commit 792a588a335e09a242bada07974b5491201f2a44 +Author: Maksim An +Date: Mon Apr 17 17:22:02 2023 -0700 + + tests: write seccomp profile to a temporary file (#1736) + + Signed-off-by: Maksim An + +commit 52eee9916647740afb5e49241f88e45f93aa9c4d +Author: Matthew A Johnson +Date: Mon Apr 17 20:02:38 2023 +0100 + + Fixing the errors for missing enforcement points (#1735) + + Signed-off-by: Matthew A Johnson + +commit 61e491d7afcbbea75b52b73a79448ab2419bc30d +Author: Matthew A Johnson +Date: Sat Apr 15 01:13:05 2023 +0100 + + Policy decision truncation. (#1731) + + In some circumstances, the policy decision object returned from a policy + denial causes the resulting error message to exceed the maximum error length + imposed by Service Fabric. This PR adds some truncation logic to reduce the + size of the decision object so it first into the limit. Firstly, all standard + capability sets (privileged and unprivileged) are replaced with a placeholder. + Then, if the message is above the length limit then the following things are + truncated until the message is below the threshold: + + 1. `reason.error_objects` + 2. `input` + 3. `reason` (the rest of the reason object returned from the policy) + + Signed-off-by: Matthew A Johnson + +commit d483254a7118d1e80e1ff327ef9b7d5819345f28 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Apr 14 17:48:01 2023 -0400 + + switch from filepath.EvalSymlinks to fs.ResolvePath (#1644) + + 
Signed-off-by: Hamza El-Saawy + +commit b6806f37572d8570090c8c259c22b678c289eaef +Author: Julien Maffre <42961061+jumaffre@users.noreply.github.com> +Date: Fri Apr 14 18:34:06 2023 +0100 + + Make sure that security context files are readable by all (#1729) + + Update internal/guest/runtime/hcsv2/uvm.go + + Make sure that security-context directory has `0755` permissions. + + Signed-off-by: Julien Maffre + +commit b2acb03aaf23420883b109dd6659b439aa6adb99 +Merge: c9f052d90 8cb4a1f54 +Author: Kathryn Baldauf +Date: Thu Apr 13 14:12:25 2023 -0700 + + Merge pull request #1704 from katiewasnothere/kabaldau/new_exported_test_funcs + + Create new test packages that reference internal packages + +commit 8cb4a1f54f3a53b80fc0f35cfd667473e53b9b0c +Author: Kathryn Baldauf +Date: Thu Apr 13 13:17:46 2023 -0700 + + Add doc file to describe test/pkg package + + Signed-off-by: Kathryn Baldauf + +commit 815de8d38401e4ee6288a48368ad1f105034c6f8 +Author: Kathryn Baldauf +Date: Mon Mar 20 15:30:11 2023 -0700 + + Create new test packages that reference internal packages + + Signed-off-by: Kathryn Baldauf + +commit c9f052d90b83b7099c7ecfafc9fd12ada0ec5bb7 +Author: Maksim An +Date: Tue Apr 11 13:42:21 2023 -0700 + + tests: fix error assertion and container layer sha256 (#1725) + + Rego error messages are now returned base64 encoded, so direct + error message assertions don't work and we need to decode the + policy decision string first. One of the tests was missing this. + + Additionally alpine container has been updated and the layer + digest has changed, so the policy used to check backward compat + is now broken. Update it to have a valid digest. + + 
Signed-off-by: Maksim An + +commit f4bcf0972a0bce12a1316b77304ac60001dd0f35 +Author: Maksim An +Date: Tue Apr 11 10:08:35 2023 -0700 + + negative rego cri-integration tests (#1719) + + Enable a few negative tests for rego enforcer. Since JSON policies + will be dropped soon, replace existing negative JSON policy tests + with negative rego policy tests. + + Signed-off-by: Maksim An + +commit 8b2e3c425bbad8a2c1544fa797cec25325029331 +Author: Maksim An +Date: Mon Apr 10 10:36:07 2023 -0700 + + hack: add blanket retries on device-mapper failures with SCSI (#1720) + + After moving to 5.10+ we started seeing occasional failures when + creating verity/crypt device-mapper targets. + Longer term fix should be adding retries on particular errors + at lower level e.g. in devicemapper/crypt packages. + + Signed-off-by: Maksim An + +commit 8f5f651f39b388d0e072aeb87e74950a442e095a +Author: Matthew A Johnson +Date: Mon Apr 10 01:46:06 2023 +0100 + + Moving to structured JSON policy decisions. (#1718) + + This commit makes two major changes: + + 1. All policy enforcement points now receive a context objects and use it + to log policy errors and denial decisions. + 2. Policy denials are now conveyed as structured JSON objects. + + Whereas previously policy denial was surfaced as a text error message, + the policy now generates a bracketed base64 encoded string: + + policydecision< (base64) >policydecision + + When decoded, this will be a JSON object with the following structure: + + ```json + { + "input": , + "decision": "deny", + "reason": , + "policyError": + } + ``` + + NB: the `"policyError"` field above is only present if the denial was + triggered by an actual error in the Rego policy. + + 
Signed-off-by: Matthew A Johnson + +commit b0a82cb8ecbd5ce57423368b66a54674f4fd9063 +Author: Maksim An +Date: Wed Apr 5 09:04:23 2023 -0700 + + con-con: write policy, reference info and cert to container's rootfs (#1708) + + Due to `execve` limitation on the size of environment variable, write the + base64 encoded security policy, UVM reference info and host AMD certificate + to container's rootfs. + + Update existing test accordingly. + + Signed-off-by: Maksim An + +commit bf05781e4fa0276e3785e45d1700022877ecc97f +Author: Maksim An +Date: Mon Apr 3 16:09:57 2023 -0700 + + tests: Add rego cri-integration tests for plan9 mount policy. (#1651) + + Signed-off-by: Maksim An + +commit 79331e628a535296558e09f75a1c3b13f75ebe6b +Author: Maksim An +Date: Mon Apr 3 10:43:17 2023 -0700 + + sev-snp: add SEV device when security policy is present (#1679) + + This change adds SEV device to linux container spec whenever security + policy isn't empty. + + Signed-off-by: Maksim An + +commit 50e1059ca8c254a70bc3d44d46917cf7b41518d5 +Author: Matthew A Johnson +Date: Fri Mar 31 16:05:56 2023 +0100 + + Clarifying SVN vs. Version. (#1715) + +commit e7b0eab484b277ab1a30a282b7232744a34e6624 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Mar 29 13:57:55 2023 -0400 + + upgrade runc dependency (#1714) + + 
Signed-off-by: Hamza El-Saawy + +commit ff268a2c451cd74f865c2fc94d6a9d9780c0dc18 +Author: Matthew A Johnson +Date: Tue Mar 28 20:23:56 2023 +0100 + + Seccomp profile policy enforcement. (#1705) + + This commit adds enforcement over the seccomp profile associated with a container. The + policy author can measure their seccomp profile and include this measurement in the + policy. Subsequently, they can provided that same seccomp profile to the orchestrator + (e.g. via an annotation) and GCS will measure the provided profile and provide this as + input to the policy engine. + + This commit also adds a series of CRI tests for security context enforcement. + + Fixing error with privileged exec_in_container + Adding CRI test for privileged exec in container + + Signed-off-by: Matthew A Johnson + +commit 144a58796678fc3c0360f41bb636516d92c297c2 +Merge: 5c373d575 8fb834552 +Author: Kathryn Baldauf +Date: Thu Mar 23 16:20:55 2023 -0700 + + Merge pull request #1707 from katiewasnothere/kabaldau/clean_mod_cache + + Update golangci linter and clean go mod cache + +commit 8fb8345521071dbddffebde44148be56f7113fc8 +Author: Hamza El-Saawy +Date: Thu Mar 23 18:10:25 2023 -0400 + + Fix linter issues. + + Remove `//nolint` directives for varcheck, deadcode, and + structcheck; they were deprecated in golangci-lint v1.49. + + Removed `//nolint` directives for `unused`; it appears a new version of + that linter is less false-positive prone. + + Fix instance of loop variable being captured in closure for + `Test_RunPodSandbox_Concurrently` in `policy_test.go`. + + Signed-off-by: Hamza El-Saawy + +commit 6e2711165aa1267cc412ff8613f58cfffe9e707c +Author: Kathryn Baldauf +Date: Thu Mar 23 14:24:40 2023 -0700 + + Update golangci linter and clean go mod cache + + 
Signed-off-by: Kathryn Baldauf + +commit 5c373d5754c0a7faf501bf56a3d88621eb7afa7c +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Mar 21 11:03:14 2023 -0400 + + NCProxy: attach to host and macpool (#1591) + + * NCProxy: attach to host and macpool + + Allow NCProxy to attach endpoints to default host namespace. + Return MAC pool information for networks. + + Signed-off-by: Hamza El-Saawy + + * pr: debug to warn + + Signed-off-by: Hamza El-Saawy + + * added tests + + Signed-off-by: Hamza El-Saawy + + * PR: test cases, end MAC addr check + + Signed-off-by: Hamza El-Saawy + + * PR: hostdefault namespace test + + Bug where `AttachToHost` field was always false. + + Test now uses `Host` namespace, instead of `HostDefault` and checks that + attaching an endpoint to the host works properly + + Simplified control flow/logic in `AddEndpoint`. + + Signed-off-by: Hamza El-Saawy + + * PR: test failure + + Signed-off-by: Hamza El-Saawy + + * PR: namespace ID, test comments + + Signed-off-by: Hamza El-Saawy + + --------- + + 
Signed-off-by: Hamza El-Saawy + +commit 4cf46addd62d199d3153bce49f6eab2ecd8c149e +Author: Matthew A Johnson +Date: Mon Mar 20 23:41:20 2023 +0000 + + Adding policy for Linux capabilities. (#1683) + + This commit adds enforcement of policy over the capabilities provided to a process, + either the init process of the container, or a process being executed inside a + container (*i.e.* this affects the `EnforceCreateContainerPolicy` and + `EnforceExecInContainerPolicy` enforcement points). Linux capabilities enumerate + the things a process can do, and as such a malicious host could grant or deny + specific capabilities to processes to create an unexpected and potentially + compromised state for the container group. Users can now specify an exact + list of capabilities for each of the five sets (bounding, effective, inheritable, + permitted, and ambient). + + Users can also specify that they wish to enable *capabilities dropping*, whereby + any extraneous capabilities which are granted by the host can be dropped down to a + minimum set of needed capabilities. + + Signed-off-by: Matthew A Johnson + Signed-off-by: Sean T. Allen + +commit e05e3aa04e92571ac1479150d92538a90dc4dfc2 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Mar 20 22:07:24 2023 +0000 + + Bump github.com/google/go-containerregistry from 0.13.0 to 0.14.0 (#1701) + +commit d5c1acc447e50a50985cba9ef8da0fa0e623f769 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Mar 20 18:33:53 2023 +0000 + + Bump github.com/google/go-containerregistry in /test (#1700) + +commit 8aee7cdd92b14769bfd8376c06cb27cbb3c78c57 +Author: Maksim An +Date: Mon Mar 20 09:25:28 2023 -0700 + + tests: add tests for concurrent pod startup (#1639) + + 
Signed-off-by: Maksim An + +commit 973a4ba52332ce5bd9a428c8569f3c52ed05f86b +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Mar 16 21:30:13 2023 -0400 + + Update dependencies (#1697) + + Consolidate dependabot PRs and update ./test/go.mod accordingly: + - https://github.com/microsoft/hcsshim/pull/1675 + - https://github.com/microsoft/hcsshim/pull/1686 + + Signed-off-by: Hamza El-Saawy + +commit 2c8ae3f42d13cd411054d2c8386816a076d7968b +Author: Sean T Allen +Date: Thu Mar 16 20:14:54 2023 -0400 + + Fix "no matches" test that can somewhat easily match (#1684) + + The number of values that a generated umask can have it rather small + and as such, will eventually be generated for both a container that + is part of a generated policy and as the "bad value" in our no match + test for umask. + + This already happened to me. + + This commit changes to using a value that can't be generated and + therefore is guaranteed to be a bad match which is all we care about + for our test. + + This change removes the spurious test failures we would otherwise get. + + Matt and I are working towards having the ability to generate unique values + per test for such things but at the moment, the infrastructure isn't in + place for it, so this change will do for now. + + 
Signed-off-by: Sean T. Allen + +commit 13465d5a4a51cadc377776e07b149d7e87cebe5a +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Mar 16 15:59:21 2023 +0000 + + Bump actions/setup-go from 3 to 4 (#1696) + +commit 178111d9cfe32aaab22ac70cb872c1e2299a9aff +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Mar 15 15:12:21 2023 -0400 + + Logging (JSON) formatting; span export (#1364) + + * Log (JSON) formatting hook; span export + + Added formatting for logrus export hook to marshal structs as JSON + strings, as well as format other known types (eg, time.Time). + + Updated span export to: + * include span kind + * include status code + * log if span attributes were dropped + + Added helper `log.Format*` functions to format Time and other structs + to JSON. This is already done by the logging hook, but allows spans + format their attributes consistently, since they must be converted to + strings before being exported. + + Signed-off-by: Hamza El-Saawy + + * PR: docs, un-exported func, vestigial code + + Remove unused commented out code and left-over function. + + Signed-off-by: Hamza El-Saawy + + * PR: docs, defaults, AddSpanContext/EncodeError bug + + Clarified documentation. + + Disable JSON encoding by default. + + Bug: `AddSpanContext` wasn't checked when adding span information. + Bug: `EncodeError` was unneeded. + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: Hamza El-Saawy + +commit 5e3a6dfa5fdcb695748e19f03d5ffb5127a7588a +Author: kiashok <99994218+kiashok@users.noreply.github.com> +Date: Tue Mar 14 13:25:06 2023 -0700 + + Fix graceful termination test errors (#1687) + + - Loosen the time interval check that measures the time taken to + stop the container with -t command to account for cloud test delays + - Add to check that OS version is V21H2Server since the graceful + termination test images are based on servercore and nanoserver 2022. + + 
Signed-off-by: Kirtana Ashok + Co-authored-by: Kirtana Ashok + +commit 69815bcbb5c01bdca37682c687e6eb85b869b439 +Author: Maksim An +Date: Mon Mar 13 23:02:43 2023 -0700 + + tests: rego exec in uvm cri integration tests (#1648) + + add another wrapper for shim diag. + + Signed-off-by: Maksim An + +commit 2cd8784ac82d9e7874f21bb3a9256e522376e2b3 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Mar 13 19:50:20 2023 +0000 + + Bump github.com/containerd/ttrpc from 1.1.0 to 1.2.1 in /test (#1693) + +commit 66fe5f7f91d753070ed352ce1edc1f437fe468e9 +Author: Maksim An +Date: Mon Mar 13 09:33:16 2023 -0800 + + github-ci: use go1.19.x (#1689) + + rerun protobuild + + fix: check for `exec.ErrDot` + + Signed-off-by: Maksim An + +commit 1bc5798c25aa9fe0dc790537f637949e10874f96 +Author: KenGordon +Date: Mon Mar 13 16:45:02 2023 +0000 + + Fix silly error whereby a chain was required although unnecessary. (#1682) + + Signed-off-by: Ken Gordon + +commit dd669924dbbfda544ebafe3f94a3b5d2a0e4412f +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Mar 6 18:39:13 2023 +0000 + + Bump golang.org/x/sys from 0.5.0 to 0.6.0 in /test (#1685) + +commit 8994d86322d465305157cccb0dc04dd3d27f629c +Author: Matthew A Johnson +Date: Fri Mar 3 05:57:03 2023 +0000 + + Adding policy enforcement for User. (#1669) + + This PR adds policy enforcement for the User property of container processes. + Policy authors can now explicitly allow and deny users, groups, and umasks + associated with the init process and exec processes that they define on + containers. + + 
Signed-off-by: Matthew A Johnson + +commit 5871d0c4436f131c377655a3eb09fc9b5065f11d (tag: v0.10.0-rc.7) +Author: Gabriel +Date: Tue Feb 28 19:47:03 2023 +0200 + + Base layer manipulation (#1637) + + * Simple baseLayerReader to export parentless layers + + This is the inverse of the baseLayerWriter: It walks Files/ and + UtilityVM/Files/ (if present) and ignores the rest of the layer data, + as it will be recreated when the layer is imported. + + Signed-off-by: Paul "TBBle" Hampson + + * Introduce hcsshim.ConvertToBaseLayer + + This API allows turning any collection of files into a WCOW base layer. + + It will create the necessary files in Files/ for + hcsshim.ProcessBaseLayer to function, validate the necessary files for + hcsshim.ProcessUtilityVMImage if UtilityVM/ exists, and then call those + two APIs to complete the process. + + Calling this on a directory containing an untarred base layer OCI + tarball, gives a very similar outcome to passing the tar stream through + ociwclayer.ImportLayer. + + The new API is used in `TestSCSIAddRemoveWCOW` to create nearly-empty + base layers for the scratch layers attached and removed from the utility + VM. + + A wclayer command is also introduced: `makebaselayer` for testing and + validation purposes. + + Signed-off-by: Paul "TBBle" Hampson + + * Include hard-linked files as hard-links in the tarstream + + Signed-off-by: Paul "TBBle" Hampson + + * Use offline registry library to generate min hive + + This change adds functions to generate valid, empty hives. + + Signed-off-by: Gabriel Adrian Samfira + + * Rename ofreg.go and close key + + Signed-off-by: Gabriel Adrian Samfira + + * Fix temp dir creation + + Signed-off-by: Gabriel Adrian Samfira + + * Cleanup tests + + Signed-off-by: Gabriel Adrian Samfira + + * Fix ORCloseHive definition + + Signed-off-by: Gabriel Adrian Samfira + + * Remove unused ctx from baseLayerReader + + 
Signed-off-by: Gabriel Adrian Samfira + + * Use string in sys definition and check for err + + * We can use string instead of *uint16 in the //sys definition and allow + mksyscall to generate the proper boilerplate. + * do not shadow err if it's not nil + + Signed-off-by: Gabriel Adrian Samfira + + * Close the r.proceed channel + + Signed-off-by: Gabriel Adrian Samfira + + * Return if backup reader is nil + + Signed-off-by: Gabriel Adrian Samfira + + --------- + + Signed-off-by: Paul "TBBle" Hampson + Signed-off-by: Gabriel Adrian Samfira + Co-authored-by: Paul "TBBle" Hampson + +commit 38a2b199820739a0f0c5620ba32afa355a009a3b +Author: Maksim An +Date: Mon Feb 27 22:01:52 2023 -0800 + + simplify zeroDevice to just zero first block (#1672) + + Signed-off-by: Maksim An + +commit 411a1832c3f57794d6ebbe7007491fb0317a51c0 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Feb 27 16:03:34 2023 -0500 + + use gotestsum to get test summary (#1678) + + Signed-off-by: Hamza El-Saawy + +commit b759125ec521193f9e310ccf529d08fcf37e22d7 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Feb 27 17:11:56 2023 +0000 + + Bump github.com/opencontainers/runtime-tools in /test (#1674) + +commit 8283b8e8ea5e7a6fbd695da01f5bfe62b0f1610c +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Feb 27 17:06:59 2023 +0000 + + Bump actions/checkout from 2 to 3 (#1676) + +commit 6556516642980510752e419da65d5c85b1d1279c +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Feb 27 16:38:43 2023 +0000 + + Bump actions/upload-artifact from 2 to 3 (#1677) + +commit 276c4354f6bd7d4fe6f0445f716c88f64355922e +Author: Sebastiaan van Stijn +Date: Fri Feb 24 20:14:06 2023 +0100 + + osversion: implement stringer interface, deprecate ToString() (#1547) + + This allows the type to be used with fm.Sprintf() and similar uses. + + 
Signed-off-by: Sebastiaan van Stijn + +commit b9dbd860edb053fccca0e16318191c231ecd0a3c +Author: Sean T Allen +Date: Fri Feb 24 13:03:21 2023 -0500 + + Wait longer before trying to install mingw after failing to install (#1670) + + I've been watching the mingw failures I get and I've been checking + "successes" to see if I can see the current 2 second back off being + successful. I regularly see the short retry period not working and + I've seen only once or twice that it it worked. + + This commit ups the time to retry to a longer 60 seconds which + should give a better chance at success. + + Signed-off-by: Sean T. Allen + +commit 889c53a4fdc78d30645bf32ee1706525e8e7ea65 +Author: KenGordon +Date: Wed Feb 22 21:53:51 2023 +0000 + + Format encrypted scratch disk as xfs rather than ext4fs (#1665) + + * Format encrypted scratch disk as xfs rather than ext4s to avoid + ioerror detected by the integrity layer. + + Mount the correct type of scratch FS - xfs if encrypted. + + Remove sparse file tests as EncryptDevice does not invoke it. + + Signed-off-by: Ken Gordon + + * minor cleanup + + Signed-off-by: Maksim An + + --------- + + Signed-off-by: Ken Gordon + Signed-off-by: Maksim An + Co-authored-by: Maksim An + +commit 164f75307fe1a7d6bbd2eaf9b459ebc21e985555 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Tue Feb 21 19:20:47 2023 +0000 + + Bump golang.org/x/net from 0.1.0 to 0.7.0 (#1667) + +commit 06ecd9983cb94f5a75de2ff85bf152a239fb5603 +Author: Matthew A Johnson +Date: Tue Feb 21 16:49:44 2023 +0000 + + Adding policy enforcement for NoNewPrivileges. (#1652) + + This PR adds enforcement of `NoNewPrivileges` for `CreateContainer` and + `ExecInContainer`. + + 
Signed-off-by: Matthew A Johnson + +commit 39e9887201f0dce8105f38a9c6cc456bf38a2651 +Author: Sean T Allen +Date: Mon Feb 20 23:52:44 2023 -0500 + + Fix compilation error caused by "PRs crossing in the night" (#1668) + + Two recent PRs of mine had an unfortunate interaction. Both passed + they should have. Bunt one was refactoring that removed a method that + the second PR relied and when they were both merged to main, compilation + error! + + Refactor commit: + + https://github.com/microsoft/hcsshim/commit/2c33d3d83a1e447e129b7487bf04c3144d14f4a9 + + Commit that didn't take the above changes into account: + + https://github.com/microsoft/hcsshim/commit/c97246d11f19a4f178f1a82fe8b2caa0b404b472 + + Signed-off-by: Sean T. Allen + +commit 0b63055437a56c5d30f3808ddc19825a6bf88e17 +Author: Maksim An +Date: Mon Feb 20 20:13:37 2023 -0800 + + tests: rego policy exec in container tests (#1635) + + Add CRI integration tests to validate rego policy enforcement + around container execs. + Additionally introduce new `PolicyConfigOpt` type for easier + policy config generation, update policy tests to use the opts. + + Add `sev-snp` flag to cri-containerd executable, which indicates + that the tests are running on hardware with SEV-SNP support. + + Signed-off-by: Maksim An + +commit c97246d11f19a4f178f1a82fe8b2caa0b404b472 +Author: Sean T Allen +Date: Sat Feb 18 23:52:10 2023 -0500 + + Provide error message when the lack of required environment variables causes policy denial (#1661) + + This commit handles the simplest case of error reporting and doesn't inform as the the + particular variables or the group them into sets based on container/process. + + Signed-off-by: Sean T. Allen + 
Signed-off-by: Matthew A Johnson + +commit 6521a23ef84a400b676fcea45170c60131a677cf +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sat Feb 18 00:23:47 2023 +0000 + + Bump golang.org/x/net from 0.5.0 to 0.7.0 in /test (#1666) + +commit 2c33d3d83a1e447e129b7487bf04c3144d14f4a9 +Author: Sean T Allen +Date: Thu Feb 16 16:40:47 2023 -0500 + + Update selectContainerFromConstraints to work on a container list (#1645) + + A small point of improvement that we saved away was to take a list of containers + rather than constraints when selecting a container. This will make the function + more usable elsewhere in tests. + + This change doesn't do anything but the refactoring. Future usage of the more + generally useful function can be done as needed. + + Signed-off-by: Sean T. Allen + +commit a00dee33a6415da8e2e5ec3e6b90eab61b0d3d34 +Author: Sean T Allen +Date: Thu Feb 16 11:41:08 2023 -0500 + + Make a couple tests match the naming convention around them (#1664) + + A couple of tests had a _ between Enforce and CreateContainer that + isn't part of the naming scheme we came up with for the rego + policy tests. This commit fixes those variances. + + Signed-off-by: Sean T. Allen + +commit 730efda45860d32fbe8ba4965f8f3f67fe8ae4f8 +Author: Sean T Allen +Date: Wed Feb 15 14:08:10 2023 -0500 + + Provide error message when allow_stdio_access creates and undecideable error (#1662) + + If two containers are indistinguishable at create_container or exec_external + time except for their `allow_stdio_access` value, then we are unable to proceed + as we don't know if access should be allowed or not. + + Prior to this commit, no error message at all was displayed when this was + hit making it almost impossible for someone not "in the know" to diagnose. + + This first version gives a very simple error message that will be improved + with more information in later commits. + + 
Signed-off-by: Sean T. Allen + +commit 69927ff7cb136a12ef95ed541fc951214a4fe439 (tag: v0.10.0-rc.6) +Author: Maksim An +Date: Tue Feb 14 00:47:33 2023 -0800 + + fix: temp file leak during hash computation (#1641) + + Fix a temp file leak when computing dmverity root hash. This + mainly affects `dmverity-vhd` tool and users may see their temp + storage filling up. + + Signed-off-by: Maksim An + +commit a996c74b98f0930bbf5c2371994da2ba2c6e50f4 +Author: Maksim An +Date: Tue Feb 14 00:43:04 2023 -0800 + + dmverity: fix padding (#1659) + + Due to a missing check for whether padding is needed or not, for + certain images we may end up with an extra 4096 zero-byte padding + in the merkle tree. Fix this by checking if padding is needed. + + Signed-off-by: Maksim An + +commit c7a0aef0f8a0cf80d9b5063e13c198e72b0cd384 +Author: Sean T Allen +Date: Mon Feb 13 20:16:55 2023 -0500 + + Fix false positive error messages on exec_external policy denial (#1658) + + Due to errors in the logic for detecting errors when exec_external + was denied, if it was denied, env list and working directory errors + would always appear because the error checks were incorrect. + + This commit fixes those errors. + + At the moment, checking to make sure we don't have false positives + in tests is difficult. Work to add those tests is planned but will + take a bit. In the meantime, this change will fix the issue that + is live in production. + + 
Signed-off-by: Sean T. Allen + +commit 3489fc4eec96fc0ea6d363dfcb0c725ba8117827 +Author: Sean T Allen +Date: Mon Feb 13 18:32:57 2023 -0500 + + Fix unintended data modification when redacted environment variables (#1657) + + When I did the change to redact environment variable values in policy + engine error messages, I create a "false positive error message" bug. + + If any policy check were to be denied that involved environment variables + in the check, then environment variables would be listed as a cause even + if they weren't. This was because the previous redacting code was changing + the data object used to determine the errors. + + The updated data object had the redacted environment variables which would + never match so all error messages would include that the envs were invalid. + + This commit fixes that issue but creating a new object when redacting, the + original object is still used to data checking and if redaction has been done, + the new data object is used for generating the error message. + + The current test system makes this somewhat hard to test for. I will be adding + tests to cover "false positive error messages" in the not so distant future. + In the meantime, this commit addresses the bug before it makes to production. + + 
Signed-off-by: Sean T. Allen + +commit 53bc3f1fe32ccb8969c123d3b111a85928e35ef4 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Feb 13 19:02:06 2023 +0000 + + Bump golang.org/x/sys from 0.1.0 to 0.5.0 (#1655) + +commit b00804b75cda51ccf5f7b32344301eb18efa6d7a +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Feb 13 17:49:21 2023 +0000 + + Bump google.golang.org/grpc from 1.52.3 to 1.53.0 in /test (#1656) + +commit 387c546a03dc9b6377680b1427cc2cf3b5bb72f0 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Feb 13 15:54:50 2023 +0000 + + Bump golang.org/x/sys from 0.4.0 to 0.5.0 in /test (#1654) + +commit 6a1649a4b45abe759c5aaff8b3812854e8253227 +Author: Maksim An +Date: Fri Feb 10 12:16:37 2023 -0800 + + policy: add plan9 mount type handling when generating policy (#1650) + + Signed-off-by: Maksim An + +commit 9aa3217cbe084094bfae29960c006c9c94cd38b9 +Author: Matthew A Johnson +Date: Fri Feb 10 16:21:25 2023 +0000 + + Adding a default error message. (#1647) + + If the policy does not return an error, this means that an unexpected error + has occurred. We want to signal this to the user by throwing a generic + error which will indicate to them the general nature of what has gone + wrong, i.e. that their Rego is invalid. + + Signed-off-by: Matthew A Johnson + +commit 05254393814ef6e6318ff314361f02dcc67ea89f +Author: Sean T Allen +Date: Thu Feb 9 18:22:50 2023 -0500 + + Redact environment variable values in policy error output (#1649) + + Environment variable values might contain sensitive information. This + commit scrubs those values from appearing in policy error messages. + + In any error messages "Input" section, the value of the environment + variables is replaced with "<>". + + In the errors list, only the key of the environment variable is + listed as not matching rather than the full "KEY=VALUE" string. + + 
+ Signed-off-by: Sean T. Allen
+
+commit 8d301cb3353ddcb1b5bc63a116295e982686f80f
+Author: Maksim An
+Date: Tue Feb 7 14:44:02 2023 -0800
+
+ fix: treat VMGS file as template when launching multiple UVMs (#1646)
+
+ This PR fixes an issue when multiple UVMs are started in a
+ concurrent fashion, which results in an access denied error from
+ HCS when trying to load VMGS while another UVM start is using it.
+
+ The fix is to treat the VMGS file as template and create a temporary
+ copy in pod's OCI bundle directory for the lifetime of the UVM.
+ The copy is deleted when UVM is terminated.
+
+ Signed-off-by: Maksim An
+
+commit 420d7fa852e08c17575a1df467497a1929829ed6
+Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
+Date: Fri Feb 3 14:46:15 2023 -0800
+
+ Fix SCSI mount error handling (#1642)
+
+ SCSI mount operation used to check for ENOENT ("no such file or directory") error and used to retry the mount
+ operation because the SCSI device sometimes takes a bit of a time to show up. However, in the recent version
+ of the Linux kernel the error it returns seems to have changed from ENOENT to ENXIO ("no such device or
+ address"). This commit updates the retry logic to retry for either of those errors.
+
+ This also updates a test that used to specifically look for 2000 bits of entropy inside the guest.
+ However, Linux kernel 5.15 has changed the entropy behavior and now it only has 256 bits of entropy (with
+ increased security and performance).
+
+ 
Signed-off-by: Amit Barve + +commit db7a679aef40e648c836b20d6b1c3bc090042747 (tag: v0.10.0-rc.5) +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Jan 31 17:01:09 2023 -0500 + + test: Add CRI benchmarks for container operations (#1569) + + * test: Add CRI benchmarks for container operations + + Add CRI API benchmarks to `cri-containerd.test.exe`, and update helper + functions in `cri-containerd` to accept `tb testing.TB` instead of + `t *testing.T`. + + Switched `cri-containerd` to `test\internal\flag` so that + `test\internal\require` can be used to check if features are present + since that implementation already mirrors what `cri-containerd` does, + but accepts a `testing.TB`, and deleted old + `test/internal/stringsetflag.go` file. + + Renamed `scripts/Test-Functionl.ps1` to `scripts/Run-Tests.ps1`, and + updated it to run both functional and CRI tests and benchmarks. + + Signed-off-by: Hamza El-Saawy + + * PR: clarifying comment + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: Hamza El-Saawy + +commit d3102137a8e134b22466f058a104548b3c3142b8 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Jan 31 14:50:40 2023 -0500 + + Add retry to install mingw (#1636) + + Integration test often fails because of mingw installation failure, + which in turn appears to be a web-request issues. + Adding rety and backoff/sleep to resolve issue. + + Signed-off-by: Hamza El-Saawy + +commit 9f4ddc6b7bab336b2b7475dc54469565be070081 +Author: Sebastiaan van Stijn +Date: Mon Jan 30 23:05:35 2023 +0100 + + internal/tools/securitypolicy: switch to github.com/pelletier/go-toml (#1620) + + The BurntSushi/toml module was unmaintained for a long time, and most + projects switched over to using pelletier/go-toml. While it appears + that maintenance was handed over to a new maintainer, switching to + the most commonly used implementation to simplify dependency management. + + 
Signed-off-by: Sebastiaan van Stijn + +commit 118344bdd83ad33a0128e9eaaafe40016186c89b +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jan 30 18:34:33 2023 +0000 + + Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 (#1629) + +commit 3c21b610943f2f62de13b99c2047bcd8604c3356 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jan 30 13:34:10 2023 -0500 + + Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 (#1630) + + * Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 + + Bumps [github.com/containerd/cgroups](https://github.com/containerd/cgroups) from 1.0.3 to 1.1.0. + - [Release notes](https://github.com/containerd/cgroups/releases) + - [Commits](https://github.com/containerd/cgroups/compare/v1.0.3...v1.1.0) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/cgroups + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + + * fix test mod + + Signed-off-by: Hamza El-Saawy + + --------- + + Signed-off-by: dependabot[bot] + Signed-off-by: Hamza El-Saawy + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Hamza El-Saawy + +commit 7a8d6bbe9d5348fd748df70cc1be8b2abeead803 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jan 30 13:33:35 2023 -0500 + + Bump golang.org/x/sys from 0.3.0 to 0.4.0 in /test (#1612) + + Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.3.0 to 0.4.0. + - [Release notes](https://github.com/golang/sys/releases) + - [Commits](https://github.com/golang/sys/compare/v0.3.0...v0.4.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/sys + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit a31ee4ed0684b2718cb8e32833000b24e6620b64 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Jan 29 03:05:45 2023 +0000 + + Bump google.golang.org/grpc from 1.51.0 to 1.52.3 in /test + + Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.51.0 to 1.52.3. + - [Release notes](https://github.com/grpc/grpc-go/releases) + - [Commits](https://github.com/grpc/grpc-go/compare/v1.51.0...v1.52.3) + + --- + updated-dependencies: + - dependency-name: google.golang.org/grpc + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + +commit 73b75398dfae7547ba7e7c3a9155e105bdffe063 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Jan 29 03:05:21 2023 +0000 + + Bump github.com/google/go-containerregistry in /test + + Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.1 to 0.13.0. + - [Release notes](https://github.com/google/go-containerregistry/releases) + - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) + - [Commits](https://github.com/google/go-containerregistry/compare/v0.12.1...v0.13.0) + + --- + updated-dependencies: + - dependency-name: github.com/google/go-containerregistry + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + 
Signed-off-by: dependabot[bot] + +commit 80d9eb0a41e557e1ece044a7a6ce258427ffb491 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jan 30 12:11:09 2023 -0500 + + Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 in /test (#1631) + + Bumps [github.com/containerd/cgroups](https://github.com/containerd/cgroups) from 1.0.3 to 1.1.0. + - [Release notes](https://github.com/containerd/cgroups/releases) + - [Commits](https://github.com/containerd/cgroups/compare/v1.0.3...v1.1.0) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/cgroups + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit fbcafad3b2dd750153596683b9661d140455c6a8 +Author: KenGordon +Date: Sat Jan 28 05:40:34 2023 +0000 + + Fragment COSE Sign1 support. Allows for a fragment presented by the host (#1575) + + to be checked for a good cert chain and a valid issuer DID that matches + the certs and so the signature. Includes DID and COSE Sign1 packages and + tooling. + + Support extracting a DID directly from a COSE Sign1 document and also + support single cert COSE Sign document checking, but not DID generation. + + `signutil` is a debug tool that allows generating valid DID given a + COSE Sign1 document and provides other utility functions like printing + cert chain, leaf certs, displaying COSE Sign1 document content etc. + + 
+ Signed-off-by: Ken Gordon
+
+commit 97875f7585b84c659df80c64e5d6136a0cf6fb9c
+Author: Maksim An
+Date: Fri Jan 27 17:48:06 2023 -0800
+
+ rego: fix slightly incorrect sandbox and hugepage mounts enforcement (#1625)
+
+ Sandbox and hugepage mounts come via CRI config in the form:
+ `sandbox://`, however the existing enforcement and tests
+ expect it to be `sandbox://` which causes a problem during
+ mount enforcement, when the sandbox prefix is replaced with an additional
+ path separator in the end.
+
+ Additionally update policy tests.
+
+ 
Signed-off-by: Maksim An + +commit de1480ae0adaa72945168743f67526730f1de6ca +Author: Matthew A Johnson +Date: Sat Jan 28 00:01:23 2023 +0000 + + API Data and Framework Versioning. (#1622) + + * API Data and Framework Versioning. + + This change adds several features that are necessary to provide stable backwards + compatibility. + + The first deals with how API defaults are specified. + Previously, API default behavior was given in terms of allow/deny, i.e. + + ``` rego + "create_container": {"introducedVersion": "0.1.0", + "allowedByDefault": false} + ``` + + This does not reflect how the API has evolved, in particular the fact that GCS + expects the API to return objects and not a single boolean value. Thus, the + defaults have been updated to be default object values: + + ``` rego + "create_container": {"introducedVersion": "0.1.0", + "default_results": {"allowed": false, + "env_list": null, + "allow_stdio_access": true}}, + ``` + + The resulting default object is then combined with the value returned by the + (older) policy using an object union operation. For example, if the + default is: + + ``` json + { + "allowed": false, + "env_list": null, + "allow_stdio_access": true + } + ``` + + and the value returned by an older policy is: + + ``` json + { + "allowed": true, + } + ``` + + then then the fields of the policy result overwrite the fields of the default + to create the final result: + + ``` json + { + "allowed": true, + "env_list": null, + "allow_stdio_access": true + } + ``` + + As the API stabilizes, it will increasingly be the case that the Framework will + change independently of the API and will need its own SVN. The second major + change this PR incorporates is to add a Framework SVN to fragments and policies + which use the provided framework. This allows us to provide Framework-specific + backwards compatibility behavior. In particular, this allows us to specify + policy object versioning via the new `framework_objects.json` file. 
For example, + the format of the external process object is defined as: + + ``` json + "external_process": { + "command": { + "introduced_version": "0.1.0", + "default_value": null + }, + "env_rules": { + "introduced_version": "0.1.0", + "default_value": null + }, + "working_dir": { + "introduced_version": "0.1.0", + "default_value": null + }, + "allow_stdio_access": { + "introduced_version": "0.1.0", + "default_value": null + } + }, + ``` + + As new elements are added to framework policy objects, reasonable defaults can + be provided here. This has repercussions on policies in a few cases: + + 1. **`framework_svn` is missing.** If the policy or fragment does not define a + Framework SVN, then the framework must thrown an error for any rule which + uses the object defaults, as the behavior is undefined. + 2. **`framework_svn` is ahead of the executing Framework SVN**. Similarly, if + a policy or fragment specifies an SVN which is greater than that of the + executing Framework, they are indicating that they expect a different set of + constraints to be executing and thus we must thrown an error when rules + that uses object defaults are executed. + + Implementing and testing these changes required some minor alterations and + refactoring to the `regopolicyinterpreter`, in particular a method to make + raw Rego queries to facilitate testing the default application process for + candidate policy objects. + + Signed-off-by: Matthew A Johnson + +commit 5bc3c727457b1cbf451579be23efb774d233234e +Author: Maksim An +Date: Fri Jan 27 15:41:59 2023 -0800 + + fix snp-report: fake-report flag is now correctly parsed (#1626) + + Previously `fake-report` flag of `snp-report` binary was incorrectly + handled when report was requested in `binary` format. This PR fixes + the logic. + + 
+ Signed-off-by: Maksim An
+
+commit 3d37452b4863b510f09c2d0d7e89d1134ba69e50
+Author: Sean T Allen
+Date: Fri Jan 27 18:04:08 2023 -0500
+
+ Make LCOWPrivileged annotation more resilient to change (#1628)
+
+ A change to one of these two checks was requested by Hamza as part
+ of https://github.com/microsoft/hcsshim/pull/1624. It was decided
+ to get both instances in their own PR as the change was unrelated
+ to the work in 1624.
+
+ Signed-off-by: Sean T. Allen
+
+commit 9ac9c8b5e511670845d270f98e6361c7bcdfd41a
+Author: Maksim An
+Date: Fri Jan 27 14:53:33 2023 -0800
+
+ rego enforcer: trim whitespaces from fragment namespace name (#1627)
+
+ Signed-off-by: Maksim An
+
+commit aee13c81204ec10db790a947abf57418e117d6d3
+Author: Sean T Allen
+Date: Thu Jan 26 21:36:58 2023 -0500
+
+ Add missing AllowElevated policy check when creating a container (#1624)
+
+ * Add missing AllowElevated policy check when creating a container
+
+ When we added AllowElevated and checked it was working correctly, we
+ got it slightly wrong. When a container is started, we were adding in
+ expected mounts that only happen for privileged containers and
+ using those are mounts that are allowed.
+
+ During testing, if AllowElevated was left off, a privileged container
+ would fail to start seemingly indicating that all was good. However,
+ all was not good.
+
+ A malicious orchestrator with control of the API could create a container
+ privileged that didn't contain any extra "privileged mounts" and the
+ container would start as privileged with everything else that being
+ privileged entails except for the mounts.
+
+ This commit adds an explicit check as part of crete container to verify
+ that is the container is attempting to be started as privileged that it
+ has AllowElevated.
+
+ Maksim and I both thought that this had been implemented. I remember it
+ being implemented. Apparently that memory is incorrect. Either way, it
+ was noticed last Thursday and here's the fix.
+
+ 
+ Signed-off-by: Sean T. Allen
+
+commit 6cd5572970cf7c82813e9c29bf41d9b0bd435977
+Author: kiashok <99994218+kiashok@users.noreply.github.com>
+Date: Thu Jan 26 12:43:52 2023 -0800
+
+ Retain pause.exe as entrypoint for default pause images (#1615)
+
+ Signed-off-by: Kirtana Ashok
+
+ Signed-off-by: Kirtana Ashok
+ Co-authored-by: Kirtana Ashok
+
+commit d6dd825d55450c53167018cbb010546c3aed813f
+Merge: 793fcc58d b74c09ee4
+Author: Kathryn Baldauf
+Date: Tue Jan 17 11:39:24 2023 -0800
+
+ Merge pull request #1597 from katiewasnothere/kabaldau/cleanup_shared_scratch_root_dir
+
+ Add logic to cleanup the oci bundle root dir on container delete
+
+commit 793fcc58ddf5f57d1aa664f2ad87405d07645af5 (tag: v0.10.0-rc.4)
+Author: Seth Hollandsworth
+Date: Tue Jan 10 21:20:11 2023 -0500
+
+ adding tarball support for generating root layer hashes (#1600)
+
+ This will be used in a "clean-room" scenario for use to security policy generation. Clean-room in this instance is for generating a security policy on computers without internet access or the docker daemon (or similar) running.
+
+ The &tag passed in defaults to "latest" if only the image name is passed in. If the value of the tag is nil, the tarball must only have one image in it. Otherwise, many images can be stored in the tarball and be searched by their image name and tag.
+
+ 
Signed-off-by: Seth Hollandsworth + +commit 939de61409982fb7f242a0b89c675c3519f8acbf +Author: Matthew A Johnson +Date: Tue Jan 10 23:46:46 2023 +0000 + + Adding a simulator + regopolicyinterpreter. (#1558) + + * Adding a simulator + regopolicyinterpreter. + + This PR separates all the interaction with Rego into its own extractable package + called `regopolicyinterpreter`. Instead of calling Rego directly, + the `securitypolicy` package now uses this package to implement Rego policies. + Separating out the Rego interpreter behavior in this way allows the same + code to be used by a new `policyenginesimulator` tool, which provides the + ability to simulate security policy execution on the command line. + + `regopolicyinterpreter` exposes various Rego things like modules and metadata + in a typed way to make them easier to work with: + - `RegoPolicyInterpreter` is the main interface + - `RegoModule` is a standalone Rego module that can be included in the + policy execution. There are `AddModule` and `RemoveModule` methods for + modifying the interpreter to include various modules. + - `RegoQueryResult` wraps the results that come from the Rego policy with + some useful methods for extracting scalar data types + (i.e. `bool`/`int`/`float`/`string`) + - `EnableLogging` provides a way to get multiple levels of policy logging + for debugging purposes, ranging from `Info`, which will output prints that + come from the Rego policy itself, to `Metadata`, which will dump the + entire policy metadata structure to the log with each interaction. This is + primarily intended for offline use (e.g. by the simulator). + + The `policyenginesimulator` tool uses `RegoPolicyInterpreter` to simulate + policy enforcement. 
Usage: + + ``` + -commands string + commands JSON + -data string + initial data state + -log string + log path + -logLevel string + None|Info|Results|Metadata (default "Info") + -policy string + policy Rego + ``` + + The commands JSON allows the user to specify the type and order of the commands + send by the host to the guest that will interact with the simulated policy, for + example: + + ``` json + [ + { + "name": "load_fragment", + "input": { + "issuer": "did:web:contoso.github.io", + "feed": "contoso.azurecr.io/custom", + "namespace": "custom", + "local_path": "custom.rego" + } + }, + { + "name": "mount_device", + "input": { + "target": "/mnt/layer0", + "deviceHash": "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415" + } + }, + { + "name": "mount_overlay", + "input": { + "target": "/mnt/overlay0", + "containerID": "container0", + "layerPaths": [ + "/mnt/layer0" + ] + } + }, + { + "name": "create_container", + "input": { + "containerID": "container0", + "argList": [ + "/pause" + ], + "envList": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm" + ], + "mounts": [], + "workingDir": "/", + "sandboxDir": "/sandbox", + "hugePagesDir": "/hugepages" + } + } + ] + ``` + + Signed-off-by: Matthew A Johnson + +commit cbdbb48891f7980fddd944dff754d5b6ada8763b +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Jan 10 16:32:21 2023 -0500 + + Remove goversioninfo from tools.go (#1616) + + Go includes dependencies in tools.go as an indirect + dependency when other packages import hcsshim. + Remove `github.com/josephspurrier/goversioninfo/cmd/goversioninfo` + since upstream consumers shouldn't need it. + + Signed-off-by: Hamza El-Saawy + + 
Signed-off-by: Hamza El-Saawy + +commit ec4f89691a6115ad0c70ec9c224703c8809cfe9c +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Jan 10 15:47:01 2023 -0500 + + Add 20H2 container image to test constants (#1611) + + Add 20H2 container to testing constants for completeness, since mcr has + corresponding nanoserver and servercore images. + + Add test constants with codenames (RS5, 20H1, etc.) and server LTSC + builds to make selection easier. + + Update `"osversion"` constants with 22H2 for Windows 10 & 11. + + Add aliases in `"osversion"` for version numbers and LTSC server builds + to ease confusion between build code names and versions. + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit 5cfbc2ac27e4aa4c2559a1bc7d0e4687e9279352 +Author: kiashok <99994218+kiashok@users.noreply.github.com> +Date: Mon Jan 9 09:45:11 2023 -0800 + + wcow: support graceful termination of servercore containers (#1416) + + * This commit includes the changes to enable graceful termination of WCOW containers + + Signed-off-by: Kirtana Ashok + + * Added regression tests for nanoserver and servercore base images + + Signed-off-by: Kirtana Ashok + + * Worked on Kevin's review comments + + Signed-off-by: Kirtana Ashok + + * Fixed lint failures + + Fixed lint errors caused by spelling mistakes in hcsdoc_wcow.go and stopcontainer_test.go + + Signed-off-by: Kirtana Ashok + + * Addresses Kevin's review comments + + Signed-off-by: Kirtana Ashok + + Signed-off-by: Kirtana Ashok + + 
Signed-off-by: Kirtana Ashok + Co-authored-by: Kirtana Ashok + +commit 6547959343d65e0cf431dd9d589f45ee2b98172c +Author: Maksim An +Date: Wed Jan 4 16:37:21 2023 -0800 + + policy: do not set policy to open door if none is provided (#1572) + + Currently hcsshim is setting an allow all open door policy if + no security policy has been provided. + On the host side, the security policy is hashed and used as + HostData when starting an SNP-uVM. However, guest receives the + aforementioned "open_door" policy and computes hash over it. + As a result, this has doesn't match the LaunchData which is + returned by the attestation report and rightfully so, GCS + rejects the security policy. + + Fix this by not special handling empty security policy on the + host side and let the guest decide what to do with it, thus + ensuring that both host and guest compute the hash over the + same thing. + + Signed-off-by: Maksim An + +commit 5d23454aac07459fe9c614709d98e65a4958d7dd +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Dec 28 13:27:14 2022 -0500 + + Updating dependencies (#1607) + + Combination of dependabot PRs: mostly to deal with running `go tidy` in + test updating root `go.mod`. + + PRs: + 1579 + 1580 + 1587 + 1598 + 1602 + + Signed-off-by: Hamza El-Saawy + + 
+ Signed-off-by: Hamza El-Saawy
+
+commit 0b8319a721ceef568157c20e5b75db88a9f6570c (tag: v0.10.0-rc.3)
+Merge: 9782dee21 5fc00c5ee
+Author: kiashok <99994218+kiashok@users.noreply.github.com>
+Date: Mon Dec 12 10:08:32 2022 -0800
+
+ Merge pull request #1601 from kiashok/memLeakShim
+
+ Remove blocking on container exit for every new exec created
+
+commit 5fc00c5eeb3a6e909be65bfdb7df6e26575dd182 (hcsshim/memLeakShim)
+Author: Kirtana Ashok
+Date: Fri Dec 9 12:16:51 2022 -0800
+
+ Remove blocking wait on container exit for every exec created
+
+ Commit fixes the memory leak seen in the shim.
+ It removes creation of channel that waits on container exit
+ for every new exec. Instead, the container wait channel is exposed
+ through WaitChannel() function which callers can use to decide
+ if container has exited or not.
+
+ 
Signed-off-by: Kirtana Ashok + +commit 9782dee21cf90d55a6fff7e8744d53603f9a2b57 +Author: Matthew A Johnson +Date: Wed Dec 7 18:26:16 2022 +0000 + + Add ability in policy to allow/disallow access to stdio (#1594) + + This commit adds the ability of policy at the time of create container to + allow or disallow access to standard io for that container. And on the + external process side, if an external process is allowed to access standard + io. + + This is done in the same way as dropping environment variables is implemented. + At policy enforcement time, policy will indicate if standard io access is + allowed as part of the create being allowed. So like with environment variables + where it is "allow, but only with these environment variables" now we also have + "allow, but do not allow standard io access". + + Turning off standard io for containers in a way that didn't break some expectation + within the hcs/gcs relationship turned out to be remarkably difficult. Maksim and + I tried a couple different approaches before settling on the approach of creating + a new transport for handling the disallowed standard io access case. + + One of the things we had attempted was to have special TTY and PipeRelays. However, + we abandonded that approach as it resulted in a ton of duplicated code. + + The "devnull transport approach" that this commit implements doesn't result in + duplicated code. And most importantly, has been able to pass testing and not + result in bugs somewhere else in the gcs/hcs relationship. + + When work was started on this, we expected this to take a few days to get correct. + It turned out to take several weeks because the hcs/gcs standard io relationship + is filled with expectations and invariants that aren't documented and are spread + throughtout the code. Maksim and I settled on this approach as we felt it had the + lowest overhead for maintenance and was the least likely going forward to introduce + sublte bugs while passing current testing. 
+ + Signed-off-by: Sean T. Allen + +commit 3e090b05a82c0e226e26c0d1e2ae89d336d7ff69 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Dec 6 21:04:03 2022 -0500 + + Prevent stopping exited HCS systems and processes (#1567) + + Add checks to `hcs.System` to prevent attempting to shutdown or + terminate a compute system that has already been stopped. + The same checks could be added to other operations (eg, pause, start, + resume) but it is unclear what error should be returned in those + situations, so those operations are left untouched. + + Add checks to `hcs.Process` to prevent attempting to kill a + stopped process. + Although `hcs.Process` differs from `hcs.System` in that the latter + returns an error if the system is already stopped or closed, but the + former does not. + Therefore, `(*Process).Kill` returns `ErrProcessAlreadyStopped`, which + is the expected error in `(*hcsExec).Kill`. + + Finally, an additional check is added to `(*Process).CloseStdin` to skip + sending a modify request to the process to close stdin if the process + has already been stopped. + (And creating a span, similar to `(*Process).CloseStd(out|err)`). + + The motivation for this came from `(*UtilityVM).Close()` calling + `Terminate` on the compute system, even if the uVM was already killed + prior. + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit 734a0ed8dff0112ce3a12a0f4b892e1a5095eca6 (tag: v0.10.0-rc.2) +Author: Maksim An +Date: Mon Dec 5 17:05:25 2022 -0800 + + plumb AMD certs to workload containers (#1549) + + confidential containers: Add AMD cert plumbing + + Add logic to plumb AMD certificates to workload containers. The + assumption is that the certificates will be "fresh enough" for + necessary attestation and key release by the workflow and third + party services. + + Additionally add error logging when UVM reference info file + is not found + + 
Signed-off-by: Maksim An + +commit b74c09ee4282811c8274887dc9ecd4c43de1473d +Author: Kathryn Baldauf +Date: Tue Nov 29 14:19:40 2022 -0800 + + Add logic to cleanup the oci bundle root dir on container delete + + Signed-off-by: Kathryn Baldauf + +commit 1233dd1ef26f501dd94e1690efa3d906fd4ebbf9 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Dec 5 11:37:20 2022 -0500 + + Bump golang.org/x/sys from 0.1.0 to 0.2.0 in /test (#1596) + + Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.1.0 to 0.2.0. + - [Release notes](https://github.com/golang/sys/releases) + - [Commits](https://github.com/golang/sys/compare/v0.1.0...v0.2.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/sys + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit e4e797810bf5487cb2ee8e4fdc7d32e5e9e7c02d +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri Dec 2 15:12:53 2022 -0500 + + Bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 (#1583) + + * Bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 + + Bumps [github.com/cenkalti/backoff/v4](https://github.com/cenkalti/backoff) from 4.1.3 to 4.2.0. + - [Release notes](https://github.com/cenkalti/backoff/releases) + - [Commits](https://github.com/cenkalti/backoff/compare/v4.1.3...v4.2.0) + + --- + updated-dependencies: + - dependency-name: github.com/cenkalti/backoff/v4 + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + + * test vendor + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: dependabot[bot] + 
Signed-off-by: Hamza El-Saawy + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Hamza El-Saawy + +commit 73c4f943560f36d949c42714f529d735c7aad7b5 +Author: Hamza El-Saawy +Date: Fri Dec 2 13:55:48 2022 -0500 + + test vendor + + Signed-off-by: Hamza El-Saawy + +commit 6758a4803abd5cc90b888357cb6c9737648ce800 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Wed Nov 30 16:50:01 2022 +0000 + + Bump github.com/BurntSushi/toml from 0.4.1 to 1.2.1 + + Bumps [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) from 0.4.1 to 1.2.1. + - [Release notes](https://github.com/BurntSushi/toml/releases) + - [Commits](https://github.com/BurntSushi/toml/compare/v0.4.1...v1.2.1) + + --- + updated-dependencies: + - dependency-name: github.com/BurntSushi/toml + dependency-type: direct:production + update-type: version-update:semver-major + ... + + Signed-off-by: dependabot[bot] + +commit b4e97dfcfa02d77674b3e8b25e93ca9716e0f307 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Dec 2 13:39:36 2022 -0500 + + Upgrade test module to go1.18 (#1593) + + Keeping test module at 1.17 causes issues when running `go mod tidy`, + due to incompatibilities with how go 1.17 and 1.18 resolve dependencies. + + Upgrading to 1.18 resolves this. + + Signed-off-by: Hamza El-Saawy + + 
Signed-off-by: Hamza El-Saawy + +commit fee9b0316c6d598883b3651f08cee75165d2e1a1 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Dec 1 15:51:21 2022 +0000 + + Bump github.com/google/go-containerregistry in /test + + Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.11.0 to 0.12.1. + - [Release notes](https://github.com/google/go-containerregistry/releases) + - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) + - [Commits](https://github.com/google/go-containerregistry/compare/v0.11.0...v0.12.1) + + --- + updated-dependencies: + - dependency-name: github.com/google/go-containerregistry + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + +commit 241d35108fd98c5d686040db6c16c72a4f1acc62 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Dec 1 10:50:09 2022 -0500 + + Bump go.opencensus.io from 0.23.0 to 0.24.0 in /test (#1578) + + Bumps [go.opencensus.io](https://github.com/census-instrumentation/opencensus-go) from 0.23.0 to 0.24.0. + - [Release notes](https://github.com/census-instrumentation/opencensus-go/releases) + - [Commits](https://github.com/census-instrumentation/opencensus-go/compare/v0.23.0...v0.24.0) + + --- + updated-dependencies: + - dependency-name: go.opencensus.io + dependency-type: direct:production + update-type: version-update:semver-minor + ... + + Signed-off-by: dependabot[bot] + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 47fbd9fbac3653d9163db9209fddadfcc0a6807b +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Dec 1 10:48:40 2022 -0500 + + Bump actions/download-artifact from 2 to 3 (#1577) + + Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2 to 3. + - [Release notes](https://github.com/actions/download-artifact/releases) + - [Commits](https://github.com/actions/download-artifact/compare/v2...v3) + + --- + updated-dependencies: + - dependency-name: actions/download-artifact + dependency-type: direct:production + update-type: version-update:semver-major + ... + + Signed-off-by: dependabot[bot] + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 2084da8634cc910e763f1feb4d9b4f962a0bcb2d +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Nov 30 11:49:00 2022 -0500 + + Reduce dependabot update schedule (#1588) + + Change dependebot to only check for updates on Sundays, and to ignore + patch version updates (ie, `a.b.c` -> `a.b.d` will not trigger a PR). + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit be0124affc16011cc8173db4d6ea435dd6887348 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Wed Nov 30 15:23:32 2022 +0000 + + Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 in /test + + Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. + - [Release notes](https://github.com/stretchr/testify/releases) + - [Commits](https://github.com/stretchr/testify/compare/v1.8.0...v1.8.1) + + --- + updated-dependencies: + - dependency-name: github.com/stretchr/testify + dependency-type: direct:production + update-type: version-update:semver-patch + ... + + 
Signed-off-by: dependabot[bot]
+
+commit eb84160fba24bdbee1170055c284bd27008c858e
+Author: Marat Radchenko
+Date: Wed Nov 30 18:22:11 2022 +0300
+
+ Set up dependabot (#1319)
+
+ Dependabot automatically creates PRs for updated dependencies and tracks security vulnerabilities.
+
+ Signed-off-by: Marat Radchenko
+
+ Signed-off-by: Marat Radchenko
+
+commit 07a19e32a69b71f2bb8a6dc32311a5d1dbe32dc3
+Author: Matthew A Johnson
+Date: Tue Nov 29 07:47:29 2022 +0000
+
+ Adding some missing policy elements from the templates. (#1571)
+
+ When encrypted scratch was added the policy and open door templates were
+ not updated properly, i.e. the SVN was not incremented and
+ `scratch_mount` and `scratch_unmount` were not added to the open
+ door template. I've added a test which will keep this from happening
+ in the future.
+
+ Signed-off-by: Matthew A Johnson
+
+commit b8d0273e29cd938cf3fba70f8fd10ae591153b9c
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Nov 21 14:40:44 2022 -0500
+
+ [test]CRI initialization (#1566)
+
+ Add function for restart tests to wait for CRI plugin to be fully
+ initialized before continuing to prevent subsequent tests failing with:
+
+ `rpc error: code = Unknown desc = server is not initialized yet`
+
+ `waitForCRI` waits for a specified timeout, periodically sending `Version`
+ gRPC requests until either a successful response returns, timeout is
+ reached, or another error besides `not initialized yet` is returned.
+
+ cri-containerd restart tests pass
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit f83cc58000f01497bbf6d057f0b29b6889235fc6
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Thu Nov 17 17:29:27 2022 -0500
+
+ [test]Add feature for CRI plugins (#1565)
+
+ Signed-off-by: Hamza El-Saawy
+
+ 
Signed-off-by: Hamza El-Saawy
+
+commit a67a79a3bbc8cc16100163b9bd5edcf9ab6d4648
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Nov 16 08:52:20 2022 -0500
+
+ [test]logging and tracing to stdout (#1563)
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 838b9412700cce69d7439ad9138c3f74c9dbb617
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Nov 16 08:50:34 2022 -0500
+
+ Update CI actions (#1564)
+
+ Update `actions/checkout`, `actions/setup-go`, and
+ `actions/upload-artifact` to version 3.
+ Version 2 of the actions uses a deprecated version of node.js,
+ and raises the following warning in the CI:
+
+ ```
+ Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.
+ ```
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 1d141fa345d7aee273d20cace71639a1aa20cf14
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Nov 14 21:05:46 2022 -0500
+
+ test/functional: Add flag for container layer paths, remove containerd dependence (#1536)
+
+ * Add flag for container layer paths
+
+ Add lcow/wcow layer paths flag to allow providing image layer paths
+ instead of requiring containerd to pull and unpack it.
+
+ The goal is to allow functional tests to be run without requiring
+ containerd to be installed.
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: logging, cleanup, naming.
+
+ Changed `(LazyImageLayers).ImageLayers` to `(LazyImageLayers).Layers`.
+ `(LazyImageLayers).Close` now returns an error.
+ Comment cleanup.
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: replace LayerFolders and docker
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: unpack individual LCOW layers, comments
+
+ Signed-off-by: Hamza El-Saawy
+
+ 
Signed-off-by: Hamza El-Saawy
+
+commit acd87d590bb7b382fdb6d78128b705314205f8ba
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Nov 14 17:22:00 2022 -0500
+
+ race condition with exitCh in `(*UtilityVM).Start()` (#1562)
+
+ `(*UtilityVM).acceptAndClose()` waits on `(*UtilityVM).exitCh`, but
+ `exitCh` is not created until after the goroutines with the
+ `acceptAndClose` calls are launched, causing a potential race
+ condition.
+
+ Functional and cri-containerd tests pass.
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 60598f8aa3e703c39b65d5fc3176c81c8a0937f9
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Fri Nov 11 15:01:41 2022 -0500
+
+ uVM timeout handling and logging improvement (#1561)
+
+ `(*UtilityVM).Start` was using a potentially timed-out context for its
+ terminate, which can cause the terminate to immediately error and not
+ log the correct status of the operation.
+
+ Additionally `(*UtilityVM).Start` sets a 2 minute timeout on the context
+ it ultimately passes to `"vmcompute".execute`, which silently overrides
+ the timeout execute uses.
+ Improved logs to report correct timeout.
+
+ Spelling fix.
+ Shortened long lines.
+
+ 
Signed-off-by: Hamza El-Saawy
+
+commit 0a55db758b045b9a9d4d005edcb169e0febbe2a1
+Author: Maksim An
+Date: Sun Nov 6 14:18:50 2022 -0800
+
+ rego and hardening: add enforcement and hardening for encrypted scratch (#1538)
+
+ * rego and hardening: add enforcement and hardening for encrypted scratch
+
+ The request to encrypt scratch comes from the host, but in confidential
+ scenario, the host cannot be trusted and it may attempt to mount the
+ read-write overlay of a container under an unencrypted path or omit the
+ encryption request altogether.
+
+ To address the issue, add `scratch_mount`, `scratch_unmount` enforcement
+ points and `allow_unencrypted_scratch` policy config, which can be used
+ to (you guessed it) allow containers to run with unencrypted scratch.
+
+ Since the request to add encrypted read-write scratch disk and mounting
+ container overlayfs come at different times, we also introduced minimal
+ (for now) hardening around adding read-write devices to the UVM. We
+ record the mounted read-write devices when they arrive and at the time
+ of adding overlayfs we check if the scratch path encrypted or not and
+ validate against the policy before enforcing overlay policy.
+
+ The policy config can be set at the top level, e.g.:
+ ```
+ allow_unencrypted_scratch := true
+
+ containers := [...]
+ ```
+
+ The `scratch_mount` enforcement point takes an input with the following
+ members:
+ ```
+ {
+ "target": "",
+ "encrypted": [true|false],
+ }
+ ```
+
+ Add `/internal/guest/runtime/hcsv2/uvm_state.go`, which adds a new
+ `hostMounts` struct which keeps track of mounted RW devices. This can
+ be extended in the future for more GCS hardening purposes, e.g. overlay,
+ RO layer mounts and other container lifecycle management. 
+
+ * crypt package refactor and adding more unit tests
+
+ * tests: add e2e tests for scratch encryption policy
+
+ * export and rename fetchActualControllerNumber
+
+ As part of enforcing encrypted scratch policy, we need to make
+ sure that the source matches. To figure out the source for a
+ SCSI attachment we need to first find the actual controller number
+ where the SCSI is presented, which can be different from what hcsshim
+ has requested originally.
+ Rename and export `fetchActualControllerNumber` as `ActualControllerNumber`
+ and figure out the correct controller before calling to scsi Mount/Unmount.
+ Remove wrappers and update unit tests.
+
+ Signed-off-by: Maksim An
+
+commit eb6202703fe4d42af0941c64ae8c46178c6cd7e5
+Author: Maksim An
+Date: Thu Nov 3 08:25:57 2022 -0700
+
+ fix: wrong assignment after enforcing a policy (#1559)
+
+ 
Signed-off-by: Maksim An
+
+commit 0f0c8949fd2a6633d32c8ff27740a402174dc93f
+Author: Matthew A Johnson
+Date: Tue Nov 1 15:10:22 2022 +0000
+
+ Drop unmatched environment variables. (#1550)
+
+ * Drop unmatched environment variables.
+
+ This adds a `allow_environment_variable_dropping` flag to `data.policy`
+ which allows the framework, if set, to try to drop environment variables
+ if there are no matching containers/processes. This is an important
+ aspect of serviceability, as it will allow customer policies to be
+ robust to the addition of extraneous environment variables which are
+ unused by their containers. Note throughout this that the existing logic
+ of `required` environment variables holds. The logic used is the
+ following:
+
+ 1. Produce a set $A$ of valid environment variable subsets for each
+ entity (e.g. container, process)
+ 2. All subsets which share the maximum cardinality from $A$ form a
+ subset $B \subseteq A$
+ 3. If $\bigcup B = \bigcap B$, return $B$
+ 4. Else, return undefined
+
+ The resulting subset of environment variables is then used to determine
+ the matching containers. This may be best explained via an example.
+ We have three containers with the following sets of environment
+ variables:
+
+ $$
+ c_0 = \{a, b\} \\
+ c_1 = \{a, b, c\} \\
+ c_2 = \{a, b, c, d\}
+ $$
+
+ If the host requests to start a container with $[a, b, c, d, e]$ then,
+ without dropping environment variables, the request will be denied.
+ However, if variables are allowed to be dropped, then we could
+ potentially match any of these containers:
+
+ $$
+ A = \{[a, b], [a, b, c], [a, b, c, d]\} \\
+ $$
+
+ however, the cardinality rule means that we will choose:
+
+ $$
+ B = \{[a, b, c, d]\}
+ $$
+
+ As (in this case) $\bigcup B = \bigcap B$ is trivially true, we return
+ $[a, b, c, d]$ as the new set of environment variables, which will then
+ match with $c_2$. 
+
+ If, however, we had one more conatainer:
+
+ $$
+ c_3 = \{a, b, c, e\}
+ $$
+
+ Then we get a very different result. As before, the request would be
+ denied if dropping environment variables is allowed. If allowed, though,
+ we get the following:
+
+ $$
+ A = \{[a, b], [a, b, c], [a, b, c, d], [a, b, c, e]\} \\
+ B = \{[a, b, c, d], [a, b, c, e]\} \\
+ \bigcup B = [a, b, c, d, e] \\
+ \bigcap B = [a, b, c] \\
+ $$
+
+ As we can see, $\bigcup B \neq \bigcap B$ and so the result is
+ undefined. This is because, at this stage, we cannot choose between
+ these two containers fairly.
+
+ Signed-off-by: Matthew A Johnson
+ Signed-off-by: Matthew Johnson (MSRC)
+
+commit 89ce12811f39d37f14282e3b9726c5fa61590332
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Oct 31 19:12:24 2022 -0400
+
+ Update LCOW boot file paths used in tests (#1551)
+
+ * Update LCOW boot file paths
+
+ Tests may run in a folder other than `C:\ContainerPlat`.
+ Update default LCOW Options generated for tests to look for directory
+ `containerd.exe` is in (or look for `C:\ContainerPlat\LinuxBootFiles`
+ and prefer those over `C:\Program Files\LinuxBootFiles`.
+
+ This was causing `Test_RunPodSandbox_MultipleContainersSameVhd_LCOW`
+ tests to fail.
+
+ Also, separated out uVM/hcshim debug logs from verbose test settings, so
+ enabling `test.v` only affects test `Log` statements and does not cause
+ all internal (logrus`) logs to be output.
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: check paths, remove LazyString
+
+ Signed-off-by: Hamza El-Saawy
+
+ * adding VM cleanup
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 6c21874b5ea7d058ba978f0aca67de5808370d2a
+Author: Maksim An
+Date: Sat Oct 29 13:45:33 2022 -0700
+
+ Change the default policy stance to "allow" and fix logging (#1553)
+
+ logrus uses `os.Stderr` by default, so setting output to
+ `os.Stdout` resulted in no GCS logs being relayed.
+
+ 
Signed-off-by: Maksim An
+
+commit febe69b1d5e715e8d9694d504cd76f28971ce752
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Fri Oct 28 19:30:31 2022 -0400
+
+ Pass ipv6 address information to Linux GCS (#1552)
+
+ * Pass ipv6 address information to Linux GCS
+
+ Currently, HCN endpoint ipv6 settings are not passed into the Linux
+ guest, so containers will not be assigned their ipv6 addresses.
+
+ Update shim to forward that information into the guest, add updates
+ the guest to assign both sets of addresses.
+ Added tests for ipv6 functionality.
+
+ Signed-off-by: Hamza El-Saawy
+
+ * PR: vestigial comment, logging
+
+ Signed-off-by: Hamza El-Saawy
+
+ 
Signed-off-by: Hamza El-Saawy
+
+commit 2eafb0bf5fdd74e2911a20d3e11fe75f02c54a64
+Author: Matthew A Johnson
+Date: Mon Oct 24 20:36:57 2022 +0100
+
+ Adding policy fragments. (#1539)
+
+ * Adding policy fragments.
+
+ This PR adds the ability for an authored security policy to be expanded at
+ runtime with policy fragments. It focuses purely on the policy enforcement
+ aspect, which assumes that the fragments which the guest is asking to load have
+ been verified to have been obtained from the issuer and feed specified.
+
+ The `load_fragment` enforcement point takes an input with the following members:
+
+ ``` json
+ {
+ "issuer": "",
+ "feed": ""
+ }
+ ```
+
+ Also, for the purpose of this call, the fragment is loaded as a module.
+ The result is of the form:
+
+ ``` json
+ {
+ "allowed": true
+ "add_module": true
+ }
+ ```
+
+ If the value of `add_module` is `true`, then the fragment will continue to be
+ loaded as a module for all future executions.
+
+ In the case that the authored security policy uses the framework, there are a
+ variety of ways in which a policy can quickly and easily incorporate elements
+ from fragments. First, the policy defines a list of `fragments` which they
+ are willing to include:
+
+ ``` rego
+ fragments := [
+ {
+ "iss": "",
+ "feed": "",
+ "minimum_svn": "",
+ "includes": []
+ },
+ # ...other fragments
+ ]
+ ```
+
+ This allows the author to quickly indicate the fragments they are willing to
+ use, what minimum version of that fragment is required, and further specify
+ what to include:
+
+ - `containers`: include all of the containers in the fragment for use in policy
+ enforcement
+ - `fragments`: include all of the fragments in the fragment. 
This allows
+ fragments to themselves include fragments (with the policy
+ author's explicit consent)
+ - `external_processes`: include the external processes from the fragment
+ - `namespace`: this indicates that `add_module` should be set to true
+
+ For most common use cases, this means that the fragment only needs to be loaded
+ once (during the call to `load_fragment`) so that the included entities can be
+ extracted, after which the policy can execute without them.
+
+ 
Signed-off-by: Matthew A Johnson
+
+commit a1b68c584e9b91e82f78ede14bb05a172d92bb07
+Author: Sean T Allen
+Date: Wed Oct 19 12:02:14 2022 -0400
+
+ Add enforcement of logging from the GCS runtime (#1545)
+
+ In order to provide a confidential environment for confidential containers,
+ we need to provide a means for customers to control information that will
+ leave the UVM running their code. A key means for information to leave the
+ UVM is via logging.
+
+ There's no guarantee that logging will leak information that the customer
+ considers confidential. There's no guarantee that it won't. To address this
+ issue, we are adding 2 additional enforcement points for policy related to
+ logging.
+
+ The first, which is this commit, is to allow control over logging coming
+ from GCS itself. The second which will come in another commit is to
+ allow control over logging from containers.
+
+ For GCS logging, we have exposed it in policy as the name "runtime logging"
+ as we don't feel that "GCS" will be particularly meaningful to the average
+ policy writer.
+
+ The new enforcement point is used to decide if logging is allowed at all.
+ Once we receive a policy, we check to see if GCS logging is allowed or denied.
+ If denied, then we set the logging output for the logrus object used by GCS
+ to be a blackhole. Otherwise, we set it to either stdout or a file depending
+ on the options that GCS was started with.
+
+ Logging before we receive policy is controlled via a flag that is set on
+ GCS startup for what our default policy position should be before a policy
+ arrives, either "allow" or "deny". This initial policy stance flag is used
+ to set the initial logrus output target and to create the "default" policy
+ enforcer used until a policy arrives over the standard GCS API.
+
+ In GCS's main method, we do not use the enforcer but instead select an enforcer
+ and the logging target based on the flag. 
We made this design decision as
+ Maksim felt strongly that the ideal goal for policy is as "middleware" that
+ operates only at the bridge/host level of GCS and not elsewhere including not
+ prior to the bridge and host objects being created.
+
+ Signed-off-by: Sean T. Allen
+
+commit a78617af6795e76452f91a51ad032595959ee9b0
+Author: Maksim An
+Date: Tue Oct 18 09:22:41 2022 -0700
+
+ remove pod startup fragment functionality (#1544)
+
+ This reverts changes introduced in microsoft/hcsshim#1521.
+
+ Signed-off-by: Maksim An
+
+commit 875a40e6b05f63a66b1ebecd6f23cbac811946db
+Author: Matthew A Johnson
+Date: Thu Oct 13 22:51:36 2022 +0100
+
+ Adding DumpStacks policy enforcement point. (#1543)
+
+ DumpStacks allows access to guest stacks. Can be used for debugging etc.
+ This gates it with a simple yes/no for policy.
+
+ Signed-off-by: Matthew A Johnson
+ Co-authored-by: Sean T. Allen
+
+commit a72cbcd1ca7372a9ce3916b6e2b2c473d762df52
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Wed Oct 12 17:53:14 2022 -0400
+
+ lint ext4 folder for linux (#1537)
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 53faf237449d725a32d6be39385bb09e384f6273
+Author: Matthew A Johnson
+Date: Wed Oct 12 06:57:45 2022 +0100
+
+ Adding GetProperties policy enforcement point. (#1542)
+
+ GetProperties allows getting information about what is running. This is related to debugging
+ etc. This gates it with a simple yes/no for policy. This might be used for getting stats.
+
+ 
Signed-off-by: Sean T. Allen
+ Co-authored-by: Sean T. Allen
+
+commit c2a1cd9a8ff9f9dd0095bd4065456792b9905e71
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Tue Oct 11 11:17:50 2022 -0700
+
+ Add support for generating guest crash dumps (#1516)
+
+ * Add support for generating guest crash dumps
+
+ Adds a new annotation that can provide a path of the directory in which the guest crash dumps will be
+ generated if the guest crashes. Just providing a valid path for this annotation will automatically enable the
+ crash dumps. The dump files for each UVM will be created with the UVM ID as the prefix in the filename for
+ easier identification.
+
+ Signed-off-by: Amit Barve
+
+commit 5e27a9bba1c44e248962c8bb347c611c90ccf89e
+Author: Matthew A Johnson
+Date: Fri Oct 7 02:54:32 2022 +0100
+
+ Add policy enforcement for overlay unmounting (#1535)
+
+ We previously weren't doing any enforcement around whether an overlay should be allowed
+ to be unmounted. The initial logic is very simple and matches our device unmounting logic:
+
+ only allow an unmount if we've seen a mount.
+
+ When we get to the hardening PRs, we'll want to revisit this basic rule and decide if
+ we want to make it more vigorous in policy or if we want to put all hardening in GCS
+ or some mixture in-between. That's a design discussion we'll need to have.
+
+ Signed-off-by: Sean T. Allen
+ 
Signed-off-by: Matthew A Johnson
+ Co-authored-by: Sean T. Allen
+
+commit a6859d95a45b5b3c9a5c01c1f8e79e6c9d1fdd9b
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Thu Oct 6 17:49:30 2022 -0400
+
+ Add `t.Helper` calls, testing linter (#1534)
+
+ Add `t.Helper()` calls to testing helpers so the correct test name and
+ line number is shown during logs
+ [ref](https://pkg.go.dev/testing#B.Helper).
+
+ Add [`thelper`](https://github.com/kulti/thelper) linter to settings to
+ make sure testing helpers correctly call `t.Helper`.
+
+ Renamed `t testing.TB` to `tb testing.TB` to satisfy `thelper`.
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 7fe1fa68839d222986385dabf7f8bd1fe7afa9a9
+Author: Matthew A Johnson
+Date: Thu Oct 6 06:31:55 2022 +0100
+
+ Add policy enforcement of mounting and unmounting plan9 devices (#1531)
+
+ Plan9 mounts affect two separate enforcement points. The first is the point
+ at which a plan9 mount is mounted from the host to the guest. These mount points
+ (called `uvmPathForShare`) have a very constrained format. The enforcement point
+ for this (which is being added by this PR) is `plan9_mount`, with a matching
+ `plan9_unmount`. The second is `create_container`, which can contain mounts
+ which use a plan9 `uvmPathForShare` as a source and make it available to the
+ container.
+
+ The `plan9_mount` enforcment point determines if the `target` is a valid
+ `uvmPathForShare`. The `plan9_unmount` enforcement point checks that the
+ item to be unmounted is currently mounted. Finally, there is a new
+ `mount_ok` rule which handles the plan9 case.
+
+ Signed-off-by: Sean T. Allen
+ 
Signed-off-by: Matthew A Johnson
+ Co-authored-by: Sean T. Allen
+
+commit 05b973dcfd091fbdd9c6c2f2aea7b75c2b91afd6
+Author: Maksim An
+Date: Wed Oct 5 10:10:20 2022 -0700
+
+ set confidential UVM options during UVM start (#1533)
+
+ To make the interface cleaner for cases when security policy isn't
+ required, call to `SetConfidentialUVMOptions` within `Start`.
+ When no enforcer or policy are supplied GCS will initialize an
+ open door enforcer.
+
+ UtilityVM object now holds the confidential options to use them
+ during `Start`.
+
+ By default the UVM reference is expected to be located at the
+ directory as the shim executable rather than under linux boot files.
+ This has been done to avoid holding this information on the UVM
+ object.
+
+ `uvmboot` has been updated to take a `security-policy-enforcer`
+ parameter.
+
+ Signed-off-by: Maksim An
+
+commit ad0d5a7b6315e777c88e7adb013be46aac7b83fb
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Fri Sep 30 16:47:00 2022 -0400
+
+ Vendor go generate binaries, update CI (#1433)
+
+ Added `go generate` job to the CI to verify that generated files are up
+ to date.
+
+ Added `goversioninfo` to `tools.go` so that it is also vendored and run
+ locally.
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit a2a86cef70a85e7b9a3597d3f6dca6523e40b2b4
+Author: Matthew A Johnson
+Date: Thu Sep 29 16:28:51 2022 +0100
+
+ Ignoring unneeded fields in JSON policy marshalling. (#1530)
+
+ The `ExecProcesses` and `Signals` fields on `Container`, which are needed for newly added enforcement points,
+ were not being ignored during JSON marshalling. These values should not be included in the marshalled object
+ because the new enforcement points that require them are not implemented for the
+ `StandardSecurityPolicyEnforcer` which uses the JSON representation for policies.
+
+ Signed-off-by: Matthew A Johnson
+
+ 
Signed-off-by: Matthew A Johnson
+
+commit 045973d3f378819cd50219b19c5be6484c8d7952
+Merge: a30ed8c66 e4d9824e8
+Author: Kathryn Baldauf
+Date: Thu Sep 29 00:29:04 2022 -0700
+
+ Merge pull request #1452 from katiewasnothere/ipv6_ncproxy
+
+ Changes to support ipv6 in ncproxy
+
+commit e4d9824e84ccbae8ebbc3b54282d2feecee81921
+Author: Kathryn Baldauf
+Date: Mon Aug 29 22:13:51 2022 -0700
+
+ Add syso files for ncproxy
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 7f82411f9ad110259d1350fa28cc81b4802a3bc1
+Author: Kathryn Baldauf
+Date: Thu Mar 10 22:22:29 2022 -0800
+
+ Changes to support ipv6 in ncproxy
+ * Update proto file and dependencies
+ * Update hcn code paths to return dual stack info
+ * Update hcn ncproxy tests with dual stack scenarios
+
+ Signed-off-by: Kathryn Baldauf
+
+commit a30ed8c6664b284d28e3a895a2ea8dbd7d341e2e
+Author: Maksim An
+Date: Wed Sep 28 22:15:02 2022 -0700
+
+ fix create-scratch and other `runhcs` subucommands (#1528)
+
+ `runhcs` subcommands were missing a call to `SetConfidentialUVMOptions`
+ after the uVM has been booted. This results in closed door policy
+ to be set for all UVM operations, including (now) execs into UVM.
+ Previously the exec would succeed, UVM exited and we had our scratch.
+
+ Additionally GCS has been updated to set the policy to "open door" when
+ both enforcer and security policy options are empty.
+
+ 
Signed-off-by: Maksim An
+
+commit d7e725c6d9541bc1d5384f22d6205b7cb7240503
+Author: Matthew A Johnson
+Date: Thu Sep 29 06:13:02 2022 +0100
+
+ Device mounting and unmounting updates (#1526)
+
+ Maksim and I agreed that as part of the confidential containers serviceability work that
+ the SCSI and PMem enforcer usage that occurred down in the depths of each subsystem would
+ be moved into the Host type in uvm.go.
+
+ This change would put device mount and unmount enforcement in the same file with all
+ our new enforcement points being added during the servicability project. The idea being
+ that it will make it easy to see what is being enforced where and provide an overall
+ level of consistency.
+
+ This commit makes that change. In the process, it removes the MountMonitoringSecurityEnforcer
+ as it no longer serves and purpose. The tests that used that specialized test enforcer were
+ also removed as they make no sense within the contex of the new design.
+
+ While making these changes, I discovered that umount enforcement was not being done for SCSI
+ devices. This is ironic as the reason that Ken Gordon and I argued for the old design was so
+ that someone couldn't accidentally not do enforcement, yet, here we are; an enforcement point
+ was missed. Unmount enforcement for SCSI devices is included in this change.
+
+ Signed-off-by: Sean T. Allen
+
+ 
Signed-off-by: Sean T. Allen
+ Co-authored-by: Sean T. Allen
+
+commit f7a3edefff71aa1c82368e99d21fab22db5f94e5
+Author: Maksim An
+Date: Wed Sep 28 10:46:34 2022 -0700
+
+ Add pod startup security policy fragment injection (#1521)
+
+ In general case the fragment injection will happen via sandbox task
+ update request. However, we may need to inject fragments before the
+ pod is created and ready to accept the update request. One of the
+ examples is the pause container, which holds the pod network
+ namespace.
+
+ This PR addresses this issue by adding functionality to read an
+ arbitrary security policy fragment from UVM's file system.
+ The assumption is that the fragment will be embedded into the UVM
+ and the path will be supplied as part of confidential UVM options
+ together with security policy and UVM reference.
+
+ The actual calling into fragment validation and injection could be
+ changed in the future.
+
+ Signed-off-by: Maksim An
+
+commit 65acc497d786688dfe9bd964d5f391685342b1a6
+Author: Maksim An
+Date: Wed Sep 28 09:51:31 2022 -0700
+
+ fix release.yml trigger for real now (#1529)
+
+ https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push
+
+ Signed-off-by: Maksim An
+
+commit ffa3d31ee8037a3bd75b432876a6e17a7143637f
+Author: Maksim An
+Date: Tue Sep 27 17:51:52 2022 -0700
+
+ fix release.yml push trigger expecting a map. (#1527)
+
+
+ Signed-off-by: Maksim An
+
+commit 9028ad0ecc457eaa01933a4e96bce1f07711fcf4
+Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
+Date: Mon Sep 26 15:56:48 2022 -0400
+
+ Switch to go-winio/tools/mkwinsyscall (#1409)
+
+ * Switch to go-winio/tools/mkwinsyscall
+
+ Added `.\tools.go" file to add mkwinsyscall to `go.mod` and track as a
+ dependency, as recommended by the
+ [go wiki](https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module).
+
+ Using `-sort=false` flag to make changes easier to see.
+ (Will be undone in next commit.)
+
+ 
Signed-off-by: Hamza El-Saawy
+
+ * undoing sort=false
+
+ Signed-off-by: Hamza El-Saawy
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 2b143a0136d3ac5302511cd20b6bd294f7f1d9b9
+Author: Maksim An
+Date: Fri Sep 23 12:05:36 2022 -0700
+
+ fix wrong parameters passed to EnforceExecExternalProcessPolicy (#1523)
+
+ Fixes GCS panic, because OCIProcess for exec external is nil.
+
+ For exec external process we don't use OCIProcess field of
+ ProcessParameters, but instead use the top level CommandArgs,
+ Environment and WorkingDirectory.
+
+ Signed-off-by: Maksim An
+
+ 
Signed-off-by: Maksim An
+
+commit b2c8eb9da862522036368d1ef797b18bf8770dd9
+Author: Matthew A Johnson
+Date: Fri Sep 23 18:52:18 2022 +0100
+
+ Add enforcement of sending signals to arbitrary processes in a container (#1525)
+
+ Most people tend to think of a container as thing that does a single thing
+ and by extension, as a thing that is a single process. This isn't the case
+ but it is the mental model that people bring to containers. It also happens
+ to be an incredibly common scenario where a container "equals" a single process.
+
+ Our model for representing "container constraints" in the policy engine in GCS
+ doesn't break out the init process of a container into a process representation.
+ Instead, signals going to an init process are represented as signals "on the
+ container" and signals going to other processes in the container are represented
+ as signals on an "exec_process".
+
+ This makes understanding how to apply constraints to a container easier for
+ folks getting started with confidential containers. It also means that we
+ need to have two different bits of code for enforcing signal constraints on
+ processes in GCS.
+
+ For any pid and container id combo we do the following:
+
+ If the pid is for the init process of a container, then we know to use the
+ container signal list for determining if sending the signal is allowed.
+
+ If the pid isn't for an init process, then we have a bit more work to do.
+ We don't have any mapping of a pid to policy entry if the pid isn't for
+ the init process of a container. But, we can still map from the incoming
+ pid to set of 0 or more valid policy exec_process entries.
+
+ GCS stores a collection, on a per container basis, of all processes that were
+ started including the OCI Spec for each process started. We can match the
+ pid to the OCI Spec used to start the process with said pid. 
We can then use
+ the command from that process to find any valid exec process entries in the
+ policy for the container and see if any of them allow the signal in question.
+ Any matching exec process entries can then be used to do further narrowing on
+ possible container matches in the policy for the given container id.
+
+ Signed-off-by: Sean T. Allen
+ Signed-off-by: Matthew A Johnson
+
+ Signed-off-by: Sean T. Allen
+ Signed-off-by: Matthew A Johnson
+ Co-authored-by: Sean T. Allen
+
+commit 1ee5cd338663c200d80070edc0aa3c4665274a75
+Author: Seth Hollandsworth
+Date: Thu Sep 22 14:45:00 2022 -0400
+
+ updating error message to say policy does not allow restarts (#1524)
+
+ Signed-off-by: Seth Hollandsworth
+
+ 
Signed-off-by: Seth Hollandsworth
+
+commit be9d388f866ad278bafe5738ac21791e9190ca56
+Author: Matthew A Johnson
+Date: Thu Sep 22 02:21:43 2022 +0100
+
+ Add policy enforcement for shutting down a container (#1518)
+
+ Adds policy enforcement around shutting down a container. In the supplied framework, shutting down a container is always
+ allowed. We update metadata based on the change in state that will be used by other framework rules. This enforcement point
+ is important for custom policies for metadata tracking and also for allowing the creation of rules like "this container
+ isn't allowed to shutdown if some other container is running".
+
+ This commit rewrites `signalContainerV2` and gives it a new name. `signalContainerV2` was only called from the kill and
+ shutdown container functions. Despite only having 2 possible signals it could receive, it accepted any signal. There's a
+ replacement method called `signalContainerShutdownV2` that has "the same functionality" as `signalContainerV2`.
+ `signalContainerShutdownV2` doesn't accept arbitrary signals. Instead, it takes a boolean for whether the shutdown should be
+ graceful (aka `SIGTERM`) or if we should do a non-graceful shutdown of `SIGKILL`.
+
+ This commit aims to keep things "as they are" except for changes that are required for proper and non-evadable policy
+ enforcement.
+
+ Actual policy enforcement is in a new method `ShutdownContainer` on the `Host` type in `uvm.go`. It is our design goal to
+ have all enforcement functions called from within methods in `uvm.go`.
+
+ There's an additional new method on the `Host` as well: `SignalContainerProcess`. `SignalContainerProcess` allows for the sending
+ of arbitrary signals from the untrusted host computer to the UVM. The code has been extracted from `signalProcessV2` in the
+ bridge and moved onto the `Host` type. The move was required in order to add additional logic to `SignalContainerProcess` that
+ `signalProcessV2` lacked. 
+ + `SignalContainerProcess` will check to see if the process being signaled is the init process of the container. If it is and the signal + is `SIGTERM` or `SIGKILL` then the shutdown container enforcement rule will be used. We create this "special case" as shutting + down a container is the process of sending `SIGTERM` or `SIGKILL` to the container's init process. The information for whether + a process is the init process for a container is available, but not from the module that bridge is part of, thus the move of + functionality into `Host`. + + The creation of `SignalContainerProcess` was going to be required for when we add support for enforcing policy around + sending arbitrary signals to processes. The current `SignalContainerProcess` was written with that forthcoming changing in + mind, but doesn't include any logic for the additional enforcement as that will be coming in a commit that will arrive "in + the not so distant future". + + Shutdown container policy, because it is always allowed by our framework, doesn't require changing the `securitypolicy` policy + generation tool as there's no user provided input to the new policy rule `shutdown_container`. + + When not using an open door policy, a "container not started" error will be returned if a shutdown is attempted on a container + identifier that wasn't used to start a container. + Signed-off-by: Sean T. Allen + Signed-off-by: Matthew A Johnson + + Co-authored-by: Sean T. Allen + +commit 61f9e98ee96a43083ab5c420957ad650395c7425 +Merge: f83d2f6d9 c9176f642 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Sep 21 11:29:06 2022 -0700 + + Merge pull request #1522 from dcantah/processor-spelling-fix + + Fix 'ProcessorCount' comment + +commit c9176f6427b22c127a8d504dec5469e52bd174bf +Author: Daniel Canter +Date: Wed Sep 21 09:44:14 2022 -0700 + + Fix 'ProcessorCount' comment + + GetMaximumProcessorCount -> GetActiveProcessorCount + + 
Signed-off-by: Daniel Canter + +commit f83d2f6d97242b3e86589989c055ef0cb91ff771 +Author: Maksim An +Date: Tue Sep 20 09:44:59 2022 -0700 + + rename SecurityPolicyEnv annotation to UVMSecurityPolicyEnv (#1517) + + Signed-off-by: Maksim An + +commit 2a2bfdd7a42b23dc0cb7e4ee7fe375346d70639d +Author: Heather Garvison +Date: Mon Sep 19 18:57:05 2022 -0400 + + update dmverity-vhd tool to accept local images (#1494) + + Updated cmd/dmverity-vhd tool to accept local images using + the local docker daemon so that the tool can be used without + internet access and added a release workflow that creates + `dmverity-vhd` Windows and Linux executables whenever a push + with a tag starting `"v"` is created -- a pre-release is created if the + tag includes `"rc"` + + 
Signed-off-by: Heather Garvison + +commit 92d68904c95ed65918f49d316057a61b2f56b6c7 +Author: Matthew A Johnson +Date: Mon Sep 19 17:49:09 2022 +0100 + + Adding the `exec_external` enforcement point. (#1512) + + The `exec_external` enforcement point adds policy enforcement around the running + of processes inside the UVM, *i.e.* independent of any individual container. + In order to support this change, a new list of external process constraints + has been added at the policy level, like so: + + ``` rego + package policy + + containers := [/*some containers*/] + external_processes := [ + { + "command": [/*arglist*/], + "env_rules": [/*envList*/], + "working_dir": "", + } + ] + ``` + + This change required a update to our testing fixtures to generate + all constraints (*i.e.* containers and external processes) instead of just + containers. As a result we updated all of our tests to use `generateConstraints` + instead of `generateContainers` and similar renamings for clarity. The test + functionality has not changed as a result of these renamings. + + Adding a new enforcement point requires making a lot of little changes in + several places. To ensure this process goes smoothly moving forward, we + have added a checklist to the `securitypolicy` README. In the course of writing + the checklist, we found that we had missed a few error messages for + `mount_device`, `unmount_device`, and `mount_overlay` which we have now added. + + Signed-off-by: Matthew A Johnson + +commit ed3277365e85650b652427eb1132050493d06f3a +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Sep 16 09:17:19 2022 -0400 + + Linux GCS tests and benchmarks (#1352) + + * Added GCS tests and benchmarks + + Added testing suite that can built and run directly on the Linux uVM + by sharing or adding it to the rootfs. + It primarily focuses on container (standalone and CRI) management. + + 
Signed-off-by: Hamza El-Saawy + + * PR: rebase, comments, bugs, cleanup, security policy, linting + + Fixed bug with calling `*hcsv2.Host.GetContainer` instead of + `*hcsv2.Host.GetCreatedContainer`. + + Removed left over comments, added clarifying comments to + `assertNumberContainers` and `listContaienrStates` interactions. + + Reordered namespace and rootfs cleanup. + + Removed underscore from consts + Removed unneeded constants + Added flag to test-lcow-uvm script to change boot type from vhd to + initrd. + + Update security policy code to use enforcer. + Updated script for changes to `uvmboot` and to use default executable + name (`gcs.test`), as produced by `go test -c`. + + Linting issues: + - `switch` to `if` + - unused `getContainer()` + - unused receivers + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit 0e5cdff9b5759d6159217dfeffb583fbd4f4733a +Author: Maksim An +Date: Thu Sep 15 10:04:34 2022 -0700 + + update security policy and uvm reference env var names (#1514) + + Make sure the naming of security policy and uvm reference + env vars are consistent. Drop `HCSSHIM_` prefix and use `UVM_` + instead. The env vars now become `UVM_SECURITY_POLICY` and + `UVM_REFERENCE_INFO`. + + Signed-off-by: Maksim An + +commit 77c787d2bdbbfa3080817fa5535c3312c9dbab6c +Author: Maksim An +Date: Thu Sep 15 09:51:33 2022 -0700 + + Use alpine and pause images from MSFT mirrors in tests (#1515) + + Occasionally we've started seeing issues with docker rate limiting + image pulls when running cri-containerd tests locally. Switch to + MSFT mirrors. + + Signed-off-by: Maksim An + +commit c3f6bb7f7022c0e5bad8e847016d617fab115904 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Sep 15 10:20:44 2022 -0400 + + Update hcs errors to gov1.13 style (#1450) + + * Update hcs errors to gov1.13 style + + Add `.Is(` and `.Unwrap(` to `internal\hcs\errors.go` to using them with + `errors.Is(`, as well as `internal\gcs\bridge.go`. + + 
Signed-off-by: Hamza El-Saawy + + * PR: logic bug, declaration style + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit 17fd158ba9ceb5078998dfeb913626e2cbc0f32e +Author: Matthew A Johnson +Date: Thu Sep 15 00:46:52 2022 +0100 + + Refactor of metadata operations. (#1513) + + Adds typing for `metadataOperation` and a enumeration of `metadataAction`. + No functionality changes as a result of this, but the code is easier to + read and support. + + Signed-off-by: Matthew A Johnson + + 
Signed-off-by: Matthew A Johnson + +commit 900bb74fdb4308cfa7ac12ad6b412cd25ec34163 +Author: Matthew A Johnson +Date: Wed Sep 14 02:33:53 2022 +0100 + + Adding the exec_in_container enforcement point (#1506) + + This commit adds the exec_in_container enforcement point, but as part of this change we must also perform a + refactoring of the framework to enable supporting this and other additional enforcement points which come + after creating a container. Due to the number of possible matches and the way in which each subsequent + enforcement point narrows the list of matches, we need to maintain for each container ID a list of potentially + matching containers. + + As part of making this change to the framework, we took the opportunity to build a more flexible system for a + policy to store data for use in evaluating later rules. This has the beneficial side effect of removing more policy + logic from the Go code while also creating a far more powerful and flexible system for policy authoring. + + Before, a policy would define a simple true/false rule for something like mount_device. Now, the mount_device rule + (along with all others) is expected to return an object, as seen below: + + ```rego + device_mounted(target) { + data.metadata.devices[target] + } + + default mount_device := {"allowed": false} + + mount_device := {"devices": devices, "allowed": true} { + not device_mounted(input.target) + some container in data.policy.containers + some layer in container.layers + input.deviceHash == layer + devices := { + "action": "add", + "key": input.target, + "value": input.deviceHash + } + } + This object contains a member called allowed which indicates whether the operation should proceed, but also includes one or more "metadata" commands, of the following form: + + { + "": { + "action": "", + "key": "", + "value": "" + } + } + ``` + + These metadata commands alter a special metadata namespace. 
The Go code, which previously contained logic for maintaining + various data structures for use by the framework, now executes these metadata commands instead. This both means that the + Go code contains almost no policy logic at this point, but also that authored policies can take advantage of all the same + kinds of data caching logic upon which the framework is based. + + A consequence of this change is that unmount_device is now a new enforcement point, allowing policy authors to have control + from the Rego side of how devices are unmounted (as they do with mounting devices at the moment). + + Signed-off-by: Sean T. Allen + + Signed-off-by: Sean T. Allen + Co-authored-by: Sean T. Allen + +commit 57c4342271e8b57818e9ed1513d27522ff18cef4 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Sep 12 18:16:05 2022 -0400 + + remove spelling linter (#1509) + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit b363b0d99bd15764fa5f3940c49a3e08c27268bf +Author: Sean T Allen +Date: Mon Sep 12 15:39:07 2022 -0400 + + Fix seeding for generative policy tests (#1508) + + We are seeding the `testRand` module level variable. However, testing/quick + was not set to use that seeded random number generator. The testing/quick + configuration has a field `Rand` which is not set, will result in a + random number generator being created and used. This created generator + hasn't been seeded so our seeding had no impact on any of our `Generate` + functions. + + This commit updates all testing/quick tests to initialize `Rand` in the + configuration to be set to our seeded `testRand`. + + Signed-off-by: Sean T. Allen + + 
Signed-off-by: Sean T. Allen + +commit 9f5b8f975cf75eaaf74adf6a7a4eb69e0bb63bff +Merge: 74c416d6f d84966551 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Sep 9 10:52:26 2022 -0700 + + Merge pull request #1505 from SeanTAllen/required-rules-2 + + Adding required environment variable rules logic. + +commit 74c416d6fcbba48e678364a015d543186a1ed294 +Author: Sean T Allen +Date: Fri Sep 9 12:08:14 2022 -0400 + + Remove unused open/closed door enforcement methods (#1507) + + I did an automated refactoring a while ago and it left to unused + methods hanging around when enforce mount logic was moved into + create container enforcement logic. + + Signed-off-by: Sean T. Allen + + Signed-off-by: Sean T. Allen + +commit d84966551534fdba311e6b35ebff6d2273632f87 +Author: Matthew A Johnson +Date: Thu Sep 8 16:53:42 2022 +0100 + + Adding required environment variable rules logic. + + If an environment variable rule is marked as "required", then it must be defined in the container. + This is enforced in the Rego in the following way: + + ``` rego + env_ok(pattern, "string", value) { + pattern == value + } + + env_ok(pattern, "re2", value) { + regex.match(pattern, value) + } + + rule_ok(rule, env) { + not rule.required + } + + rule_ok(rule, env) { + rule.required + env_ok(rule.pattern, rule.strategy, env) + } + + envList_ok(container) { + every env in input.envList { + some rule in container.env_rules + env_ok(rule.pattern, rule.strategy, env) + } + + every rule in container.env_rules { + some env in input.envList + rule_ok(rule, env) + } + } + ``` + + 
Signed-off-by: Matthew A Johnson + +commit e374b8d4f8dad974b961ac50ea252262136851cc +Author: Maksim An +Date: Thu Sep 8 13:36:25 2022 -0700 + + Add new `ctrdtaskapi` package for shim task API support. (#1485) + + Add new typeurl registered data structure to represent + additional security policy constraint fragments, which + can be passed as part of shim's task Update request. + + Rename `UpdateContainerConstraints` to `Update` and + change the behavior to return an error when an invalid + resource is passed. + + Make sure hcsshim can consume the new resource as part + of task Update request handling and new GCS protocol + message can be properly accepted by the guest. + + Signed-off-by: Maksim An + +commit 7555bd5153043fb1bccd6d7ccbbb7ec84c1b1e37 +Merge: 92687ae90 e364ad4e5 +Author: Kathryn Baldauf +Date: Thu Sep 8 13:04:11 2022 -0700 + + Merge pull request #1383 from katiewasnothere/remove_nvidia_boot_files + + Update lcow driver installation path + +commit 92687ae90aaec0998a148f85602a2b3d19baca7b +Author: Maksim An +Date: Thu Sep 8 10:48:00 2022 -0700 + + Set HCSSHIM_UVM_REFERENCE_INFO env for workload containers (#1499) + + * Set HCSSHIM_UVM_REFERENCE_INFO env for workload containers + + Workload containers need to be aware of the reference UVM measurement + they are currently running on. The expectation is that the signed UVM + measurement file will be a part of the package and located in the + same directory as the rest of the boot files (e.g. kernel, initrd + or VMGS). The file itself is a COSE_Sign1 document containing the + measurement and related information. + The content of the file will be plumbed to the UVM as + part of setting the security policy request and can later be + presented to the containers via an environment variable. + + 
Signed-off-by: Maksim An + +commit 0f26f8db1b7c46d4b283391fac75f97661c8a493 +Author: Matthew A Johnson +Date: Thu Sep 8 18:46:00 2022 +0100 + + Returning OpenDoorSecurityPolicyEnforcer (when appropriate) for Rego policies. (#1504) + + Signed-off-by: Matthew A Johnson + + Signed-off-by: Matthew A Johnson + +commit 46db6ffecfbed9453cb2d3c2ebac03a414e0985b +Author: Matthew A Johnson +Date: Thu Sep 8 18:43:27 2022 +0100 + + Moving rego api test fixtures to a separate file (#1503) + + Signed-off-by: Matthew A Johnson + + Signed-off-by: Matthew A Johnson + +commit e364ad4e5d40238b3d10c041c2484525067444c7 +Author: Kathryn Baldauf +Date: Mon Jul 25 12:56:44 2022 -0700 + + Update go modules + + Signed-off-by: Kathryn Baldauf + +commit ea36a2799745eda858d4dbbebb977d8d2b179d8d +Author: Kathryn Baldauf +Date: Wed Apr 27 19:48:14 2022 -0700 + + Update test modules + + Signed-off-by: Kathryn Baldauf + +commit fac8ff6a94ded29fd24d3dbfa6d906d0147552af +Author: Kathryn Baldauf +Date: Wed Apr 27 19:24:50 2022 -0700 + + Update lcow driver installation path + - update `install-drivers` tool to take in additional parameter for + driver read/write path + - update call to `install-drivers` to take in new param + - update nvidia hook to use CreateRuntime instead of Prestart hook + + Signed-off-by: Kathryn Baldauf + +commit 2b2bd8fd24ba472a31754f1385f8dbbf15212102 +Author: Sean T Allen +Date: Thu Sep 8 01:46:38 2022 -0400 + + Move rego only test fixtures into the rego tests file (#1502) + + This will avoid linter errors. + + 
Signed-off-by: Sean T. Allen + +commit 04d537c9785b63bf7b8284e346cfe8516a18da1f +Author: Sean T Allen +Date: Wed Sep 7 19:35:36 2022 -0400 + + Adds versioning to the framework (and policies). (#1496) + + This enables backwards compatibility and fine-tuned behavioral logic based upon version + comparisons. Every enforcement point will now be explicitly linked to a introduced version + and given a default behavior (allow/not allow) which should be applied automatically below that + version. The logic looks like this: + + ```go + func (policy *regoEnforcer) allowed(enforcementPoint string, input map[string]interface{}) (bool, error) { + results, err := policy.query(enforcementPoint, input) + if err != nil { + // Rego execution error + return false, err + } + + if len(results) == 0 { + info, err := policy.queryEnforcementPoint(enforcementPoint) + if err != nil { + return false, err + } + + if info.availableByPolicyVersion { + // policy should define this rule but it is missing + return false, fmt.Errorf("rule for %s is missing from policy", enforcementPoint) + } else { + // rule added after policy was authored + return info.allowedByDefault, nil + } + } + + return results.Allowed(), nil + } + ``` + + A Rego query for a rule that doesn't exist returns an empty result set. + If we receive no results, we first check to see if the rule _should_ be there + by checking whether it was introduced after the policy was authored. If the + enforcement point should be defined (*i.e.* it was added before the policy was + authored), we raise an error. If it is new, then we use the default behavior. + If there are results, then the rule was present and we proceed as normal. 
+ + The enforcement point info is provided by a new Rego namespace called `api`: + + ```rego + package api + + svn := "0.1.0" + + enforcement_points := { + "mount_device": {"introducedVersion": "0.1.0", "allowedByDefault": false}, + "mount_overlay": {"introducedVersion": "0.1.0", "allowedByDefault": false}, + "create_container": {"introducedVersion": "0.1.0", "allowedByDefault": false}, + } + + default enforcement_point_info := {"available": false, "allowed": false, "unknown": true, "invalid": false} + + enforcement_point_info := {"available": available, "allowed": allowed, "unknown": false, "invalid": false} { + enforcement_point := enforcement_points[input.name] + semver.compare(svn, enforcement_point.introducedVersion) >= 0 + available := semver.compare(data.policy.api_svn, enforcement_point.introducedVersion) >= 0 + allowed := enforcement_point.allowedByDefault + } + + enforcement_point_info := {"available": false, "allowed": false, "unknown": false, "invalid": true} { + enforcement_point := enforcement_points[input.name] + semver.compare(svn, enforcement_point.introducedVersion) < 0 + } + ``` + + This namespace provides a way for us to express in Rego and expose to policy authors + the current API, which at the time being consists of a series of enforcement + points. + + Signed-off-by: Matthew A Johnson + + 
Signed-off-by: Matthew A Johnson + Co-authored-by: Matthew A Johnson + +commit 213a02e7a6aa8c2dabe22d9cc123d9d6764b3956 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Sep 7 19:01:02 2022 -0400 + + Add step to check test/go.mod, updated test/go.mod (#1501) + + Pipeline does not check that `./test/go.mod` is up to date, which can + cause issues with linting and other stages. + + Combined verifying `test/go.mod` and `./go.mod` into one stage. + Simplified the job ordering to increase the number of possible parallel + runs. + + Removed `build_gcs` dependence on vendoring stage, since that is + subsumed by `test-linux`. + + Removed `build_gcs` and `build` dependence on `integration-tests`, since + those fail frequently and ideally integration testing requires + successfully building executables. + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit 44a2b278ce93b7c5bb3287f386f8fa822d0c8e90 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Sep 7 11:21:09 2022 -0400 + + Enable linting on test directory (#1491) + + * Enabling linting for tests and linux files + + Updated CI to lint from within test directory. Currently, it does not + since it is a different module. + Additionally, golangci-lint uses `GOOS` to decide what files to + evaluate, so matrix was upddated with GOOS. + + Updated lint config to analyze test files, both within `./test` with + `functional` tag, and unit tests with `integration` tag. + + Signed-off-by: Hamza El-Saawy + + * Fix linting issues + + Removed unnecessary code, added exceptions for most issues. + + Signed-off-by: Hamza El-Saawy + + 
Signed-off-by: Hamza El-Saawy + +commit 895853a43cdbe18c9a08faa7368c0f8d2dd3615e +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Thu Sep 1 15:23:18 2022 -0700 + + Fix nil pointer dereference in addSCSI (#1497) + + The new change that we added to fix a race condition in addSCSI introduced a bug where the code ends up accessing a + nil pointer in certain situations. For example, the deferred function to unblock any waiters of the attach + SCSI operation accesses the scsi mount object to propagate any errors. However, this pointer is a named return + value of the function and is set to `nil` when returning an error. In those cases the deferred function panics + with the nil pointer dereference error. To fix this we don't use the named return value for the scsi mount + object anymore. + This change also removes the check for zero SCSI controllers since that check is done by the + `allocateSCSIMount` function. + + Signed-off-by: Amit Barve + + 
Signed-off-by: Amit Barve + +commit 435a376a0fa864030f8139ec95332f93ec3ce4be +Author: Matthew A Johnson +Date: Thu Sep 1 18:04:37 2022 +0100 + + Add support for accepting Rego policy code. (#1495) + + * Add support for accepting Rego policy code. + + Refactors (due to build tags): + - Internal classes (needed for Rego marshaling) moved to `securitypolicy_internal.go` + - Marshal code (needed for Rego marshaling) moved to `securitypolicy_marshal.go`. Once the JSON input/output is removed, this code can safely be moved to the `securitypolicy` tool + - Rego error logic has been moved to `framework.rego` + - `open_door.rego` added as Rego alternative to OpenDoor, and the `allow_all` logic has been removed from `policy.rego` + + New Features: + - `MarshalPolicy` method which supports turning a policy into either JSON or Rego + - `securitypolicy` now takes a `t` parameter that can be equal to either `rego` or `json` and a `r` parameter which indicates whether it should output the raw output in addition to the base64 encoded policy + - `createRegoEnforcer` can now handle either a JSON policy or a Rego policy as input + + Signed-off-by: Matthew A Johnson + + * tests: add cri-containerd test coverage for positive rego scenarios + + Rename a few tests under cri-containerd/policy_test.go for easier + wildcard matching. + + Negative test cases will come in a subsequent PR. + + Signed-off-by: Maksim An + + Signed-off-by: Matthew A Johnson + 
Signed-off-by: Maksim An + Co-authored-by: Maksim An + +commit af624d9287c323cd692a4a24a8ae7e02e15bf661 +Merge: e88b487ec 239225bf0 +Author: KenGordon +Date: Wed Aug 31 09:43:54 2022 +0100 + + Merge pull request #1493 from SeanTAllen/rego-policy-enforcer + + Adding a Rego Policy Enforcer. + +commit 239225bf0df6fb8939ebf79c5abee37b84126e62 +Author: Sean T. Allen +Date: Tue Aug 30 18:03:57 2022 -0400 + + Adding a Rego Policy Enforcer + + The standard policy enforcer is a domain-specific logical language implemented in go over JSON. In the future, policy enforcement will need to increase in complexity and coverage. Instead of increasing the complexity of the DSL in turn to address these needs, it is preferable to use a policy language designed to express these constraints, such as Rego. This PR adds an alternate Rego policy enforcer which expresses the same logic as the StandardPolicyEnforcer entirely in Rego. + + We've added a RegoPolicy which implements SecurityPolicyEnforcer in securitypolicyenforcer_rego.go and a full test suite in regopolicy_test.go. The main design idea is that there are three elements which are used for evaluating the policy: + + Policy objects (i.e., containers) which are translated into Rego from our existing JSON format. + Policy behavior, which is Rego that is in source control (policy.rego) which translates the enforcement logic currently in securitypolicyenforcer.go. + Policy data (i.e., state) which is maintained over the course of enforcement and fed into the Rego during a query + There is an additional element, namely the Microsoft Policy Framework (in framework.rego) which contains the majority of the enforcement logic. While at the moment this is used by the static policy.rego file, in the future it can be made available to customers who can choose to author their own policies. + + To add some details on the implementation, for each Enforce* method, we query the Rego policy with a set input. On success, we modify the data object. 
For a simple example, see how EnforceDeviceMount works: + + ```golang + func (policy *RegoEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) error { + policy.mutex.Lock() + defer policy.mutex.Unlock() + + input := map[string]interface{}{ + "name": "mount_device", + "target": target, + "deviceHash": deviceHash, + } + result, err := policy.Query(input) + if err != nil { + return err + } + + if !result.Allowed() { + input_json, err := json.Marshal(input) + if err != nil { + return fmt.Errorf("Unable to marshal the Rego input data.") + } + + return fmt.Errorf("device mount not allowed by policy.\ninput: %s", string(input_json)) + } + + deviceMap := policy.data["devices"].(map[string]string) + if _, found := deviceMap[target]; found { + input_json, err := json.Marshal(input) + if err != nil { + return fmt.Errorf("Unable to marshal the Rego input data.") + } + + return fmt.Errorf("device %s already mounted.\ninput: %s", target, string(input_json)) + } + + deviceMap[target] = deviceHash + return nil + } + ``` + + The corresponding Rego for this is: + + ```rego + default mount_device := false + mount_device := true { + some container in data.policy.containers + some layer in container.layers + input.deviceHash == layer + } + ``` + + We believe that this logic is much easier to reason about and maintain over time as opposed to the current system, while also allowing for a straightforward expansion in coverage over time. + + Note: This PR was intended to be additive and non-invasive, but in order to add the Rego dependencies + multiple package revs appeared to be required. This is the source of the vast majority of the files + that have been touched (i.e., in the vendor directory). + + 
Signed-off-by: Sean T. Allen + +commit e88b487ec04322b5b116c1ac2204adedcd10ee22 +Merge: b295b1a86 6f6e1c8cb +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Aug 26 18:08:10 2022 -0700 + + Merge pull request #1462 from dcantah/hpc-mounts-ro + + Readonly option for hostprocess mounts + +commit 6f6e1c8cb58a261cb56c3b5161f3fc2d0aa53d0d +Author: Daniel Canter +Date: Tue Jul 19 22:08:57 2022 -0700 + + Readonly option for hostprocess mounts + + Add in ability to parse read only mount options for hostprocess mounts. + Change the API of ApplyFileBinding to take in a readOnly bool instead of + it signifying a merged binding. We don't have any use for merged bindings + as the default for containers is to shadow the directory we're binding + to. We could alternatively pass in a set of options/flags as this argument, + but readonly seems to be the only thing needed as of now. + + Signed-off-by: Daniel Canter + +commit b295b1a866b1263ddede4f00dddf7a129b96c114 +Merge: 338bb2c6a 6f55abc15 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Aug 26 13:53:38 2022 -0700 + + Merge pull request #1486 from dcantah/shimdiag-tasks + + Add Tasks command to shimdiag + +commit 338bb2c6a01c496ef169cc61be4adb625b06f121 +Author: Maksim An +Date: Thu Aug 25 08:57:04 2022 -0700 + + add test utility func that waits for particular container state (#1492) + + additionally refactor some of the existing tests to use the new func + + 
Signed-off-by: Maksim An + +commit f12cf48c6ea7a6ebd389c8d5824cc5760fd3dfd8 +Merge: ab849cf06 cae120b42 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Aug 24 10:59:15 2022 -0700 + + Merge pull request #1488 from dcantah/timeout-terminate + + Call container.Terminate() on shutdown timeouts + +commit ab849cf065b3e43f97fe420b7f72b7073afa1c6f +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Aug 24 13:26:26 2022 -0400 + + Linux/LCOW bugs (#1489) + + Container/runc commands used `runcCommandLog` instead of `runcCommand`, + which fails to run properly. + Since they do not need to use a log file, the latter call is correct. + + Bug with how `uvmboot` sets security policy arg. + + Missing windows build tag. + + Linting/style changes: + - unnecessary `if err != nil { return err }` statement + - simplified nested if statments + - unused method receivers + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit c089b49e828225e4e60dbfa6b67f763786c48060 +Author: Maksim An +Date: Wed Aug 24 06:57:17 2022 -0700 + + fix unmarshaling of LCOWSecurityPolicyEnforcer (#1487) + + + Signed-off-by: Maksim An + +commit cae120b42536adea72101e6a358183c74a0bdac5 +Author: Daniel Canter +Date: Tue Aug 23 19:31:11 2022 -0700 + + Call container.Terminate() on shutdown timeouts + + We were logging if HcsShutdownComputeSystem failed, but we weren't + trying to force kill the container via Terminate after if we timed + out waiting for it to complete. Shutdown is async and we wait for + a notification for success, so most of the time the call itself will + return nil, but it doesn't indicate indicate success until we can + see that the system exited. So now we will fallback to Terminate for: + + 1. Shutdown returning an error that doesn't indicate the result is + to be waited on. + 2. The async result of shutdown was non-nil + 3. Waiting for the result passed the timeout we set. + + 
Signed-off-by: Daniel Canter + +commit feaf10a0803e62aaa2afd640c00f91c373d0cf6d +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Aug 23 16:22:24 2022 -0400 + + Added LCOW functional tests and benchmarks for uVMs and containers. (#1351) + + * Added LCOW functional tests and benchmarks + + Split out utility functions from `test/functional` into an internal package, + separate from functional tests. + Updated code to use containerd instead of docker. + + Added new functional tests and benchmarks for LCOW uVM containers, and + updated other LCOW tests as well. Not all (LCOW) functional tests were + updated, and most others are now explicitly skipped. + + Updated `k8s.io/cri-api` to v0.22 to include `WindowsPodSandboxConfig` + struct + + Signed-off-by: Hamza El-Saawy + + * Updating tests to use new test\internal package + + Signed-off-by: Hamza El-Saawy + + * PR: doc, simplified signatures + + Added deprecated warning to `layers.LayerFolders`, which relies on + docker. + Added doc comment to functional tests to clarify overlap with other + tests. + Removed unnecessary parameter in `WaitForError`. + Updated snapshotter logic + + Signed-off-by: Hamza El-Saawy + + * PR: refactor, updated image names in cri tests + + Signed-off-by: Hamza El-Saawy + + Signed-off-by: Hamza El-Saawy + +commit 6f55abc153a9124821d78070512147d0e13faa24 +Author: Daniel Canter +Date: Tue Aug 23 12:14:34 2022 -0700 + + pr feedback + + Signed-off-by: Daniel Canter + +commit 86e98693ee196a88aa7414fa872ac378cb39afac +Author: Daniel Canter +Date: Mon Aug 22 21:59:11 2022 -0700 + + Add Tasks command to shimdiag + + This command prints the tasks that are currently being managed + by a given shim instance, and optionally the execs in each task. + + There've been a couple times where our shim and containerd have + seemingly disagreed on what tasks are still running.. This should + make it easy to see the state of the world from our shims point + of view. + + 
Signed-off-by: Daniel Canter + +commit 477d5b40ba3a4e2b209967679d3f8cd4020f8078 +Author: Sean T Allen +Date: Thu Aug 18 17:00:35 2022 -0400 + + Remove wait mounts functionality (#1474) + + Wait mounts was originally added as a synchronization mechanic that + allows to build dependencies between containers via security policy. + + Some issues: + + - Only available via policy so, you can't use in a non-confidential scenario + - Mixes configuration into policy enforcement + - Completely bespoke + + With our moving to a rego based policy engine, we've decided to stop doing + anything that is "include configuration in policy" and instead switch to + "policy controls if a bit of configuration is allowed to be changed". This + approach eliminates wait mounts as a possibility to move over even if we + decided that the issues listed above weren't problematic. + + We expect that any customer using wait mounts functionality via policy + will switch to handling dependencies amongst containers as they usually + would. Allow the container that is missing a dependency to fail in a fashion + that will get the orchestrator to restart it until such time as the dependency + is available. For wait mounts, this means exiting if the mounted drive is + missing a known good file that is expected to exist thereby indicating that + the drive in question wasn't available at the time the container started and + instead, an empty directory was mounted. + + These changes are a prerequisite for the soon to arrive change to switch from + the bespoke JSON based policy language I wrote to using Rego. + + 
Signed-off-by: Sean T. Allen + +commit 83511587d71dff3acff8c9f43b487c7311c81e3e +Author: Maksim An +Date: Thu Aug 18 10:44:45 2022 -0700 + + securitypolicy: add security policy enforcer registration and defaults (#1476) + + * Stub out Rego policy enforcer and hide it behind a build tag. + + Add enforcer registration logic and support for default enforcer. + The host can request which security policy enforcer to use with + supplied policy, if none supplied, GCS code tries to make a "guess" + as to which enforcer should be used: "allow all" or "default". + Default enforcer is set to `StandardSecurityPolicyEnforcer` unless + GCS is built with "rego" tag present. In that case, the default + enforcer will be set to `RegoEnforcer`. + + New annotation has been added that allows callers to pick which + enforcer to use, e.g. + ```pod.json + { + ... + "annotations": { + "io.microsoft.virtualmachine.lcow.enforcer": "rego" + }, + ... + } + ``` + + Signed-off-by: Maksim An + +commit dca430eb856bad1992391dcc48a5d7f60b526697 +Merge: 09cb21116 7ef9edefd +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Aug 18 10:27:50 2022 -0700 + + Merge pull request #1484 from dcantah/shortcircuit-stats + + Short circuit Properties calls if NULL handle + +commit 7ef9edefd0fc4c9fa98c7c95347103246035b0d9 +Author: Daniel Canter +Date: Wed Aug 17 12:39:42 2022 -0700 + + Short circuit Properties calls if NULL handle + + The only two methods on a compute system that didn't short circuit if + the system was already closed were Properties and PropertiesV2. + + 
Signed-off-by: Daniel Canter + +commit 09cb211165157283efd5eef4da372eabac466423 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Tue Aug 16 14:38:24 2022 -0700 + + Fix a race condition in addSCSI (#1483) + + addSCSI currently uses the mutex only to check if a disk is already attached to the UVM. However, no mutex is + held when actually attaching the disk to the UVM. Because of this if two goroutines try to add the same SCSI + disk to a UVM at the same time, one of them will see that the disk is not already attached, will add an entry + into the controller/LUN map and continue with the attach process. The other goroutine will just see the entry + in the map and returns thinking that the SCSI disk is already attached to the UVM. At this point the disk + attach operation from the first goroutine is still in progress so if the second goroutine tries to use that + disk inside the UVM it fails with cryptic errors from overlayfs (or whatever other component in the guest that + tries to use this disk). + + To get around this problem, we now include a channel in each SCSIMount struct that should be used by all the + goroutines (except for the very first goroutine that adds this disk) to wait until the mounting of that SCSI + disk is complete. Only the very first goroutine that adds this disk should close it. + + Signed-off-by: Amit Barve + + 
Signed-off-by: Amit Barve + +commit 298b31d151ab799c1d7686f8ee9eec1cb4213926 +Merge: 774ce8fed bf8bdb0fa +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Aug 16 00:33:19 2022 -0700 + + Merge pull request #1480 from dcantah/fix-lint-issues + + Fix golangci-lint issues + +commit bf8bdb0fa5befb4e0e36d50b8e43f3880bc74416 +Author: Daniel Canter +Date: Fri Aug 12 04:53:42 2022 -0700 + + Update lint/setup-go setup in CI + + v3 golangci-lint action removed the skip-go-installation flag + and now explicitly requires using the setup-go action to function. + + - Get rid of skip-go-installation + - Swap to v3 of setup-go + - Remove only-new-issues usage + + Signed-off-by: Daniel Canter + +commit 9364e4c0bb457f4f1746a9cc877738450419c8dd +Author: Daniel Canter +Date: Fri Aug 12 04:52:00 2022 -0700 + + gofmt -s the world + + gofmt -s on go 1.19 + + Signed-off-by: Daniel Canter + +commit b6cd0c39099976da6544336981624a75671e3cc6 +Author: Daniel Canter +Date: Fri Aug 12 04:02:20 2022 -0700 + + Don't lint neterror.Temporary + + We're reworking the hcs/errors package soon, but in the meantime + don't lint the use of the deprecated err.Temporary. + + Signed-off-by: Daniel Canter + +commit 030e864800ed47cc9b35cfaef3fe6d04bef6e912 +Author: Daniel Canter +Date: Fri Aug 12 03:36:32 2022 -0700 + + Move CopyFileW definition to /internal/winapi + + We had a stray use of syscall.Syscall that should be in winapi with the + rest of our defs. + + Signed-off-by: Daniel Canter + +commit 483afe927baef6eea344667aaf575b60e52ffda4 +Author: Daniel Canter +Date: Thu Aug 11 21:03:40 2022 -0700 + + Get rid of io/ioutil usage + + Gets rid of io/ioutil usage in favor of the os and io replacements. + ioutil has been deprecated since 1.16. + + This additionally starts to use t.TestDir() in some tests instead which + is a nice side effect. + + 
Signed-off-by: Daniel Canter + +commit 774ce8fedebe45e870ccb8d4ab40a9280a499ff9 +Author: Maksim An +Date: Mon Aug 15 17:14:31 2022 -0700 + + tests: add test coverage for https://github.com/microsoft/hcsshim/pull/1456 (#1482) + + + Signed-off-by: Maksim An + +commit 3cf65d16bcfb08bc0b316e12af4e01dfdc6af147 (tag: v0.10.0-rc.1) +Merge: 5f3659a22 e3845fe6b +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Aug 12 16:26:07 2022 -0400 + + Merge pull request #1481 from dcantah/fix-jobobj-def + + Fix OpenJobObject definition + +commit e3845fe6be054ae42ee4e78f59f42be228c16689 +Author: Daniel Canter +Date: Fri Aug 12 06:06:11 2022 -0700 + + Fix OpenJobObject definition + + BOOL is a typedef for int not a boolean + + Signed-off-by: Daniel Canter + +commit 5f3659a22c22fc16f458e1cd32e11c6c4ec4522f +Merge: 0de9beec5 f7f0a24ae +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Aug 11 21:25:55 2022 -0400 + + Merge pull request #1478 from dcantah/fix-logentry + + Properly assign logrus entry for fallback queries + +commit f7f0a24ae26b02352c95b76d0238394a6e63be99 +Author: Daniel Canter +Date: Thu Aug 11 11:14:03 2022 -0700 + + Properly assign logEntry for fallback queries + + I didn't reassign the logEntry that contained the error reason if + querying for stats in the shim failed + + Signed-off-by: Daniel Canter + +commit 0de9beec519bfe0fd0b50558219a212261da1f4a +Merge: 2a9d2d99a 7b51f8ddf +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Aug 11 20:34:38 2022 -0400 + + Merge pull request #1479 from dcantah/pin-gover + + Update to Go 1.18 + +commit 7b51f8ddfe8ce46807d0b4c47bded28e44638a03 +Author: Daniel Canter +Date: Thu Aug 11 15:19:08 2022 -0700 + + Update golangci-lint to v3 and newer version + + Might as well stay up to date, and the version we were using I + believe didn't support linting generics + + 
Signed-off-by: Daniel Canter + +commit 2a2380bc4a05521210f3937a8eccf9380f94bd8e +Author: Daniel Canter +Date: Thu Aug 11 14:55:12 2022 -0700 + + Pin CI to 1.18.x + + This change pins the CI to a patch release of 1.18. Prior we were + using a caret specifier set to ^1.17.0 which matches to + + >= 1.17.0 but <2.0.0 + + Additionally move all go-version calls to read from a global environment + variable so we only need to edit one spot to change the go version. + + Signed-off-by: Daniel Canter + +commit dbbbd14069af0aef1ccc7aa79d07882cfd99bfa5 +Author: Daniel Canter +Date: Thu Aug 11 14:38:12 2022 -0700 + + go.mod: Upgrade to 1.18 + + 1.17 is out of support as of 1.19's release and there's no real pressing + need to stay on 1.17. 1.18 apparently has a smarter traversal of deps as + quite a few entries get plucked out. + + Signed-off-by: Daniel Canter + +commit 2a9d2d99a9f7713590bc9a8049e1aa25f0ff9b7e +Merge: ba4bfca3f 2c82abd0b +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Aug 10 09:32:09 2022 -0400 + + Merge pull request #1463 from dcantah/computestorage-ver-fixes + + Remove osversion usage in computestorage APIs + +commit ba4bfca3fdbe5421395db4a5d65788646c780adf +Author: Maksim An +Date: Mon Aug 8 11:15:58 2022 -0700 + + enforcement: fix use case when the same target has different hashes (#1469) + + Fix an issue when the same mount target could have different hashes + during device mount policy enforcement. + Although it's possible to mount different devices at the same mount + location, this doesn't make sense for read-only container layers. + The device mount enforcement logic has been updated to cover this + case. + This was discovered by randomized security policy unit tests. + + The tests have been updated, to minimize the chance of it happening + by adding a minimal length for a random string and appropriate unit + test has been added to cover the change. + + 
Signed-off-by: Maksim An + +commit 2c82abd0bf732a08de4882653ec93b0318a36482 +Author: Daniel Canter +Date: Mon Aug 1 14:05:55 2022 -0700 + + Document breaking change in HcsFormatWritableLayerVhd + + Add a comment on our wrapper of HcsFormatWritableLayerVhd to describe that + it expects a different handle on anything above ws2019. Additionally add + a comment above SetupBaseOSVolume stating what build it's supported on + and that the application must be manifested + + Signed-off-by: Daniel Canter + +commit a177a5acecf4d27751aa91ba0d6d1191d09de2ec +Author: Daniel Canter +Date: Mon Aug 1 13:54:15 2022 -0700 + + Revert "Pass disk handle for computestorage.FormatWritableLayerVhd on RS5 (#1204)" + + This reverts commit aaf5db90ef6961e767a4d5ca4bcf7f1f6465bcca. + + We'd added a change to FormatWritableLayerVhd to help the caller work around + a breaking change in the OS, but this would actually cause a breaking change + in our wrapper of it if the caller was already working around the issue + themselves. To avoid this scenario, revert the commit that added the + "friendly" behavior. + + 
Signed-off-by: Daniel Canter + +commit a244751aa576c193c22d490f6de22291ddd24e1f +Merge: fcf074dcb 5cfa86d4e +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Aug 3 15:33:17 2022 -0700 + + Merge pull request #1473 from dcantah/hpc-pshell-path + + Add powershell to hostprocess container paths + +commit 5cfa86d4e726888f8ddd13b555623eec65b3d29d +Author: Daniel Canter +Date: Wed Aug 3 06:54:56 2022 -0700 + + Add powershell to hostprocess container paths + + A large use case for these containers is to get a shell onto a node or + to carry out administrative tasks via powershell commands, but a lot + of images have a PATH defined in the docker file that only includes system32. + + Before any sort of slim image is available for these that doesn't have a + PATH set (so it will just use the hosts) add in powershell and the system32/wbem + dir for wmic to alleviate some "what is going on" moments. Additionally + rearrange some code closer together that was a bit too spread for no reason. + + Signed-off-by: Daniel Canter + +commit fcf074dcb6f50a82964047432a7e4e1217318708 +Author: Maksim An +Date: Thu Jul 28 00:31:08 2022 -0700 + + tests: run securitypolicy tests in github CI (#1470) + + Add new "test-linux" job and update existing "test" + job to "test-windows". Also update job dependencies. + + 
Signed-off-by: Maksim An + +commit 176bb0601a2e5c613f586bae0c5fb6ea71bd10b0 +Author: Maksim An +Date: Thu Jul 21 17:50:37 2022 -0700 + + VPMem device unmap VHD, don't remove VPMem itself. (#1456) + + When using VPMem multi-mapping feature, we can end up in a + situation when a VHD at offset 0 is not the last VHD that + is being removed: + 1. Add the very first VHD (vhd1) and essentially VPMem + (vpmem1) device itself will add the vhd1 at offset `0`. + Mapped VHD count: `1` + 2. Add second VHD (vhd2), which be mapped at offset `N`. + Mapped VHD count: `2` + 3. Remove vhd1 at offset `0`. Mapped VHD count: `1` + 4. Try removing vhd2 will result in removing the VPMem + device itself, however, HCS API doesn't allow that. + Which is most likely a bug. Removing VPMem with 0 + mapped VHDs also doesn't work. + + As a work-around, keep the VPMem "intact" and just remove the + last mapped VHD. The VPMem can still be used later to map new + VHDs. + + Signed-off-by: Maksim An + +commit 41d8f5a2fead90a08b280c1728cc354d16f08475 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jul 21 14:40:51 2022 -0700 + + Remove uneccessary use of silos in jobobject tests (#1464) + + Two tests added recently by yours truly don't need to be running as + silos. Remove the silo field set to true. Was running into this when + trying to backport a fix to a branch that doesn't have the silo work. + + 
Signed-off-by: Daniel Canter + +commit 598ea471a75ced1cdb74f33b6e6afb4179cd521c +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jul 20 14:02:50 2022 -0700 + + Add IO tracking option for job objects (#1459) + + * Add IO tracking option for job objects + + HCS enables this to get more in depth IO stats for the silo of the + container. I'd swapped hostprocess containers to querying for + these stats but without the prerequisite of actually enabling them :) + + This change adds a new option on jobobject.Options{} to enable this + functionality and adds a new test to ensure we can actually call + StorageStats now. + + Signed-off-by: Daniel Canter + +commit 84e0f9d19bffe65c26c2f54c3d318b309ea5c683 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jul 20 01:32:21 2022 -0700 + + Add annotations passthrough for host process containers (#1423) + + * Add annotations passthrough for host process containers + + This changes adds in a way for annotations specified for a sandbox + container to be passed through to every container in the pod. + K8s only passes annotations to the RunPodSandbox call and not to individual + containers unfortunately. To accomplish this I cache the pod sandboxes OCI + spec on the pod object as well as expose a method that passes through + specific annotations from the pod spec through to an individual containers. + + This is useful for a couple of host process containers annotations, like + microsoft.com/hostprocess-rootfs-location which specifies a non-default + path for the rootfs of the container to show up at. + + 
Signed-off-by: Daniel Canter + +commit 9ad494a1f57f7d72119eac2e046d55c821863a09 (tag: v0.10.0-rc.0) +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Jul 18 15:28:00 2022 -0700 + + Backwards compat for hostprocess cntrs mounts (#1458) + + In beta, mounts couldn't be unique per silo so they were mounted + to a relative path under the rootfs for the container. There's a + bunch of pod specs/apps floating around that were written with that + in mind so as to make a smooth transition, additionally keep mounting + them under the rootfs for now via the same approach (symlink the dir/file). + + Signed-off-by: Daniel Canter + +commit f59b1f249e6584cc535e7eecfe1829c17f5434d1 +Author: Maksim An +Date: Thu Jul 14 12:31:55 2022 -0700 + + Add vpmem mount capability to uvmboot (#1455) + + Signed-off-by: Maksim An + +commit 873b8e122faae117e6daaa2df7244dd40a7080cd +Author: Maksim An +Date: Thu Jul 14 12:12:00 2022 -0700 + + linter: fix linting issues (#1457) + + Additionally fix the queue tests logic. + + Signed-off-by: Maksim An + +commit 12d4cd8f9abaf895ee4a2daa6c5837554b92e33d +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jul 12 22:56:53 2022 -0700 + + Rework /internal/queue package (#1449) + + * Rework /internal/queue package + + Given our use cases for this package, we don't need methods that don't block + on reads if there's no value to be read. Due to this, I've removed the + ReadOrWait function and did a small redesign of the methods to be more + in line with standard queue method naming. + + * Change Read/Write/IsEmpty to Dequeue/Enqueue/Size and remove ReadOrWait. + Now there is no version of Read/Dequeue that doesn't block if the queue + is empty. + * Fix up tests to be in line with this removal of the non-blocking read + and simplified most of the tests. + + 
Signed-off-by: Daniel Canter + +commit 94f78da96a60b45258ca27bf82d2d5e392b0b0cc +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Jul 12 12:54:58 2022 -0400 + + Add CI stage dependencies (#1453) + + * Add CI stage dependencies + + Reorganize CI to run in stages, so lint and protobuild are dependencies + for vendoring, which in turn is required for testing then building. + + This allows issues to be caught early on, and prevents long-running + test stages to run before lint or vendor issues fail CI. + + Ran YML formatter on ci.yml file. + + Added `if` condition to uploading test binary artifices for non PR + runs, to avoid unnecessary uploading and storage. + + Signed-off-by: Hamza El-Saawy + + * PR: job names + + Github branch protection is confused by names, so remove them + + Signed-off-by: Hamza El-Saawy + +commit a6e48768b57d2e5242da835d5252e91c26c2fecc +Author: Gabriel +Date: Fri Jul 8 03:45:02 2022 +0300 + + Fix access denied when killing stopped container (#1447) + + This change fixes access denied errors when killing an already stopped + host process container. + + This change also uses errors.Is() to compare errors in various functions + of the hcs error package. This allows error wrapping while still + properly validating that a wrapped error is of a certain type. + + 
Signed-off-by: Gabriel Adrian Samfira + +commit 70499977f085dd880592c5b925963464910369a5 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jun 29 13:48:06 2022 -0700 + + Correctly set silo field when opening job object (#1437) + + * Correctly set silo field when opening job object + + We don't set the silo field on Open of an existing job object today. + This is useful if once opening a job we want to bind a file that only + that silo can see as it relies on atomically checking the `silo` u32 + field to determine if we can carry out the operation. + + The manner in which we check if the job is a silo is by using a new + jobobject information class with QueryInformationJobObject that fails + unless the job is a silo. + + Signed-off-by: Daniel Canter + +commit aa4005736c4e03e3182c5a877d6bb3db1d94dbf3 +Merge: 362e3d254 e6ee5669a +Author: Maksim An +Date: Tue Jun 28 14:16:47 2022 -0700 + + Merge pull request #1441 from anmaxvl/policy-duplicate-layers + + Fix policy enforcement to handle identical layers. + +commit e6ee5669a36470dc596173d3db7b4cb8f0c7c985 +Author: Maksim An +Date: Tue Jun 28 13:46:56 2022 -0700 + + Use single testRand instance for the entire test run. + + Signed-off-by: Maksim An + +commit 57a1f7e742f847c7328a6993fe0f7f8ee756610b +Author: Maksim An +Date: Tue Jun 28 13:31:08 2022 -0700 + + Add unit test to validate that overlay with duplicate layers can be mounted. + + Signed-off-by: Maksim An + +commit f6b45ccb15b9944b0e5e2bcc6c16247adad14739 +Author: Maksim An +Date: Mon Jun 27 18:17:05 2022 -0700 + + Update `StandardSecurityPolicyEnforcer` docs. + + 
Signed-off-by: Maksim An + +commit 3f1f195dc3a05e8c9c1d4bb7772f7e00bb6cf65c +Author: Maksim An +Date: Thu Jun 23 11:59:16 2022 -0700 + + Fix policy enforcement to handle identical layers. + + Read-only container layer enforcement currently tracks which layers + have been mounted for each container. The state is being tracked + by maintaining a 2D slice of device targets and each slice represents + a potential overlay FS that can be used for a given container. + Index `i` in the Devices slice corresponds to container at index `i` + in the policy. For example for containers with the following hashes: + ``` + [ + [hash1, hash2, hash3], + [hash1, hash4], + ] + ``` + The corresponding Devices slice will look something like: + ``` + [ + [/mnt/target1, /mnt/target2, /mnt/target3], + [/mnt/target1, /mnt/target4], + ] + ``` + + Each individual slice then corresponds to a potential overlay fs: + - overlay1: `[/mnt/target1, /mnt/target2, /mnt/target3]` + - overlay2: `[/mnt/target1, /mnt/target4]` + + The issue arises when container contains duplicate layers like: + ``` + [ + [hash1, hash2, hash2], + [hash1, hash4], + ] + ``` + The potential overlays will be computed as following: + ``` + [ + [/mnt/target1, /mnt/target2, /mnt/target2], + [/mnt/target1, /mnt/target4], + ] + ``` + Instead of: + ``` + [ + [/mnt/target1, /mnt/target2, /mnt/target3], + [/mnt/target1, /mnt/target4], + ] + ``` + The issue is reproducable by the following Dockerfile: + ``` + FROM ubuntu:latest + COPY script.sh . + RUN chmod +x script.sh + ``` + where `script.sh` already has executable permission flag set. + + To address the issue, the logic to track currently mounted devices + and enforcing the overlay has been updated. 
+ Instead of tracking potential overlays, we track the devices that + have been mounted and their hashes: + ``` + { + /mnt/target1: hash1, + /mnt/target2: hash2, + /mnt/target3: hash2, + } + ``` + During overlay, we map the mount targets to the hashes and check + the resulting hash chain against the ones in the policy. + + Signed-off-by: Maksim An + +commit 362e3d25472f3142a5ab2ec592a962a2ff44f2c9 +Merge: 9d94ed916 85c80e30d +Author: Maksim An +Date: Mon Jun 27 14:53:56 2022 -0700 + + Merge pull request #1442 from douglasmaciver/domac/secpol-unittest-a + + Fixed securitypolicy unit tests: AllowElevated and struct references. + +commit 85c80e30deb25d04ee3cbef4dc71bb6cdeec7f84 +Author: Douglas MacIver <62668331+douglasmaciver@users.noreply.github.com> +Date: Sun Jun 26 15:52:27 2022 -0800 + + Fixed securitypolicy unit tests: AllowElevated and struct references. + + Signed-off-by: Douglas MacIver <62668331+douglasmaciver@users.noreply.github.com> + +commit 9d94ed91682e0b3fcf41f6e30aaee4739b0e9a38 +Author: Maksim An +Date: Fri Jun 24 10:00:23 2022 -0700 + + Always set SECURITY_POLICY env var, even for open door policy. (#1397) + + Previously SECURITY_POLICY env var was set for container init process + only when StandardSecurityPolicyEnforcer was in use, however the + environment variable is useful even with OpenDoor enforcer. + + Address this gap by updating enforcers and adding an accessor + method. + + Add annotation to set SECURITY_POLICY env for containers. + + Export oci.ParseAnnotationsBool + + Update tests + + Signed-off-by: Maksim An + +commit 0d44ba488b03437176dadd16ee2a55ca91f5af8b +Author: Maksim An +Date: Fri Jun 24 07:39:39 2022 -0700 + + downgrade mingw to 10.2.0 (#1440) + + For more context on the reason for the downgrade containerd/containerd#7062 + + 
Signed-off-by: Maksim An + +commit 2c31b1ac6f70ad3c79ff5c457ed46c0a5c04074d +Merge: 1ec8cadfb 138c05c21 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jun 23 22:34:17 2022 -0700 + + Merge pull request #1434 from dcantah/upgrade-test-criapi + + Fix up hostprocess integration tests + +commit 1ec8cadfb2b85b2de2e3c8a5128fb16f7f9822d9 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jun 23 07:51:18 2022 -0700 + + Fix unsafe uses of unsafe.Pointer (#1438) + + Per rule 4 of unsafe.Pointer usage, conversion of a unsafe.Pointer + to a uinptr to pass to the syscall.Syscall family should only be done in + the argument list. We had a couple spots where we were passing it in as + an argument to a small wrapper function until it reached the underlying + syscall.Syscall*. + + https://pkg.go.dev/unsafe#Pointer + + Signed-off-by: Daniel Canter + +commit bc3b951b6ed926bc34a8fd319125cecbe2e302c1 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Jun 22 17:22:30 2022 -0400 + + Remove log file from runc commands (#1436) + + Certain runc commands (eg, Delete, State) do not need to use a log file + since they do not pass stdio to the container. + This PR switches the commands to consume the error directly from stderr, + without needing to parse from a file. + + This fixes a bug where the directory containing the runc log file for a + container is deleted before the container itself can be deleted via the + runc command. + + 
Signed-off-by: Hamza El-Saawy + +commit 6a191649836d428adcc5dafcbb7cd61f1f4da8e7 +Merge: 06ce0c3c3 f128b6050 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jun 22 11:45:28 2022 -0700 + + Merge pull request #1427 from gabriel-samfira/add-cri-integration-job + + Adds cri-integration job + +commit f128b60500c5d636e76b5489369fe60f0284f1d6 +Author: Gabriel Adrian Samfira +Date: Thu Jun 9 17:48:25 2022 +0300 + + Add integration tests + + This change adds integration tests to hcsshim. We currently run only the + containerd tests, with tasks already written (but disabled) to run the + cri-containerd tests in this repo. + + Signed-off-by: Gabriel Adrian Samfira + +commit 06ce0c3c367904ee6e27130344b021bb66007c7c +Author: Maksim An +Date: Fri Jun 17 17:22:22 2022 -0500 + + fix shared scratch scenario (#1435) + + When mounting container layers we override containerScratchPathInUVM + with scsiMount.UVMPath after calling into vm.AddSCSI(...), which is + fine in scenarios when scratch disk isn't shared. In case when scratch + sharing is enabled, the scsiMount returned has sandbox container's + scratch path and we end up mounting all of the workload containers' + overlay at `/run/gcs/c//container_` instead of + `/run/gcs/c//container_` and `/run/gcs/c//container_`. + + Fix by removing the unnecessary assignment. + + 
Signed-off-by: Maksim An + +commit 138c05c21febfd09364e9df0563d6165d7eab2e2 +Author: Daniel Canter +Date: Fri Jun 17 11:01:50 2022 -0700 + + Fix up hostprocess integration tests + + This fixes a couple issues with the host process integration tests. + + - Instead of passing the annotation to ask for a host process pod, use the + hostprocess CRI fields instead. The annotations used to work, however + containerd now overrides these with the value of the hostprocess CRI field + so this is the only way to ask for hpc now. + + - The VHD test would hit a "Paramter is incorrect" error on attaching the vhd. + Not sure what's causing this but it's probably the set of flags used to open + the vhd inside AttachVhd, as supplying no flags has the open succeed. + + - Now that there's new behavior for mounts for hpc if the bindflt dll is + available, gate some of the tests that tested the old behavior behind + rs5 for now. + + Signed-off-by: Daniel Canter + +commit 087198148867e51a55b3bea60f7d32899b734a8c +Author: Daniel Canter +Date: Fri Jun 17 10:58:28 2022 -0700 + + go.mod /test: Upgrade CRI API to 0.24.1 + + Upgrades CRI api dep to the same containerd depends on at the moment. This + is mostly to get access to the HostProcess fields that were added in 1.22. + + Signed-off-by: Daniel Canter + +commit d7b9771ff6ffb2a0ca10bb643c15a91cf2c227c3 +Author: Maksim An +Date: Fri Jun 17 12:16:24 2022 -0500 + + Add Plan9 support when booting from VMGS (#1429) + + 
Signed-off-by: Maksim An + +commit c50f2afc8dce88f47669a22b079d8be92e4241b8 +Merge: 5fcd02ca0 38880f85d +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jun 16 10:57:56 2022 -0700 + + Merge pull request #1407 from microsoft/users/GitHubPolicyService/a8cc929d-2f10-430a-915d-ceb313709830 + + Adding Microsoft SECURITY.MD + +commit 5fcd02ca0e53d3332bf31308029fb6bfca13a928 +Author: Maksim An +Date: Fri Jun 10 11:23:56 2022 -0500 + + update docs for security policy tool (#1426) + + After adding "allow_elevated" config to contianer policy the + docs hasn't been updated. + + Signed-off-by: Maksim An + +commit bebc7447316b33a2be4efdbd30e306f2c30681a5 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jun 8 15:03:25 2022 -0700 + + Change bind filter API used (#1424) + + Change to using BfSetupFilter instead of BfSetupFilterEx. The Ex variant is + only useful if you want to pass a SID to perform the bind as a specific + user. We don't use this functionality, and it didn't exist on some + versions of Windows as well. + + Signed-off-by: Daniel Canter + +commit c7b6cdd44a00b3dbc11d65e86c7303db51e9374f +Merge: 671ec23d7 de43d1348 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jun 7 16:14:13 2022 -0700 + + Merge pull request #1422 from dcantah/remove-testvendor-again + + Remove /test/vendor.. again + +commit de43d1348676d5d043624e29aadd49a80be6b160 +Author: Daniel Canter +Date: Tue Jun 7 15:41:32 2022 -0700 + + Remove /test/vendor.. again + + Think a bad rebase on my previous commit to remove this + brought back portions of the vendor dir. This should get rid of + all of it. + + 
Signed-off-by: Daniel Canter + +commit 671ec23d733d9ea1592b7dec246d644cf8efe7b8 +Merge: 360c32048 baf9ebe4c +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jun 7 10:19:01 2022 -0700 + + Merge pull request #1420 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.13 + + Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 in /test + +commit 38880f85d59de94ef43f3d18a9d897d2ef0d533b +Author: microsoft-github-policy-service[bot] <77245923+microsoft-github-policy-service[bot]@users.noreply.github.com> +Date: Fri May 20 14:51:16 2022 +0000 + + Microsoft mandatory file + +commit baf9ebe4c7b78f862ad7598f26c69b8a9de69424 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Tue Jun 7 17:07:33 2022 +0000 + + Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 in /test + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.10 to 1.5.13. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.10...v1.5.13) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + +commit 360c32048f55688fce22fcfde2e53bbb5a56c644 +Merge: 4e602397a 19ddef516 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jun 7 10:06:36 2022 -0700 + + Merge pull request #1421 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.13 + + Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 + +commit 19ddef516daffd47c56f0ef15ef67845a7e339f7 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jun 6 22:12:59 2022 +0000 + + Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.10 to 1.5.13. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.10...v1.5.13) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + +commit 4e602397ae0a3cf1f1df4f06929c5175e2c61d65 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jun 3 16:30:47 2022 -0700 + + Remove vendor dir in /test (#1417) + + Given this slows down development both for us and external contributors + as for most changes one would need to run `go mod vendor` in /test to + bring in the latest local hcsshim changes, I think it's time we removed + this. + + Pros: + 1. Easier for automated tooling like dependabot, and more recently a + Microsoft security bot, to make PRs that can just be checked in. + All of these automated PRs tend to fail as the bot doesn't know it would + need to run go mod vendor in /test as well for our repo. The approach today + to check these in is typically someone manually checks out the branch + dependabot (or whatever other bot) made, vendor to test, and then push a + new commit to those automated PRs and then we can check them in. + + 2. Speeds up development flow as we don't need to go mod vendor in test + before pushing almost every change. + + 3. Speeds up external contributions as well as there's no extra step to + follow to make a change to most things in /internal anymore. We state that + this needs to be done in our README, but it's probably a testament to how + odd our setup is that it's missed here and there. + + Cons: + 1. We lose the main selling point of vendoring for our test dependencies + which is that if one of our dependencies is no longer accessible + (deleted, renamed, whatever else) we don't have a local copy included + in our repo. This will increase our dependence on the Go modules proxy + server which seems like a fair tradeoff, and I think we're fine with this for + test dependencies at least. + + I've removed the references to this extra step in the README as well as + got rid of the CI step verifying that the vendor dir was up to date. 
I + don't think we needed the mod=vendor env var either, as since go 1.14 if + there's a top level vendor folder I believe the flag is transparently set + for commands that accept it. + + Signed-off-by: Daniel Canter + +commit 37ceff70a2725065af2379bf675d9648141fb21b +Author: Maksim An +Date: Fri Jun 3 15:30:58 2022 -0500 + + Rename ExpectedMounts to WaitMountPoints (#1413) + + `ExpectedMounts` was a poor name choice and was confusing in the + context of mount policy enforcement. + + Signed-off-by: Maksim An + +commit 5f581714d3b1c5d0359469385c1b0b0cdd01ee43 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jun 3 11:02:15 2022 -0700 + + Fix spelling mistake in runhcs options (#1415) + + protentially -> potentially + + Signed-off-by: Daniel Canter + +commit a4ae0fa29340bbfae4f6f01b4cc491806b4fe575 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jun 3 10:44:34 2022 -0700 + + Fix nil deref in Windows layer setup (#1418) + + The OS of the UVM was being checked by a pointer method at the start + of the function when passing in a UVM object is optional. For process + isolated and host process containers nil would be passed where this + would be hit. + + 
Signed-off-by: Daniel Canter + +commit 883146dddbf92a0875adb60acab9eee22c889697 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jun 3 09:55:57 2022 -0700 + + Implement file binding support for host process containers (#1344) + + * Implement file binding support for host process containers + + This change adds in file binding support for host process containers + if the host has the functionality available (bindfltapi.dll exists). + This makes it so mounts in the runtime spec actually show up in the + container at mount.Destination instead of simply being symlinks to a + relative path, as well as are completely unique per container. This is + achieved by upgrading the job object to a silo and making use of silo + local file bindings that the Bind Filter supports. + + This support additionally opens up the opportunity for the rootfs for the + container to be container local and unique. So instead of the rootfs showing + up to any process on the host and being located at C:\C\, it + now (by default at least) will be present at C:\hpc and be unique in + each container as well. In a similar fashion to the mount changes, this + only takes affect if the host has file binding support available. + + 
Signed-off-by: Daniel Canter + +commit a750a7fa43a5c93e736d3e1cc12d8b6b04ca60fe +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Fri May 27 08:59:58 2022 -0700 + + Cleanup for shared container scratch (#1414) + + * Cleanup for shared container scratch + + Normally, container scratch is a separate VHD that is mounted at `/run/gcs/c/` The + mount vhd call to gcs creates this directory and mounts the disk at that path. The modify + combined layers call creates the `upper` & `work` directories at `/run/gcs/c//upper` + & `/run/gcs/c//work` and also creates the rootfs directory at + `/run/gcs/c//rootfs`. Finally, overlayfs is mounted at `/run/gcs/c//rootfs` for + the container to run. The remove combined layers call will remove the + `/run/gcs/c//rootfs` directory. The unmount VHD will remove the `/run/gcs/c/` + directory. The `upper` & `work` directories continue to live on the container sandbox VHD + until that snapshot is removed. + + However, when the container scratch VHD is shared with the UVM (the UVM scratch is mounted + at /run/gcs/c/) the container scratch vhd mount doesn't do anything since the VHD + is already mounted. It just increases the ref count of this VHD by 1. Hcsshim sets the + container scratch as `/run/gcs/c//container_` and makes the combine layers + call. The modify combine layers call creates the `upper` & `work` directories at + `/run/gcs/c//container_/uppper`, `/run/gcs/c//container_/work` and + the rootfs is created at `/run/gcs/c//rootfs`. (Note that all of these are mkdirAll + calls so they create any non-existing parent directories too). The remove combined layers + call removes the `/run/gcs/c//rootfs` directory but the unmount VHD call doesn't + actually do anything, it just reduces the ref count by 1. So, in this case, the + `/run/gcs/c//container_` directory never gets cleaned up and continues to + occupy space on the UVM scratch VHD. 
+ + GCS currently doesn't know anything about the container scratch directory path, so it + never cleans it up. Even when `DeleteContainerState` request is made. This is okay when + the scratch is not shared since the container scratch VHD is separate and it will be + cleaned up when containerd removes the container snapshot. However, in the shared scratch + case these scratch directories are leaked. + + To correctly handle this case, we need to cleanup the container scratch directory during + the `DeleteTask` call. This commit updates the container creation request doc to also + include the container scratch directory path so that gcs has this path when the + `DeleteContainerState` request is made to the GCS. Also, previously we called + `DeleteContainerState` during `ReleaseResources` call. However, `ReleaseResources` is + called during `KillTask`/`ShutdownTask` request and shouldn't delete any resources that + belong to the container so that call is removed. + + + 
Signed-off-by: Amit Barve + +commit bf98c3da3c4385f8f30468847146898891f044c3 +Author: Maksim An +Date: Wed May 25 11:15:42 2022 -0700 + + Add security policy config to allow containers to run in privileged mode (#1366) + + Add new container security policy config "AllowElevated", which when set + allows running container in privileged mode. As an initial implementation + this adds sysfs and cgroup mount constraints with "rw" mount option to + the container's mount policy. Later, more thorough container spec validation + for privileged containers should be added (e.g. validating capabilities in + container spec). + Introduce `standardEnforcerOpt` type which allows updating internal + security policy representation and add an opt to append mount constraints for + privileged container mounts,`NewSecurityPolicy` now accepts enforcer options. + securitypolicy.Containers.toInternal now returns a slice of pointers rather + than objects. This makes sure that modification through enforcer options are + presereved. + + Add CRI tests to cover the new functionality. + + Signed-off-by: Maksim An + +commit 96c81335c6102ce3dc46584becbdd0b75cad1947 +Author: Maksim An +Date: Tue May 24 17:08:25 2022 -0700 + + fix unused commandArgs (#1411) + + Signed-off-by: Maksim An + +commit ffc59370a9227ce9b6284f55004d70d038f9ca2a +Author: Maksim An +Date: Mon May 23 13:19:33 2022 -0700 + + Add handling of ENTRYPOINT and CMD when "command" not in policy (#1304) + + Container images may contain ENTRYPOINT and CMD directives and in + the case when "command" is missing in policy config, that information + needs to be inferred from the image itself. + + 
Signed-off-by: Maksim An + +commit ce36677c16415736a1cb3cc51e80b6dc69dc4107 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 23 10:39:35 2022 -0400 + + Pass span context in ociwclayer (#1402) + + Bypass function in base packaged (layers.go) and use layer functions + defined in `internal/wclayer`, since those allow propagating (span) + context. + + Signed-off-by: Hamza El-Saawy + +commit 5c518f1f0f5530e1bb92b3c6ea02af011154e8f7 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri May 20 13:50:27 2022 -0700 + + Fix nil deref if no shim options were specified (#1398) + + * Fix nil deref if no shim options were specified + + This fixes a nil deref possible if no shim options for the runtime + specified were supplied. For example: + + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process.options] + + vs. + + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process.options] + SandboxIsolation = 0 + + Signed-off-by: Daniel Canter + +commit be02f1d1ce8a826ac864a3d907066aa1b7c2e9a0 +Merge: ed5d58e0d 9ef6876c8 +Author: Maksim An +Date: Fri May 20 10:17:16 2022 -0700 + + Merge pull request #1404 from edef1c/dm-verity-unsafe + + Don't use unsafe.Sizeof where encoding/binary.Size suffices + +commit ed5d58e0d8ee26b1db324ee075fb92233602cf9b +Author: Sean T Allen +Date: Fri May 20 10:51:11 2022 -0400 + + Fix typo in comment (#1406) + + Signed-off-by: Sean T Allen + +commit 9ef6876c8df48928895f590e8a33090c94ee99f1 +Author: edef +Date: Thu May 19 21:05:05 2022 +0200 + + Don't use unsafe.Sizeof where encoding/binary.Size suffices + + unsafe.Sizeof depends on ABI details, but we're not actually using the + raw memory layout of dmveritySuperblock. We're just writing it out with + encoding/binary.Write, so encoding/binary.Size gives the relevant size. + + 
Signed-off-by: edef + +commit 0b7e02b6b5a035fda83846c29c6fdacf2d95dacd +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed May 18 13:46:30 2022 -0400 + + extra ` (#1401) + + Signed-off-by: Hamza El-Saawy + +commit 2e6e81a2bb55044402f32705c94e4feb966c4004 +Author: Maksim An +Date: Wed May 18 10:16:58 2022 -0700 + + Add secure hardware support for uvmboot (#1390) + + Fix a bug where resource modifications are not rejected when running + in non-snp mode by setting a default open door policy when no + security policy is passed and making sure that security policy is + always set for UVM. Additionally, don't assume that security hardware + is present when a security policy is set explicitly. + + Add a flag to boot from VMGS file. + + Signed-off-by: Maksim An + +commit c6aa049302f737aec2f1bbd093af3ee4fdf50b01 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue May 17 10:23:00 2022 -0700 + + Fix Hyper-V check in late clone spec comparisons (#1400) + + In the function that handles checking if the cloned containers spec + retrieved from the registry matches the current spec, it was comparing + the hyperv field on the runtime spec using the != operator which won't + work as the hyperv field is a pointer so it would just be comparing the + addr. Swap to reflect.DeepEqual. + + This became an 'issue' as we set the hyperv field now if in our shim + options SandboxIsolation is set to the HYPERVISOR option. This doesn't + have much of an effect being set for containers that are going to be launched + IN the UVM, so this is mostly just a bug that was surfaced from a field + that didn't use to be set. + + This additionally changes to errors.New instead of fmt.Errorf where + there was no formatting in the error. + + 
Signed-off-by: Daniel Canter + +commit 4a1216ae5debefa6411171b12cfe467bd49eaaf3 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri May 13 14:40:01 2022 -0700 + + wcow-process: Query Stats directly from shim (#1362) + + This change adds in functionality to query statistics directly in the shim instead of reaching out to HCS. One of the main motivators behind this was poor performance for tallying up the private working set total for the container in HCS. + + HCS calls NtQuerySystemInformation with the class SystemProcessInformation which returns an array containing system information for every process running on the machine. They then grab the pids that are running in the container and filter down the entries in the array to only what's running in that silo and start tallying up the total. This doesn't work well as performance should get worse if more processes are running on the machine in general and not just in the container. All of the additional information besides the WorkingSetPrivateSize field is ignored as well which isn't great and is wasted work to fetch. + + HCS only let's you grab statistics in an all or nothing fashion, so we can't just grab the private working set ourselves and ask for everything else separately. We can open the silo ourselves and do the same queries for the rest of the info, as well as calculating the private working set in a more efficient manner by: + + 1. Find the pids running in the silo + 2. Get a process handle for every process (only need + PROCESS_QUERY_LIMITED_INFORMATION access) + 3. Call NtQueryInformationProcess on each process with the class + ProcessVmCounters + 4. Tally up the total using the field PrivateWorkingSetSize in + VM_COUNTERS_EX2. + + This change additionally: + - Changes the jobcontainers package to use this new way to calculate the + private working set. + - Change the query the StorageStats method in the jobobject package uses + to grab IO counters to match what HCS queries. 
+ + + Signed-off-by: Daniel Canter + +commit d4f0f15fbf75e0d3494a906563889bce7019b0a7 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed May 11 13:57:12 2022 -0400 + + Add _test suffix (#1395) + + Signed-off-by: Hamza El-Saawy + +commit bf5045eb3a69ec5a2474253854ab0da7d8729032 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed May 11 10:26:32 2022 -0700 + + Remove vsock consts (#1396) + + They're defined in the vsock package we use, and we never used the CidAny + const anywhere. + + Signed-off-by: Daniel Canter + +commit 25b67340dfe7eb35a4591fddf97025cf7e417f69 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue May 10 15:30:15 2022 -0400 + + testing bugs (#1394) + + Process-isolated tests used the wrong runtime constant. + + Renamed CRI plugin file to have `_test` suffix so language server does + not complain about undefined functions and values. + + Signed-off-by: Hamza El-Saawy + +commit 2bc1cc03b6a7871694380cd73a410b790c5ac4e0 +Merge: ebe034c66 521aae8a0 +Author: Kathryn Baldauf +Date: Mon May 9 17:34:15 2022 -0700 + + Merge pull request #1393 from katiewasnothere/gitattributes_update + + Unset text attribute for vendored files in gitattributes + +commit 521aae8a021d43f225b9e1c35cad1d60d512f1d4 +Author: Kathryn Baldauf +Date: Mon May 9 17:07:06 2022 -0700 + + Unset text attribute for vendored files in gitattributes + + Signed-off-by: Kathryn Baldauf + +commit ebe034c666dba0b11ef7319e0b7cd16bc578c873 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 9 14:31:28 2022 -0400 + + rpc string conversion (#1391) + + 
Signed-off-by: Hamza El-Saawy + +commit 9efc65486d7ab7599b751a5035e718c4330ec8f0 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 9 11:11:28 2022 -0400 + + Log context integration changes (#1382) + + Log integration changes + + Changed `internal\log` functions interacts with context. + `log.G` no longer adds trace/span IDs to entry. + + Added logrus hook to add trace/span ID to entry when exporting log + entry. + + Added `log.S()` to set the log entry stored in the context with + provided fields. `log.G()` now checks the context for a stored + context. + + Added `log.Copy()` to add log entry and trace span from source context + to destination, allowing for duplicating contexts but not cancellation. + + Added `log.U()` to update the context an entry (in the context) points + to, allowing it to reference the latest span and other information. + + Added `oc.StartSpan[WithRemoteParent]` to set the context for log entries + to reference the newly created context. + + Switch to oc.StartSpan to update log context + + Signed-off-by: Hamza El-Saawy + +commit 18f47614a2a08233b53edc47d27a7c68d4802c9f +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri May 6 11:05:49 2022 -0700 + + Fill in HyperV field if sandbox option is set (#1388) + + As part of the work to get WCOW-Hypervisor working for the upstream + Containerd CRI plugin, parse our shims SandboxIsolation field here and + set the HyperV runtime spec field if it's set to the HYPERVISOR option. + This avoids us needing to parse our shim specific options in upstream + Containerd which is always a plus. + + Signed-off-by: Daniel Canter + +commit d12d411f94902528faa9d4f7dae9093585e713a7 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri May 6 13:07:53 2022 -0400 + + Change file path for restart tests to avoid permission issue (#1389) + + 
Signed-off-by: Hamza El-Saawy + +commit 840593a9fa94b4d272dd913fb9f5debc584648ad +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu May 5 11:24:45 2022 -0400 + + Only pull appropriate images for testing (#1387) + + Signed-off-by: Hamza El-Saawy + +commit 1c049f10a81675e5b869187b263244ddd0b17ac2 +Author: Maksim An +Date: Wed May 4 14:56:01 2022 -0700 + + tests: add tests for wait-paths (#1384) + + Follow up PR to add tests for wait-paths after initial PR #1258 + was merged. + + Signed-off-by: Maksim An + +commit 1e01dcce30b86bbc22c8abc9f582a742fe2e9914 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue May 3 18:42:09 2022 -0400 + + GCS tests and features/bugfixes to support them (#1360) + + Exposed data and functionality for testing GCS: + * `internal\guest\runtime\hcsv2.Container.InitProcess()` + * `internal\guest\runtime\hcsv2.GetOrAddNetworkNamespace()` + * `internal\guest\runtime\hcsv2.RemoveNetworkNamespace()` + * `internal\guest\runtime\hcsv2.Host.SecurityPolicyEnforcer()` + * `internal\guest\runtime\hcsv2.Host.Transport()` + + Fixed bug where `host.RemoveContainer` did not remove the network + namespace for standalone and pod containers. + + Updated go-winio version to include bugfixes for closing hvsockets, + specifically to close a socket for writing (needed by internal\cmd + to signal that the stdin stream has finished). + + Added doc.go files to guest packages to prevent linter/compiler errors + under windows. + + The tests themselves are broken out here: + https://github.com/microsoft/hcsshim/pull/1352 + https://github.com/microsoft/hcsshim/pull/1351 + + 
Signed-off-by: Hamza El-Saawy + +commit 2b176abe98b8509382195f3428fd1eeda39602d0 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon May 2 17:08:35 2022 -0400 + + Tests for task and sandbox reset/restart (#1273) + + * Tests for task and sandbox reset/restart + + Adds tests for resetting tasks and containers explicitly with CRI + plugin API, and implicitly using annotations and start/stop commands. + + PR relies on accompanying CRI PR (https://github.com/kevpar/cri/pull/13) being merged. + + Signed-off-by: Hamza El-Saawy + + * PR: wrappers, annotation, comments + + Signed-off-by: Hamza El-Saawy + +commit a783367ca0827c5772215217bec25fdb48f9e0fe +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Apr 27 17:00:49 2022 -0400 + + Adding more logfield entries (#1380) + + Signed-off-by: Hamza El-Saawy + +commit 24d486642f7de89e419a24d5e19f189f1f2b894f +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Apr 27 16:57:40 2022 -0400 + + Missing constraint, doc.go (#1381) + + Signed-off-by: Hamza El-Saawy + +commit b6a97d81dd1ffe8f7f397c9d2affac3e2eddd8bf +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Apr 27 09:50:23 2022 -0700 + + Fix wrong word use (#1377) + + Manor -> manner + + Signed-off-by: Daniel Canter + +commit fc593904017098b7f925d95852cb35cc2a4e5924 +Merge: 544a27de1 be9ebd6c5 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Apr 27 09:49:48 2022 -0700 + + Merge pull request #1374 from TBBle/random-fixes-broken-out-of-base-layer-work + + Random fixes broken out of base layer work + +commit be9ebd6c5a745ab55021637be58a0f210b981a92 +Author: Paul "TBBle" Hampson +Date: Sat Mar 26 16:29:02 2022 +1100 + + Include all the built binaries in the archive + + I also sorted the archive step list of binaries to match the calls to + `go build` so that it's clear when a binary has been overlooked. + + 
Signed-off-by: Paul "TBBle" Hampson + +commit 8c2391d8fe389fb03269551667e715bcb73620a3 +Author: Paul "TBBle" Hampson +Date: Sat Dec 12 23:31:58 2020 +1100 + + Fix a typo in a comment + + Signed-off-by: Paul "TBBle" Hampson + +commit af4457cf3fcb4015bb7589c0bc8b8c14ef4c17e8 +Author: Paul "TBBle" Hampson +Date: Wed Feb 17 18:38:48 2021 +1100 + + Introduce safefile.MkdirAllRelative, like os.MkdirAll + + Signed-off-by: Paul "TBBle" Hampson + +commit 76119123d40006a8472d28f56a5f4e12dcda1777 +Author: Paul "TBBle" Hampson +Date: Thu Dec 3 00:30:47 2020 +1100 + + Typo fix contaler->container + + Signed-off-by: Paul "TBBle" Hampson + +commit 298101e0e9642e18146a60c40cbb912747be10f3 +Author: Paul "TBBle" Hampson +Date: Thu Dec 3 00:30:07 2020 +1100 + + Document LayerReader interface + + Signed-off-by: Paul "TBBle" Hampson + +commit 544a27de1237516bf1fe3948a8bd7558cf6a332d +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Apr 26 20:30:27 2022 -0700 + + Add ArgsEscaped exec test (#1372) + + This adds a test to validate execs work with ArgsEscaped images. + ArgsEscaped refers to a non-standard OCI image spec field + that indicates that the command line for Windows Containers + should be used from args[0] without escaping. This behavior + comes into play with images that use a shell-form ENTRYPOINT + or CMD in their Dockerfile. The behavior that the test is testing + is that execs work properly with these images. Hcsshim prefers + the commandline field on the OCI runtime spec and will ignore + Args if this is filled in, which ArgsEscaped does. In Containerd/cri + plugin the containers runtime spec is used as a base for the execs + spec as well, so if commandline isn't cleared out then we'll end up + launching the init process again instead of what the user requested. + + 
Signed-off-by: Daniel Canter + +commit 12a54a377658a5f83ece3acb8fde848d3b40c289 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Apr 26 19:55:31 2022 -0400 + + uvmboot functionality (#1359) + + * uvmboot functionality + + Added functionality to internal\tools\uvmboot for LCOW: + * specifying boot file path; + * picking kernel or vmlinux file; + * mounting SCSI VHDS and sharing files into the uVM; + * disabling the time sync; + * setting the uVM security policy. + + Added `IsElevated() bool` function to `internal/winapi` to quite early + if the command is not run with admin privileges rather than returning a + cryptic error. + + This is to support testing and benchmarking the Linux GCS. + + Signed-off-by: Hamza El-Saawy + + * PR: math + + Signed-off-by: Hamza El-Saawy + + * PR: spelling + + Signed-off-by: Hamza El-Saawy + +commit f6694adc15afcceddce576c74abe2aec10891ed3 +Author: Justin +Date: Tue Apr 26 15:14:16 2022 -0700 + + Include CommandLine in CreateProcess errors (#1363) + + Signed-off-by: Justin Terry + +commit a3a8aa19626adb296221a0dd23513e6935c06a7d +Author: Maksim An +Date: Tue Apr 26 14:16:30 2022 -0700 + + Hold lock when updating DefaultMounts (#1367) + + Signed-off-by: Maksim An + +commit dbb347e403747f0eb470bf9f17bf7ec32da14b0a +Author: Ameya Gawde +Date: Mon Apr 25 09:27:32 2022 -0700 + + Adding ExternalPortReserved flag to NatPolicy for HNS API V1. THis is a flag exposed for docker to avoid port reservation conflict with external port (#1370) + + HNS API V2 will use NatFlags to check and see if ExternalPortReserved is set + + (cherry picked from commit b85f3fdc17dad534a2cebbc67e0c18f77fb0fca8) + 
Signed-off-by: Ameya Gawde + + Co-authored-by: Kendall Stratton + +commit 113a929df3c22a23ce19be4e64c5ec1e19f03785 +Merge: 4a33ed557 6b9204445 +Author: Maksim An +Date: Fri Apr 22 17:08:56 2022 -0700 + + Merge pull request #1347 from anmaxvl/port-grantvmgroupaccess-code + + Port grantvmgroupaccess code from go-winio and extend functionality. + +commit 6b920444509e2cd25ff44f5f918cf7fbc8ae438d +Author: Maksim An +Date: Wed Apr 6 18:59:51 2022 -0700 + + Extend GrantVmGroupAccess to support write/execute/all permissions + + Add masks for GENERIC_WRITE, GENERIC_EXECUTE and GENERIC_ALL and update + function signatures accordingly. + Update grantvmgroupaccess tool to support granting permissions from above. + + Ignore various linter errors resurfaced after code copy-paste. + Remove mksyscall_windows.go and update old unit tests and cleanup helper + functions and packages used. + + Add unit test coverage for new functionality. + + Signed-off-by: Maksim An + +commit fb706b397132bb9c5a44fcde461c00beb0af5cb7 +Author: Maksim An +Date: Wed Apr 6 18:28:15 2022 -0700 + + Port grantvmgroupaccess code from go-winio repo for further extension + + 
Signed-off-by: Maksim An + +commit 4a33ed55759ea267f3ebf4d33fef5a1d29f0c45a +Author: Maksim An +Date: Fri Apr 22 15:04:50 2022 -0700 + + Allow multiple CreateContainer operations at the same time. (#1355) + + Prior to this change, GCS allowed only one CreateContainer operation + at a time. This isn't an issue in general case, however this doesn't + work properly with synchronization via OCI runtime hook. + + Synchronization via runtime hook was introduced in: + https://github.com/microsoft/hcsshim/pull/1258 + It injects a `CreateRuntime` OCI hook, if security policy provides + wait paths. + This allows container-A to run after container-B, where container-B + writes to an empty directory volume shared between the two containers + to signal that it's done some setup container-A depends on. + In general case, container-A can be started before container-B which + results in a deadlock, because `CreateContainer` request holds a lock + to a map, which keeps track of running containers. + + To resolve the issue, the code has been updated to do a more granular + locking when reading/updating the containers map: + - Add a new "status" field to Container object and atomic setter/getter, + which can be either "Created" or "Creating". New `uint32` type alias + and constants were added to represent the values (`containerCreated` + and `containerCreating`) + - Remove locking from `CreateContainer` function + - Rework `GetContainer` to `GetCreatedContainer`, which returns + the container object only when it's in `containerCreated` state, + otherwise either `gcserr.HrVmcomputeSystemNotFound` or + `gcserr.HrVmcomputeInvalidState` error returned. + - Add new `AddContainer(id, container)` function, which updates the + containers map with new container instances. 
+ - Rework `CreateContainer` to initially add new container objects into + the containers map and set the "status" to `containerCreating` at the + start of the function and set it to `containerCreated` only when the + container is successfully created in runtime. + + Reworking `GetContainer` to `GetCreatedContainer` seemed to be the least + invasive change, which allows us to limit updates in the affected places. + If `GetContainer` is left unchanged, then handling of containers in status + "Creating" needs to take place and this requires handling cases when (e.g.) + a modification request is sent to a container which isn't yet running. + + Additionally update synchronization CRI tests to use go routines + to properly reproduce the scenario. + + Signed-off-by: Maksim An + +commit 57bff8854d1a52a92315d3389de5a95b07694206 +Author: Maksim An +Date: Fri Apr 22 10:33:04 2022 -0700 + + Change receivers and returns for security policy enforcers (#1369) + + Signed-off-by: Maksim An + +commit 8e6c081423e3b9dda3c30c58b736edfe1b74a4f8 +Author: Maksim An +Date: Fri Apr 22 10:31:59 2022 -0700 + + Revert "Fix working_dir negative test error expectation (#1348)" (#1368) + + This reverts commit 2028de8b8d5e0516e0e65664f9085dab02a6a5e2. + + During local testing a gcs with an older version of security policy + was used when doing the fix: #1322. As we can see, the quotations + weren't there. However, later a PR was merged, which added them: #1311 + + Signed-off-by: Maksim An + +commit 51a69190b8f477b42265944f58ccff688b4caca7 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Apr 22 11:46:27 2022 -0400 + + spelling (#1365) + + Signed-off-by: Hamza El-Saawy + +commit db5e1b1743a3138bf211ad90eca7fdf23d0f326c +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Wed Apr 20 16:17:00 2022 -0400 + + Splitting out GCS test and build (#1361) + + 
Signed-off-by: Hamza El-Saawy + +commit 98519f22466ae73d3d7fdde81beaa84b79ce9ff3 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Apr 19 14:21:00 2022 -0400 + + Linux GCS flags use 1 -, not 2 (#1358) + + Signed-off-by: Hamza El-Saawy + +commit a4c9777c1fa101d581f8facd257281349853be29 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Apr 18 13:23:05 2022 -0700 + + Use /internal/memory constants (#1354) + + * Use /internal/memory constants + + We have a bunch of 1024 * 1024 or 1024 * 1024 * 1024 numerical constants + (or just other megabyte constants) lying around. This changes to using + the constants we have defined in the /internal/memory package. + + This additionally changes the names of the constants from MegaByte/GigaByte to MiB/GiB and + changes them to untyped constants. + + Signed-off-by: Daniel Canter + +commit 54a5ad86808d761e3e396aff3e2022840f39f9a8 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Apr 18 15:16:58 2022 -0400 + + Reorganizing makefile and adding info to rootfs (#1350) + + * Reorganizing makefile and adding info to rootfs + + Reorganized makefile to read from top to bottom, and added additional + files to LCOW rootfs that include the time stamp of of the vhd creation, + the image build date, and its full name (pulled from a *.testdata.json + file in the LSG release, that appears to be one of the only location + of that information). + + Signed-off-by: Hamza El-Saawy + + * PR: checking if jq is installed + + Signed-off-by: Hamza El-Saawy + +commit 2baf93b5ccc718a23627df219a66a8cda63d1c98 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Apr 15 12:25:05 2022 -0400 + + removing global setting dependence from shim publisher (#1343) + + 
Signed-off-by: Hamza El-Saawy + +commit 655b7e11fd2297529b21291cd7cce313a5d76b68 +Author: Maksim An +Date: Fri Apr 15 04:03:50 2022 -0700 + + Add support for mount policy enforcement. (#1311) + + * Add support for mount policy enforcement. + + It is possible that a malicious mount can be used to attack an LCOW pod. + If the attacker has knowleldge of the workload running, they could + possibly change the environment for a container and alter its execution. + + This PR adds support for describing and enforcing mount policy for a + given container. The mount policy closely follows OCI spec to be as + explicit as possible to the user. The policy can be made less explicit + in the future if needed. + + The dev tool has been updated to support mount configurations and the + configuration spec is similar to CRI config with the exception of + unsupported features (e.g., selinux config). + The tool translates CRI config to appropriate mount type and options in + mount policy. Initial implementation doesn't support any wildcards for + the Destination, but supports REGEX for the Source. + + CRI adds some default mounts for all Linux containers and they had to be + hardcoded in this codebase as well. Extra caution is needed in the + future, in case the list expands. + + Additional changes have been made to how sandbox and hugepages mounts + are generated to make sure that the same utility functions are used to + generate appropriate mount specs. + + Add positive and negative tests for security policy mount constraints + Hide mount enforcement behind a LCOWIntegrity feature flag + + Update securitypolicy tool docs + + 
Signed-off-by: Maksim An + +commit ccec73f6d54f32aa46ad8c3632162106946b6f7e +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Apr 14 16:21:18 2022 -0400 + + Swap to fmt.Errorf in jobobject package (#1353) + + * Swap to fmt.Errorf in jobobject package + + This change swaps to fmt.Errorf for wrapped errors in the jobobject package + from errors.Wrap. We'd had talks of moving this code to winio where we've + removed our pkg/errors dependency so this would make the port easier. + + Signed-off-by: Daniel Canter + +commit 13ceffd8e8ae1764ea0b0c526d371764b91e9b2a +Author: Maksim An +Date: Wed Apr 13 12:51:38 2022 -0700 + + Add guest package for fetching attestation report via syscall (#1341) + + Add `internal/guest/linux package`, which contains linux ioctl + definitions. Devicemapper code is refactored to use the new package. + Introduce new `amdsevsnp` package with Introduce ioctl wrappers and + structs required to fetch attestation report. + Validate that `LaunchData` provided to HCS during UVM boot and + `HostData` returned as part of attestation report match. + + Add utility binary to fetch SNP report and update Makefile to + support `DEV_BUILD` parameter, which includes test utilities inside + LCOW image. + Fake attestation report can be used when testing integrations. + + Signed-off-by: Maksim An + +commit 8af6c33eb931a5b926c4b831d648e18fb6e89cc4 +Author: Kazuyoshi Kato +Date: Mon Apr 11 17:02:11 2022 -0700 + + Specify go_package in its full path (#1345) + + The newer version of protoc-gen-go doesn't support the current form. + + Signed-off-by: Kazuyoshi Kato + +commit 2028de8b8d5e0516e0e65664f9085dab02a6a5e2 +Author: Maksim An +Date: Sun Apr 10 15:10:13 2022 -0700 + + Fix working_dir negative test error expectation (#1348) + + 
Signed-off-by: Maksim An + +commit 70b87e3d4b7ca6dd33335a01f2b8241178d1f686 +Author: Maksim An +Date: Thu Apr 7 18:07:52 2022 -0700 + + Add tests for security policy enforcement (#1325) + + Add basic positive and negative tests for security policy enforcement. + Hide policy tests behind LCOWIntegrity feature flag. + Add ContainerConfigOpt and builder functions for creating security + policy configs. + + Signed-off-by: Maksim An + +commit 2957199154505ce5b884004ed4fe51ca68df985e +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Apr 7 10:00:29 2022 -0700 + + Pin go version for linter to 1.17.x (#1346) + + Some of the tooling golangci-lint uses doesn't fully support 1.18 yet + resulting in a bunch of hard to decode errors. We were using ^1.17.0 + as our version listed so we ended up resolving to 1.18 a couple of days + ago and finally ran into this. v1.45.0 of golangci-lint has a + workaround for this which is disabling some of the problematic linters, + but these are some of our most used. This seems like a sane fix for + now until the kinks are worked out and things are working on 1.18. + + Signed-off-by: Daniel Canter + +commit 6b31cba6647165e2faa1a94e63a0818d6af07072 +Author: Kazuyoshi Kato +Date: Tue Apr 5 14:00:36 2022 -0700 + + Run Protobuild on GitHub Actions (#1302) + + containerd is planning to migrate off from github.com/gogo/protobuf + which will affect hcsshim. + See https://github.com/containerd/containerd/issues/6564 for + the overall progress. + + Before that, this commit runs Protobuild in GitHub Actions to + make sure all generated files are reproducible from .proto files. + + 
Signed-off-by: Kazuyoshi Kato + +commit 949e46a1260a6aca39c1b813a1ead2344ffe6199 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Apr 5 01:07:45 2022 -0400 + + Adding build constraints (#1340) + + * Adding build constraints + + Adding windows build constraints to code to allow tests and benchmarks + to be run on Linux. + + Added doc.go to modules (with doc string, where appropriate) to prevent + compiler/linter errors about broken imports. + In some cases (ie, winapi and wclayer), the package already had an + OS-agnostic file of the same name, along with a doc string. A doc.go + file was added to preempt situations where windows-specific code is + added to that file in the future. + + Signed-off-by: Hamza El-Saawy + + * Renaming test files + + Renaming files in `test\cri-containerd` to end with `_test.go` so they + can include variables and functions defined in other `_test.go`. For + example, `gmsa.go` imports `gmsaAccount`, which is defined in + `main_test.go`. + + Signed-off-by: Hamza El-Saawy + +commit bedca7475220426727ba4a0d11f042de6b8e73cc +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Apr 4 13:18:41 2022 -0700 + + Add Go bindflt/silo definitions (#1331) + + * Add Go bindflt/silo definitions + + This change adds a couple Go bindings for calls and constants from bindfltapi.dll + as well as some silo flags for job objects. Together these allow file bindings + (think bind mounts on Linux) to be performed for a specific job object. The bindings + are only viewable from processes within that specific job. + + This additionally adds a couple unit tests for this behavior. + + 
Signed-off-by: Daniel Canter + +commit 8c246952f89e1e0c7eb9e1dbb97249201b5a13b2 +Author: Maksim An +Date: Thu Mar 31 00:24:35 2022 -0700 + + Fix dm-verity target naming format in linux guest (#1338) + + When adding layer integrity checking feature for SCSI devices, + the dm-verity device format naming was inconsistent with the + already existing pmem based verity target. + Make the naming consistent by changing `verity-scsi-...` to + `dm-verity-scsi-...`. + + Signed-off-by: Maksim An + +commit d36cc7c2080c44fae477869f871a372def8988e0 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Mon Mar 28 16:04:53 2022 -0700 + + Support for multiple SCSI controllers (#1328) + + * Support for multiple SCSI controllers + + Enable using upto 4 SCSI controllers for LCOW UVMs. HCS currently doesn't respect the + SCSI controller number provided with the Add SCSI disk requests. Hence, the SCSI disk can + show up at some different controller inside the LCOW UVM. To avoid this, now we use GUIDs + to represent each controller and use that GUID with the Add SCSI disk request. + GCS code is also modified to identify the controller number from the controller GUID. Now if a LCOW pod is created with an annotation that sets VPMEM device count to 0, we will automatically enable 4 SCSI controllers. Even the rootfs.vhd will be attached via SCSI in that scenario. + + 
Signed-off-by: Amit Barve + +commit 6dd7225ec1f7d929d1f83f16a4cc9b4f92fe524f +Author: Paul "TBBle" Hampson +Date: Tue Mar 29 07:57:50 2022 +1100 + + Go 1.17 is the minimum version in all cases (#1337) + + This ensures: + - CI explicitly requires Go 1.17 + - README specifies Go 1.17 + - Tests also depend on Go 1.17 + + The go.mod already specifies 1.17 as the minimum Go version, so this + shouldn't be a difference in practice. + + GitHub Actions setup-go was installing Go 1.17 already, presumably + honouring the value in go.mod. + + One interesting change is that in 1.17, go.mod lists indirect + dependencies, and vendoring does not capture go.mod/go.sum, so the + test/vendor directory got slightly less noisy. + + Signed-off-by: Paul "TBBle" Hampson + +commit 93505d7b473eeae3b44f575fc7552be40e290f3a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Mar 23 18:34:15 2022 -0700 + + Fix up job object options for unit tests (#1335) + + Most of the `jobobject` package tests we have ask for options that aren't + actually needed/used. This change makes it so that any test that doesn't need + a named job object doesn't ask for one and any test that doesn't plan on + using the iocp messages doesn't flip the notifications field either. This + wasn't causing any issues, but it's probably best to filter down what's + being tested to only what's needed. + + Additionally fixes TestExecsWithJob that used log.Fatal instead of t.Fatal + in the test. + + 
Signed-off-by: Daniel Canter + +commit dfe9b5e1a35047a2080e8fe0282026a2ccd23955 +Author: Maksim An +Date: Tue Mar 22 08:59:57 2022 -0700 + + Fix gcs init args wrapping when ConsolePipe is enabled (#1334) + + GCS init fails to parse the entropy socket when enabling ConsolePipe. + Fix by separating entropy parameters from the rest init args and + wrapping only init args with `sh -c`. + + Changes: + `/init sh -c "-e 1 /bin/vsockexec -e 109 /bin/gcs -v4 -log-format json -loglevel debug & exec sh"` + to + `/init -e 1 sh -c "/bin/vsockexec -e 109 /bin/gcs -v4 -log-format json -loglevel debug & exec sh"` + + Signed-off-by: Maksim An + +commit 7adccbbc6b0f02fa2ce65e44fb6b5827ea8e3ca1 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Mar 22 11:34:58 2022 -0400 + + rootfs make target (#1333) + + New makefile target to create rootfs.vhd from rootfs.tar using tar2ext4. + Requires building cmd/tar2ext4 locally. + + Signed-off-by: Hamza El-Saawy + +commit 51aee6bd9e4da920dd6473137929370606402ad1 +Author: Maksim An +Date: Mon Mar 21 21:45:17 2022 -0700 + + Add new gcs hooks, add expected mounts to security policy (#1258) + + Introduce a new `wait-paths` binary, which polls file system + until requested paths are available or a timeout is reached. + + Security policy has been updated to have `ExpectedMounts` entries, + which will be used in conjunction with "wait-paths" hook for + synchronization purposes. + + Refactor oci-hook logic into its own internal package and update + existing code to use that package. Copy runc HookName and constants + definitions to break dependency on runc + + Introduce `ExpectedMounts` as part of security policy language and + the logic to enforce the policy, which resolves the expected mounts + in the UVM and adds a wait-paths hook to the spec. + + Add positive and negative CRI tests. + + 
Signed-off-by: Maksim An + +commit a2ed14ceef9ece8176f962cec75ffe85527b1c42 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Mar 17 16:44:23 2022 -0400 + + scrubbing bugfix: incorrect return variable (#1332) + + Signed-off-by: Hamza El-Saawy + +commit cf6b2c91e41a2ed9c355151eb9c5a0a4316e14de +Author: Maksim An +Date: Tue Mar 15 23:26:54 2022 -0700 + + Default to deny all security policy. (#1320) + + When bringing up the UVM default to closed door security policy + to reject any modification requests prior to security policy is set + inside GCS. + When security policy is empty, default to open door policy. + + Signed-off-by: Maksim An + +commit abf92f5a8ebccda04b1ee53c9fb3d443342bac84 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Mar 15 14:35:10 2022 -0700 + + Respect console size for hostprocess containers (#1326) + + Previously the values in the spec weren't being used. + + This change additionally changes the defaults to an 80 width and 25 height + to match what cexecsvc/hcs sets. + + Signed-off-by: Daniel Canter + +commit 326001d24d36fb52ef7466525a5eabd81c84f245 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Mon Mar 14 14:02:34 2022 -0400 + + Scrubbing annotations from logs (#1324) + + Updated scrubbing for guest side, and added scrubbing for annotations + +commit e1ee40b64358dd1b7482cc3eeb9f9c1511e00a4b +Author: Maksim An +Date: Fri Mar 11 10:28:13 2022 -0800 + + Fix WorkingDir missing in securityPolicyContainer (#1321) + + When creating internal representation of security policy for a container + WorkingDir field wasn't properly initialized, which broke the policy + enforcement. + + Update README.md for security policy tool. + + Signed-off-by: Maksim An + +commit 041d23c6f46e3cec142f99d15a13a4ce2eb97c7f +Author: KenGordon +Date: Fri Mar 11 17:47:34 2022 +0000 + + Revert to v2.5 schema GuestStateFileType to support release target OS (#1318) + + 
Signed-off-by: Ken Gordon + +commit 5f4ec160a744a86509b76e76c6b31c6857302bf5 +Author: Sean T Allen +Date: Thu Mar 10 13:26:34 2022 -0500 + + Fix typo in error message (#1322) + + Signed-off-by: Sean T. Allen + +commit 24ccf48759030888ce0e81b45555c21e635ef5cf +Author: Maksim An +Date: Wed Mar 9 19:06:57 2022 -0800 + + Add helper functions for generating security policy and setup CRI tests (#1309) + + Split dev tool logic to create security policy into several helper + functions, which can be reused in other places, e.g., integration tests. + Create a small helpers package under internal/tools/securitypolicy, + which hosts the above functions. Another option would be to put these + functions into securitypolicy package, however the dev-tool does + network requests, which didn't look like a good dependency to add for + the securitypolicy package itself, since creating a policy by itself + doesn't require any network access, given that caller knows all the + necessary information, mainly root hashes. + + Add simple integration tests for running a pod with container and + security policy passed via annotations. + + Signed-off-by: Maksim An + +commit d512c703e577ee85c4eabcffbe49f0d01f1e1af0 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Mar 8 16:48:53 2022 -0500 + + Scrubbing env vars from logs (#1315) + + Added code to remove environment variables from code path. + + 
Signed-off-by: Hamza El-Saawy + +commit f50f9750ce18de430c47bff1f16fa855daaf124e +Author: Maksim An +Date: Mon Mar 7 09:42:09 2022 -0800 + + Working directory enforcement (#1305) + + * Add current working directory enforcement. + + The working directory can be set as part of container image + by WORKINGDIR Dockerfile directive or could be explicitly + set inside CRI container config. Changing the CWD of container + can change the expected behavior of a container. + + If the working_dir config is not present or empty inside the + policy config, this information will be gathered from container + image spec. + + Add logic to enforce CWD enforcement inside GCS and extend + policy dev tool and policy structure to support this scenario. + The enforcement is an exact string match between what's in the + policy and what's in the generated container spec. If the paths + don't match, the container will fail to start. + + * Minor refactor of securitypolicy_test + + Add a utility funcion that picks a random container from an array + and generates a valid/invalid overlay for that container. Refactor + tests to use the new utility function. + + * Add unit tests for enforcing working directory + + 
Signed-off-by: Maksim An + +commit 3c1a37f636a392750f6851287f7b0465bfeb32aa +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri Mar 4 15:48:27 2022 -0800 + + Bump github.com/containerd/containerd from 1.5.9 to 1.5.10 (#1313) + + * Bump github.com/containerd/containerd from 1.5.9 to 1.5.10 + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.9 to 1.5.10. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.9...v1.5.10) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + Signed-off-by: dependabot[bot] + + * go mod tidy && go mod vendor test folder + + Signed-off-by: Maksim An + + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Maksim An + +commit 15d381cfaf1d21049c7e72231113e874a3df60bb +Author: Maksim An +Date: Thu Mar 3 16:59:55 2022 -0800 + + fix lint issue (#1314) + + Signed-off-by: Maksim An + +commit 47214119f46d2e745b48f5f03400da710d432e42 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Mar 3 10:35:57 2022 -0800 + + Replace winapi GetQueuedCompletionStatus bind with x/sys/windows (#1307) + + Previously we had our own definition for GetQueuedCompletionStatus as x/sys/windows + had an incorrect definition for it. This was remedied a bit ago in this change + https://github.com/golang/sys/commit/683adc9d29d7bd1f0f778e1f7f2eeb61b415f4d5 + so we're alright to remove our own at this point. + + 
Signed-off-by: Daniel Canter + +commit 643ef46feef41b347d2d8579247b4bc8e6c236a2 +Author: Eng Zer Jun +Date: Wed Mar 2 02:17:52 2022 +0800 + + test: use `T.TempDir` to create temporary test directory (#1308) + + * test: use `T.TempDir` to create temporary test directory + + The directory created by `T.TempDir` is automatically removed when the + test and all its subtests complete. + + Reference: https://pkg.go.dev/testing#T.TempDir + Signed-off-by: Eng Zer Jun + +commit b8f77342111c213926a0fa9d91a8152bad579e67 +Author: cui fliter +Date: Tue Mar 1 15:08:18 2022 +0800 + + all: fix typo (#1310) + + * all: fix typos + + Signed-off-by: cuishuang + +commit d0f3c8555210c33714e78787e3a039a61ad98523 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Feb 25 22:31:13 2022 -0800 + + Add local user account creation for host process containers (#1286) + + * Add local user account creation for host process containers + + This allows a user the ability to pass a Windows group name as the username for the container. What happens in this + case is: + + 1. Client provides a Windows group name as the username for the container + 2. We validate that it's a group, and if so then make a temporary local + account. + 3. Add local account to the group passed in and run the container under the + account. + 4. On container exit delete the account. + + This allows a client to setup a group with whatever permissions/restrictions + needed on it and have any host process containers run as a user in the group. + The blocker for not just creating a user itself with the right permissions is + there's no cri field to pass a user password, and passwordless logon seems to be + blocked on Windows by default. + + 
Signed-off-by: Daniel Canter + +commit a483a5a66841af3c935da66084d495adc4cd8ecd +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Feb 24 11:39:18 2022 -0500 + + Disable unsafe container options (#1260) + + Add annotations to disable unsafe container operations, regardless of container spec: + * adding writable vSMB or plan9 file shares to hypervisor isolated containers' UVM + * using gMSAs for WCOW containers + (Annotation to disable vSMB direct maps already exists) + + Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com + +commit 14414dd562b1bf51cf2d3e3df8aa9be5e8804067 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Sat Feb 19 04:07:09 2022 -0800 + + Linux GCS: Log disk info on ENOSPC errors (#1297) + + * Linux GCS: Log disk info on ENOSPC errors + + We've had quite a few times where creating the upper or work directories in + the guest fails with ENOSPC but we don't have any view into what the mount + looks like at the time we get this. This change just catches any ENOSPC errors + when creating an overlayfs mount, calls statfs and logs the disk space and inode + info for the mount the failed directory is on. This should make investigating + these types of issues much easier. + + This may be followed up with a change to delete the upper and work directories + for a container, as this becomes troublesome with the model for sharing a scratch volume. + + 
Signed-off-by: Daniel Canter + +commit c7fa7edd431dd5f9861b3a4f4ba5d9b2a0a702c4 +Merge: bb3403c4e 53deaa71e +Author: Kathryn Baldauf +Date: Fri Feb 18 10:20:53 2022 -0800 + + Merge pull request #1298 from katiewasnothere/skip_cpu_group_tests + + Skip test for updating VM cpugroup membership for now + +commit bb3403c4e5c84fccd8c559d81c4eb962cffb9787 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Feb 17 17:00:10 2022 -0800 + + Put Linux build tag on /internal/guest/transport/vsock.go (#1301) + + Most of the code in /internal/guest has build tags as it's all Linux specific + so apply one for vsock.go as well as vsock.Dial is unimplemented on Windows. + + This also fixes a linter issue we've been seeing on the push trigger for + golangci-lint. It complains that the error check we're performing can + never be true (err == nil) because on linting this file with GOOS=windows + it will check the Windows implementation for vsock.Dial which is hard coded + to return an unimplemented error always. + + Signed-off-by: Daniel Canter + +commit 12b02a180881297d330d6261e166a97a79023fe2 +Author: Maksim An +Date: Tue Feb 15 14:02:28 2022 -0800 + + Fix bugs in network setup introduced by a refactor PR (#1299) + + When consolidating guest protocol into its own package + in https://github.com/microsoft/hcsshim/pull/1240 wrong constant + definition was used for adding a network namespace. Fix this by + using the correct constants. + + Signed-off-by: Maksim An + +commit 53deaa71ee22ddef2b56d095b2851b6d76e6614c +Author: Kathryn Baldauf +Date: Tue Feb 15 11:45:24 2022 -0800 + + Skip test for updating VM cpugroup membership for now + + 
Signed-off-by: Kathryn Baldauf + +commit 51f5ab825d8e45b852c48096a1b3dc3cfe665b98 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Feb 11 17:31:01 2022 -0800 + + Cleanup 'getUserTokenInheritAnnotation' (#1294) + + This function used to just return a bool of whether the annotation was "true" + or not which is a bit diffferent than what the name implied. Change to inheritUserTokenIsSet + to be more clear. It also used to check if the annotation was set internally which + shouldn't be needed as we only cared about whether it was "true" or not. If the + value isn't in the map we should just get back the default value of a string which + is fine for what it was being used for. + + Additionally moves a comment that was mistakingly directly above the function body + to the top of the file. + + Signed-off-by: Daniel Canter + +commit afce23edcaf579d435d029ff69649e3aa4c605f2 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Feb 11 14:05:58 2022 -0800 + + Fix comment placement for layers.MountContainerLayers (#1295) + + The comment had an empty line between it and the declaration so it didn't + show up for go doc. + + 
Signed-off-by: Daniel Canter + +commit 7fbdca16f91de8792371ba22b7305bf4ca84170a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Feb 9 15:38:21 2022 -0800 + + Fix Network Namespace Bug For Ctr (#1270) + + If you try and run a hypervisor isolated container through ctr + (.\ctr.exe run --runtime io.containerd.runhcs.v1 --rm --isolated + mcr.microsoft.com/windows/nanoserver:1809 xenon-test cmd /c "echo Hello + World!") currently you'll get "ctr: failure while creating namespace for + container: network namespace not found: unknown". The normal path through + ctr is no network namespace is passed, so our shim will try and make one. + The namespace was being created via `hns.CreateNamespace` which stores the + ID of the namespace in all caps, however later on in the process when we + go to add the namespace to the uvm we re-grab a namespace object via + `hcn.GetNamespaceByID` which populates the Id field in all lowercase. + + When we originally store the namespace in our map of known namespaces we use + the hns packages casing, and when we go to add any endpoints to the vm + (there shouldn't be any anyways if we went through ctr and didn't provide --cni) + then we'll fail to find the namespace due to a casing mismatch. We already create + the namespace for cri interactions with the hcn package so this truthfully + brings this fallback path in line. + + Signed-off-by: Daniel Canter + +commit 5a3c0efea7ccefbbda5b163facb48815fbf2bd8b +Author: Maksim An +Date: Wed Feb 9 09:45:08 2022 -0800 + + Add new guest request/resource packages (#1240) + + hcsshim and GCS redefine protocol messages. Any change to + the protocol requires redefinitions in both hcsshim and GCS. + This PR combines the two protocol definitions into one to + resolve this. + + Create new guestrequest and guestresource internal packages + and update references in code. + + 
Signed-off-by: Maksim An + +commit aa793a24d9a33f057ba9ec4ebb1a35813795981b +Merge: f9c0efaab 5e5baea6e +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Tue Feb 8 14:04:31 2022 -0500 + + Delete shim workloads tasks in pod. #1271 + + This commit supports restarting containers and pods using CRI: + kevpar/cri#13 + + This PR allows the service to remove tasks from a pods workloadTasks map after the task and associated execs have been shut down during in a delete task request, allowing for proper deletion of the task and freeing up associated resources when + received by the service. Namely, this frees up the deleted task's ID, so that new tasks can be created with that same ID after the original task has been deleted (ie, so a task can be restarted within a running pod). + + A DeleteTask function was added to the shimPod interface to implement most of this functionality. + + Additionally, the service, in deleteInternal, resets its internal reference to the init task (shimPod or shimTask) reference, taskOrPod, if the delete is issued for the init task, as a marker that the service is no longer operational and to prevent future operations from occurring. + + Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com + +commit 5e5baea6e70eb846dde3c0b11ef405a613b189f3 +Author: Hamza El-Saawy +Date: Mon Feb 7 19:24:31 2022 -0500 + + PR: error messages, docs, and formatting + + Signed-off-by: Hamza El-Saawy + +commit f9c0efaab4ed4a9435579be25d8467f56ab05407 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Feb 4 15:48:58 2022 -0800 + + Enable gofmt in linter (#1293) + + Will be nice to have this on to catch go fmt offenders + + 
Signed-off-by: Daniel Canter + +commit c019e22aaddfb83405b8648a8c16427f89b00350 +Merge: e382e6d62 9d05b5b66 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Feb 4 15:47:48 2022 -0800 + + Merge pull request #1292 from jsturtevant/expand-job-envs + + Expand env variables for job containers to job mount path + +commit 9d05b5b66d4cc3e678b4cd87b50a54977820101c +Author: James Sturtevant +Date: Thu Feb 3 16:17:35 2022 -0800 + + Add test case for job env expansion + + Signed-off-by: James Sturtevant + +commit e382e6d62466230d2cd11e7fd33ceba8d8c940c7 +Merge: 71baff48e 60d133f98 +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Fri Feb 4 11:39:30 2022 -0500 + + Shutdown hcsshim properly #1289 + + Currently, when a Shutdown request is received, service calls os.Exit to forcefully exits the binary without cleaning up resources and IO channels, ending spans, or flushing logs. Primarily this prevents logging of shim-wide or long running spans but can also leak un-closed system resources. + + For reference, the runc shim within containerd does not respect the ShutdownRequest.Now parameter, and calls several cleanup callbacks instead of exiting immediately via os.Exit + + Added .Done() and .IsShutdown() methods to service to signal that a service shutdown request from containerd for the init task was received, and updated the serve action to wait on a shutdown request to close the ttrpc servers and pipes. + + Added NewService method and creation options to properly initialize the service struct, namely to create the internal channel to signal shutdown. + + Added tests for shutdownInternal. + + 
Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com + +commit 014849a4b0dcf88831921f34ba751b0400716203 +Author: James Sturtevant +Date: Thu Feb 3 14:20:51 2022 -0800 + + Expand env variables to job mount path + + When installing tools into container it is sometimes desirable to have + those tools on the path for the current process. Since the Windows + doesn't support variable expansion on the PATH variable and the + job mount path as something that isn't know at runtime we need to expand + it for the passer. This could go away if the mount path is no longer + used in the future. + + Signed-off-by: James Sturtevant + +commit 71baff48e5c02e5cfa4c298845e5d6dc1ea3ba3f +Merge: c740798fb ebc1d85be +Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> +Date: Thu Feb 3 14:11:30 2022 -0500 + + Bug fix with runc container lifetime management #1272 + + Fixed bug where container is cast as a process, which then causes the + container to be deleted prematurely before when the container finishes + executing. + Currently, whenever an LCOW container is stopped, the logs show multiple + errors being raised that runc cannot find the container, which cause the + Kill command issued by containerd to exit unsuccessfully. + + Added conversion of runc log file error strings into error types that + wrap HResult error types. + Wrapped runc errors from log file, which is more informative that error + returned from cmd execution. + + Added traces to guest container operations, to trace low level container + operations. + + Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com + +commit 60d133f98161034dee5a161527168ced7b6fff9c +Author: Hamza El-Saawy +Date: Thu Feb 3 12:02:05 2022 -0500 + + PR: error messages, naming, tests + + Checking return value of `shutdownInternal` for cleanup in service + tests. + + 
Signed-off-by: Hamza El-Saawy + +commit 707bd112c9197f5e29d79af74a5ba43dbddd876d +Author: Hamza El-Saawy +Date: Wed Feb 2 19:11:51 2022 -0500 + + PR: ttrpc shutdown timeout + + ttrp.Shutdown( has a 200ms ticker, not a timeout. + Adding a proper timeout in case shutdown takes too long. + + Signed-off-by: Hamza El-Saawy + +commit 82f585374dd0acde9b8ff839f0e48cd93f83f359 +Author: Hamza El-Saawy +Date: Wed Feb 2 14:39:01 2022 -0500 + + Adding proper shim shutdown + + Currently, Shutdown requests forcefully exits the binary without + cleaning up resources and IO channels, or flushing logs. + + Added `.Done()` and `.IsShutdown()` methods to service watch for + service shutdown requests from containerd, and appropriately close + background servers and go routines. + + Added `NewService` method and creation options to properly initialize + the `service` struct. + + Signed-off-by: Hamza El-Saawy + +commit c740798fbba52170ca249d7b0fa839430d375423 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Wed Feb 2 13:48:30 2022 -0800 + + Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 (#1241) + + * Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 + + Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.2 to 1.0.3. + - [Release notes](https://github.com/opencontainers/runc/releases) + - [Commits](https://github.com/opencontainers/runc/compare/v1.0.2...v1.0.3) + + --- + updated-dependencies: + - dependency-name: github.com/opencontainers/runc + dependency-type: direct:production + ... + + Signed-off-by: dependabot[bot] + + * vendor test + + Signed-off-by: Maksim An + + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Maksim An + +commit b846a9aefb9ac57bfc7807e74113c89f14809f70 +Author: Hamza El-Saawy +Date: Tue Feb 1 18:14:35 2022 -0500 + + PR: .Wrapf( to .Wrap( + + 
Signed-off-by: Hamza El-Saawy + +commit 95e0bcc9c2c1b53f9fcea471a217b955a6a5257c +Merge: 3ac1cea98 a7ef15343 +Author: Kevin Parsons +Date: Tue Feb 1 14:49:53 2022 -0800 + + Merge pull request #1288 from microsoft/createpod-err-shadow + + shim: Don't shadow err return in createPod + +commit a7ef153433cc0fe33119883a106b4e87507380d3 (hcsshim/createpod-err-shadow) +Author: Kevin Parsons +Date: Tue Feb 1 14:31:45 2022 -0800 + + shim: Don't shadow err return in createPod + + Correctly uses a named return value on createPod. Previously if err was + redeclared in a nested scope and then returned, defers would not see the + returned error value. In particular this prevented the UVM cleanup defer + from working properly. + + Signed-off-by: Kevin Parsons + +commit 3ac1cea982c360f03c6fa22c299214c12a9220e4 +Author: Maksim An +Date: Fri Jan 28 14:47:58 2022 -0800 + + Refactor code for security policy (#1279) + + The current implementation exposes some internal structure, + which is unnecessary as well as some structs are duplicated + across security policy package and security policy tool. + This PR refactors code to de-duplicate exported structures + and hides internal implementation behind new factory methods. + + 
Signed-off-by: Maksim An + +commit d082725f6fc43269dd4adf659a3cd72e989c9783 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jan 25 22:11:04 2022 -0800 + + Fix checkptr error with > 1 process in job object (#1284) + + The `AllPids` method on JOBOBJECT_BASIC_PROCESS_ID_LIST would allocate a + very large array to store any pids in the job object, cast the memory to + this array, and then slice down to what elements it actually took up in + the array based off the value of what was in the NumberOfProcessIdsInList + field. The checkptr compile option doesn't like when slices don't have + an explicit length and capacity so this change updates the slicing to use + a three-index slice to set the capacity to the same as the length. + + Before for fmt.Println(len(arr), cap(arr)) -> 2, 134217727 + After: -> 2, 2 + + This change additionally adds a test in internal/jobobject and modifies the + TestExecWithJob test in internal/exec to verify that checkptr doesn't get angry + when we hit a codepath that performs the cast + + Signed-off-by: Daniel Canter + +commit 134fdfa81e5e1274d0493c465bed223dceb5bfc6 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jan 25 15:17:21 2022 -0800 + + Skip TestPseudoConsolePowershell for now (#1285) + + This test is fairly flaky on the Github CI but seems to run fine locally (maybe pure + luck). Skip this for now to let contributions continue without a hitch and until we + can replace this with a better suited test shortly. + + Signed-off-by: Daniel Canter + +commit ebc1d85be9556c8670a7146524ef4e9d2ebcaacb +Author: Hamza El-Saawy +Date: Sat Jan 22 21:30:21 2022 -0500 + + PR: idiomatic error names + + 
Signed-off-by: Hamza El-Saawy
+
+commit 61aa915d2f74e909b00e17ec3e4bdfddc768c0b0
+Merge: 48586c11d 256eaa74a
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Fri Jan 21 15:41:22 2022 -0800
+
+ Merge pull request #1281 from dcantah/add-retrylayer-log
+
+ Add logging to layer retry code path
+
+commit 48586c11d065047256890b183afb14912c8192c2
+Merge: 92d8d3643 37b27830c
+Author: Kathryn Baldauf
+Date: Thu Jan 20 14:53:10 2022 -0800
+
+ Merge pull request #1239 from katiewasnothere/ncproxy_network_endpoint
+
+ Update ncproxy to include new ncproxy network and endpoint types
+
+commit 92d8d3643ff75771f541c26bc060fa9fe0ff314e
+Merge: 040cbe5e2 3a44b8dc8
+Author: Kathryn Baldauf
+Date: Thu Jan 20 14:52:09 2022 -0800
+
+ Merge pull request #1283 from anmaxvl/fix-extended-process-info-test
+
+ Fix Test_ExtendedTask_ProcessorInfo CRI test
+
+commit 36b39fe23dcbd38df21a1422514563576a237c9e
+Author: Hamza El-Saawy
+Date: Thu Jan 20 17:49:54 2022 -0500
+
+ PR: log message
+
+ Signed-off-by: Hamza El-Saawy
+
+commit 3a44b8dc8790ed02efe2e8e7e4d70f532e2db34f
+Author: Maksim An
+Date: Thu Jan 20 09:50:38 2022 -0800
+
+ Fix Test_ExtendedTask_ProcessorInfo CRI test
+
+ Test_ExtendedTask_ProcessorInfo had a minor bug, when the
+ processor info request would return an error and the error was
+ expected. The test would still proceed to check the processor
+ count from the response in whicn case the response is nil and
+ the check results in nil point dereference.
+
+ Signed-off-by: Maksim An
+
+commit 256eaa74a9ee112d528d0e05f0c3d8bfeed2aeaf
+Author: Daniel Canter
+Date: Wed Jan 19 15:01:55 2022 -0800
+
+ Use timeout in .golangci.yml
+
+ We have a timeout defined in the golangci.yml file but it doesn't get honored
+ as the commandline flags have higher priority. This change removes the --timeout
+ specified for args so the timeout from the config will be used.
+
+ 
Signed-off-by: Daniel Canter
+
+commit 2c7d2d70ee502d7e97c4e65446d7fb0747df2a8b
+Author: Daniel Canter
+Date: Wed Jan 19 14:27:53 2022 -0800
+
+ Add logging to layer retry path
+
+ This change adds a small log to the code path that handles retrying layer
+ setup if we encountered a set of known error codes that we'd observed on
+ ws2019. This is mostly just so we can tell how often we're actually hitting
+ this and see which error is most prevalent.
+
+ Signed-off-by: Daniel Canter
+
+commit 040cbe5e2578a2741d33e7de1e8969aa95cc2255
+Merge: 05093b3d5 1ff2dd2a3
+Author: Kathryn Baldauf
+Date: Wed Jan 19 14:13:32 2022 -0800
+
+ Merge pull request #1243 from katiewasnothere/querycompute
+
+ Add new service for querying compute systems' information
+
+commit 37b27830c38678e7ae0ebe55bb9b114f2117c3d7
+Author: Kathryn Baldauf
+Date: Wed Jan 19 14:09:21 2022 -0800
+
+ Add log statements when querying ncproxy database fails
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 1ff2dd2a36765c73115b7f319ed8b9653b13cca2
+Author: Kathryn Baldauf
+Date: Wed Jan 19 13:33:14 2022 -0800
+
+ Rename service internal call to match naming scheme
+
+ 
Signed-off-by: Kathryn Baldauf
+
+commit 05093b3d521603ae81d89692dc7b5b4610d2a842
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Fri Jan 14 19:43:33 2022 -0800
+
+ Update Go module version to 1.17 (#1222)
+
+ Update Go module version to 1.17
+
+ This change does three things:
+
+ 1. Runs gofmt on Go 1.17 in /internal, /cmd, /hcn, and /test. Go 1.17 added a new syntax for build tags that gofmt automatically applies. The new format will just be ignored on older builds and 1.17 and up will prefer the new syntax (which is much nicer if I may add), so this should be harmless.
+
+ 2. Updates the go directive in our go.mod to be 1.17. We don't currently make use of any 1.17 features but we plan to (as well as the 1.16 io/fs additions).
+
+ 3. Runs go mod vendor in the root of the repo and in /test for the new module graph pruning (https://go.dev/ref/mod#graph-pruning)
+
+ Signed-off-by: Daniel Canter
+
+commit 617d439d8cb0da67cbd9fb24ba74ce811c779dc4
+Author: Maksim An
+Date: Thu Jan 13 12:12:27 2022 -0800
+
+ Fix ReadDMVeritySuperBlock function (#1257)
+
+ Make sure to assert the value of dmveritySuperblock.Signature before
+ trying to read the root hash. Without the check, any valid footer with
+ with valid size would be treated as a dm-verity superblock.
+
+ Additionally wrap original Read errors, rather than custom errors.
+ In some places when returning an error from ReadDMVeritySuperBlock,
+ a custom error was wrapped, rather than the original error, which
+ complicates assertions with errors.Cause/errors.Unwrap.
+
+ Add unit tests to cover other edge cases.
+
+ 
Signed-off-by: Maksim An + +commit 790bcae4c9e9734f4ca50d0e17b03ed749f2b4d9 +Author: Gabriel +Date: Thu Jan 13 20:13:48 2022 +0200 + + Add ErrInvalidHandle and fix list stats (#1276) + + When querying the stats of a container that is in the process of being + stopped, an ERROR_INVALID_HANDLE (0x6) may be returned. This change + ignores that error and returns an empty stats object. + + This change also fixes the return values of Stats() when encountering + one of the expected errors. Returning nil stats when error is nil will + break caller assumptions of finding a valid value when error is nil. + Instead, an ErrNotFound is returned. + + Signed-off-by: Gabriel Adrian Samfira + +commit fae5736ce67dfbcfceea4d475f59ca798baafb79 +Author: Kathryn Baldauf +Date: Wed Jan 12 13:55:50 2022 -0800 + + Address PR feedback + * Clean up GetEndpoints and GetNetworks calls + * Use individual testing object for tests with subtests + * Misc clean up + + Signed-off-by: Kathryn Baldauf + +commit b70f091776c2a9ee8e18907fbfbaf07a3c61203b +Author: Kathryn Baldauf +Date: Tue Jan 4 17:03:14 2022 -0800 + + Address PR feedback + * Move ncproxy related package to unified location + * Add manifest to ncproxy binary + + Signed-off-by: Kathryn Baldauf + +commit 03f5839bd04e976e8d62790f42547740de5798fb +Author: Kathryn Baldauf +Date: Thu Oct 28 20:18:03 2021 -0700 + + Update ncproxy to include new ncproxy network and endpoint types + + Signed-off-by: Kathryn Baldauf + +commit 6aad8d45ed44bf98bfc0a68c6d97bcbd2051e6d4 +Author: Kathryn Baldauf +Date: Tue Jan 11 16:26:10 2022 -0800 + + Update service name to ExtendedTask + + Signed-off-by: Kathryn Baldauf + +commit 13de685dfc51e9710aabe5fd0487158a6c891dbf +Author: Kathryn Baldauf +Date: Tue Jan 11 16:11:54 2022 -0800 + + Add cri-containerd tests for Query Compute service + + 
Signed-off-by: Kathryn Baldauf + +commit 9bc8d28a2a1ff27d2712ef7ac7bee5842524ec7e +Author: Kathryn Baldauf +Date: Mon Dec 13 13:38:06 2021 -0800 + + Add new service for querying compute systems' information + * Motivation: SRIOV enabled network endpoints need information about + the target compute system's CPU count to determine appropriate settings, + specifically the number of queue pairs to use. Since the network + agent sets up network endpoints via ncproxy, this information is + not readily available. + * This change creates a new service `QueryCompute` that the network + agent can query to get any necessary information about compute + systems. + * For now `QueryCompute` has a single message `ProcessorInfo` that's + only supported by a pod task to address the immediate motivation above. + * Create a test tool for dev testing. + + Signed-off-by: Kathryn Baldauf + +commit 5e7e3bbeb8a7cfcb5b7b8745e3ead4a94ea3578b +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Jan 10 17:02:24 2022 -0800 + + Rework process dump cri-containerd tests (#1267) + + * Rework process dump cri-containerd tests + + This change aims to deflake the Windows process dump test by continuously + checking for a .dmp instead of waiting some arbitrary amount of time and + then checking once. While we haven't seen any flakes with the Linux version + of this test for generating coredumps, the same logic is employed for the + LCOW test as well. + + 
Signed-off-by: Daniel Canter + +commit a46015228ff1115614e9e4d7859e7d91cb955458 +Merge: 77c027042 a8605ecca +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Jan 10 16:56:12 2022 -0800 + + Merge pull request #1269 from gabriel-samfira/handle-process-already-stopped + + Make kill noop on second run + +commit b2e849f29bc224307a1dd528df48962db2ccdacd +Author: Hamza El-Saawy +Date: Mon Jan 10 11:42:25 2022 -0500 + + Bug fix with runc container lifetime management + + Fixed bug where container is cast as a process, which then causes the + container to be deleted prematurely before when the container finishes + executing. + + Added conversion of runc log file error strings into `error` types that + wrap HResult error types. + Wrapped runc errors from log file, which is more informative that error + returned from cmd execution. + + Added traces to guest container operations, to trace low level container + operations. + + Signed-off-by: Hamza El-Saawy + +commit 2b7d97888fff8e11ae040aa9642f245938667b56 +Author: Hamza El-Saawy +Date: Mon Jan 10 11:35:51 2022 -0500 + + Delete shim workloads tasks in pod. + + This commit supports restarting containers and pods using CRI. + + Delete task request now removes tasks from `pod`'s `workloadTasks` map, + and added `DeleteTask` function to `shimPod` interface so new tasks can + use the same ID (ie, so a task can be restarted in a running pod). + + Signed-off-by: Hamza El-Saawy + +commit a8605eccaa4bfdca42f199ab3b4d5901791dcab0 +Author: Gabriel Adrian Samfira +Date: Fri Jan 7 23:11:31 2022 +0200 + + Make kill noop on second run + + If a kill has already been delivered, ignore subsequent calls to + Kill() and simply return the previous status. + + This change also defines ErrProcessAlreadyStopped and ignores that + error if encountered during kill. + + 
Signed-off-by: Gabriel Adrian Samfira + +commit 77c0270424049ab4c850c076601add11882e7c1e +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Jan 6 16:00:41 2022 -0800 + + Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 (#1266) + + * Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.8 to 1.5.9. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.8...v1.5.9) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + Signed-off-by: dependabot[bot] + + * revendor test + + 
Signed-off-by: Maksim An + + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Maksim An + +commit c285d152e802860615bd2d5d6561a15dd5885947 +Merge: 6241c53e0 876cf72b3 +Author: Maksim An +Date: Thu Jan 6 13:00:47 2022 -0800 + + Merge pull request #1265 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.9 + + Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 in /test + +commit 876cf72b385d28745f6b05bc8391901d02409600 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Jan 6 17:50:23 2022 +0000 + + Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 in /test + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.8 to 1.5.9. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.8...v1.5.9) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + Signed-off-by: dependabot[bot] + +commit 6241c53e02a8fb9cbfb67d86ad583c31bf090caa +Merge: 422eb31c3 a6edb2596 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jan 5 23:00:32 2022 -0800 + + Merge pull request #1249 from gabriel-samfira/wait-for-init-exit + + Wait for waitInitExit() to return + +commit a6edb2596b408a6476e8a0b5b1b1b830423b4a55 +Author: Gabriel Adrian Samfira +Date: Mon Dec 20 17:57:58 2021 +0200 + + Wait for waitInitExit() to return + + This change gives waitInitExit() a chance to cleanup resource + when DeleteExec() is called, before returning. + + This should fix situations where the shim exits before releasing + container resources. + + 
Signed-off-by: Gabriel Adrian Samfira + +commit 76881a295eb81d774cc764ce33291b239d0ea731 +Author: Gabriel Adrian Samfira +Date: Thu Dec 23 13:19:57 2021 +0200 + + Fix Range() iteration + + The function passed into the Range function of sync.Map will stop the + iteration if false is returned. This commit makes sure we iterate + through all elements in the map. + + Signed-off-by: Gabriel Adrian Samfira + +commit 422eb31c36e8f3908bb4b1d6e5e001867d4dfac8 +Merge: e093fbd40 bfd638206 +Author: Kathryn Baldauf +Date: Wed Jan 5 17:57:14 2022 -0800 + + Merge pull request #1246 from katiewasnothere/endpoint_settings_add_nic + + Add endpoint settings to add nic call + +commit bfd63820696c509ff093e6def37541c4a77d51b4 +Author: Kathryn Baldauf +Date: Tue Jan 4 17:09:23 2022 -0800 + + Update AddNIC test to use correct expected error value + + Signed-off-by: Kathryn Baldauf + +commit e093fbd404aeaa51f9728dab1125bd48b52f3d5a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Dec 31 08:48:00 2021 -0800 + + Rework TestPseudoConsolePowershell (#1255) + + Before this test used to write something to the pty and then see if we + could read the same thing shortly afterwards. Really all we wanna test here + is just that we can write things in general, so the same thing that + TestExecStdinPowershell is currently doing should suffice. + + If the process exits then the 'exit' write went through so that should be + plenty for this test. This change additionally adds a timeout for waiting + for the process to exit for TestPseudoConsolePowershell as well as + TestExecStdinPowershell so we have some indicator for if the 'exit' write + didn't work. + + Signed-off-by: Daniel Canter + +commit 42d6961ef52bf324ddb4ffd9a108fb6a917efb1b +Author: Maksim An +Date: Thu Dec 30 13:04:52 2021 -0800 + + Fix deferred os.Umask usage in loops (#1256) + + 
Signed-off-by: Maksim An + +commit 3f2848ac3c9167f3a60b43385a6620c405227a03 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Dec 29 19:06:22 2021 -0800 + + Change redundant conpty.ConPTY struct name (#1259) + + This change renames the ConPTY struct in the conpty package to + Pty. + + Signed-off-by: Daniel Canter + +commit 58caeedaebd9cd721a74fafd2bdcbc274d8d21b9 +Author: Gabriel +Date: Wed Dec 29 20:52:26 2021 +0200 + + Ignore ERROR_ACCESS_DENIED on Kill (#1252) + + When calling HcsTerminateProcess on a process that has exited, but we + still have open handles to, an ERROR_ACCESS_DENIED may be returned. + + https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess#remarks + + Signed-off-by: Gabriel Adrian Samfira + +commit 0124eb3ce35da1d9946c02e9271627d8f2305511 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Dec 27 13:20:59 2021 -0500 + + Rename conpty.New to conpty.Create (#1254) + + This change renames conpty.New, the method used to create a new ConPTY + object, to Create instead. Mostly preference and to stay in line with what + we'd named the method for creating a job object. The windows API used to + create the pty is named 'CreatePseudoConsole' so to me it makes more sense. + + Signed-off-by: Daniel Canter + +commit e1ddd01d53d7167618ca1874d9d8da22d17cfe17 +Author: KenGordon +Date: Tue Dec 21 17:31:45 2021 +0000 + + HCS fixes for HclEnabled and guest state file type. (#1250) + + * HclEnabled is required or it SEEMS to work but the vmgs gets written on. + + * Match the regular code - adds HclEnabled and correct guest state file type. + + 
Signed-off-by: Ken Gordon + +commit 03803124b08fd910b12d7bf18e96b62d9c86f665 +Merge: 2314362e9 ba2abba88 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Dec 20 17:08:01 2021 -0500 + + Merge pull request #1248 from dcantah/hpc-tty + + Swap to the internal/exec pkg for host process containers + +commit ba2abba8840aeb9064cd177c6babfe8593cdc897 +Author: Daniel Canter +Date: Sun Dec 19 11:32:42 2021 -0500 + + Add tty support for host process containers + + This change adds in the necessary bits to get tty support for host + process containers working by leveraging the pseudo console APIs in + Windows and the new internal/exec package. + + Signed-off-by: Daniel Canter + +commit 11f91057913bc449893296cf8d0d9f6152dd7226 +Author: Daniel Canter +Date: Sun Dec 19 11:17:40 2021 -0500 + + Change to using internal/exec pkg for host process containers + + This change swaps to using the new internal/exec package for host process + containers to make use of the pseudo console functionality and ability to + launch a process in a job object at creation time instead of assigning + shortly after. This does not add in the implementation for pseudo console + usage, just changes to the package that allows the functionality. + + 
Signed-off-by: Daniel Canter + +commit 2314362e977aa03b3ed245a4beb12d00422af0e2 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Sat Dec 18 09:11:05 2021 -0500 + + Add new exec package for host process containers (#1233) + + * Add new exec package for host process containers + + This change adds a new exec package thats main goal is to run + external processes on Windows. Unfortunately due to a couple + things that can't be accomplished with the stdlib os/exec package, + this new package is meant to replace how processes for host process + containers are launched. + + The main shortcomings are not being able to pass in a pseudo console to use + for tty scenarios, and not being able to start a process assigned to a job object + instead of doing the Create -> Assign dance. Both of these issue are centered + around not having access to the process thread attribute list that is setup inside + of syscall.StartProcess. This is needed to be able to properly setup both cases, + as it requires calling UpdateProcThreadAttribute and passing in what's necessary + for both scenarios. + + This change ends up bumping x/sys/windows as well to grab some fixes for the attribute list functionality. + + 
Signed-off-by: Daniel Canter + +commit 27c40c68d50b5f65ab1508b8ebebebf68822d6fb +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Dec 16 22:52:16 2021 -0500 + + Bump github.com/opencontainers/image-spec from 1.0.1 to 1.0.2 in /test (#1247) + + Bumps [github.com/opencontainers/image-spec](https://github.com/opencontainers/image-spec) from 1.0.1 to 1.0.2. + - [Release notes](https://github.com/opencontainers/image-spec/releases) + - [Changelog](https://github.com/opencontainers/image-spec/blob/main/RELEASES.md) + - [Commits](https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2) + + --- + updated-dependencies: + - dependency-name: github.com/opencontainers/image-spec + dependency-type: direct:production + ... + + Signed-off-by: dependabot[bot] + + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 1d27d4ab2d07891c15accd6cc50a41046ce10095 +Merge: 3c6830393 b128cacc3 +Author: Kathryn Baldauf +Date: Thu Dec 16 13:20:52 2021 -0800 + + Merge pull request #1238 from ambarve/e2e_unordered_test + + Add E2E test for pulling images with unorderd tar + +commit 13e30f2df903f29eb8ee066a18c2faef558c40f1 +Author: Kathryn Baldauf +Date: Thu Dec 16 12:55:06 2021 -0800 + + Add endpoint settings to add nic call + + 
Signed-off-by: Kathryn Baldauf + +commit 3c68303936d7a6e751d7993b8667e3bd375f2ee2 +Merge: f8cbd0b11 0a92f8b9c +Author: Kathryn Baldauf +Date: Wed Dec 15 10:23:13 2021 -0800 + + Merge pull request #1244 from dcantah/fix-ci + + Revendor in /test and remove dead code + +commit 0a92f8b9c79808d798df34721b9fe8256edecd9c +Author: Daniel Canter +Date: Wed Dec 15 11:22:19 2021 -0500 + + Revendor in /test and remove deadcode + + Somehow after the last two check-in's the CI (specifically our linter) + started whining about ext4BlockSize being dead code. With the last check-in + to master our verify-test-vendor step also somehow didn't catch that + /internal/winapi/process.go was updated and needed to be pulled in. This + change fixes both of those issues. + + Signed-off-by: Daniel Canter + +commit f8cbd0b11c7ae5d6ab253851d6525aa745ed4f47 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Dec 15 08:01:54 2021 -0800 + + Add conpty (pseudo console) package (#1228) + + * Add conpty (pseudo console) package + + This change adds a conpty package that houses go friendly wrappers around + the Pseudo Console API in Windows. This will be used to support tty scenarios + for Host Process containers. + + There's not many tests I can add here as you need to hook this up to a running + process, where that work is coming. + + Signed-off-by: Daniel Canter + +commit 9238796d7764a588f26571d9a97b5c64b045c04b +Author: Maksim An +Date: Mon Dec 13 15:24:15 2021 -0800 + + Add function to write hash device (#1235) + + Split hash-device computation and writing into a separate function. + This allows to store hash device in a separate file, which (e.g.) can + be converted to VHDs and exposed inside VMs as separate block devices. + + Update `dmverity-vhd` command-line utility to support writing hash device + as a separate VHD + + 
Signed-off-by: Maksim An + +commit b128cacc3492b6bb354e4093d5ea4d87fda211fc +Author: Amit Barve +Date: Mon Dec 6 06:23:26 2021 -0800 + + Remove unused imports + + Signed-off-by: Amit Barve + +commit 719f012f64d7687c11bdb6df457365b50bfc8b50 +Merge: f099e3487 6d388654a +Author: Kathryn Baldauf +Date: Fri Dec 3 10:35:23 2021 -0800 + + Merge pull request #1212 from katiewasnothere/ncproxy_api_hcn_only + + Update ncproxy API and adjust hcn support + +commit 6d388654a52dbc5d1ebfb95c6c3fda74bedfbbbb +Author: Kathryn Baldauf +Date: Thu Oct 28 20:18:03 2021 -0700 + + Update ncproxy API and adjust hcn support + + Signed-off-by: Kathryn Baldauf + +commit f099e34878c260511ff37873b7231b5f2c769199 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Dec 1 11:47:06 2021 -0700 + + Add ws2022 image/build to cri-containerd tests (#1160) + + * Add ws2022 image/build to cri-integration tests + + This change adds a new case to the getWindowsServerCoreImage and + getWindowsNanoserverImage functions to return ws2022 on a ws2022 or higher + build. The higher case is because of some recent efforts to improve down-level + compatability for Windows container images. For reference, the ltsc2022 image + works on a win11 host without hypervisor isolation. + + Signed-off-by: Daniel Canter + +commit ae9f6139382b8ccffbb95c437eebd9c57cddc8a9 +Author: Amit Barve +Date: Wed Dec 1 08:18:41 2021 -0800 + + go mod vendor & go mod tidy + + Signed-off-by: Amit Barve + +commit b26965778521d8eb635665952c0d1c3156ef2f61 +Author: Amit Barve +Date: Tue Nov 30 23:17:21 2021 -0800 + + Add E2E test for pulling images with unorderd tar + + 
Signed-off-by: Amit Barve + +commit 7646525e7a4d2608288ac2bcc7137d71e21d5297 +Merge: f52c34677 80376f872 +Author: Kathryn Baldauf +Date: Mon Nov 29 16:59:40 2021 -0800 + + Merge pull request #1215 from katiewasnothere/support_lcow_assigned_device + + Support assigning devices into LCOW + +commit 80376f8726dea4ef55a531f30443135fd5c08049 +Author: Kathryn Baldauf +Date: Mon Nov 29 16:29:12 2021 -0800 + + respond to PR feedback + + Signed-off-by: Kathryn Baldauf + +commit f52c34677adb0fca2e912cf5ee35c00a14c293c2 +Author: Maksim An +Date: Tue Nov 23 11:40:30 2021 -0800 + + Fix ReadExt4SuperBlock function (#1229) + + Previously the function would read bytes from a given file + and convert them into internal ext4 super block object, + without checking that the read bytes are actually ext4 + super block. + Fix the behavior by checking ext4 super block magic. + + Signed-off-by: Maksim An + +commit dccc62d2dd2cc3dcf9df7bbe1ef4165443b6ed49 +Merge: 3b78eb38e 29eeb4306 +Author: Kathryn Baldauf +Date: Mon Nov 22 16:37:43 2021 -0800 + + Merge pull request #1216 from katiewasnothere/restructure_ncproxy_apis + + Restructure location of various ncproxy apis + +commit 29eeb43065c37042dbf790cc7a001b142a05e9e2 +Author: Kathryn Baldauf +Date: Mon Nov 22 15:06:48 2021 -0800 + + Update doc files to include package name + + Signed-off-by: Kathryn Baldauf + +commit c40eb70128db878b55998bab295d32aa93db42bf +Author: Kathryn Baldauf +Date: Wed Nov 3 16:09:19 2021 -0700 + + Restructure location of various ncproxy apis to accomodate future changes + + 
Signed-off-by: Kathryn Baldauf + +commit 3b78eb38eb8a933128189539e3ba44e6fb543715 +Merge: 0f39fc7d1 fa17cd83e +Author: Kathryn Baldauf +Date: Mon Nov 22 11:16:23 2021 -0800 + + Merge pull request #1231 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.8 + + Bump github.com/containerd/containerd from 1.5.7 to 1.5.8 + +commit fa17cd83e149344912edadce267a46d2340cdcc1 +Author: Kathryn Baldauf +Date: Fri Nov 19 15:09:13 2021 -0800 + + Update containerd from 1.5.7 to 1.5.8 in /test + + Signed-off-by: Kathryn Baldauf + +commit a152a19df9858e5ccceeef66431125436aa22cff +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Thu Nov 18 16:45:43 2021 +0000 + + Bump github.com/containerd/containerd from 1.5.7 to 1.5.8 + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.7 to 1.5.8. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.7...v1.5.8) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + +commit 0f39fc7d19500769dcd4e5eb09800d9e5f448f9a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Nov 17 17:37:49 2021 -0800 + + Set default time zone for WCOW UVM (#1192) + + For the v2 hcs code paths it seems the only time a time zone is set is if + a new field on the guest connection settings is present (which we don't have) + while using the internal guest connection (shim -> hcs -> gcs). Otherwise + the guest is just left without a time zone set, so things like tzutil or + the get-timezone powershell cmdlet will return an invalid time zone set. + We swapped to always using the external guest connection we maintain in the + shim so we need to set a time zone explicitly. + + This change issues a request to the gcs to set a timezone via the same method that + hcs uses internally. It sets the guests time zone to whatever is present on + the host which is the docker behavior, and then all containers in the vm + should inherit this. Additionally expose an option to override this behavior and + just set the time zone to UTC. If the container wants to change its time zone + to something else, it is free to on supported images. + + See https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/virtual-time-zone + + Signed-off-by: Daniel Canter + +commit db9908f6da0f7da3590c25f4d0b24964d1f885ef +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Fri Nov 12 12:03:34 2021 -0800 + + Time synchronization inside LCOW UVM (#1119) + + Start time synchronization service in opengcs + + Changes to the opengcs to start the chronyd service after UVM boots. + + Signed-off-by: Amit Barve + + * + + Signed-off-by: Amit Barve + + * TimeSync service inside LCOW UVM. + + Add test to verify both chronyd running & disabled cases. Minor fixes in chronyd startup + code. + + Signed-off-by: Amit Barve + + * Run Chronyd with restart monitor + + 
Signed-off-by: Amit Barve + + * Force chronyd to step update time if difference is big + + Signed-off-by: Amit Barve + + * Fixes after rebase + + Signed-off-by: Amit Barve + + * go mod vendor & tidy + + Signed-off-by: Amit Barve + + * Use backoff package instead of manually calculating backoffs + + Signed-off-by: Amit Barve + + * Rename gcs cmdline params, use io.ReadFull instead of io.Read + + Minor other fixes. + + Signed-off-by: Amit Barve + + * go mod vendor + + Signed-off-by: Amit Barve + + * Ignore err if file doesn't exist + + Signed-off-by: Amit Barve + + * Use ioutil.ReadFile to read clock_name file + + Signed-off-by: Amit Barve + + * minor fix + + Signed-off-by: Amit Barve + + * Remove incorrect usage of backoff.MaxElapsedTime + + Signed-off-by: Amit Barve + +commit ddab09b33a352e5d66fe2419066a2858b337c544 +Author: Maksim An +Date: Thu Nov 11 15:55:03 2021 -0800 + + Rework merkle tree implementation to use io.Reader instead of byte array (#1209) + + MerkleTree implementation requires the entire content of ext4 file + system to be read into a byte array when computing cryptographic digest. + + This PR reworks the existing implementation to work with io.Reader + interface instead. + + Additionally update the existing usages of MerkleTree with the new + MerkleTreeWithReader implementation. + + Separate tar to ext4 logic of Convert into a ConvertTarToExt4 + function. + + 
Signed-off-by: Maksim An + +commit 3a8cd1e08c39c7efa59da94e349816da34a90359 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Nov 11 10:47:15 2021 -0800 + + Add 21H2 definitions to osversion package (#1205) + + * Add 21H2 definitions to osversion package + + This change adds three new definitions to the osversion package. All + three definitions are all of the 21H2 builds across Windows 10, Windows Server + and Windows 11, which all have different build numbers. + + The approach taken was to add a suffix to the definitions with Win10, Server and + Win11 respectively. + + Signed-off-by: Daniel Canter + +commit d230699f3b34933cb46281ceaedd1e61b6cce04a +Author: Stavros Volos +Date: Thu Nov 11 18:17:29 2021 +0000 + + security policy appended to container's environment variables (#1219) + + security policy appended to environment variables so that containers can have access to it at runtime + + Signed-off-by: Stavros Volos + +commit 041736614696a7394edcb733292688c2bab69ead +Author: Maksim An +Date: Wed Nov 10 15:34:10 2021 -0800 + + Add DefaultContainerAnnotations runhcs option (#1210) + + protos: Add default_container_annotations to runhcs options protos + + Assign default container annotations from runhcs options to + container spec Annotations, without overriding the ones that are + explicitly passed + + Signed-off-by: Maksim An + +commit 9e3ba9c8118307649b7839825cad06f236a3c5b9 +Author: Netal Gupta (negup) +Date: Wed Nov 10 15:29:13 2021 -0800 + + Add json struct tag to SetPolicyType's Type field (#1194) + + Add json struct tag to SetPolicyType's Type field + + The "Type" fieldname was interfering with an internal "Type" field. Added a struct tag to marshal it as "PolicyType" instead. + + 
Signed-off-by: netal + +commit 37ee929b0f0d80eed36fac7755bc7c90d3f96c75 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Nov 10 10:51:44 2021 -0800 + + go.mod: Bump ttrpc to 1.1.0 (#1223) + + This tag contains a fix for a deadlock we'd observed on Windows when multiple + requests were made in parallel. + + Signed-off-by: Daniel Canter + +commit aaf5db90ef6961e767a4d5ca4bcf7f1f6465bcca +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Nov 5 17:49:37 2021 -0700 + + Pass disk handle for computestorage.FormatWritableLayerVhd on RS5 (#1204) + + Pass disk handle for FormatWritableLayerVhd on RS5 + + On RS5 the HcsFormatWritableLayerVhd call expects to receive a disk handle. + On 19h1+ you can pass a vhd handle and internally they will do the same + work we're doing in this change to grab a disk handle to perform the format. + + Signed-off-by: Daniel Canter + +commit a1756afbc5e6d01acba33be06a7c6bf6832252a0 +Merge: 9c385bfd9 352791551 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Nov 5 16:38:19 2021 -0700 + + Merge pull request #1220 from dcantah/update-readme-goversion + + Update readme to list accurate go version + +commit 352791551847dbc62a8f880594664a4005468f5c +Author: Daniel Canter +Date: Fri Nov 5 16:31:33 2021 -0700 + + Update readme to list accurate go version + + Our README stated that you'd need go 1.9 or newer to build. Our go.mod + currently lists 1.13 however. + + 
Signed-off-by: Daniel Canter + +commit 9c385bfd904209184eca2b61b65b4ced32001f6c +Merge: 4230df2fb aea3b96d5 +Author: Kathryn Baldauf +Date: Thu Nov 4 22:59:56 2021 -0700 + + Merge pull request #1211 from katiewasnothere/sandbox_mounts_perm + + Fix permissions issues with sandbox mounts + +commit 4230df2fbfa9f0bf629c5aa60e27d04e15b29f36 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Thu Nov 4 15:15:04 2021 -0700 + + Handling of out-of-order whiteout files during tar expansion (#1218) + + Handling of out-of-order whiteout files during tar expansion + + When extracting a container image layer tar, some files can show in an out of order + fashion (i.e the file shows up first before its parent directory shows up). We already + handle this by creating these parent directories if they don't already exist. However, + that handling didn't apply to whiteout files. This commit fixes that. + + Signed-off-by: Amit Barve + +commit aea3b96d55b9ecd541427ecf523f9300c1b64c8e +Author: Kathryn Baldauf +Date: Thu Oct 28 15:40:29 2021 -0700 + + Fix permissions issues with sandbox mounts + + Signed-off-by: Kathryn Baldauf + +commit b8917e19cc175015248b327ed2ec74eb5e751ccb +Author: Maksim An +Date: Tue Nov 2 21:51:50 2021 -0700 + + Add retries when removing device mapper target (#1200) + + Add retries when removing device mapper target + + Additionally ignore the error from device mapper if target removal + still fails. The corresponding layer path is already unmounted + at that point and this avoids having an inconsistent state. + + Signed-off-by: Maksim An + +commit 3271c6eac70274d7b66bc2ecb1a5a36826456e50 +Author: Kathryn Baldauf +Date: Thu Oct 14 18:16:19 2021 -0700 + + Support assigning devices into containers + + 
Signed-off-by: Kathryn Baldauf + +commit 97ca2e099383e43b3a8f8f4bff1a4a3bb0ca40d8 +Merge: 47b617153 af37ae593 +Author: Kathryn Baldauf +Date: Tue Nov 2 10:47:23 2021 -0700 + + Merge pull request #1195 from katiewasnothere/lcow_install_modules + + Add tool to install modules in lcow and plumb through shim + +commit 47b6171536c0007446925be76619a507a7b6ea93 +Author: KenGordon +Date: Tue Nov 2 08:49:11 2021 -0700 + + Support booting isolated SNP from a GuestStateFile rather than separate kernel and userland (initrd.img) (#1206) + + Mainly this refactors the code that creates the hcs api json document into two paths. One is the previous + logic that will create a kernel command line and boot the kernel and userland from individual files using + the "LinuxKernelDirect" scheme. With isolation enabled this must be replaced with "GuestState/GuestStateFilePath" + etc to load from a vmgs file. + + There are updates and addition files in the schema2 directory to support the newer hcs API so that the existing + way where an object that represents the hcs api json is built and then serialised to json can be used with + isolation_setting etc. + + If a SecurityPolicy annotation is present it will boot the vmgs file unless + "io.microsoft.virtualmachine.lcow.no_security_hardware" is set to true. The various example pod.json files + will need to be updated for use with non SNP machines. + + Signed-off-by: Ken Gordon + +commit af37ae5930a29145b8200f944b7f8f6f6a0c6ec0 +Author: Kathryn Baldauf +Date: Mon Nov 1 12:57:54 2021 -0700 + + Move lcow install out of pnp file, remove unnecessary InstallWindowsDriver + + 
Signed-off-by: Kathryn Baldauf + +commit 7f72e50d237ad1413ef1b7fe400565e6a1d9a1fe +Merge: 27c580da3 1313fe1a1 +Author: Kathryn Baldauf +Date: Mon Nov 1 12:53:02 2021 -0700 + + Merge pull request #1196 from katiewasnothere/vpci_lcow_adapter + + Add support for finding net adapters that were assigned with vpci + +commit 27c580da303677f224d3d58de76da04f87fb3612 +Merge: 5f5e3ea28 573c1375f +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Oct 29 08:39:11 2021 -0700 + + Merge pull request #1197 from dcantah/retry-stdio-conns2 + + Add reconnect logic for stdio pipes + +commit 1313fe1a1be58e765207beec3eb716019387570c +Author: Kathryn Baldauf +Date: Thu Oct 28 13:09:43 2021 -0700 + + Address inconsistent vmbus naming, use of io/fs, and style + + Signed-off-by: Kathryn Baldauf + +commit 573c1375f5d664c52a589f3b910e126fb54b7e4d +Author: Daniel Canter +Date: Wed Oct 20 06:20:09 2021 -0700 + + Add reconnect logic for stdio pipes + + This change adds retry logic on the stdio relay if the server end of the named pipe + disconnects. This is a common case if containerd restarts for example. + The current approach is to make a io.Writer wrapper that handles the + reconnection logic on a write failure if it can be determined that the error + is from a disconnect. A new shim config option is exposed to tailor the retry timeout. + + This changes also adds cenkalti/backoff/v4 as a dependency to be used for handling + exponential backoff logic for the stdio connection retry attempts. Retrying + at a fixed interval is a bit naive as all of the shims would potentially + be trying to reconnect to 3 pipes continuously all in bursts. + This allows us to space out the connections, set an upper limit on timeout + intervals and add an element of randomness to the retry attempts. + + 
Signed-off-by: Daniel Canter + +commit 9ed0296c1f540d0c647d4e47efe69c385e061751 +Author: Kathryn Baldauf +Date: Thu Oct 28 12:34:22 2021 -0700 + + Remove io/fs package in favor of filepath functions + + Signed-off-by: Kathryn Baldauf + +commit d76a8dc422de2d77c6d0e7162f0b602daccd13e5 +Author: Kathryn Baldauf +Date: Thu Oct 14 12:11:23 2021 -0700 + + Add tool to install modules in lcow and plumb through + + Signed-off-by: Kathryn Baldauf + +commit 5f5e3ea28e8098234348f33b586d831eb2fee3dd +Merge: 08a61726e ac4a76a71 +Author: Kathryn Baldauf +Date: Wed Oct 27 11:19:57 2021 -0700 + + Merge pull request #1202 from katiewasnothere/cpugroup_update + + Support updating cpugroup membership + +commit 08a61726edab7d21845e3649bf48a901003031b2 +Merge: f174aa8e2 bc5e91468 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Oct 26 18:15:44 2021 -0700 + + Merge pull request #1207 from dcantah/jobcontainer-cmdline-fix + + Fix commandline double quoting for job containers + +commit bc5e9146833ced319652576721db0f052ce4c882 +Author: Daniel Canter +Date: Mon Oct 25 09:46:13 2021 -0700 + + Add test for job container cmdline quoting behavior + + This change adds a test to verify that commandlines with quotes don't get + additional quotes added on to them when combining the arguments given. + + 
Signed-off-by: Daniel Canter + +commit 7cb95b67220468546e50086a05d0d46d1ed48640 +Author: Daniel Canter +Date: Fri Oct 22 15:11:15 2021 -0700 + + Fix commandline double quoting for job containers + + We already escape the arguments passed to us by Containerd to form a + Windows style commandline, however the commandline was being split back + into arguments and then passed to exec.Cmd from the go stdlib. exec.Cmd + internally also does escaping, which ended up applying some extra quotes + in some cases where the commandline had double/single quotes present. This change + just passes the commandline as is to the Cmdline field on the Windows + syscall.SysProcAttr. Go takes this field as is and doesn't do any further + processing on it which is the behavior we desire. + + Signed-off-by: Daniel Canter + +commit f174aa8e22dc25924943984ae74bafc238228f62 +Author: Maksim An +Date: Fri Oct 22 13:28:18 2021 -0700 + + tests: Add CRI tests for integrity protection of LCOW layers (#1193) + + Add tests that validate that integrity protection is checked when + LCOW layers have dm-verity hashes appended. + + 
Signed-off-by: Maksim An + +commit 821c9a91dd8b5f4c28d9578eee56f68e9fec98ba +Merge: 60b5fa7ee d244780dd +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Oct 22 04:23:31 2021 -0700 + + Merge pull request #1203 from dcantah/computestorage-fix-layerdata + + Fix LayerData not being usable for ComputeStorage package + +commit d244780dd3c493de08037cd591678d755e3919e5 +Author: Daniel Canter +Date: Thu Oct 21 09:27:53 2021 -0700 + + Fix LayerData not being usable for ComputeStorage package + + Previously the LayerData structure in the computestorage package used + definitions from the hcs schema from /internal so it was not actually possible + to create a LayerData structure for an outside caller. + + This just creates local type aliases for hcsschema.Version and hcsschema.Layer + so a client can create the structure now using computestorage.Version and + computestorage.Layer respectively. + + Signed-off-by: Daniel Canter + +commit ac4a76a71168cd35647f72f22ff729eedd07725f +Author: Kathryn Baldauf +Date: Wed Oct 20 10:49:26 2021 -0700 + + Support updating cpugroup membership + + Signed-off-by: Kathryn Baldauf + +commit 60b5fa7eea6f95295888d71b0621eb1c1291fb67 +Merge: af3d66091 510109ed5 +Author: Kathryn Baldauf +Date: Wed Oct 20 12:59:30 2021 -0700 + + Merge pull request #1187 from katiewasnothere/allow_hardlinks_to_symlinks + + Remove block preventing us from making hardlinks to symlinks + +commit 510109ed51dcfee02585800d255460645ac62db8 +Author: Kathryn Baldauf +Date: Mon Oct 4 14:23:11 2021 -0700 + + Remove block preventing us from making hardlinks to symlinks + + 
Signed-off-by: Kathryn Baldauf + +commit af3d660913acc6c7a852990fd6d28a0d76f872de +Author: Maksim An +Date: Tue Oct 19 17:16:03 2021 -0700 + + Extend integrity protection of LCOW layers to SCSI devices (#1170) + + * extend integrity protection of LCOW layers to SCSI devices + + LCOW layers can be added both as VPMem and as SCSI devices. + Previous work focused on enabling integrity protection for read + only VPMem layers, this change enables it for read-only SCSI + devices as well. + Just like in a VPMem scenario, create dm-verity target when + verity information is presented to the guest during SCSI device + mounting step. + + Additionally remove unnecessary unit test, since the guest logic + has changed. + + Add pmem and scsi unit tests for linear/verity device mapper + targets + + Signed-off-by: Maksim An + +commit 51ce91cb9f70b3db255fe5f3d57bd3c17cfe988a +Author: Maksim An +Date: Tue Oct 19 16:19:40 2021 -0700 + + Export hcsshim annotations into its own package (#1201) + + Previously hcsshim annotations were not exported, which lead to use + of hardcoded strings in various places (e.g. tests, guest code etc). + This change creates a package just for the hcsshim annotations. + + Signed-off-by: Maksim An + +commit b406abf17bf5ea869c827d84e9eb2cd30fb70fd2 +Merge: 1b1197ba4 5ec59dcbc +Author: Kevin Parsons +Date: Tue Oct 19 13:22:00 2021 -0700 + + Merge pull request #1188 from kevpar/restart-tests + + Support restarting containerd in tests, add restart test case + +commit 5ec59dcbcd73b81aa0cffb239eab0532b1ad9b63 +Author: Kevin Parsons +Date: Fri Oct 15 14:10:57 2021 -0700 + + Add TerminateOnRestart feature flag for new test + + Signed-off-by: Kevin Parsons + +commit 7b098b06f30281941fdfdcd22f3b5c8cb8b1960c +Author: Kevin Parsons +Date: Fri Oct 15 14:07:16 2021 -0700 + + Address PR feedback + + 
Signed-off-by: Kevin Parsons + +commit 007ec077b22f0dc2a164972c39fcdf6d6c823fde +Author: Kathryn Baldauf +Date: Thu Oct 14 12:40:11 2021 -0700 + + Add support for finding net adapters that were assigned with vpci + + Signed-off-by: Kathryn Baldauf + +commit 1b1197ba4bfeb47a66fff780e21d95609a728939 +Merge: 2a4f8142a 2d0978cf7 +Author: Kathryn Baldauf +Date: Fri Oct 8 16:46:49 2021 -0700 + + Merge pull request #1067 from katiewasnothere/test_network_agent + + Add test network agent for ncproxy dev work + +commit 2d0978cf76311a2512b0282b0bf7f60495c73b3b +Author: Kathryn Baldauf +Date: Fri Jul 9 11:05:44 2021 -0700 + + Add test network agent for ncproxy dev work + + Signed-off-by: Kathryn Baldauf + +commit 2d35b70f54af6e3306800c2bb565005900f7db39 +Author: Kevin Parsons +Date: Tue Oct 5 16:18:53 2021 -0700 + + cri-containerd.test: Add containerd restart test + + Adds a test case that runs a pod+container, restarts containerd, then + verifies that the pod+container were terminated. This validates the + change made in the CRI fork [1] to terminate containers when containerd + is restarted. + + [1]: https://github.com/kevpar/cri/commit/f8e83e63cc027d0e9c0c984f9db3cba58d3672d4 + + 
Signed-off-by: Kevin Parsons + +commit 2a4f8142a0da714dbb0da87eb8cd0d75486970d2 (tag: v0.9.0) +Merge: 8dacd2313 1628c8723 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Oct 6 13:21:45 2021 -0700 + + Merge pull request #1191 from dcantah/revert_21h2 + + Revert V21H2 osversion definition + +commit 1628c8723eee39deb2bb1e5a1736db0062109676 +Author: Daniel Canter +Date: Wed Oct 6 12:57:56 2021 -0700 + + Revert "Update windowsbuilds.go" + + This reverts commit 7b6e3dac2b3b0c2e06ab5d0bf2a0665fb80ae511. The reason + for this is because the tag 21h2 actually refers to a couple different + Windows builds now unfortunately. It's the tag for the latest Windows 10 + update, for Windows 11, and Windows Server 2022. We're looking into how + best to actually name these going forward if we're going to account for an + event like this again. + + 
Signed-off-by: Daniel Canter + +commit 8dacd2313fe9c6e9d2f0724c54e6cf173f9c0a83 +Merge: 4a1e168a4 6ad0944ea +Author: Kathryn Baldauf +Date: Wed Oct 6 10:01:26 2021 -0700 + + Merge pull request #1189 from katiewasnothere/update-ncproxy-resource-names + + Update names of ncproxy proxy resources with test name included + +commit f5ca517bd44f863fa7be07be9e249d3a1d866842 +Author: Kevin Parsons +Date: Wed Sep 8 09:49:13 2021 -0700 + + test: Add containerd start/stop support + + This change lets the cri-containerd tests start/stop containerd as + needed, rather than assuming it is always running. This is done through + the addition of startContainerd/stopContainerd functions which can be + called from tests. As all of the existing tests need containerd to be + running, this currently is not used in any tests. Future tests can take + advantage of this functionality. + + Tests assume that containerd is running when they start, and should not + need to explicitly start containerd before calling into it. This means + that if a test stops containerd, it needs to ensure containerd is + started again. If containerd crashes during a test, then subsequent + tests will fail, but that's the same as the current behavior. + + An unfortunate side effect of this change is that, due to a standing + issue with Go's service support and containerd, the service can + sometimes exit with ERROR_PROCESS_ABORTED when it is stopped. Combined + with the fact that recovery actions are used for containerd, this can + result in the service being restarted by the service control manager. To + work around this, we need to first disable recovery actions for the + service before running tests. This can be done with: + + sc failure containerd reset=0 actions= command= + + 
Signed-off-by: Kevin Parsons + +commit 4abfd066a5e0828bc55cd4abe35db100b11bd8bd +Author: Kevin Parsons +Date: Wed Sep 8 09:39:49 2021 -0700 + + test: Make main.go a test file + + Previously main.go didn't have _test suffix, so it was not considered a + test file. Notably this meant that TestMain was never actually invoked + because it must be in a test file. It seems we were fortunate that there + was nothing in TestMain that wasn't done automatically by the Go test + infrastructure. + + As the cri-containerd directory is all test code, it is probably safe + to rename all other files in the directory to be test code as well. + However, that is left for a future change. + + Signed-off-by: Kevin Parsons + +commit 6ad0944ea350fbf0c19ed70fc5c5944e11ae73f6 +Author: Kathryn Baldauf +Date: Tue Oct 5 16:24:02 2021 -0700 + + Update names of ncproxy proxy resources with test name included + + Signed-off-by: Kathryn Baldauf + +commit 4a1e168a4aecd0cce49347b2d7c9558c744205a5 +Merge: ab02b159f bf9daeedc +Author: Kathryn Baldauf +Date: Tue Oct 5 12:59:43 2021 -0700 + + Merge pull request #1097 from katiewasnothere/compute_agent_store + + Add compute agent store for ncproxy reconnect + +commit bf9daeedcb59dac1730800b77b98e629ce6d28b3 +Author: Kathryn Baldauf +Date: Fri Oct 1 15:14:59 2021 -0700 + + Update comments for database and reconnect, document failure cases + + Signed-off-by: Kathryn Baldauf + +commit ab02b159f6f11b5d91aa4e66afcba9f8f2698919 +Merge: 851b2a53d 9268c25e8 +Author: Kathryn Baldauf +Date: Mon Oct 4 16:01:00 2021 -0700 + + Merge pull request #1186 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.7 + + Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 + +commit 9268c25e8f6e1ef6db935f620c9912075235feb9 +Author: Kathryn Baldauf +Date: Mon Oct 4 15:40:28 2021 -0700 + + Update golangci build in ci pipeline + + 
Signed-off-by: Kathryn Baldauf + +commit 76a1b225a557ea5436935a3b5cad3333e476fb96 +Author: Kathryn Baldauf +Date: Mon Oct 4 14:42:48 2021 -0700 + + Remove deprecated runc configs device type + + Signed-off-by: Kathryn Baldauf + +commit 07d25d4a51fb95c9d493cc1ef507be93183fae3d +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Oct 4 21:02:13 2021 +0000 + + Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.4 to 1.5.7. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.4...v1.5.7) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + Signed-off-by: dependabot[bot] + +commit 851b2a53de9ec3d8c9dabed3d73f8816f31c046f +Merge: 2304a1b2d 608375c86 +Author: Kathryn Baldauf +Date: Mon Oct 4 13:51:00 2021 -0700 + + Merge pull request #1185 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.7 + + Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 in /test + +commit 608375c862617f2c1ff48e2907467339cf3093a4 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Oct 4 20:45:17 2021 +0000 + + Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 in /test + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.4 to 1.5.7. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.4...v1.5.7) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + +commit 3c6ebddee8d420dd23745111d3f007e28c81c0e1 +Author: Kathryn Baldauf +Date: Mon Aug 23 18:41:53 2021 -0700 + + Prevent client connection leaks, address feedback + + Signed-off-by: Kathryn Baldauf + +commit 71695fd99ba1a1a309ad5ac3aa9a8ed489d44a3f +Author: Kathryn Baldauf +Date: Fri Aug 6 12:01:11 2021 -0700 + + Add compute agent store for ncproxy reconnect + + Signed-off-by: Kathryn Baldauf + +commit 2304a1b2dd5087f7646671dcd40249ab5073192b +Merge: a0d87926d 8ab28b159 +Author: Kathryn Baldauf +Date: Fri Oct 1 14:39:16 2021 -0700 + + Merge pull request #1182 from katiewasnothere/add_compute_agent_unit_tests + + Add unit tests for computeagent + +commit a0d87926d7651eb7428a0e408d199574a51c3f94 +Author: Maksim An +Date: Fri Oct 1 14:09:47 2021 -0700 + + tests: Fix ExecUser LCOW tests using old function signature (#1184) + + Signed-off-by: Maksim An + +commit 8ab28b159b45a2753bd4a7c5c9512bacf24a32fd +Author: Kathryn Baldauf +Date: Fri Oct 1 14:00:15 2021 -0700 + + Add back containerID to computeagent requests + + Signed-off-by: Kathryn Baldauf + +commit f3d7b87e78e18f9518a5005978d53493994cada1 +Author: Paul "TBBle" Hampson +Date: Fri Oct 1 11:25:58 2021 +1000 + + Also run tests on Windows Server 2022 GitHub Runner (#1176) + + Signed-off-by: Paul "TBBle" Hampson + +commit d524163f9139be2604fa28b932814a0ab586394a +Author: Kathryn Baldauf +Date: Wed Sep 29 14:36:12 2021 -0700 + + Add unit tests for computeagent + + 
Signed-off-by: Kathryn Baldauf + +commit 7ed4bb01a0eeb0becbfe674b32c7173636110347 +Merge: 5cd83e58f 9d8ccad09 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Sep 30 15:11:09 2021 -0700 + + Merge pull request #1181 from dcantah/remove-unused-memory-winapi + + Remove unused definitions in winapi + +commit 5cd83e58fbaa5046ea56e7dfc2fd3857cfea4805 +Author: Maksim An +Date: Wed Sep 29 16:01:45 2021 -0700 + + tests: Fix tests that used old pullRequiredLCOWImages func name (#1183) + + Lack of rebase when merging + https://github.com/microsoft/hcsshim/pull/1180 resulted in some + test files being out of date and containing old helper function + name + + Signed-off-by: Maksim An + +commit 8debf44d62391eaebbc5d2a80999ab1221d31873 +Author: Maksim An +Date: Wed Sep 29 15:18:17 2021 -0700 + + Refactor pod config generation in tests (#1180) + + Add SandboxConfigOpt func type, which enables pluggable configuration + of PodSandboxConfig. + + Signed-off-by: Maksim An + +commit 057bebe3caf7811ed63efae5b83bf893f21648d4 +Merge: 3046e940b b3b21da84 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Sep 28 19:44:29 2021 -0700 + + Merge pull request #1178 from dcantah/exec-username + + Rework LCOW username setup/exec behavior + +commit b3b21da849b2e1c605c4684bf17edcebee7bd5d0 +Author: Daniel Canter +Date: Tue Sep 28 18:15:22 2021 -0700 + + Revert cri-containerd windows container image mistake + + A previous change I'd made that was just for local testing changed the panic + in our cri-containerd test suite to choose a set image. This simply reverts + that. + + 
Signed-off-by: Daniel Canter + +commit e0dc7053de42642bd8fadeefc270187eb26224d3 +Author: Daniel Canter +Date: Fri Sep 17 02:21:52 2021 -0700 + + Rework LCOW username setup/exec behavior + + This change swaps to checking the OCI specs username field instead of + our custom annotation to match upstream. The real change is in how what + user an exec runs as is handled. In most places in Containerd an execed process + gets assigned the process spec of the container it’s getting launched in + (so it will inherit anything set on the container spec), but due to the nature + of LCOW there’s some OCI spec fields we set in the UVM instead as they’re not + able to be handled on the host (in a clean manner at least). One of these is + the user for the container. + + On a Linux host, Containerd will check if the user exists in the filesystem for + the container before setting the user on the spec. On LCOW we just have vhd’s with + the contents of the layers when making the spec which makes this a bit infeasible, so + we defer that work until we’re in the guest and then edit the spec if the user exists. + This has the outcome that the user is never set on the containers spec on the host for + LCOW, but we do have the final amended spec in the UVM with whatever user was + requested (or was set in the image via USER and so on). + + The way this is handled is by setting the Username field on the spec and then + grabbing the uid:gid based on this string in the guest. The same is done for + an exec. If a custom user is specified, try and find the uid:gid for the string + provided. Otherwise, if Username is an empty string, just inherit whatever user + the container spec contained. + + 
Signed-off-by: Daniel Canter + +commit 9d8ccad09f1990f8951487599cfd6bf5290f57a3 +Author: Daniel Canter +Date: Tue Sep 28 05:46:34 2021 -0700 + + Remove unused definitions in winapi + + This change removes some unused memory related definitions in internal/winapi. + They were originally going to be used for stats for host process contaienrs + but NtQuerySystemInformation was used instead. + + Signed-off-by: Daniel Canter + +commit 3046e940be41002e8836ed07bea7bb63eaa242cd +Merge: 18e235657 7931c55ed +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Sep 28 05:05:57 2021 -0700 + + Merge pull request #1173 from SeanTAllen/switched-policy-json-format + + Update json format for security policy + +commit 7931c55edaf61ee3b1cd998d58f2687376159348 +Author: Sean T. Allen +Date: Tue Sep 21 10:50:50 2021 -0400 + + Update json format for security policy + + These changes come by way of a suggestion from Maksim who noted that this + new format keeps the same information as the previous format, but organizes + it in a way that makes it easier to maintain the creation code and can + allow for the usage of a custom JSON marshaller to remove a source + of possible bugs in keeping the number of elements and the field that + is the length of said elements in sync, + + 
Signed-off-by: Sean T. Allen + +commit 18e235657cc592b49db4a8fce98847e4a3dbdba7 +Merge: 50c48dea7 f964e2838 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Sep 24 16:48:28 2021 -0700 + + Merge pull request #1062 from dcantah/coredump + + Add process dump functionality for WCOW/LCOW + +commit f964e283873cd13c1feec0c0d54b6e2e8dcfc920 +Author: Daniel Canter +Date: Fri Sep 24 15:57:43 2021 -0700 + + Add process dump cri-containerd testcases + + This change adds cri-containerd testcases that excercises the process dump + functionality. It sets up two containers, using images that stackoverflow/ + throw an exception shortly after starting. This should generate a dump + file in the sandbox mount location in the test. Then the second container + mounts the same sandbox mount and just verify that the core dump file generated + by the first is present. + + Signed-off-by: Daniel Canter + +commit e92d4009e7c8bc96b8982d1604caa80d31b15eba +Author: Daniel Canter +Date: Fri May 21 16:40:37 2021 -0700 + + Add process dump functionality for WCOW/LCOW + + This commit adds support for generating process dumps for hypervisor isolated containers. This includes + a new annotation to specify where process dumps should get placed on creation, which is global + to all containers. + + 
Signed-off-by: Daniel Canter + +commit 50c48dea7db638b29e65a978348e3ee433fb9bc7 +Merge: 2608ae21b 7a8989623 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Sep 24 12:24:21 2021 -0700 + + Merge pull request #1174 from dcantah/jobcontainer-noextension-fix + + Set PATHEXT for job containers to handle binaries with no extension + +commit 2608ae21b2759e2df63e528900cc8a7345f435d2 +Merge: 1f8211a77 52d76e85a +Author: Kathryn Baldauf +Date: Fri Sep 24 10:46:19 2021 -0700 + + Merge pull request #1163 from katiewasnothere/virtual_function_vpci + + Add support for passing in a virtual function index to assign pci device + +commit 1f8211a77a20be7a196e31f49d007ccc61dd0981 +Merge: 4275e49e4 92004da68 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Sep 24 03:38:03 2021 -0700 + + Merge pull request #1087 from dcantah/sandboxmount-wcow + + Add WCOW sandbox mount support + +commit 92004da684484c39ade5aa7d2c0b556d56e77fa4 +Author: Daniel Canter +Date: Fri Sep 24 02:37:59 2021 -0700 + + Add WCOW sandbox mount tests + + This change adds two cri-containerd tests to test WCOW sandbox mounts. + One test verifies the general functionality by having two containers + supply the same sandbox:// mount and validating that each container + can see whats in the mount. Another tests verifies that if we don't supply + the sandbox:/// mount for another container in the pod, it doesn't have access + to the mount. + + 
Signed-off-by: Daniel Canter + +commit 3c9e4ff7d9e290b385698a20c2934155166ccb89 +Author: Daniel Canter +Date: Fri Sep 24 02:11:47 2021 -0700 + + Add WCOW sandbox mount support + + This change adds sandbox mount like support for WCOW. Sandboxmounts are our LCOW + solution similar to a k8s empty dir mount. We create a directory that will house + various other subdirectories that a user can specify by supplying a sandbox:// prefix + for the host path of a mount. In the usual case the hostpath of a mount is in the context of the + physical host (e.g. I want C:\path on my machine mapped to C:\containerpath in my container), + however for sandbox mounts the host path is treated as relative to this directory we have + made in the VM. The root directory for these sandbox mounts I defined as C:\SandboxMounts + + Example: + "mounts": [ + { + "container_path": "C:\\test", + "host_path": "sandbox:///test" + } + ] + + The above will make a directory at C:\SandboxMounts\test in the Utility VM that will be mapped to + C:\\test in the container. If another container in the same pod supplied the same mount then + you would end up "sharing" this directory with the other container, meaning you would + both see anything placed/modified in this directory. + + The backing storage for these mounts will be the UVMs scratch disk, which currently is always 10GB + (8.5 actually usable) as that's whats hardcoded in HCS for the call we use that generates the vhd. + For some reason the expand vhd function from HCS doesn't function for the VM scratch disk which needs + some investigation :( + + 
Signed-off-by: Daniel Canter + +commit 4275e49e499d21186a2a75e05e85a4f760b3215c +Merge: 369c47426 9518added +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Sep 24 01:10:20 2021 -0700 + + Merge pull request #1137 from dcantah/jobcontainer-fixworkdir + + Rework how working directories function for job containers + +commit 7a89896235fd80d8128dbb6809951b9c08215bc2 +Author: Daniel Canter +Date: Thu Sep 23 17:40:49 2021 -0700 + + Set PATHEXT for job containers to handle binaries with no extension + + This change sets the PATHEXT environment variable which Go checks during + exec.Cmd startup to do some path resolution. PATHEXT contains a semicolon + separated list of extensions to check against if a path ended without one + (e.g. /path/to/my/binary). This simply adds an empty string entry to the end + so that binaries with no extension can be launched correctly. Although this isn't + a common occurrence it's still a good thing to support. Windows Server containers + are able to handle this fine, and CreateProcess is perfectly happy launching + a valid executable without an extension. + + This is mainly to support the agnhost image which is a common k8s testing image whose + entrypoint is a binary named agnhost with no extension. + https://github.com/kubernetes/kubernetes/blob/d64e91878517b1208a0bce7e2b7944645ace8ede/test/images/agnhost/Dockerfile_windows + + Signed-off-by: Daniel Canter + +commit 369c47426a5b1ae16ea82c91eb6596a04d88371f +Merge: 9eaa531ba e6eaeee1b +Author: Kathryn Baldauf +Date: Wed Sep 22 13:33:27 2021 -0700 + + Merge pull request #1172 from katiewasnothere/update_kernel_driver_annotation + + Update kernel driver annotation for accuracy + +commit e6eaeee1bc71dc4870b618de174d6c546a79a56c +Author: Kathryn Baldauf +Date: Tue Sep 21 14:07:30 2021 -0700 + + Update kernel driver annotation for accuracy + + 
Signed-off-by: Kathryn Baldauf + +commit 9eaa531ba2929a1ca458da0903194f64ea790dd1 +Author: Sean T Allen +Date: Tue Sep 21 12:57:04 2021 -0400 + + Change internal data structure in SecurityPolicyEnforcer (#1171) + + This commit changes the data structure that we use to track possible + GCS container ids for a given security policy container from an array + to a set. + + Set is the correct data structure to represent our constraint of "id + should only appear once". + + Additionally, it makes this tricky bit of code slightly easier to understand. + + Signed-off-by: Sean T. Allen + +commit f20a064a5395e27dbd6634b367e94bd50bd8c2d1 +Author: Maksim An +Date: Mon Sep 20 11:35:35 2021 -0700 + + fix vmAccess param usage in AddSCSI (#1167) + + AddSCSI wasn't using vmAccess parameter when making addSCSIRequest + + Signed-off-by: Maksim An + +commit 54234dcdca1a1250978edf8b221921983434732d +Author: Sean T Allen +Date: Mon Sep 20 13:59:41 2021 -0400 + + Rename EnforceStartContainerPolicy (#1169) + + The security policy enforcement point named "EnforceStartContainerPolicy" is + enforced at container create, not container start. + + This commit changes to the more appropriate and less potentially confusing name. + + Signed-off-by: Sean T. Allen + +commit e1d9c69b74ad8bdee3a1d42e68849ee02f2d2f6e +Author: Sean T Allen +Date: Mon Sep 20 13:50:27 2021 -0400 + + Rename variable in SecurityPolicyEnforcer (#1168) + + Once upon a time, naming the variable that represented the type as + "policyState" made sense, it no longer does. + + At Maksim's suggestion, this commit renames from "policyState" to "pe" which is short + for "policy enforcer". + + 
Signed-off-by: Sean T. Allen + +commit 8f21c1144e53ba8e9186e0b2878cd68e01c44f70 +Author: Sean T Allen +Date: Mon Sep 20 13:40:01 2021 -0400 + + Update naming in internal security policy tool (#1166) + + Maksim pointed out that when we added information beyond the image of an image + that the "image" entries in a TOML policy generation file weren't describing + images; the describe containers. + + The addition of command line, environment variables, and what not to allow + is a description of a container that should be allowed to be created. The + only image specific bit is the name. + + Signed-off-by: Sean T. Allen + +commit 2d31cba7dcba59cd0a8e38774e682cd87bb6e292 +Author: Sean T Allen +Date: Mon Sep 20 12:22:16 2021 -0400 + + Remove unused variable (#1165) + + Signed-off-by: Sean T. Allen + +commit 5eaf8dc71bb9535505b3f43dc91f3eeaaa53a384 +Author: Sean T Allen +Date: Mon Sep 20 11:25:48 2021 -0400 + + Make policy environment variable rules consts (#1164) + + This was a small change that came up in the initial code review that we put + off "for a later date". + + The valid strategy strings are now shared between the policy tool and gcs + so they can't end up with a mismatch. + + Signed-off-by: Sean T. Allen + +commit 52d76e85a39091b015544f38ac49430e484706df +Author: Kathryn Baldauf +Date: Fri Sep 17 19:22:53 2021 -0700 + + Add support for passing in a virtual function index to assign pci device + + 
Signed-off-by: Kathryn Baldauf + +commit 403164d6066f8c5246713481a6746b48ee06dde9 +Author: Sean T Allen +Date: Thu Sep 16 17:22:57 2021 -0400 + + Enforce security policy at unmount (#1162) + + This is the first iteration of policy enforcement at unmount. There is an additional set + of functionality that will come as part of a larger change in the near future. + + With this commit, we record that a device has been unmounted such that it isn't eligible to + be used in any overlay after unmounting. + + In a future commit, I will be adding disallowing unmounting a device that is being used by a + running container. + + Signed-off-by: Sean T. Allen + +commit 65979d6d6238064bfe34c54dfc9377e21152662f +Author: Maksim An +Date: Wed Sep 15 17:41:26 2021 -0700 + + Enable scratch space encryption via annotation (#1095) + + Add bool annotation "io.microsoft.virtualmachine.storage.scratch.encrypted" + that enables scratch space encryption. + Update guest request protocols to allow encryption for SCSI + devices. + + Signed-off-by: Maksim An + +commit ae271bff40eaf81c1b35f94edc8b21a96dbddc00 (tag: v0.9.0-rc0) +Merge: 2811ffe26 c8afad4a1 +Author: Maksim An +Date: Tue Sep 14 12:13:30 2021 -0700 + + Merge pull request #1158 from SeanTAllen/scsi-with-dmverity + + Add security policy enforcement for SCSI devices + +commit c8afad4a1e72bcfc2ccc8bd517757da9f725741d +Author: Sean T. Allen +Date: Fri Sep 10 13:05:57 2021 -0400 + + Add security policy enforcement for SCSI devices + + Previously, we only had support for VPMem devices, however, under some scenarios, container + layer devices will be mounted as SCSI; for those scenarios, we will to enforce policy. + + Currently, we only enforce policy for read-only devices in a guest as those are the only ones that + are container layers. The scratch space for containers is mounted as read-write and we do + not want enforce policy for them. + + Actually dm-verity setup isn't included in this commit and will be added in a future change. + + 
Signed-off-by: Sean T. Allen + +commit 2811ffe26952c3ecf75e441b8fca2d3816967883 +Merge: 7866b484c edb95abf5 +Author: Maksim An +Date: Tue Sep 14 12:02:06 2021 -0700 + + Merge pull request #1161 from SeanTAllen/securitypolicy-tool-login + + Update securitypolicy tool to support multiple registries + +commit edb95abf5e1862a785de5a430271a7cda7256151 +Author: Sean T. Allen +Date: Tue Sep 14 09:26:40 2021 -0400 + + Update securitypolicy tool to support multiple registries + + Before this change, the securitypolicy tool could authorize with a registry + by providing a username and password as command-line options. + + This approach worked fine as long as all images were being pulled from the + same registry. It doesn't work if you need to access multiple registries. + + After this change, authorization is provided in the policy.toml on a per-image + basis. This allows for mixing and matching different registries together as + part of a pod. + + Signed-off-by: Sean T. Allen + +commit 9518addeda73352f3209ff248142e5bb2531aacb +Author: Daniel Canter +Date: Mon Sep 13 16:03:51 2021 -0700 + + Add test cases for the working directory functionality + + This change adds a couple tests to make sure that the working directory functions as + expected. Also some very small adjustments on the dockerfiles for the other tests + (which really didn't need to be changed, but makes it more explicit). + + 
Signed-off-by: Daniel Canter + +commit 3e7e5efbc6a5c52203074e428e6017e11effbc2c +Author: Daniel Canter +Date: Fri Aug 27 13:10:49 2021 -0700 + + Rework how working directory for job containers + + Instead of taking the working directory as is, change to joining the working directory + requested with where the sandbox volume is located. It's expected that the default behavior + would be to treat all paths as relative to the volume as this would be equivalent to a + normal Windows Server Containers behavior. + + For example: + A working directory of C:\ would become C:\C\12345678\ + A working directory of C:\work\dir would become C:\C\12345678\work\dir + + Signed-off-by: Daniel Canter + +commit 7866b484c574a64dccb834973bd79c6b2050915c +Merge: c7c555d47 7b6e3dac2 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Sep 13 10:43:14 2021 -0700 + + Merge pull request #1155 from adelina-t/patch-1 + + Update windowsbuilds.go + +commit 7b6e3dac2b3b0c2e06ab5d0bf2a0665fb80ae511 +Author: Adelina Tuvenie +Date: Thu Sep 9 20:50:58 2021 +0300 + + Update windowsbuilds.go + + Updates windowsbuilds to include build number for Windows Server 2022. + + Signed-off-by: Adelina Tuvenie + +commit c7c555d47fcb7867d01cbfcb6914c40742ff3d02 (hcsshim/cc-preview) +Merge: 106f5a88b b755c2668 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Sep 10 17:59:55 2021 -0700 + + Merge pull request #1159 from katiewasnothere/modules_ci_warning_update + + Add additional information to the error message when validating modules + +commit b755c2668556e0e19418b11826e5c0c17ce2bed7 +Author: Kathryn Baldauf +Date: Fri Sep 10 14:50:14 2021 -0700 + + Add additional information to the error message when validating modules + + 
Signed-off-by: Kathryn Baldauf + +commit 106f5a88b1d5ffe26082cae39f7a73d5e8fe8fca +Merge: 322931025 eea18abbb +Author: Kathryn Baldauf +Date: Fri Sep 10 13:18:49 2021 -0700 + + Merge pull request #1153 from katiewasnothere/internal_cmd_request_struct + + Add new internal cmd package request struct to remove shimdiag package import + +commit 3229310256a97c4785bc835bb8eaf9a83a236364 +Merge: 04d8aa4dd 7671a8456 +Author: Maksim An +Date: Fri Sep 10 09:57:56 2021 -0700 + + Merge pull request #1154 from SeanTAllen/maps-in-policy-3 + + Switch JSON policy schema from using arrays to maps + +commit 7671a84561e9c30d5e0963554d8e32edf1d81cb4 +Author: Sean T. Allen +Date: Thu Sep 9 09:25:17 2021 -0400 + + Switch JSON policy schema from using arrays to maps + + The existing array based policy doesn't work with managed HSMs query language, so, we have switched + it up to using maps instead of arrays. Map keys correspond to the array index that an entry would have. + This allows us to keep ordering. + + Signed-off-by: Sean T. Allen + +commit 04d8aa4dd737246af34931dc66db2d21236a6abb +Merge: e15e9940a 89d75bf14 +Author: Kathryn Baldauf +Date: Thu Sep 9 18:42:59 2021 -0700 + + Merge pull request #1143 from katiewasnothere/ncproxy_tests + + Add unit tests to ncproxy + +commit 89d75bf147d79530f4b0371bb6b0e820e6f0b72c +Author: Kathryn Baldauf +Date: Mon Aug 30 11:39:49 2021 -0700 + + Add unit tests to ncproxy + * Add mocked grpc and ttrpc services for ncproxy testing + + Signed-off-by: Kathryn Baldauf + +commit e15e9940abeafacdfd98e216a114d9d4ffff33b9 +Merge: b33088e48 f09308df1 +Author: Kathryn Baldauf +Date: Thu Sep 9 18:13:31 2021 -0700 + + Merge pull request #1157 from katiewasnothere/update_ci_go_modules + + Update script to verify go modules to match hashes of all files + +commit f09308df1c2199870ba9652518a2796e88bbc108 +Author: Kathryn Baldauf +Date: Thu Sep 9 13:48:13 2021 -0700 + + Update main and test modules + + 
Signed-off-by: Kathryn Baldauf + +commit b33088e48f9550f95c538c719c753f6650c3406f +Merge: 28c74fbbc bcab623e9 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Sep 9 13:42:48 2021 -0700 + + Merge pull request #1156 from dcantah/readme-mention-test + + Add note about test directory go mod vendor steps to README + +commit 43ced3322a4832ae9415325680ca5c65730e9b22 +Author: Kathryn Baldauf +Date: Thu Sep 9 13:30:45 2021 -0700 + + Update script to verify go modules to match hashes of all files in the directory + + Signed-off-by: Kathryn Baldauf + +commit bcab623e91df934690c3db9452e9e875d2c8ee3d +Author: Daniel Canter +Date: Thu Sep 9 12:51:54 2021 -0700 + + Add note about test directory go mod vendor steps to README + + This change adds a quick blurb about the test directory situation for contributors. + As the test directory is a bit odd and our CI will fail if the condition + isn't met, this seems like a good thing to call out. + + Signed-off-by: Daniel Canter + +commit eea18abbb891a70aae6f630c0f67092a25779fdc +Author: Kathryn Baldauf +Date: Fri Sep 3 18:25:21 2021 -0700 + + Add new internal cmd package request struct to remove shimdiag package import + + 
Signed-off-by: Kathryn Baldauf + +commit 28c74fbbc93ffe9d0effc23a32c4624c4ed3502a +Merge: 358f05d43 c0cd5e8ff +Author: Maksim An +Date: Wed Sep 8 13:20:46 2021 -0700 + + Merge pull request #1146 from SeanTAllen/enforce-env + + Add security policy enforcement of environment variables + +commit c0cd5e8ff089b6cc67a44227a2db565b9cb6781a +Author: Sean T. Allen +Date: Fri Sep 3 10:08:46 2021 -0400 + + Add security policy enforcement of environment variables + + Supports two different matching schemes: + + - string + + This is a direct string match. All characters must be equal. + + - re2 + + The rule is an re2 regular expression that will be matched against the environment variable. + + Environment variables are in the form "KEY=VALUE" as a single string. + + The securitypolicy tool has been updated to automatically include any environment variables defined + in the image spec for an image to the allowed environment variables in the generated policy. + + Signed-off-by: Sean T. Allen + +commit 358f05d43d423310a265d006700ee81eb85725ed +Merge: f0ab29e1c ab8929cf7 +Author: Kathryn Baldauf +Date: Tue Sep 7 15:53:16 2021 -0700 + + Merge pull request #1151 from katiewasnothere/update_test_vendor_hugepages + + Update test modules with up to date hcsshim code + +commit ab8929cf7388299a08e809bd6effdb76be9147de +Author: Kathryn Baldauf +Date: Tue Sep 7 15:49:16 2021 -0700 + + Update test modules with up to date hcsshim code + + 
Signed-off-by: Kathryn Baldauf + +commit f0ab29e1c2d39f9fc7112cf0dae80040c2195271 +Merge: e16581161 6fba53bf8 +Author: Kathryn Baldauf +Date: Tue Sep 7 15:40:56 2021 -0700 + + Merge pull request #1118 from ninzavivek/vivek_hugepages_mount + + Hugepage support for LCOW + +commit e1658116181e3791f256f44add287a5baf2a5e0c +Merge: 36361330f f53295d52 +Author: Kathryn Baldauf +Date: Tue Sep 7 15:21:18 2021 -0700 + + Merge pull request #1112 from katiewasnothere/verify_modules + + Add ci step to validate that modules have been vendored in + +commit f53295d5261bf1dcccdc5ed064a16187cfdad2ab +Author: Kathryn Baldauf +Date: Thu Aug 12 10:02:30 2021 -0700 + + Add ci step to validate that modules have been vendored in + + Signed-off-by: Kathryn Baldauf + +commit 36361330f33ca4b658a285b28ee47b6a23b2cd9e +Merge: 99733ae21 acfca301d +Author: Kathryn Baldauf +Date: Tue Sep 7 15:13:28 2021 -0700 + + Merge pull request #1150 from katiewasnothere/update_test_vendor + + Update test modules with hcsshim changes + +commit acfca301d8115059264755c1e2029cc246cfdaa4 +Author: Kathryn Baldauf +Date: Tue Sep 7 15:07:42 2021 -0700 + + Update test modules with hcsshim changes + + 
Signed-off-by: Kathryn Baldauf + +commit 99733ae2108b71e5a9ff33873156c7cb0b45232b +Merge: 958272a9d 76c63b50c +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Sep 7 14:55:46 2021 -0700 + + Merge pull request #1117 from dcantah/job-container-filepath + + Job container path touchups + rework tests + +commit 76c63b50c130e519118ee74cc1081c55040212f5 +Author: Daniel Canter +Date: Fri Aug 13 18:28:51 2021 -0700 + + Remove filepath.Clean usage + touchup job containers path tests + + This change does a couple of things for the path resolution logic. + + 1. I was using filepath.Clean to remove any initial '.' paths in the command line + to handle relative paths with a dot. However it changes all forward slashes + to backslashes, which hinders command lines like the following: + + `"cmd /c ping 127.0.0.1"` + + as the /c argument will be altered. Windows Server containers don't handle + relative paths with a dot, so it doesn't seem necessary to support them for + job containers either, so just get rid of the call entirely. + + 2. Remove empty spaces off the end of the cmdline if it's quoted. There was + an empty space in this case as I was using strings.Join to join the arguments + after the quoted element. This had no effects on actual usage/functionality, + but to compare commandlines for tests, this made things easier. + + 3. When replacing instances of %CONTAINER_SANDBOX_MOUNT_POINT% in the commandline, + the path of the volume we were replacing it with had a trailing forward slash, so + you'd end up with C:\C\12345678abcdefg\\\mybinary.exe (two forward slashes). This + also didn't have much of an effect on anything, but just to clean things up. + + 4. Lastly, this change also refactors the job container path tests as they + were a bit unwieldy and were due for the t.Run treatment. This moves the + tests to being run via t.Run and a slice of configs to test different path, + working directory, env matrixes. 
Also adds some new test cases to try out. + + Signed-off-by: Daniel Canter + +commit 6fba53bf8cd74d993e20d77db34f918602b8b77c +Author: Vivek Aggarwal +Date: Mon Aug 16 18:26:54 2021 -0700 + + Hugepage support + + Signed-off-by: Vivek Aggarwal + +commit 958272a9dd25ee19221007f84d9681f2f5b1b108 +Author: Maksim An +Date: Tue Sep 7 11:14:03 2021 -0700 + + Add more messages when guest relays and init process finish (#1104) + + Additionally cleanup dead code during scsi mount, bump scsi mount + timeout to 5 seconds. + + Signed-off-by: Maksim An + +commit 9c8adb8b41669fbfa67e3ee06b83798c9445636c +Merge: 6e218877c 52251b715 +Author: Kathryn Baldauf +Date: Fri Sep 3 18:31:39 2021 -0700 + + Merge pull request #1145 from praenubilus/yunhao/add-disk-size-constant-092021 + + add RecommendedVHDSizeGB constant + +commit 6e218877c428142d9e62025271608034e3afec8a +Author: Maksim An +Date: Fri Sep 3 17:43:27 2021 -0700 + + Enable dm-verity for multi-mapped LCOW layers (#1089) + + Previously dm-verity was enabled only for dedicated VPMems. This + change adds dm-verity footer parsing logic to multi-mapped LCOW + layers + + Signed-off-by: Maksim An + +commit 52251b715f626b87e24cd331d6e102d4ba0ffc65 +Author: Yunhao Wan +Date: Fri Sep 3 22:07:31 2021 +0000 + + add VHD size constant + + 
Signed-off-by: Yunhao Wan + +commit 0e9cd549c6fb9288c55cb04f9476078c47a15b91 +Merge: 233357dfd d7cdc0f0a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Sep 1 14:14:59 2021 -0700 + + Merge pull request #1125 from dcantah/add-stylecheck + + Add stylecheck linter to golangci-lint CI runs + +commit 233357dfd1dea04e8863888fb63b23a3677ca0e7 +Merge: 8a7773ca9 bef81a6fe +Author: Kathryn Baldauf +Date: Tue Aug 31 10:57:35 2021 -0700 + + Merge pull request #1142 from katiewasnothere/cleanup_sandbox_dir_on_err + + Fixup logic for sandbox and container cleanup on failure + +commit bef81a6fe7faff6b1aa151655136c91bbe84d26c +Author: Kathryn Baldauf +Date: Mon Aug 30 15:28:36 2021 -0700 + + Fixup logic for sandbox and container cleanup on failure + + Signed-off-by: Kathryn Baldauf + +commit 8a7773ca93e89cffecb3b700aaa8f32b76ec241d +Merge: 1ca8616cb 3c2539745 +Author: Kathryn Baldauf +Date: Mon Aug 30 14:32:41 2021 -0700 + + Merge pull request #1141 from katiewasnothere/update_test_modules + + Update test package go modules + +commit 3c2539745b49c1c001c0256873c322ef2a507bfd +Author: Kathryn Baldauf +Date: Mon Aug 30 14:09:02 2021 -0700 + + Update test package go modules + + Signed-off-by: Kathryn Baldauf + +commit 1ca8616cba915b89edc78307a0ca20868d372902 +Merge: 69cf1c271 e0ecc18c3 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Aug 30 12:39:14 2021 -0700 + + Merge pull request #1140 from dcantah/dco-readme-note + + Add extra info about DCO check to README + +commit e0ecc18c33d180a8bdcaaa015f2857d613f63d40 +Author: Daniel Canter +Date: Mon Aug 30 11:43:45 2021 -0700 + + Add extra info about DCO check to README + + We recently added the DCO github app and it will get run on every PR. This change + adds a small blurb to our README to give more information on DCO for contributors. + + 
Signed-off-by: Daniel Canter + +commit 69cf1c27111eb971a95e86d90367ec9fc2ae9641 +Merge: e7fd842da 85b8ec055 +Author: Kathryn Baldauf +Date: Mon Aug 30 10:14:21 2021 -0700 + + Merge pull request #1139 from thaJeztah/double_failure + + Fix duplicate "failed" in HCS errors + +commit e7fd842da715873202253f232212a7fa925be63c +Merge: cc540938b 587be85a4 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Fri Aug 27 16:38:34 2021 -0700 + + Merge pull request #1138 from ambarve/unicodestr_bugfix + + Bugfix for UnicodeString constructor + +commit 587be85a4cc3ae962665adcf20be1bfe511ab741 +Author: Amit Barve +Date: Fri Aug 27 16:12:50 2021 -0700 + + Add test for UnicodeString Limit + + Signed-off-by: Amit Barve + +commit 85b8ec055ccc40246c6bf66d3928412d20938104 +Author: Sebastiaan van Stijn +Date: Sat Aug 28 00:36:48 2021 +0200 + + Fix duplicate "failed" in HCS errors + + HcsError.Error() already appends "failed" to the error message, which resulted + in some uses to contain a duplicate "failed", for example: + + re-exec error: exit status 1: output: hcsshim::ImportLayer - failed failed in Win32: The system cannot find the path specified. (0x3) + + Signed-off-by: Sebastiaan van Stijn + +commit 0afb0c9f89a5e7e3a0c64e0572460f44923ac888 +Author: Amit Barve +Date: Fri Aug 27 14:11:14 2021 -0700 + + Bugfix for UnicodeString constructor + + The existing UnicodeString constructor creates a unicode string object by taking the + length of a given GO string. This works fine for ASCII strings but fails when the input + string contains non ASCII characters. This change fixes it. + + 
Signed-off-by: Amit Barve + +commit d7cdc0f0a4ab5cebb55f56301f5254b19d65be46 +Author: Daniel Canter +Date: Fri Aug 27 05:43:21 2021 -0700 + + Add exclusions for rule ST1003 from stylecheck for some packages + + ST1003 checks for if any initialisms don't follow the Go idiom of all capitals. + However, due to this repo having a really high number of packages that have OS + bindings/constants, generated schema files that we generally try and not touch, + and some calls that have been exported and used forever so changing them would + introduce a breaking change, I've taken to excluding some directories from this + specific check. Stylecheck should still check for double imports, and any error + message shenanigans. + + This change additionally fixes all of the ST1003 errors in the packages that aren't + excluded. + + Signed-off-by: Daniel Canter + +commit c4c867d1df60b5fe9cc29198059af18df108ac0e +Author: Daniel Canter +Date: Tue Aug 24 06:13:43 2021 -0700 + + Fix golangci-lint stylecheck issues + + This change fixes the issues that the stylecheck linter for golangci-lint + brings up. Most of them are errors starting with a capital letter/ending with + punctuation, but there's two that are for double imports. Also adds -v to the + golangci-lint args, so it's easier to tell what's going on. + + In internal/layers/layers.go we were importing the /internal/uvm package twice, + as we used any constants from the package under a package alias of uvmpkg and then + any uses of a pointer to a UtilityVM object were passed around as `uvm`. I've changed + the latter to be passed around via vm, as we use this elsewhere to store a UtilityVM + object, and then simply replaced umvpkg with the package name itself, uvm. + + 
Signed-off-by: Daniel Canter + +commit 2ea1344710a3f00adca963040ca46a90af4f0189 +Author: Daniel Canter +Date: Tue Aug 24 06:24:44 2021 -0700 + + Add stylecheck linter to golangci-lint CI run + + This change adds the stylecheck linter to our golangci-lint ci run. + This catches a few nice things like double imports, checking if errors + end with punctuation/aren't capitalized. It also by default checks if + common initialisms (CPU, ID, HTTP, TLS) are in all caps, but this sets off a + metric ton of errors because of the amount of generated schema files we have. + We could exclude these directories from being linted altogether, but would like + to hear what others think. I don't see a way to exclude directories for only certain + checks (so if someone knows a way please do tell) + + Signed-off-by: Daniel Canter + +commit cc540938b6fc1b6ee13c616eb6633ae5139f8447 +Merge: c7c44e13f 662c3dd5c +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Aug 26 18:24:20 2021 -0700 + + Merge pull request #1121 from dcantah/ncp-urfav + + Make ncproxy a urfave/cli app + +commit 662c3dd5c2c99ea04a5171793c9b32dfd0541861 +Author: Daniel Canter +Date: Wed Aug 18 06:59:01 2021 -0700 + + Make ncproxy a urfave/cli app + + This kind of started solely because the containerd version of the service flags + (because of urfave/cli) are double dashed, while flags from the flag package in + the stdlib are single, so writing generic code to launch both services just + by providing the name of the service was *mildly* annoying 😋. + + After actually thinking about it though, there's probably a couple commands + down the road that might be helpful. One to start is to output a default config + for ncproxy for local testing or for actual production use which is in this + change. It will output a default config to stdout or to a file if the --file + flag is specified. + + 
Signed-off-by: Daniel Canter + +commit c7c44e13fdacc83a07931653b47a21579f39063c +Merge: a88c2931b 3af4cb6b0 +Author: Kathryn Baldauf +Date: Wed Aug 25 13:53:17 2021 -0700 + + Merge pull request #1126 from katiewasnothere/container_id_to_compute_agent_sync + + Update ncproxy compute agent cache map + +commit a88c2931bdc2e3b4fc0e5cd6aaae7e11f2e341c2 +Merge: 3febf28db f445fb749 +Author: Kathryn Baldauf +Date: Wed Aug 25 11:06:08 2021 -0700 + + Merge pull request #1127 from SeanTAllen/patch-1 + + Fix spelling error + +commit f445fb7497a6a6d5d0d8487c9f73f958beab12f0 +Author: Sean T Allen +Date: Wed Aug 25 13:36:56 2021 -0400 + + Fix spelling error + + Signed-off-by: Sean T Allen seanallen@microsoft.com + +commit 3af4cb6b0c656ec09c8d2f8e04658b6d7eb2adaf +Author: Kathryn Baldauf +Date: Tue Aug 24 14:38:37 2021 -0700 + + Move containerID to compute agent cache from being a global and make it a sync map + + 
Signed-off-by: Kathryn Baldauf + +commit 3febf28db3d0454f000ecde87ca242f445214722 +Merge: 12f00a386 5abd1703d +Author: Scott Brender +Date: Tue Aug 24 09:39:14 2021 -0700 + + Merge pull request #1116 from SeanTAllen/enforce-command + + Add security policy enforcement of command line options when starting containers + +commit 12f00a38643ba1ff6772e03f8673977060515d01 +Merge: 409e4849c a342ac7e1 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Aug 23 13:40:46 2021 -0700 + + Merge pull request #1115 from dcantah/check-nil-pipes + + Check if stdio pipes are nil for job containers/fix windows.Close usage + +commit 409e4849c42112bf0169101f32f8c90fdf4883f0 +Merge: 2b5a08d79 57c5d6094 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Aug 19 17:14:54 2021 -0700 + + Merge pull request #1123 from dcantah/new-hcn-features-call + + Add GetCachedSupportedFeatures method to hcn package + +commit 57c5d6094e233bbb15f08b662e9eb3edafb0b131 +Author: Daniel Canter +Date: Thu Aug 19 13:24:02 2021 -0700 + + Fix GetSupportedFeatures' comment to please godoc + + Signed-off-by: Daniel Canter + +commit 16435c703bed94918583e90811669ae449c08e94 +Author: Daniel Canter +Date: Thu Aug 19 12:08:07 2021 -0700 + + Fix hcn GetSupportedFeatures's error log msg + + Signed-off-by: Daniel Canter + +commit f78d0ffd3ad7ebe3073cd1be149af64ab6be6697 +Author: Daniel Canter +Date: Thu Aug 19 03:51:58 2021 -0700 + + PR feedback + + - Change versionErr -> featuresErr + - Move work inside of the sync.Once out to its own function so we + can use standard return err error handling and simply assign the + output in GetCachedSupportedFeatures + - Mark GetSupportedFeatures as deprecated. + + 
Signed-off-by: Daniel Canter + +commit 112b5e7a30d0cac219085a26fc3a8188bc471db9 +Author: Daniel Canter +Date: Wed Aug 18 20:06:20 2021 -0700 + + Add GetCachedSupportedFeatures method to hcn package + + To avoid a breaking change on GetSupportedFeatures introduce a new + GetCachedSupportedFeatures method. This method does the feature check + and version parsing once and then assigns a global with the information. + This can be used to optimize for situations where many uses of the + hcn.IsXSupported methods are going to be used (kube-proxy for example). + + Signed-off-by: Daniel Canter + +commit 2b5a08d79b7ec0ebdafbf6c7c70a93266248edb8 +Merge: a0b514937 adc35b064 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Aug 18 18:06:09 2021 -0700 + + Merge pull request #1122 from dcantah/add-sleep-layerops + + Add sleep before layer operation retries + +commit adc35b064429d1e80be4bf5022a0f8504a9197ae +Author: Daniel Canter +Date: Wed Aug 18 16:05:28 2021 -0700 + + Add sleep before layer operation retries + + This change adds a small sleep before a re-attempt on layer operation + failures. These failures should only happen on RS5 and the probable cause is because + of a different way in which container loopback vhds were mounted on this OS version. + A theory of why things might go awry on RS5 is due to some events from pnp getting reported + too late/early. If the prognosis is correct, a small sleep might help to try and get + things back into a "good" state before a reattempt. + + 
Signed-off-by: Daniel Canter + +commit 5abd1703de66bfb4bf57be5f82434205aa388fce +Author: Sean T. Allen +Date: Wed Aug 4 15:13:04 2021 -0400 + + Add security policy enforcement of command line options when starting containers + + This includes a small switch from the first version of policy tool that had + command as a string. The single string was problematic as that isn't the + representation in gcs. I updated the representation to match as part of this PR. + +commit a342ac7e10862d4ea399218d534fcc72d4c069f0 +Author: Daniel Canter +Date: Mon Aug 16 05:11:45 2021 -0700 + + Misc. job containers cleanup + + This change does two things: + + 1. Checks if the stdio pipes are nil before closing them via the CloseStdout, + CloseStderr, CloseStdin methods. This just brings it inline with the other + `cow.Process` implementations that check for nilness. + 2. Fix an oversight where windows.Close was being used instead of windows.FreeLibrary + after loading kernel32.dll + + Signed-off-by: Daniel Canter + +commit a0b514937762363a4cc10caa89eb3aea34f16dd0 +Merge: 3ac13eef7 f8784aa2c +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Aug 13 15:58:34 2021 -0700 + + Merge pull request #1102 from jsturtevant/add-network-stats + + Add network stats to the enable getting stats directly + +commit 3ac13eef7f5afb02b3c7e92a013fd5bfbba7b9db +Merge: bd67428d8 ad0eaf384 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Aug 13 13:05:36 2021 -0700 + + Merge pull request #1108 from ninzavivek/vivek_kernel_options + + Support for Kernel Boot Options - LCOW + +commit ad0eaf384ddb820339942272eaef01dc5f311e39 +Author: Vivek Aggarwal +Date: Tue Aug 10 17:09:50 2021 -0700 + + Support for Kernel Boot Options + + 
Signed-off-by: Vivek Aggarwal + +commit bd67428d86518b34cf065cc06098c08b2f14aafc +Author: Maksim An +Date: Thu Aug 12 21:15:36 2021 -0700 + + tests: fix VPMem layer packing tests (#1109) + + Previously ubuntu:18.04 container had 3 image layers, which is not + true anymore. Pin image digest to make sure that this issue doesn't + resurface. + +commit cbe2cc166b6797e915f5e26cfe777e004b92d7de +Merge: 8fc847f9d f55f5d4fe +Author: Maksim An +Date: Thu Aug 12 17:32:23 2021 -0700 + + Merge pull request #1105 from SeanTAllen/patch-1 + + Fix variable naming + +commit 8fc847f9d9213e951bf7d2a1c099baa8c5916e19 +Merge: 3f1e9b4d2 65a975144 +Author: Maksim An +Date: Thu Aug 12 17:32:08 2021 -0700 + + Merge pull request #1106 from SeanTAllen/patch-2 + + Fix incorrect variable casing + +commit 65a9751445292d8f11f3e6f52855a69a4dc85638 +Author: Sean T Allen +Date: Thu Aug 12 09:14:22 2021 -0400 + + Fix incorrect variable casing + +commit f55f5d4fec9b284fdf4507dd6c02f0bf798c7b5a +Author: Sean T Allen +Date: Thu Aug 12 08:42:48 2021 -0400 + + Fix variable naming + + I tend to use snake case rather than camel case. These snuck through previous reviews. + +commit 3f1e9b4d29697bdbe10a77231fe1a4e24aadf0f9 +Merge: bf946774b 84fcbce4d +Author: Maksim An +Date: Wed Aug 11 14:33:05 2021 -0700 + + Merge pull request #1099 from anmaxvl/skip-empty-policy + + Skip setting security policy when it's empty + +commit f8784aa2cdd7fb94ade0ee02a6fb003f2e4410a8 +Author: James Sturtevant +Date: Fri Aug 6 23:10:27 2021 +0000 + + Expose containers that are associated with network + + Signed-off-by: James Sturtevant + +commit 11375bf35d8b8abc83dc0a514f73dcfe6f269e80 +Author: James Sturtevant +Date: Fri Aug 6 20:54:26 2021 +0000 + + Add network stats for endpoints + + 
Signed-off-by: James Sturtevant + +commit bf946774bacb7532d0bf09a47f19e4f6b37223cd +Merge: 5036eccca 6e425b4ca +Author: Maksim An +Date: Wed Aug 11 10:40:38 2021 -0700 + + Merge pull request #1096 from anmaxvl/guest-storage-cleanup + + chore: Cleanup guest pmem package + +commit 6e425b4ca38b76ee7fd66122e33d1b9bea06e2b8 +Author: Maksim An +Date: Sun Aug 8 15:30:18 2021 -0700 + + chore: Cleanup guest pmem package + + Move device mapper code from pmem to devicemapper package. + + Signed-off-by: Maksim An + +commit 84fcbce4d326f082813bb5b8a3c177375bcff153 +Author: Maksim An +Date: Tue Aug 10 15:26:32 2021 -0700 + + fix: Skip setting security policy when it's empty + + Due to an error ignored when calling to json.Unmarshal the call + to SetSecurityPolicy with an empty or invalid string policy results + in a policy with no Containers and AllowAll set to false. No + container can be run as a result. + + Fix the behavior by not sending modification request for SetSecurityPolicy + when policy string is empty (which is the default) and checking the + error result from json.Unmarshal call + + 
Signed-off-by: Maksim An + +commit 5036eccca2d36a2f5cd47ae7e821bed20c02ab2a +Merge: d300e457d ab1fcc8ba +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Aug 11 11:28:33 2021 -0400 + + Merge pull request #1103 from SeanTAllen/patch-1 + + Fix incorrect casing in error message + +commit ab1fcc8bafe02196354f7660a037bcedc881d831 +Author: Sean T Allen +Date: Wed Aug 11 10:59:09 2021 -0400 + + Fix incorrect casing in error message + + I have a habit of capitalizing the first letter of error messages. We missed this one as part of the review for my PR that added the security policy functionality. + +commit d300e457d6f503eff3fe5b12b48f88628711ebc5 +Merge: b8f71acfd fd0cf7b89 +Author: Kathryn Baldauf +Date: Tue Aug 10 10:12:48 2021 -0700 + + Merge pull request #1098 from katiewasnothere/fix_mount_functional_test + + Fix build break in functional tests + +commit fd0cf7b895597b3e9af63895345da10d620a620a +Author: Kathryn Baldauf +Date: Mon Aug 9 17:39:52 2021 -0700 + + Fix build break in functional tests + + 
Signed-off-by: Kathryn Baldauf + +commit b8f71acfda791a67444b85059eb29ce81359d383 +Merge: 264a47d1a 01b99119b +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Aug 6 02:17:55 2021 -0700 + + Merge pull request #1091 from dcantah/retry-layerops + + Add retry around wclayer operations for process isolated containers + +commit 01b99119beb113ad3c5c4aa39f55b2e30c2951da +Author: Daniel Canter +Date: Mon Aug 2 16:44:34 2021 -0700 + + Add retry around wclayer operations for process isolated containers + + This change adds a simple retry loop to handle some behavior on RS5. Loopback VHDs + used to be mounted in a different manor on RS5 (ws2019) which led to some + very odd cases where things would succeed when they shouldn't have, or we'd simply + timeout if an operation took too long. Many parallel invocations of this code path + and stressing the machine seem to bring out the issues, but all of the possible failure + paths that bring about the errors we have observed aren't known. + + On 19h1+ this retry loop shouldn't be needed, but the logic is to leave the loop if everything succeeded so this is harmless + and shouldn't need a version check. + + 
Signed-off-by: Daniel Canter + +commit 264a47d1abd8e310dfe64e6f82b8968e843c5afb +Merge: c65d826c0 95091013d +Author: Maksim An +Date: Tue Aug 3 20:42:20 2021 -0700 + + Merge pull request #1094 from SeanTAllen/minimalist-policy + + Add basis for allowing the creation of configuration enforcement in gcs + +commit c65d826c081e296971e16f3e4e948b5ff4600d35 +Merge: 8bbd2047b 69994fcda +Author: Maksim An +Date: Tue Aug 3 17:46:48 2021 -0700 + + Merge pull request #1090 from AntonioND/encrypted-scratch + + Add support to encrypt SCSI scratch disks with dm-crypt + +commit 8bbd2047b849176a84c605f2fe5913a38c64d019 +Merge: 477581578 3d5b0eb9f +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Tue Aug 3 16:11:18 2021 -0700 + + Merge pull request #1093 from ambarve/assigned_dev_vsmb_clone_bugfix + + Minor bug fixes + +commit 3d5b0eb9f63b4d3d16691166e2060d9e10f536ce +Author: Amit Barve +Date: Mon Aug 2 21:02:41 2021 -0700 + + Minor bug fixes + + Fix container creation failure when container config has empty device extensions. + Use the `getVSMBShareKey` function during vsmb share cloning. + + 
Signed-off-by: Amit Barve + +commit 95091013da2a918422dea63d18b4dc4b85526478 +Author: Sean T. Allen +Date: Tue Aug 3 09:46:46 2021 -0400 + + Add basis for allowing the creation of configuration enforcement in gcs + + This commit is the minimal set of functionality needed to allow users + to create a configuration policy that gcs can enforce. + + Policy enforcement will allow users to state "only these containers, with these + command lines, etc etc" should be run. If anything in gcs doesn't match the + user supplied policy, it will end container run and report an error. + + Currently, only container filesystem policy is enforced. This is done at + two points. When a pmem device is mounted, its dm-verity root hash is checked + against policy to see if it is allowed. + + At the time of overlay creation, the order of layers is compared to policy to + make sure that the container is being constructed as the user expected. + + Additional policy enforcement that is coming in future commits includes: + + - enforce policy for scsi mounts + - enforce container command line + - enforce environment variables + +commit 69994fcda2b604aea51737de887c205cdfc48306 +Author: Antonio Nino Diaz +Date: Mon Jun 28 12:00:02 2021 +0100 + + Add support to encrypt SCSI scratch disks with dm-crypt + + This protects the files generated by the guest from the host OS, as they + are encrypted by a key that the host doesn't know. + + This commit adds a new argument to the scsi.Mount() function, `encrypted`, + that makes the SCSI drive be mounted using dm-crypt. It also uses + dm-integrity for integrity checking. This makes the boot process a couple + of seconds slower. + + Also, it adds scsi.Unmount(), which also has the `encrypted` argument, + and it does the necessary cleanup for a drive that has been mounted as + an encrypted drive. + + All the pre-existing SCSI tests have been fixed to work with the new + scsi.Mount() function prototype. New tests have been added for the new + code. 
+ + This is all disabled for now, it has to be enabled in a future patch. + + Important note: This depends on cryptsetup and mkfs.ext4. Also, the + kernel must be compiled with dm-crypt and dm-integrity support. + +commit 4775815789710f1aa6d8b79c6920abce837fdac2 +Merge: 834c0e5a6 2a1685eb8 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Wed Jul 28 14:19:21 2021 -0700 + + Merge pull request #1039 from ambarve/storage_spaces + + Support for extensible virtual disks as data disks + +commit 834c0e5a6b2effe30703e7c8abe55b05f9f2f88d +Merge: 5184adc1a 461cf9f1c +Author: Maksim An +Date: Wed Jul 28 14:09:29 2021 -0700 + + Merge pull request #1052 from anmaxvl/container-dev-shm-size + + make container's shared memory configurable via annotation + +commit 5184adc1a74fc11586a113cb351b7c819000456c +Merge: a8f5f611a d75f9f86e +Author: Maksim An +Date: Wed Jul 28 14:07:01 2021 -0700 + + Merge pull request #1088 from anmaxvl/increase-opengcs-test-verbosity + + tests: increase opengcs tests verbosity + +commit d75f9f86e5b949ffd9eb7f5184ccf3a365891f04 +Author: Maksim An +Date: Wed Jul 28 12:57:36 2021 -0700 + + tests: increase opengcs tests verbosity + + currently opengcs unit tests are not verbose enough and it's hard + to tell which tests are actually run. Increase verbosisty by + adding -v flag + + Signed-off-by: Maksim An + +commit 461cf9f1c2dc8093fc2d7c671c3b3efe1de26e54 +Author: Maksim An +Date: Mon Jun 21 15:26:40 2021 -0700 + + make container's shared memory configurable via annotation + + add annotation "io.microsoft.container.storage.shm.size-kb" to + set container's /dev/shm tmpfs size. + + this overrides any existing /dev/shm mounts in the spec + + additionally move the annotations parsing logic into a separate + function + + 
Signed-off-by: Maksim An + +commit a8f5f611a65940f3f974697105e000497b49bbea +Merge: c066f5969 3f47d4789 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Jul 26 15:27:51 2021 -0700 + + Merge pull request #1084 from microsoft/dependabot/go_modules/github.com/opencontainers/runc-1.0.0-rc95 + + Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc95 + +commit 3f47d47898a4818bfd7532c129854919ad688f97 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jul 26 22:09:10 2021 +0000 + + Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc95 + + Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc93 to 1.0.0-rc95. + - [Release notes](https://github.com/opencontainers/runc/releases) + - [Commits](https://github.com/opencontainers/runc/compare/v1.0.0-rc93...v1.0.0-rc95) + + --- + updated-dependencies: + - dependency-name: github.com/opencontainers/runc + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + +commit c066f5969c5cb978673bc91a9b7b56b41b8131ee +Merge: 562190a84 1b3ef3cd0 +Author: Kathryn Baldauf +Date: Mon Jul 26 15:00:20 2021 -0700 + + Merge pull request #1083 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.4 + + Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 + +commit 562190a84ac12c22113102b14681e6a3d33ae1bb +Merge: 826ec7f3f 7972e6405 +Author: Kathryn Baldauf +Date: Mon Jul 26 14:57:18 2021 -0700 + + Merge pull request #1082 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.4 + + Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /test + +commit 1b3ef3cd0c71b43541fd6f7bf0cc736e580b388e +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jul 26 21:36:53 2021 +0000 + + Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.2 to 1.5.4. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.2...v1.5.4) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + +commit 7972e6405c9223a0fdd0350d8680f1f14fecf2d0 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jul 26 21:35:21 2021 +0000 + + Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /test + + Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.2 to 1.5.4. + - [Release notes](https://github.com/containerd/containerd/releases) + - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) + - [Commits](https://github.com/containerd/containerd/compare/v1.5.2...v1.5.4) + + --- + updated-dependencies: + - dependency-name: github.com/containerd/containerd + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + +commit 826ec7f3f6058c6393465036e4712e6615bde132 +Merge: 8ef3c7401 03422a5a9 +Author: Kathryn Baldauf +Date: Mon Jul 26 11:54:14 2021 -0700 + + Merge pull request #1060 from katiewasnothere/device_extensions + + Add support for reading in device extension files for container create hcs document + +commit 8ef3c7401da37d3f5e6ce34a0bc36f7a015a2fcf +Merge: 8b8eac9c1 7a1ce51cc +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jul 23 12:46:32 2021 -0700 + + Merge pull request #1081 from dcantah/jobcontainer-workdir + + Fix relative paths (with dot) not working for job containers + +commit 8b8eac9c19d060715fcca9137ddf7d3500b2062c +Merge: 5961bcea3 c0a5047ba +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jul 23 12:09:45 2021 -0700 + + Merge pull request #1078 from elweb9858/hns_schema + + Updating HNS v1 policy schemas with correct omitEmpty fields + +commit 7a1ce51ccf39a7409713c2f8a75bec6e7958adc0 +Author: Daniel Canter +Date: Thu Jul 22 18:43:04 2021 -0700 + + Fix relative paths (with dot) not working for job containers + + Relative paths supplying a dot don't make it through our commandline + parsing for job containers, this change fixes that. + + In addition to this, this change adds logic to actually honor the working + directory specified for the container. + + Signed-off-by: Daniel Canter + +commit 2a1685eb8478006f206bf2bd8275bd0b9bc7435e +Author: Amit Barve +Date: Thu May 27 13:59:52 2021 -0700 + + Support for extensible virtual disks as data disks. + + This commit adds support in hcsshim to mount an extensible virtual disk data disk into a + container. In container config the host_path in the mount entry should + use the format evd:/// to specify an extensible virtual disk. + + 
Signed-off-by: Amit Barve + +commit 5961bcea3b5c8e2721e694f596f793d40c4e3ab7 +Merge: 40d90107f 7a55c170e +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Jul 19 21:50:07 2021 -0700 + + Merge pull request #1079 from dcantah/fix-update-tests + + Gate CRI update container tests behind feature flag + +commit 7a55c170ebdf0a69c4361d49c29b30bf609b7698 +Author: Daniel Canter +Date: Mon Jul 19 20:48:35 2021 -0700 + + Gate CRI update container tests behind feature flag + + Upstream containerd/cri doesn't have support for updating container resources, + so running these tests currently fails. + + Signed-off-by: Daniel Canter + +commit c0a5047ba474134d22e2118e8f42afeaf2ad3a88 +Author: elweb9858 +Date: Mon Jul 19 11:34:29 2021 -0700 + + Updating HNS v1 policy schemas with correct omitEmpty fields + + Signed-off-by: elweb9858 + +commit 40d90107f86cc5319b782e29a0d227b5b11b45f6 +Merge: 837c300f1 90a193c83 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jul 15 15:10:08 2021 -0700 + + Merge pull request #1057 from dcantah/jobcontainer-volume + + Add volume mount support for job containers + +commit 837c300f15fadd2bd0ee831658de2c726d345493 +Merge: 8f527b2ed f7d10cb13 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jul 13 23:30:06 2021 -0700 + + Merge pull request #1074 from TBBle/remove-leftover-schema-file + + Remove leftover generated HCS2 schema file + +commit f7d10cb13f286164c334785166524fcab51384d2 +Author: Paul "TBBle" Hampson +Date: Wed Jul 14 16:24:25 2021 +1000 + + Remove leftover generated HCS2 schema file + + This was left behind due to an unlucky conflict between #1004 and #930. + + The file already existed with the same content at the new location, and + nothing was referencing this location, so a trivial deletion. + + 
Signed-off-by: Paul "TBBle" Hampson + +commit 8f527b2edd78add26082415412d77901cd8c0b3d +Merge: 4378e839c 45ea8def8 +Author: Kathryn Baldauf +Date: Tue Jul 13 11:24:39 2021 -0700 + + Merge pull request #1071 from TBBle/rename-conflicting-opencensus-attribute + + Fix lost span attribute for NameToGuid + +commit 45ea8def8fd5938791844026752d4b6b8383cd77 +Author: Paul "TBBle" Hampson +Date: Tue Jul 13 16:18:25 2021 +1000 + + Fix lost span attribute for NameToGuid + + "name" is also used for the span title, so this attribute is lost, at + least in the textual output. + + Signed-off-by: Paul "TBBle" Hampson + +commit 4378e839c4fcff4e3b7d4c89f8c66df0af45795c +Merge: e36a7ab4d 35874b7f8 +Author: Kathryn Baldauf +Date: Tue Jul 13 10:18:29 2021 -0700 + + Merge pull request #1070 from katiewasnothere/ncproxy_dump_stacks + + Add support to dump stacks for ncproxy when requested + +commit 35874b7f8b3f807bc3cf4fef05b35baaaa64998a +Author: Kathryn Baldauf +Date: Mon Jul 12 17:59:58 2021 -0700 + + Add support to dump stacks for ncproxy when requested + + Signed-off-by: Kathryn Baldauf + +commit 03422a5a93ecc21904c3e352b45aca666e7666ae +Author: Kathryn Baldauf +Date: Tue Jul 6 16:14:02 2021 -0700 + + Add support for reading in device extension files for container create hcs document + + Signed-off-by: Kathryn Baldauf + +commit e36a7ab4dc5bec0ab521ddd5d99d581313a6cc57 +Merge: 7ca08bc6e ad02a2c1b +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Jul 12 06:15:50 2021 -0700 + + Merge pull request #1069 from TBBle/fix-missing-build-tag + + Add missing 'functional' tag to test source + +commit ad02a2c1b6329d6b893e29a11ef7827783ad7212 +Author: Paul "TBBle" Hampson +Date: Mon Jul 12 18:39:53 2021 +1000 + + Add missing 'functional' tag to test source + + Without this tag, gopls under VSCode notes that this file calls + undefined functions when no build tags are defined (the default). + + 
Signed-off-by: Paul "TBBle" Hampson + +commit 90a193c8352f0673e365992b9ea3b86a324e8edb +Author: Daniel Canter +Date: Thu Jul 1 06:15:30 2021 -0700 + + Add volume mount support for job containers + + This adds basic directory mount support for job containers. As any path on the host + is already accessible from the container, the concept of volume mounts is a bit funny + for job containers. However, it still makes sense to treat the volume mount point where + the container image is mounted as where most things should be found regarding the container. + + The manner in which this is done is by appending the container mount path for the volume to + where the rootfs volume is mounted on the host and then symlinking it. + + So: + Container rootfs volume path = "C:\C\123456789abcdefgh\" + + Example #1 + -------------- + { + "host_path": "C:\mydir" + "container_path": "\dir\in\container" + } + + "C:\mydir" would be symlinked to "C:\C\123456789abcdefgh\dir\in\container" + + Example #2 + --------------- + Drive letters will be stripped + { + "host_path": "C:\mydir" + "container_path": "C:\dir\in\container" + } + "C:\mydir" would be symlinked to "C:\C\123456789abcdefgh\dir\in\container" + + 
Signed-off-by: Daniel Canter + +commit 7ca08bc6ee86e174a6aa01837a0b4f00ad174d74 +Merge: 657ae58fb 2f6ae7ec1 +Author: Kevin Parsons +Date: Fri Jul 9 13:19:12 2021 -0700 + + Merge pull request #1068 from aledbf/1.5.2 + + Bump containerd to 1.5.2 + +commit 2f6ae7ec13277966608e37e49a80e48f9d42683c +Author: Manuel Alejandro de Brito Fontes +Date: Fri Jul 9 15:12:30 2021 -0400 + + Bump containerd to 1.5.2 + +commit 657ae58fbdf4a26a8745e949bb480b81d45e02fc +Merge: 137317f90 70d89bce4 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jul 8 15:45:42 2021 -0700 + + Merge pull request #1046 from dcantah/ncproxy-service + + Support registering and unregistering ncproxy as a Windows service + +commit 70d89bce4231228a02ebc14dc1ce6751f79cddca +Author: Daniel Canter +Date: Sat Jun 12 21:40:38 2021 -0700 + + Support registering and unregistering ncproxy as a Windows service + + Borrowed heavily from the Containerd implementation: + https://github.com/containerd/containerd/blob/master/cmd/containerd/command/service_windows.go + + Go mod vendor to bring in the x/sys/windows/svc package + + Signed-off-by: Daniel Canter + +commit 137317f90336da70a4e21624ac230faa1c5f54aa +Merge: c7a62d50a a2d897c20 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jul 8 13:38:43 2021 -0700 + + Merge pull request #1058 from dcantah/diff-log-level + + Support specifying a specific logrus log level for shim log output + +commit c7a62d50a0fbe23d23d8b641c4f4631d8ab4049e +Merge: 40b1634fc 8e69c5855 +Author: Kathryn Baldauf +Date: Thu Jul 8 13:32:25 2021 -0700 + + Merge pull request #1061 from katiewasnothere/export_annotations + + export annotations for use in test suite + +commit 8e69c5855c574d830968f0f4837f0f5136b8f942 +Author: Kathryn Baldauf +Date: Tue Jul 6 18:08:38 2021 -0700 + + export annotations for use in test suite + + 
Signed-off-by: Kathryn Baldauf + +commit 40b1634fc725ea68ab2946d6dbe1a997fa05a03f +Merge: 0ac60a299 d78544d6c +Author: Kevin Parsons +Date: Thu Jul 8 11:56:05 2021 -0700 + + Merge pull request #1064 from kevpar/container-leak + + Remove ERROR_PROC_NOT_FOUND from error checks + +commit a2d897c201cc1178f6e3ee5b1df26c13fe760893 +Author: Daniel Canter +Date: Mon Jul 5 22:08:52 2021 -0700 + + Support specifying a specific logrus log level for shim log output + + Sometimes debug is a bit too noisy and can cause log rotation at a higher than + ideal rate. + + This will be accompanied by an audit of our use of log levels throughout to make sure + they actually fit what level they're under. + + 
Signed-off-by: Daniel Canter + +commit d78544d6c2c2cbfde54155662138bf275cab7fca +Author: Kevin Parsons +Date: Wed Jul 7 15:16:49 2021 -0700 + + Remove ERROR_PROC_NOT_FOUND from error checks + + Previously, certain error check functions like IsAlreadyStopped returned + true if the error was ERROR_PROC_NOT_FOUND. Based on the comment in the + file, this was intended to be used to indicate a case where the process + could not be found. However, it seems this may have been added + erroneously. ERROR_PROC_NOT_FOUND is actually typically used to mean + that a _procedure_ lookup failed, and has nothing to do with processes. + + The original change[1] to check against ERROR_PROC_NOT_FOUND was made + five years ago, and did not contain much information on why this error + would be returned. We are removing this now based on several factors: + + - We are not aware of any condition where HCS would intentionally return + ERROR_PROC_NOT_FOUND to indicate a condition "process does not exist". + - There is an issue where HcsShutdownComputeSystem sometimes returns + ERROR_PROC_NOT_FOUND due to something failing internally. The current + error checks are causing this to be treated as "the container has + already exited", causing moby to not properly stop the container via + HcsTerminateComputeSystem. + + This change leaves the definition for ErrProcNotFound in the code, as it + may be used by external callers, but fixes its comment. + + [1]: See commit 0ae7e7ecebd7b5609582153ed680c35ba666a264 + + Signed-off-by: Kevin Parsons + +commit 0ac60a2990061c1b264d35182ee500d9249340c1 +Merge: 43d161b63 4df3a6e9d +Author: Kathryn Baldauf +Date: Wed Jul 7 13:53:04 2021 -0700 + + Merge pull request #1063 from katiewasnothere/fix_functional_mount_test + + Fix functional tests build and revendor + +commit 4df3a6e9d38aec48f76dd84e0dd9d5b4ca74dd7a +Author: Kathryn Baldauf +Date: Wed Jul 7 13:18:57 2021 -0700 + + Fix functional tests build and revendor + + 
Signed-off-by: Kathryn Baldauf + +commit 43d161b6313f5771fa4b346a7b4f085df1f4010f +Merge: ef584efeb bbf558965 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jun 25 21:03:33 2021 -0700 + + Merge pull request #962 from dcantah/job-containers-shim + + Add containerd-shim plumbing for job containers + +commit ef584efeb02e8728d7a959ac4b5a3c0a39b6ec87 +Merge: d793bf097 6288bb971 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Jun 25 14:20:06 2021 -0700 + + Merge pull request #1053 from dcantah/hcn-log-cleanup + + Get rid of redundant logs in HCN version range checks + +commit d793bf0970ea693844588dc1cec8ca74f02a2143 +Merge: 60b791395 a7ad80ff2 +Author: Maksim An +Date: Thu Jun 24 11:47:21 2021 -0500 + + Merge pull request #1054 from anmaxvl/fix-wrong-error-logging + + fix wrong error logged when dm-verity footer read fails + +commit a7ad80ff203aa7ea078fa09b1af5216cf793e1d5 +Author: Maksim An +Date: Thu Jun 24 09:34:21 2021 -0700 + + fix wrong error logged when dm-verity footer read fails + + Signed-off-by: Maksim An + +commit 6288bb97125c8a25d79b87ffd3a597258fa4e0bc +Author: Daniel Canter +Date: Tue Jun 22 16:19:03 2021 -0700 + + Get rid of redundant logs in HCN version range checks + + Kubeproxy logs are filled with redudnant version check spam from an unexported call that's invoked + as part of checking if a feature is supported. The logs don't detail what feature(s) are even being checked + so it just seems like spam. With the way things are implemented all of the hcn features are checked for support in + any of the `hcn.XSupported()` calls not just the one being checked, so these logs come up quite a bit if there's + many features that aren't supported on the machine. + + Add two new logs in a sync.Once that logs the HNS version and supported features. This should be enough + to investigate version issues. + + Should remedy https://github.com/microsoft/hcsshim/issues/1043 + + 
Signed-off-by: Daniel Canter + +commit 60b791395cdc0febc5ff3f239a125ab76ad6457d +Merge: 1c8b91e38 9dc13ebaf +Author: Maksim An +Date: Thu Jun 24 02:06:16 2021 -0500 + + Merge pull request #1008 from anmaxvl/read-vhd-verity-footer + + Read vhd verity footer + +commit 9dc13ebafb2f9c0af4c501d7cd3848d12fe4cd34 +Author: Maksim An +Date: Tue Apr 20 23:18:40 2021 -0700 + + add logic to parse dm-verity footer from layer VHDs + + this builds on top of the dm-verity footer feature that + has been previously added. changes to opengcs have already been + made where the verity info (root hash, merkle tree etc) is expected + to be appended to the ext4 data and this change enables passing + in the actual verity information. + + If dm-verity footer read fails, fallback to the original behavior as + if the footer wasn't present at all. + + Signed-off-by: Maksim An + +commit 1c8b91e38d229216622e466799611e2d6af7bf8e +Merge: 9bc76cd06 9ed930028 +Author: Maksim An +Date: Wed Jun 23 11:44:46 2021 -0500 + + Merge pull request #930 from anmaxvl/user/maksiman/device-mapper + + add logic to stack lcow layers on a single VPMEM device + +commit bbf558965c70f14fac7d8649be1be8071d28b8a2 +Author: Daniel Canter +Date: Wed May 19 22:17:18 2021 -0700 + + Add containerd-shim plumbing for job containers + + * Add the necessary plumbing in containerd shim to be able to create a job container + if asked for via the annotation. + + * Rework jobcontainers package a bit to return a resources struct to avoid some hacks during cleanup. + This was resource cleanup for wcow/lcow is the exact same for job containers in the shim. + + * Change some of the layer code to handle taking in a volume mount point + + 
Signed-off-by: Daniel Canter + +commit 9bc76cd068a2c05a76f678253b5d4dad27629f9c +Merge: 62680e0b8 49c3e4b2a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jun 15 12:41:13 2021 -0700 + + Merge pull request #1047 from dcantah/dnsdomain + + Add DNSDomain to hns endpoint object + +commit 49c3e4b2a084930e9c16589a299836d2559ac250 +Author: Daniel Canter +Date: Mon Jun 14 16:26:40 2021 -0700 + + Add DNSDomain to hns endpoint object + + It was missing from our go definition. For instance if the hcn definitions were used to set the + dns information/make the endpoint and then we requery for the endpoint with the v1 hns schema/calls, + this information won't be present. + + This controls the `Connection-specific DNS Suffix` you'd see on ipconfig for example. + + Signed-off-by: Daniel Canter + +commit 9ed9300284206b37e987b94d0f3ea025c916ada8 +Author: Maksim An +Date: Fri Feb 12 00:09:51 2021 -0800 + + add support for packing multiple LCOW layers onto single VPMem + + add VirtualPMemMapping schema and update gcs types + + add memory allocator interface and implementation + + VPMem multi-mapping support has been added in 19H1, which enables + packing multiple VHDs onto a single VPMem device. + This feature enables an optimization, where multiple LCOW container + layers can be packed onto a single VPMem device. + + This change uses memory allocator introduced above to keep track + of the VPMem surface allocation. + + Additionally, introduce new structs to keep track of the internal + state of each mapped LCOW layer VHD and update HCS/GCS calls + accordingly. + + The optimization is enabled by default on supported systems and + fall-back to old behavior otherwise. + + add CRI tests + + 
Signed-off-by: Maksim An + +commit 62680e0b85326a67506094fc0f89ceac239b8820 +Merge: 43d30843e a0e93da59 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jun 10 11:37:45 2021 -0700 + + Merge pull request #1045 from netal/user/negup/networkLevelACLPolicy + + Added Support for NestedIpSet type in SetPolicy and a new Network Policy called NetworkACL policy + +commit a0e93da5933a9fc59ff8e3c07b6a3e8c37a2b62a +Author: netal +Date: Thu Jun 10 10:51:01 2021 -0700 + + Added Support for NestedIpSet type in SetPolicy and a new Network Policy called NetworkACL policy + + Signed-off-by: netal + +commit 43d30843e27c72233aa8609ce13379de4313d9e5 +Merge: 106fa2a01 3b54b4f15 +Author: Kathryn Baldauf +Date: Tue Jun 8 17:12:21 2021 -0700 + + Merge pull request #1044 from katiewasnothere/fix_exec_in_shim_host + + use requested stdio in call to exec in shim host + +commit 3b54b4f1544b198493fc63fb13f73511e161566f +Author: Kathryn Baldauf +Date: Tue Jun 8 16:14:04 2021 -0700 + + use requested stdio in call to exec in shim host + + Signed-off-by: Kathryn Baldauf + +commit 106fa2a01215711329a5ddf3c9e5e41f413a54d0 +Merge: 0de8ce769 c793ff47a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Jun 7 05:34:07 2021 -0700 + + Merge pull request #1026 from dcantah/ncproxy-dns + + Add DnsSettings to ncproxy CreateEndpointRequest + +commit c793ff47ab49bc5fc2aa2b95d9e6c2ce5e3d20e8 +Author: Daniel Canter +Date: Thu May 13 10:27:58 2021 -0700 + + Add DnsSettings to CreateEndpointRequest + + To be able to set DNS configurations on the endpoint add a new DnsSettings message to + be used on the hcn endpoint. + + This PR also fixes up a spelling mistake in subnet_ipadress_prefix -> subnet_ipaddress_prefix, + and a couple casing changes on the proto file. + + 
Signed-off-by: Daniel Canter + +commit 0de8ce769783af195f3049098667ceaff96c8fb2 +Merge: 5558027a8 15f794e7d +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jun 1 11:15:38 2021 -0700 + + Merge pull request #1034 from dcantah/opengcs-readme + + Add instructions to build containerd-shim and gcs binaries + +commit 15f794e7d3d311bf1c50277526cc2e804747355d +Author: Daniel Canter +Date: Wed May 19 17:11:15 2021 -0700 + + Add instructions to build containerd-shim and gcs binaries + + Touch up the README a bit to add instructions on how to build some of the + important binaries. + + Add a small README to the ./internal/guest directory. + + Remove the stray ./opengcs/README.md that was leftover from the merge. + + 
Signed-off-by: Daniel Canter + +commit 5558027a8516f1955f59956d8e63715212ccbd43 +Merge: 71e1621e1 cd895b4d1 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri May 28 20:10:18 2021 -0700 + + Merge pull request #1038 from dcantah/remove-internal-guestconn + + Remove internal GCS connection functionality + +commit 71e1621e1ce4b4532622402905e978b8572fccc2 +Merge: 4b9542467 450cdb150 +Author: Kevin Parsons +Date: Fri May 28 16:55:10 2021 -0700 + + Merge pull request #1041 from kevpar/shim-delete + + shim: Clean up delete invocation behavior + +commit 450cdb150a74aa594d7fe63bb0b3a2a37f5dd782 +Author: Kevin Parsons +Date: Fri May 28 15:45:08 2021 -0700 + + shim: Clean up delete invocation behavior + + This changes the behavior when the shim is invoked with the "delete" + command line argument. + + Previously, the delete path did two things it should not: + - Attempted to locate the sandbox container for the pod and delete it as + well. This meant if "shim delete" was invoked for a workload + container, it could bring down the whole pod. The only reason we did + not see this in the past is that prior to containerd 1.5 "shim delete" + was not called for successful container stop operations. + + - Deleted the bundle directory. We shouldn't do this in the shim, as + containerd does it itself. + + For reference on what the Linux shim does, see here: https://github.com/containerd/containerd/blob/master/runtime/v2/runc/v2/service.go#L291 + + 
Signed-off-by: Kevin Parsons
+
+commit cd895b4d114093e858d48139ed8dc214727cac7d
+Author: Daniel Canter
+Date: Thu May 27 11:55:51 2021 -0700
+
+ Remove internal GCS connection functionality
+
+ HCS maintains an internal guest connection to the GCS normally if you request it.
+ However, there are certain features that require us to maintain an external connection
+ (external in this sense meaning not in HCS) instead like late cloning.
+
+ We had swapped to always managing the connection to the GCS ourselves some time ago and
+ afaik there's been no fallout from it, so I propose let's get rid of the internal branches
+ altogether. This greatly simplifies the work for going through a different virtstack for
+ hypervisor isolated containers as well.
+
+ Ran go mod vendor in /test to bring in the changes as well.
+
+ Signed-off-by: Daniel Canter
+
+commit 4b95424673b5f34c7072b8bfd2c7c4b0e1b1e9be
+Merge: 3d01d8241 575db04c9
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Wed May 26 01:11:44 2021 -0700
+
+ Merge pull request #955 from dcantah/share-scratch-tests
+
+ Add tests for LCOW shared scratch space work
+
+commit 3d01d8241f28aec4d4eb2fa75c3f09b568387ce0
+Author: Sean T Allen
+Date: Tue May 25 13:51:36 2021 -0400
+
+ VHD with dm-verity (#985)
+
+ * Adds a dm-verity integrity option to VHDs created from tar files.
+
+ - allow for the creation of dmverity superblocks
+ - getting the complete merkle tree
+ - getting a roothash from an existing tree
+
+ tar2ext4 now takes an additional option to include tree information in
+ the
+ generated VHD. Information will be stored as:
+
+ ext4 / verity superblock / merkle tree / VHD footer
+
+ assuming that all optional content is included.
+
+ At time, the salt value for all verity code is hardcoded. It could be
+ changed later as with the usage of a superblock, we no longer need
+ to know the salt on the use side as it will be obainted from the
+ superblock.
+
+ The included `cmd/dmverity-vhd` and `cmd/roothash` commands can be used
+ for testing.
+
+ dmverity-hd takes the name of a docker image which it will download
+ and for each layer, it will generate a VHD in the provided output
+ directory.
+
+ The layer VHDs are named after the SHA for the given layer.
+
+ dmverity-vhd outputs the name of each vhd created.
+
+ roothash takes the nane of a docker image which it will download and for
+ each
+ layer, it will output the roothash for the layer.
+
+ For example:
+
+ ```
+ > ./dmverity-vhd -i alpine:3.10 -o test
+ test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286
+
+ > ./roothash -i alpine:3.10
+ 680edf0d62d42085f446efc20f34d02f5d21f4a2eec1ab79506809321105a13a
+
+ > dumpe2fs
+ test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286
+ dumpe2fs 1.45.5 (07-Jan-2020)
+ Filesystem volume name:
+ Last mounted on:
+ Filesystem UUID:
+ Filesystem magic number: 0xEF53
+ Filesystem revision #: 1 (dynamic)
+ Filesystem features: ext_attr sparse_super2 filetype extent flex_bg
+ large_file huge_file extra_isize read-only
+ Default mount options: (none)
+ Filesystem state: clean
+ Errors behavior: Continue
+ Filesystem OS type: Linux
+ Inode count: 496
+ Block count: 1544
+ Reserved block count: 0
+ Free blocks: 7
+ Free inodes: 3
+ First block: 0
+ Block size: 4096
+ Fragment size: 4096
+ Blocks per group: 32768
+ Fragments per group: 32768
+ Inodes per group: 496
+ Inode blocks per group: 31
+ Flex block group size: 2147483648
+ Last mount time: n/a
+ Last write time: Wed Dec 31 19:00:00 1969
+ Mount count: 0
+ Maximum mount count: 0
+ Last checked: Wed Dec 31 19:00:00 1969
+ Check interval: 0 ()
+ Reserved blocks uid: 0 (user root)
+ Reserved blocks gid: 0 (group root)
+ First inode: 11
+ Inode size: 256
+ Required extra isize: 24
+ Desired extra isize: 24
+
+ Group 0: (Blocks 0-1543)
+ Primary superblock at 0, Group descriptors at 1-1
+ Block bitmap at 1542 (+1542)
+ Inode bitmap at 1543 (+1543)
+ Inode table at 1511-1541 (+1511)
+ 7 free blocks, 3 free inodes, 90 directories
+ Free blocks: 2-8
+ Free inodes: 494-496
+
+ > veritysetup verify --data-blocks=1544 \
+ --hash-offset=6324224 \
+ test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286 \
+ test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286 \
+ 680edf0d62d42085f446efc20f34d02f5d21f4a2eec1ab79506809321105a13a
+
+ ```
+
+ where no output from the verifysetup command means that
+ everything is working as expected.
+
+ * vendor new dependencies
+
+ * create a new cli app for dmverity-vhd
+
+ additionally combine dmverity-vhd and roothash into a single app
+ with corresponding subcommands.
+
+ Signed-off-by: Maksim An
+
+ Co-authored-by: Maksim An
+
+commit 91974a2b0a9d17a5dbf6a721110651a8aa21fff9
+Merge: f444c40a2 7d4dbe4d2
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Fri May 21 18:29:52 2021 -0700
+
+ Merge pull request #1023 from dcantah/remotevm-uvm
+
+ Remotevm UVM implementation
+
+commit f444c40a23266d231a0102b74001c9ce46765aed
+Merge: 9ca705de1 b9c244e7b
+Author: Kathryn Baldauf
+Date: Fri May 21 16:53:10 2021 -0700
+
+ Merge pull request #1032 from dcantah/gitattr
+
+ lf line endingify stray opengcs files
+
+commit b9c244e7b22b07a5393d4b547193c908dfb55b9c
+Author: Daniel Canter
+Date: Tue May 18 17:26:20 2021 -0700
+
+ lf line endings opengcs files
+
+ For some reason there's 2 opengcs files that are crlf, 2 out of the 3 files in
+ vsockexec..
+
+ Run go mod vendor + tidy in test in case
+
+ Signed-off-by: Daniel Canter
+
+commit 575db04c9001bb68d5760f986c2ced9880c3d045
+Author: Daniel Canter
+Date: Fri Feb 26 19:28:45 2021 -0800
+
+ Add tests for LCOW shared scratch space work
+
+ First test validates that after launching a pod and one container there is only a single
+ scsi disk available in the guest.
+
+ Second test launches two workload containers both sharing the pod sandbox containers scratch space. A
+ file is written in the first workload container and the available size left on the rootfs is then checked in
+ both workload containers. The success case is if both containers show the same available size left.
+
+ Signed-off-by: Daniel Canter
+
+commit 9ca705de1ba636d259491c73728eeb0ddbc5842e
+Merge: 236b8e1d4 6779771ed
+Author: Kathryn Baldauf
+Date: Thu May 20 14:39:16 2021 -0700
+
+ Merge pull request #1036 from katiewasnothere/fix_cpugroup_test
+
+ fix break in cpu groups test on machines with build < 20124
+
+commit 6779771ed92e8fd9558e50a492b0053625bf771b
+Author: Kathryn Baldauf
+Date: Thu May 20 14:20:56 2021 -0700
+
+ fix break in cpu groups test on machines with build < 20124
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 236b8e1d44186eeb99e1894c1ad9e7680e9ce4d2
+Merge: 640d38098 f0de01365
+Author: Kathryn Baldauf
+Date: Tue May 18 19:26:20 2021 -0700
+
+ Merge pull request #1033 from dcantah/fix-critests
+
+ Change VSMBNoDirectMap_WCOW_Hypervisor test to fix CI break
+
+commit f0de013658e00c021091e395be2df36290c64195
+Author: Daniel Canter
+Date: Tue May 18 19:08:59 2021 -0700
+
+ Change VSMBNoDirectMap_WCOW_Hypervisor test to fix CI break
+
+ In this PR (https://github.com/microsoft/hcsshim/pull/1019) I changed how we pass annotations to
+ the cri-containerd suite, but this PR (https://github.com/microsoft/hcsshim/pull/1030) got in before
+ which added a new test. This caused the CI to fail on checkin of the first PR. Always rebase kids
+
+ Signed-off-by: Daniel Canter
+
+commit 640d38098eb87e7ae802ab259ffaded192e74ab6
+Merge: fc68b2a1d 1a8a5d861
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue May 18 19:01:34 2021 -0700
+
+ Merge pull request #1019 from dcantah/remotevm-test
+
+ Add new flags to integration tests to specify virtstack
+
+commit fc68b2a1de8a3d2fbb206ce07d31e14d3444100b
+Merge: 79f91508d dffc7ef16
+Author: Kathryn Baldauf
+Date: Tue May 18 18:48:29 2021 -0700
+
+ Merge pull request #931 from katiewasnothere/task_update_implementation
+
+ support pod and container updates
+
+commit dffc7ef169deb77e36437130f64a9da37515651b
+Author: Kathryn Baldauf
+Date: Fri Dec 4 16:02:39 2020 -0800
+
+ support pod and container updates
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 7d4dbe4d25dfe057a620557fad6d24a56f1531fb
+Author: Daniel Canter
+Date: Mon May 10 17:07:57 2021 -0700
+
+ Remotevm UVM implementation
+
+ Add an implementation of the vm.UVM interface using the vmservice ttrpc
+ definitions.
+
+ Fix up cpugroup HypervisorId type to be a uint64
+
+ Signed-off-by: Daniel Canter
+
+commit 79f91508d66583957c9b8295693649ddc38d6b19
+Merge: 5a7e7e04f a4bdb0736
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue May 18 17:37:34 2021 -0700
+
+ Merge pull request #1031 from katiewasnothere/makefile_lf
+
+ Change Makefile file type from crlf to lf
+
+commit a4bdb0736ea01721f58539b1704ef581a9e899d6
+Author: Kathryn Baldauf
+Date: Tue May 18 16:30:03 2021 -0700
+
+ Change Makefile file type from crlf to lf
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 5a7e7e04fdf9d253de919bcb3f3e2c50770bdf19
+Merge: 482a0b89f e43978ff2
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Tue May 18 15:36:06 2021 -0700
+
+ Merge pull request #1029 from ambarve/shim_panic_limit
+
+ Read max 1MB data from panic.log
+
+commit e43978ff239e889326c92ab938bd90bc73bcbfb2
+Author: Amit Barve
+Date: Tue May 18 12:42:02 2021 -0700
+
+ Read max 1MB data from panic.log
+
+ Panic.log file can get very large if there are other log statements writing to
+ stderr. Avoid reading the entire file
+
+ Signed-off-by: Amit Barve
+
+commit 482a0b89f2e2e2af624fe76877cf3a922ca3c1b4
+Merge: 0feed3f8e 11cd03de3
+Author: Kathryn Baldauf
+Date: Tue May 18 15:15:57 2021 -0700
+
+ Merge pull request #1030 from katiewasnothere/vsmb_no_direct_map
+
+ Add option to set no direct map by default on wcow VSMB devices
+
+commit 11cd03de39e6786fc28c9ef05a9d2dc606d5b003
+Author: Kathryn Baldauf
+Date: Tue May 18 14:31:30 2021 -0700
+
+ Add option to set no direct map by default on wcow VSMB devices
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 0feed3f8e9ddde800d3bf1c3185394b53bfcf5c7
+Merge: 264333450 4cd8e71b3
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Tue May 18 12:43:54 2021 -0700
+
+ Merge pull request #1021 from ambarve/scsi_vsmb_fix
+
+ Fix bug with VSMB & SCSI mounts on the same host path
+
+commit 2643334504a19e7a777a85416fd8bb959da33ae4
+Merge: 3b82d4106 6fcfcf10b
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Tue May 18 12:05:18 2021 -0700
+
+ Merge pull request #1028 from ambarve/late_clone_test_build_fix
+
+ Run late clone tests on 20H2+ builds only.
+
+commit 3b82d41068eb4d64d130626f06a65a9b55ccb29a
+Merge: 407147a88 0c991565c
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Mon May 17 16:57:19 2021 -0700
+
+ Merge pull request #973 from dcantah/merge-opengcs
+
+ Merge Microsoft/opengcs and Microsoft/hcsshim
+
+commit 0c991565c4f31ce595a014e5ff15ed9524604242
+Author: Daniel Canter
+Date: Thu Apr 29 01:33:21 2021 -0700
+
+ Fix up opengcs CI issues/remove ginkgo from Makefile
+
+ We're not using ginkgo for any of our tests anymore (that I can see) so for Makefile
+ test just swap to running every test in /internal/guest which comprises (mostly) all of the
+ Linux specific guest features.
+
+ This commit also adds linter tags to a couple things to fix up deadcode warnings as well as fixes
+ a casing mistake on the setSubreaper function in /internal/guest/runtime/runc/runc.go
+
+ Signed-off-by: Daniel Canter
+
+commit f8a46eb21dea329e93d93ee2a3c0a090076e57f5
+Author: Daniel Canter
+Date: Wed Apr 28 10:39:03 2021 -0700
+
+ Add build tags to everything so testing at root works
+
+ Running our CI explodes as when it gets to anything in /internal/guest there's a whole
+ bunch of unix going on.
+
+ Signed-off-by: Daniel Canter
+
+commit 29eb4983a0ea34e1488edd374029463cf9b1a398
+Author: Daniel Canter
+Date: Wed Apr 28 06:09:38 2021 -0700
+
+ Get rid of need for containerd/sys/reaper
+
+ The exported function we were using just calls a unix syscall, so just call
+ this directly.
+
+ Signed-off-by: Daniel Canter
+
+commit a9a05626b53677086cc2fe785d9758a7921083d8
+Author: Daniel Canter
+Date: Wed Apr 28 05:55:05 2021 -0700
+
+ Fix up Makefile to build gcs binaries from /cmd
+
+ Signed-off-by: Daniel Canter
+
+commit ef9e2810beaabc85ee3e81fbf85a873abf3f26dd
+Author: Daniel Canter
+Date: Mon May 17 15:54:53 2021 -0700
+
+ Vendor in opengcs dependencies
+
+ Bring in the opengcs dependencies:
+ github.com/linuxkit/virtsock
+ github.com/vishvananda/netlink
+ github.com/vishvananda/netns
+ github.com/opencontainers/runc
+ github.com/mattn/go-shellwords
+
+ Signed-off-by: Daniel Canter
+
+ Signed-off-by: Daniel Canter
+
+commit 9f7d3a8f46ee00128f6cd4185b2d7173cb8c517a
+Author: Daniel Canter
+Date: Wed Apr 28 05:36:26 2021 -0700
+
+ Fix up imports for opengcs files + build tag for gcs binary
+
+ * Change import paths to actually reflect where the files currently reside.
+ * Put a linux build tag on the gcs binary
+ * Get rid of the secondary gitignore file in the service directory, afaict this isn't
+ actually needed from checking what it's actually exlcuding. This was likely a relic of
+ a much older version of the gcs and binaries/artifacts that used to be built out of it.
+
+ Signed-off-by: Daniel Canter
+
+commit 5d97cc3f5234a7f0bbcc9997835c0eba820a8e2a
+Author: Daniel Canter
+Date: Wed Apr 28 04:55:57 2021 -0700
+
+ Add opengcs build job to github actions CI
+
+ Add new job to the CI to run the Makefile for opengcs and delete the existing
+ opengcs CI yml file living in /opengcs/.github
+
+ Signed-off-by: Daniel Canter
+
+commit 6eb9d6fb4c40421c56b8e2bbf97f53cddbee2fc5
+Author: Daniel Canter
+Date: Wed Apr 28 04:51:03 2021 -0700
+
+ Move opengcs service/gcs and service/libs code to internal/guest
+
+ Move all of the code that used to live in the opengcs service directory to the
+ internal guest package to live with the rest of the opengcs internal code.
+
+ Signed-off-by: Daniel Canter
+
+commit 4d20492c6d01a7e03a4ba85b67147cc4b16bb8a5
+Author: Daniel Canter
+Date: Wed Apr 28 04:23:26 2021 -0700
+
+ Build gcs and gcstools binaries out of cmd
+
+ This commit moves the code for the main opengcs binary and the gcstools binary
+ to cmd so we can build the binaries the same way we do for the all of the other
+ binaries we care about.
+
+ The Makefile will be edited in a future commit to be aware of this rearrange.
+
+ Signed-off-by: Daniel Canter
+
+commit 686fc6e20ca814158e89bbc82d960f617af23a92
+Author: Daniel Canter
+Date: Wed Apr 28 04:16:44 2021 -0700
+
+ Move opengcs/internal to /internal
+
+ The debug package is useful and not strictly related to guest behavior so I've moved this to
+ a new debug package in internal, however for everything that's either Linux specific or opengcs
+ specific I've created a new `guest` package that houses these. This includes the kmsg package
+ (linux specific) the hcs v2 runtime guest code, all of the storage functionality that ends up
+ leading to mount syscalls, and guest side vmbus/pci related code.
+
+ Signed-off-by: Daniel Canter
+
+commit 2de739712f6d14ce58ae9c54f96d59fdcacfe152
+Author: Daniel Canter
+Date: Wed Apr 28 03:17:47 2021 -0700
+
+ Remove unneccessary opengcs/log and opengcs/oc packages
+
+ These were just exact copies of the log and oc packages already in hcsshim.
+
+ Signed-off-by: Daniel Canter
+
+commit 4cdb366e845b2e1da73ae88ae31424efa5ccb1a2
+Author: Daniel Canter
+Date: Wed Apr 28 03:11:42 2021 -0700
+
+ Move all non gcs code to top level
+
+ * Move hack/, init/, vsockexec/ and Makefile top level
+
+ Signed-off-by: Daniel Canter
+
+commit 86d8b454101c59499c21d0537c01a042f91ef13b
+Author: Daniel Canter
+Date: Wed Apr 28 03:09:23 2021 -0700
+
+ Remove vendor dir for opengcs
+
+ No need for it, all the deps wil be going in the hcsshim vendor directory.
+
+ Signed-off-by: Daniel Canter
+
+commit ba9332e1cb9b25323b742023d9079b82652af375
+Author: Daniel Canter
+Date: Wed Apr 28 03:03:32 2021 -0700
+
+ Get rid of unnecessary opengcs files
+
+ * Add gitignore rules to top level gitignore and remove files that have
+ duplicates and make no sense here anymore (LICENSE, CODEOWNERS, go.mod/sum)
+
+ Signed-off-by: Daniel Canter
+
+commit 9d39093d9a9711d795df3eda966e3359e8ca1033
+Merge: 407147a88 2dcf9121a
+Author: Daniel Canter
+Date: Mon May 17 15:07:30 2021 -0700
+
+ Merge Microsoft/opengcs and Microsoft/hcsshim
+
+ Merge Microsoft/opengcs and Microsoft/hcsshim
+
+ This was done more or less like the following: https://www.nomachetejuggling.com/2011/09/12/moving-one-git-repo-into-another-as-subdirectory/
+
+ This is solely just adding the repo to hcsshim in an opengcs subdirectory with the history, nothing else.
+
+ The reason for this is really that there's no reason for opengcs to be it's own repository anymore. The gcs binary itself
+ is built out of the repo but opengcs itself isn't really used as a library anymore so positives like versioning aren't as important.
+ The repository itself will live on and we cut a tag before removing all of the v1 codebase so I think the bases are covered.
+
+commit 6fcfcf10b1dd7835fae00f8e3c6e4b62a121b6e4
+Author: Amit Barve
+Date: Mon May 17 14:19:34 2021 -0700
+
+ Run late clone tests on 20H2+ builds only.
+
+ Late clone needs some registry settings when running on builds older than 20H2. We do not
+ add these registry settings on such builds by default so the late clone tests might fail
+ on machines with builds older than 20H2. Skip running these tests on such machines.
+
+ Signed-off-by: Amit Barve
+
+commit 407147a8825c21b2f1f1ef4e53b24b27fb8632fb (tag: v0.8.17)
+Merge: 0f5799e5e eba372547
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Thu May 13 22:00:50 2021 -0700
+
+ Merge pull request #1027 from Priyankasaggu11929/psaggu-bump-containerd-to-1.5.1
+
+ bump containerd version to v1.5.1
+
+commit eba372547321473e09161ac34a266f499ffdb78a
+Author: Priyanka Saggu
+Date: Fri May 14 06:57:30 2021 +0530
+
+ bump containerd version to v1.5.1
+
+ Signed-off-by: Priyanka Saggu
+
+commit 0f5799e5e9fe19aa85ea3b0f4a6285c8640daa6c
+Merge: 710d70470 ce4f34789
+Author: Kevin Parsons
+Date: Thu May 13 16:01:22 2021 -0700
+
+ Merge pull request #1025 from kevpar/close-stdio
+
+ internal/cmd: Close individual IO pipes when the relay finishes
+
+commit ce4f347898357e7dcf025409716a44789b1a7f5a
+Author: Kevin Parsons
+Date: Tue May 11 10:19:02 2021 -0700
+
+ internal/cmd: Close individual IO pipes when the relay finishes
+
+ The shim is expected to close its end of the IO pipes from the gcs when
+ it is done using them. This is done to ensure that no data is left
+ buffered in the pipes on the gcs's end. Previously, this was
+ accomplished via the ioChannel closing its underlying connection if Read
+ returned EOF.
+
+ However, this is not sufficiently robust, as it will not work in cases
+ where the shim's IO relay breaks on the write end (e.g. if CRI has gone
+ away).
+
+ To resolve this, we now expose individual methods on cow.Process to
+ close each IO pipe (in/out/err), and call those from the Cmd
+ implementation once the IO relay completes.
+
+ This should be a good first-pass fix here, until we can apply some more
+ focused cleanup to the IO relay code in the future.
+
+ Some minor renaming/cleanup as well.
+
+ Signed-off-by: Kevin Parsons
+
+commit 710d704708cb3a468f551880f83197d6ea2760c9
+Merge: 18de184a3 47674600e
+Author: Kevin Parsons
+Date: Wed May 12 16:36:37 2021 -0700
+
+ Merge pull request #1024 from kevpar/log-cleanup
+
+ internal/hcs: hcsshim -> hcs in operation name strings
+
+commit 18de184a3c14e33b8eec883f68b0f5096b2e6cff
+Merge: 20ce9b887 70edd1250
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Wed May 12 01:19:54 2021 -0700
+
+ Merge pull request #1022 from vikas-bh/tieracl5
+
+ Add support for tier acl policy
+
+commit 47674600ef0f7f1979bde38f1840ccc2d6b88843
+Author: Kevin Parsons
+Date: Tue May 11 10:12:11 2021 -0700
+
+ internal/hcs: hcsshim -> hcs in operation name strings
+
+ e.g. hcsshim::System::Modify -> hcs::System::Modify
+ This should make the log messages a bit clearer.
+
+ Signed-off-by: Kevin Parsons
+
+commit 70edd1250e3e415a2b6ff83d56fa1bc70a38aa14
+Author: Vikas Bhardwaj
+Date: Thu Jan 14 10:30:34 2021 -0800
+
+ Changes for tier acl policy
+
+ Signed-off-by: Vikas Bhardwaj
+
+commit 20ce9b887fbf8d1ee4077b2490b29facf2be0a28
+Merge: 2895e629f 4641e993c
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Fri May 7 18:08:31 2021 -0700
+
+ Merge pull request #1009 from dcantah/vm-package
+
+ Add abstractions for direct HCS interactions
+
+commit 4cd8e71b358ab00a4f3955f7bcfeb6a7f42ed6cd
+Author: Amit Barve
+Date: Fri May 7 15:27:43 2021 -0700
+
+ Fix bug with VSMB & SCSI mounts on the same host path
+
+ When mounting a VHD at host path `C:\data\test.vhdx` into the container over SCSI and also
+ sharing the same VHD inside the container over VSMB the current code just shares the VHD
+ inside the container for both mounts instead of actually SCSI mounting the VHD for one of
+ the mounts. This change fixes that.
+
+ Signed-off-by: Amit Barve
+
+commit 1a8a5d861fd2b4dcda866e86b89787c1fc915577
+Author: Daniel Canter
+Date: Thu May 6 01:18:31 2021 -0700
+
+ Add new flags to integration tests to specify virtstack
+
+ Add some new flags to the integration test suite that enables choosing what virtstack
+ to use for hypervisor isolated containers. This makes it so we can re-use our existing tests
+ and just pass in new flags to run them with a new stack.
+
+ To have this play nice with the test suite I changed `getRunPodSandboxRequest` to take in whatever
+ annotations we'd want to set on the pod config directly instead of us having to set them on the
+ returned object itself.
+
+ Signed-off-by: Daniel Canter
+
+commit 2895e629ff5e1ab0811d3e1d21597761457f2e6a
+Merge: 2d5a2c3c0 880590bca
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Wed May 5 23:15:24 2021 -0700
+
+ Merge pull request #1017 from dcantah/fix-codeowners
+
+ Take off hcn package CODEOWNERS line
+
+commit 4641e993ca02a8c98ef95a840bc2b24da28bee8a
+Author: Daniel Canter
+Date: Thu Apr 22 03:32:57 2021 -0700
+
+ Add abstractions for direct HCS interactions
+
+ Add vm package, uvm and uvmbuilder interfaces to abstract away the operations that we call directly into
+ hcs for. This will be useful for having these operations be performed by a different virtstack
+ so long as it supports what is needed for containers.
+
+ Signed-off-by: Daniel Canter
+
+commit 2d5a2c3c03768113f35f75172d0db295f72fd31d
+Merge: 691999834 0882cf37d
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue May 4 17:59:47 2021 -0700
+
+ Merge pull request #1003 from jsturtevant/update-ipv6-versioning
+
+ WS 2004 supports dual stack
+
+commit 691999834a8854517e18bcf8d3a8fa42765bfd78
+Merge: f105e0775 7299e2e4f
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue May 4 17:30:26 2021 -0700
+
+ Merge pull request #1016 from erfrimod/erfrimod/l4wfpproxy-policy
+
+ Adding proxy exceptions to L4WFP Proxy Policy
+
+commit 7299e2e4fa03df8981e3a18cd5ea43d709f8342d
+Author: Erik Frimodig
+Date: Tue May 4 16:10:09 2021 -0700
+
+ Adding proxy exceptions to L4WFP Proxy Policy
+
+ Signed-off-by: Erik Frimodig
+
+commit 880590bca4dff2abf383cf183bf31118a4eb51d0
+Author: Daniel Canter
+Date: Tue May 4 17:07:46 2021 -0700
+
+ Take off hcn package codeowners line
+
+ The CODEOWNERS logic for the hcn package shouldn't work as the required reviewer
+ doesn't have write access which is required.
+
+ From https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners:
+
+ "The people you choose as code owners must have write permissions for the repository. When the code owner
+ is a team, that team must have write permissions, even if all the individual members of the team already have
+ write permissions directly, through organization membership, or through another team membership."
+
+ Signed-off-by: Daniel Canter
+
+commit f105e07757c116119c3af0665641151d3b0e7d2d
+Merge: e481a139d 6212521e6
+Author: Kathryn Baldauf
+Date: Tue May 4 13:22:32 2021 -0700
+
+ Merge pull request #1015 from dims/updated-to-containerd-v1.5.0
+
+ Updated to containerd v1.5.0
+
+commit 6212521e67f47c01515f015bb721e8fc4f433947
+Author: Davanum Srinivas
+Date: Tue May 4 13:15:11 2021 -0400
+
+ Updated to containerd v1.5.0
+
+ Signed-off-by: Davanum Srinivas
+
+commit e481a139d6e1bfcd216372e5ea62cfd6fb7a6a2c
+Merge: 1175109e8 716eddc8e
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Fri Apr 30 13:27:40 2021 -0700
+
+ Merge pull request #1013 from vikas-bh/ipv6fields1
+
+ Add NatFlags flag to OutboundNatPolicySetting
+
+commit 1175109e82dfa984459977a26f9128494f4f2e99
+Merge: bf20b75af 06256be9f
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Thu Apr 29 22:08:54 2021 -0700
+
+ Merge pull request #1014 from dcantah/fix-spelling
+
+ Fix spelling mistake with `notificationWatcherContext`
+
+commit 06256be9f531bc38af378a5d37adb567be7b793d
+Author: Daniel Canter
+Date: Thu Apr 29 18:18:52 2021 -0700
+
+ Fix spelling mistake with `notificationWatcherContext`
+
+ notifcationWatcherContext -> notificationWatcherContext
+
+ Signed-off-by: Daniel Canter
+
+commit 716eddc8e0ab29db0341108d1c523bd08e1c80cc
+Author: Vikas Bhardwaj
+Date: Thu Apr 29 16:33:51 2021 -0700
+
+ CR feedback
+
+ Signed-off-by: Vikas Bhardwaj
+
+commit f568d433f83efc97f2eaecb882ef8e1e79357f23
+Author: Vikas Bhardwaj
+Date: Thu Apr 29 15:58:53 2021 -0700
+
+ CR feedback
+
+ Signed-off-by: Vikas Bhardwaj
+
+commit d3f1ab7aff4da7a2e367a9a05ab5b2c6c919fcca
+Author: Vikas Bhardwaj
+Date: Wed Apr 28 18:13:27 2021 -0700
+
+ Add ipv6 flag to OutboundNatPolicySetting
+
+ Signed-off-by: Vikas Bhardwaj
+
+commit 2dcf9121abc025834baaa0151f00c8bd3dc8bc25
+Author: Daniel Canter
+Date: Wed Apr 28 02:45:49 2021 -0700
+
+ Getting ready for hcsshim merge
+
+ * Move entire repo into opengcs subdir
+ * `gofmt -s -w .` all the files to satisfy linter
+
+ Signed-off-by: Daniel Canter
+
+commit bf20b75af1b95345d2ee526b66942b9cc98908ea
+Merge: 8656c9baa 377e39a5b
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue Apr 27 17:01:55 2021 -0700
+
+ Merge pull request #1006 from dcantah/cpugroup-onstart
+
+ Add support for assigning cpu group on creation
+
+commit 377e39a5b739ffe533e68930ed079cf201262cc0
+Author: Daniel Canter
+Date: Wed Apr 21 14:11:05 2021 -0700
+
+ Add support for assigning cpu group on creation
+
+ In recent builds of Windows there was support added to the HCS to allow assigning
+ a cpugroup at creation time of the VM instead of afterwards. The current approach in this
+ repo of adding a vm after start was only a workaround as this wasn't supported at the time.
+ The current approach isn;t ideal due to some wonky behavior on machines with
+ multiple NUMA nodes as we can suffer performance penalties because of remote memory access on
+ machines with > 1 node when adding a VM after start.
+
+ Signed-off-by: Daniel Canter
+
+commit 0882cf37d229ebd85bc69c423bd3c2aebc85321a
+Author: James Sturtevant
+Date: Thu Apr 15 14:28:19 2021 -0700
+
+ WS 2004 supports dual stack
+
+commit 8656c9baa760afb56717c0bb674ae7464426d617
+Merge: faecc38b9 a7fe5d3af
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue Apr 27 13:23:57 2021 -0700
+
+ Merge pull request #1012 from estebanreyl/esrey/rootNotInitializedBug
+
+ Fix tar2vhd on specific unordered tars
+
+commit a7fe5d3af6467e3c04d3c75d690d05374f32294f
+Author: Esteban Rey
+Date: Tue Apr 27 10:42:19 2021 -0700
+
+ Added fix for unordered tars not starting with a
+ root folder file.
+
+ Signed-off-by: Esteban Rey
+
+commit faecc38b9fbd3cfe8d2ecd11f15af11e3897cc9e
+Merge: 141e8c092 5d1799c3f
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Mon Apr 26 18:25:15 2021 -0700
+
+ Merge pull request #1010 from dcantah/vmservice
+
+ Add vmservice ttrpc interface
+
+commit 5d1799c3fb121bcdd5054c023840859569b544e1
+Author: Daniel Canter
+Date: Fri Apr 23 00:10:05 2021 -0700
+
+ Add vmservice ttrpc interface
+
+ This change brings in a new generated ttrpc service intended to be implemented
+ by a virtstack to facilitate running hypervisor isolated containers.
+
+ The goal is to have the operations we need and rely on for running hypervisor based
+ containers be abstracted away so we're not calling directly into HCS for everything
+ anymore, but rather make it a configurable option on what underlying virtstack is chosen.
+ These definitions are missing some key Windows features like VSMB but what's here
+ currently is enough to run a Linux guest at the moment with networking.
+
+ There will be future work to add an implementation of the UVM interface (https://github.com/microsoft/hcsshim/pull/1009)
+ based off of these definitions.
+
+ Signed-off-by: Daniel Canter
+
+commit 141e8c0923c7474aff700d16c46053a8c149545b
+Merge: b35557ddb fec8e08ab
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Thu Apr 22 12:36:18 2021 -0700
+
+ Merge pull request #1007 from ambarve/shim_panic_create_pod_fixes
+
+ Minor fixes to shim panic log & create task functions
+
+commit b35557ddbc85daa1e64d5c6278f1aff2537747ed
+Merge: 01c70382b ff9c76f69
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Wed Apr 21 19:21:43 2021 -0700
+
+ Merge pull request #1004 from dcantah/resourcepath
+
+ Move around HCS schema and resource path definitions
+
+commit 01c70382bcabfe856276cf1a3d215bdd13ef2e6a
+Merge: d9474d26c 3cd77f39f
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Wed Apr 21 17:34:49 2021 -0700
+
+ Merge pull request #1005 from dcantah/hcn-port
+
+ Add VmEndpointRequest in hcn for eventual usage in the shim
+
+commit fec8e08ab641b9e3f0c9121861a6d8cba020f3fe
+Author: Amit Barve
+Date: Wed Apr 21 16:51:19 2021 -0700
+
+ Minor fixes to shim panic log & create task functions
+
+ The change to collect shim panic logs during shim delete command does not work in cases
+ when the delete command itself runs into some error. To avoid losing shim panic logs in
+ such cases we log the shim panic logs (if found) as first thing in the delete command.
+
+ CreateTask function had `wcl` mutex lock that wasn't really being used anywhere, this
+ change removes that. We also don't add a `nil` entry for a new task in the `workloadTasks`
+ map anymore to avoid the shim panic in some cases where a `GetTask` function might
+ be called while we are still in the process of creating the task and haven't updated the
+ nil entry with the actual task struct reference.
+
+commit ff9c76f69b6c6ecc47aae4e701596ee4998bb4af
+Author: Daniel Canter
+Date: Wed Apr 21 10:51:39 2021 -0700
+
+ Move around HCS schema and resource path definitions
+
+ As both the V1 and V2 HCS schema are tied to HCS itself, it makes more sense
+ to have the schema definitions co-located under the hcs package. The resource paths
+ are also tied to HCS and in preparation of some work where we'll need the resourcepaths available
+ outside of the uvm and gcs packages, move the resource paths for both virtual machines and containers
+ to their own package.
+
+ Signed-off-by: Daniel Canter
+
+commit 3cd77f39f5df37ca4476454af401682c6aa7870d
+Author: Daniel Canter
+Date: Wed Apr 21 11:07:17 2021 -0700
+
+ Add VmEndpointRequest for eventual usage in the shim
+
+ HCS today for adding a network adapter to a virtual machine sets up the switch
+ port itself by making a VmEndpointRequest. There are cases where we will want to
+ do this ourselves, and we need the switch ID for this which will only exist after
+ this request.
+
+ Signed-off-by: Daniel Canter
+
+commit 9c5f6dbaf5fd7686e509e2a9b2091bfb2ba298ca
+Merge: 5eca651ab 00dbf04d0
+Author: Kathryn Baldauf
+Date: Tue Apr 20 14:34:00 2021 -0700
+
+ Merge pull request #405 from katiewasnothere/remove_travis
+
+ Remove travis files and related dockerfile
+
+commit 00dbf04d0ba8424b58b35d3f742b3eb63cc987fe
+Author: Kathryn Baldauf
+Date: Tue Apr 20 12:49:12 2021 -0700
+
+ Remove travis files and related dockerfile
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 5eca651ab77c6559176cab3a46620c317344f1ad
+Merge: 3bfc2da24 9ee477cb5
+Author: Kathryn Baldauf
+Date: Tue Apr 20 12:34:10 2021 -0700
+
+ Merge pull request #402 from katiewasnothere/gh_actions
+
+ Switch to Github actions
+
+commit 9ee477cb55029fc90e0125ae68fbaf2ca7200f37
+Author: Kathryn Baldauf
+Date: Tue Apr 13 18:19:23 2021 -0700
+
+ Add CI github action
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 3bfc2da24bc55e1a6e1c94490a3ccaa67d8d7187
+Merge: b1ad9ad87 02bb73fc5
+Author: Maksim An
+Date: Tue Apr 13 23:04:23 2021 -0700
+
+ Merge pull request #403 from anmaxvl/fix_storage_tests
+
+ fix wrong type in pmem debug message, pmem and scsi unit tests
+
+commit 02bb73fc59afd0ee9a41b6b748e0a629e6712633
+Author: Maksim An
+Date: Tue Apr 13 22:50:32 2021 -0700
+
+ minor bugfix in pmem debug message. fix pmem and scsi unit tests
+
+ Debug message format in pmem package was using a wrong type.
+
+ Unit tests for pmem and scsi were using old structs and function
+ signatures.
+
+ Trigger unit tests in Makefile
+
+ Signed-off-by: Maksim An
+
+commit b1ad9ad878f2ec1bf605c62ec3b313d85961404c
+Merge: 8f1f0a0b0 7913d73b5
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue Apr 13 22:57:21 2021 -0700
+
+ Merge pull request #404 from dcantah/gcs-core-remove
+
+ Get rid of service/gcs/core/gcs
+
+commit 7913d73b5870d53b41ae43e1c3fbe3945d356c40
+Author: Daniel Canter
+Date: Tue Apr 13 22:34:04 2021 -0700
+
+ Get rid of service/gcs/core/gcs
+
+ Remnants of the v1 gcs removal. I don't see this used anywhere.
+
+ https://github.com/microsoft/opengcs/commit/e972b276edcc73be63c6f05a53e623bf38e5332a
+
+ Signed-off-by: Daniel Canter
+
+commit 8f1f0a0b08a75765cc8344b12f4d32e54b13b425
+Merge: 2ed586680 7604c07f9
+Author: Kathryn Baldauf
+Date: Tue Apr 13 16:06:45 2021 -0700
+
+ Merge pull request #401 from katiewasnothere/fix_generichook_dep
+
+ Update generichook package to fix broken dependency
+
+commit 7604c07f956f4ccd3dcc73962f99d7cab7b454f1
+Author: Kathryn Baldauf
+Date: Tue Apr 13 15:55:11 2021 -0700
+
+ Update generichook package to fix broken dependency
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 2ed586680c70550301feefe3440d0e6ab1ee26c0
+Merge: daa2c7856 50edeb3dd
+Author: Kathryn Baldauf
+Date: Tue Apr 13 15:40:13 2021 -0700
+
+ Merge pull request #400 from katiewasnothere/vendor_missing_deps
+
+ Update go modules to get missing dependencies
+
+commit 50edeb3dd1b3febf8f472353043c3e85a5deb172
+Author: Kathryn Baldauf
+Date: Tue Apr 13 15:32:00 2021 -0700
+
+ Update go modules to get missing dependencies
+
+ Signed-off-by: Kathryn Baldauf
+
+commit d9474d26c57bed6081b3941dd7980d5e8457148e
+Merge: c1d36212c 442a9aa4c
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue Apr 13 14:41:05 2021 -0700
+
+ Merge pull request #1001 from dcantah/remove-mergemaps-v2
+
+ Get rid of mergemaps functionality for v2 codepaths
+
+commit c1d36212c6b98c43d2e6ff6b0d4453f2d27df7aa
+Merge: 840644c77 d5f4aeef4
+Author: Kathryn Baldauf
+Date: Tue Apr 13 14:36:54 2021 -0700
+
+ Merge pull request #987 from katiewasnothere/fix_propagation_lcow
+
+ Support passing in propagation flags on scsi mounts for LCOW
+
+commit d5f4aeef4245025bef2fe717f2a975a953618792
+Author: Kathryn Baldauf
+Date: Thu Mar 25 17:03:37 2021 -0700
+
+ Support passing in propagation flags on scsi mounts for LCOW
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 840644c77d02d44939bab31570c644c9e94c0bec
+Merge: 4b67ed2cd 8bc18f34b
+Author: Kathryn Baldauf
+Date: Tue Apr 13 12:52:42 2021 -0700
+
+ Merge pull request #1000 from katiewasnothere/fix_ttrpc_status_panic
+
+ Update grpc and genproto library to avoid panic in ttrpc
+
+commit 442a9aa4cab2b61fbd494fd8ce294550c3362dd5
+Author: Daniel Canter
+Date: Tue Apr 13 12:51:12 2021 -0700
+
+ Get rid of mergemaps functionality for v2 codepaths
+
+ There's not a single place we used to set the uvm.Options `AdditionHCSDocumentJSON` field to
+ anything so it was as good as not there already. Just skip the calls entirely and remove the copying
+ of the fields for lateclone scenarios.
+
+ Signed-off-by: Daniel Canter
+
+commit 8bc18f34bf79940fb1e6445fed4ac4bf10a01509
+Author: Kathryn Baldauf
+Date: Tue Apr 13 12:46:33 2021 -0700
+
+ Update grpc and genproto library to avoid panic in ttrpc
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 4b67ed2cdb5355b30cf572ec17d5ffe648a85b0e
+Merge: da33ecd60 bab6498e1
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Mon Apr 12 13:06:51 2021 -0700
+
+ Merge pull request #996 from thaJeztah/use_the_build
+
+ Use osversion.Build() utility, and add a sync.Once
+
+commit daa2c785680ada661fb4284a50073d21c652a8a1
+Merge: a72614fb7 1b5fcfe14
+Author: Maksim An
+Date: Thu Apr 8 16:54:37 2021 -0700
+
+ Merge pull request #399 from anmaxvl/maksiman/dm-verity-target
+
+ add support for dm verity target when mounting VPMem devices
+
+commit a72614fb7dd03b828484fb943ae63dd4fbe85d99
+Merge: 6c9e795d2 01a276740
+Author: Kathryn Baldauf
+Date: Thu Apr 8 14:00:42 2021 -0700
+
+ Merge pull request #398 from katiewasnothere/fix_propagation_scsi
+
+ Support passing through arbitrary options and propagation flags for scsi mounts
+
+commit 01a276740d18e2f1c51f6bfe86894ebfd7854efe
+Author: Kathryn Baldauf
+Date: Thu Mar 25 17:08:29 2021 -0700
+
+ Support passing through arbitrary options and propagation flags for scsi mounts
+
+ Signed-off-by: Kathryn Baldauf
+
+commit da33ecd607e170385eb03eaba5e6834633f9fe17
+Merge: 2b139f628 8a22e26c5
+Author: Kathryn Baldauf
+Date: Thu Apr 8 13:54:31 2021 -0700
+
+ Merge pull request #992 from katiewasnothere/test_execinhost_utility
+
+ Add a utility function to exec in shimdiag for cri-containerd tests
+
+commit 8a22e26c53bcf0ca71ebdfcf6ca19a7ef7e81a3f
+Author: Kathryn Baldauf
+Date: Wed Apr 7 20:23:12 2021 -0700
+
+ Add a utility function to exec in shimdiag for cri-containerd tests
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 2b139f6283e643928dc358f02f7a126036a5accd
+Merge: d5dd5179d b68de0515
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Thu Apr 8 10:52:53 2021 -0700
+
+ Merge pull request #995 from dcantah/fix-stderr-comment
+
+ Fix stderr comment in containerd-shim serve command
+
+commit d5dd5179dd5634e0480c9d865abf2db2d3e724e4
+Merge: 2f0b9f3d0 6e2f5995b
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Thu Apr 8 10:11:30 2021 -0700
+
+ Merge pull request #997 from dcantah/fix-ncproxy-comment
+
+ Remove incorrect comment from ncproxy grpc service struct
+
+commit 6e2f5995bcc4a5e79d1aed073a2827a519dabb01
+Author: Daniel Canter
+Date: Thu Apr 8 07:46:36 2021 -0700
+
+ Remove incorrect comment from ncproxy grpc service struct
+
+ The GRPC service doesn't hold a mutex. This was left in from an older iteration
+ where the client map would get updated in the grpc service.
+
+ Signed-off-by: Daniel Canter
+
+commit bab6498e1a1246c6735a2e7e785e4770f3c8a317
+Author: Sebastiaan van Stijn
+Date: Thu Apr 8 14:42:58 2021 +0200
+
+ osversion.Get(): use sync.Once
+
+ Given that it's _very_ unlikely that the Windows version changes at runtime,
+ we can use a sync.Once to not repeatedly call windows.GetVersion()
+
+ Signed-off-by: Sebastiaan van Stijn
+
+commit d3cbd1d90ef16e46a11b7dae7fd6c18496bc9d4e
+Author: Sebastiaan van Stijn
+Date: Thu Apr 8 12:49:31 2021 +0200
+
+ Use osversion.Build() utility where possible
+
+ 
Signed-off-by: Sebastiaan van Stijn + +commit b68de0515391790db646dd6980d26030aaaeba11 +Author: Daniel Canter +Date: Tue Apr 6 15:19:27 2021 -0700 + + Fix stderr comment in containerd-shim serve command + + In a comment in the serve command for the containerd-shim it says that to signify that we're + successfully serving the ttrpc endpoint we should close stderr, but we actually close stdout + to signify this. The write end of the pipe is hooked up to stdout on the "serve" command invocation + of the shim and we simply forward stderr to the read side until close. Stderr for the serve + invocation is hooked up to the panic.log file in case the shim panics. + + Signed-off-by: Daniel Canter + +commit 2f0b9f3d0ea07b79006be8a173b66b0a4a20c7d3 +Merge: e811ee705 7289451f5 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Apr 8 02:40:30 2021 -0700 + + Merge pull request #993 from hex0punk/goroutine-leak-fix + + prevents a goroutine from being leaked if binary cmd fails to finish + +commit 7289451f52c08330c4dc320b382130a875852fff +Author: hex0punk +Date: Thu Apr 8 01:05:27 2021 -0700 + + prevents a goroutine from being leaked if binary cmd fails to finish + +commit e811ee705ec77df2ae28857ade553043fb564d91 (tag: v0.8.16) +Merge: 7fa8bda4e f731440f5 +Author: Kathryn Baldauf +Date: Wed Apr 7 13:57:52 2021 -0700 + + Merge pull request #991 from katiewasnothere/remove_extra_info + + Remove extra info from error logs + +commit f731440f562046527c8a470acb18c3a357402655 +Author: Kathryn Baldauf +Date: Wed Apr 7 13:34:53 2021 -0700 + + Remove extra info from error logs + - these logs create noise and are no longer useful + + 
Signed-off-by: Kathryn Baldauf + +commit 1b5fcfe142a50dd9c9f83aaf0ef7ccae1ec188fd +Author: Maksim An +Date: Wed Mar 31 00:28:05 2021 -0700 + + add support for dm verity target when mounting VPMem devices + + Update VPMem mount APIs to support passing dm verity information + in addition to VPMem multi-mapping. + + Hash device is expected to be the same as the data device with + hash tree appended right after the ext4 file system data, block + sizes for data and hash devices are expected to be the same as + well. + + Additionally handle a case when both multi-mapping and verity + are enabled, in that case, first create dm-linear target and use + that target as a data and hash device for dm-verity target. + + Signed-off-by: Maksim An + +commit 7fa8bda4e6ba503caf0d53d0a4ee99b9a64ceed8 +Merge: b5d7f5129 012856b73 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Apr 2 01:47:12 2021 -0700 + + Merge pull request #979 from dcantah/hostprocess-stats + + Add stats support for job containers + +commit b5d7f5129cac9babd1035384b3d7270ecd308f5b +Merge: 628db61b9 66e564129 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Thu Apr 1 14:48:30 2021 -0700 + + Merge pull request #990 from ambarve/tar2ext_expansion_test + + Add test for tar2ext layer expansion + +commit 66e564129aaa16e18b87ef6bf691d82e12806c6d +Author: Amit Barve +Date: Thu Apr 1 13:05:41 2021 -0700 + + Add test for tar2ext layer expansion + + tar2ext layer expansion had a bug where during a tar expansion if a file showed up before + its parent directory then the expansion would fail with path not found error. This was + fixed in #972. This commit just a adds a test for that fix. + + 
Signed-off-by: Amit Barve + +commit 628db61b9f871a7fc32a6c57257187dbc34669e3 +Merge: 65090e5b3 557915e0f +Author: Kathryn Baldauf +Date: Thu Apr 1 12:20:48 2021 -0700 + + Merge pull request #964 from katiewasnothere/ncproxy-iov + + Add support for modifying iov settings in ncproxy + +commit 557915e0f24367dd2f0e4905c2bb3d24b1f741d3 +Author: Kathryn Baldauf +Date: Tue Mar 9 14:37:52 2021 -0800 + + Add support for modifying iov settings in ncproxy + + Signed-off-by: Kathryn Baldauf + +commit 012856b73109e9eccbff67429a85efec49121238 +Author: Daniel Canter +Date: Fri Mar 19 16:44:12 2021 -0700 + + Add stats support for host process containers + + * Add PropertiesV2 and Properties calls for host process containers. The only supported queries for them are + PropertiesV2: Statistics + Properties: ProcessList + * Add NtQuerySystemInformation and SYSTEM_PROCESS_INFORMATION binds. + + This work will be utilized in the containerd shim just as the PropertiesV2 and Properties calls + are today for process and hv isolated containers. + + 
Signed-off-by: Daniel Canter + +commit 65090e5b3e45723e2d579b701a29eb8ed9826915 +Merge: f496574ac 2d2c19c14 +Author: Kathryn Baldauf +Date: Fri Mar 26 11:30:24 2021 -0700 + + Merge pull request #975 from slonopotamus/golangci-lint-action + + Switch from deprecated gometalinter to golangci/golangci-lint-action + +commit 2d2c19c143e916a5fab0ea743fce7fca01a02cbe +Author: Marat Radchenko +Date: Wed Mar 17 21:43:35 2021 +0300 + + Switch from deprecated gometalinter to golangci/golangci-lint-action + +commit f496574ac80359b554360d57c3370c81f7977b5f +Merge: 64000d5a6 58f7ef4c7 +Author: Kathryn Baldauf +Date: Thu Mar 25 14:49:34 2021 -0700 + + Merge pull request #977 from katiewasnothere/linter_fixes + + Fix various golangci linter issues + +commit 64000d5a68982266245a1db50f426f49187b4b2c +Merge: 10f84228c 37ab22eb5 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Mar 25 13:41:41 2021 -0700 + + Merge pull request #984 from thaJeztah/remove_k8s_k8s + + test: remove k8s.io/kubernetes dependency by using containerd copy + +commit 37ab22eb5d25fec015a38c106c642976ea4ce88f +Author: Sebastiaan van Stijn +Date: Thu Mar 25 10:37:52 2021 +0100 + + test: go.mod: remove replace rule, which is no longer needed + + Now that k8s.io/kubernetes is no longer used, this replace rule should + no longer be needed (`go mod tidy` and `go mod vendor` worked without + problem). + + 
Signed-off-by: Sebastiaan van Stijn + +commit 75abc2e83808a0cfff3a92a7cd5e4b711bb9ade8 +Author: Sebastiaan van Stijn +Date: Thu Mar 25 10:29:58 2021 +0100 + + test: remove k8s.io/kubernetes dependency by using containerd copy + + The k8s.io/kubernetes dependency is only needed for a single function + (GetAddressAndDialer), which doesn't seem to be in any module, other than + k8s.io/k8s itself. + + Containerd created a copy of this utility for that reason, so let's use that + copy to get rid of the dependency on k8s.io/k8s. + + Perhaps we should try to have that utils package included in one of the + smaller k8s.io moduless. + + Signed-off-by: Sebastiaan van Stijn + +commit 10f84228cc6f17b15dcebb4437ef62367bb0a35c +Merge: 77f39d64f a83893ceb +Author: Maksim An +Date: Wed Mar 24 21:45:35 2021 -0700 + + Merge pull request #981 from anmaxvl/maksiman/tests/scale-cpu-limits + + Add test for ScaleCPULimitsToSandbox runtime config + +commit 77f39d64f725e888c095125c43f8d0a79ead2670 +Merge: 29393c59d bb94c3575 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Mar 24 17:30:16 2021 -0700 + + Merge pull request #983 from dcantah/breakway-job + + Set CREATE_BREAKAWAY_FROM_JOB flag for job container processes + +commit bb94c3575c0ee3eee68da896d824a1c0ee750d90 +Author: Daniel Canter +Date: Wed Mar 24 17:02:57 2021 -0700 + + Set CREATE_BREAKAWAY_FROM_JOB flag for job container processes + + We don't want to inherit the job object of whatever process is running the job container code (the containerd-shim + generally but this would apply for any process). Set the CREATE_BREAKAWAY_FROM_JOB flag on job container processes + to prevent this from happening. The job object itself will also need to have the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit + set for this to take affect. + + 
Signed-off-by: Daniel Canter + +commit 29393c59d8fd30b84070519c7d66490315fae863 +Merge: bc6f3d31e 8640c6465 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Mar 24 16:47:01 2021 -0700 + + Merge pull request #982 from dcantah/update-xsyswindows + + Update/revendor x/sys/windows to pull in ProcThreadAttributeList changes + +commit 8640c64651c090611a084de63d05629b7e4a227e +Author: Daniel Canter +Date: Wed Mar 24 16:09:12 2021 -0700 + + Vendor in x/sys/windows to pull in ProcThreadAttributeList changes + + https://github.com/golang/sys/commit/f36f78243c0c784c12079479984ffb57e9eb5792 added similar functionality + that I had been working on to manage a PROC_THREAD_ATTRIBUTE_LIST structure. Pull this in to avoid + re-inventing the wheel. + + Signed-off-by: Daniel Canter + +commit bc6f3d31eb88f5770bda20449b68e6847cfb1a5c +Merge: af6877f9e e746a523e +Author: Maksim An +Date: Tue Mar 23 18:45:38 2021 -0700 + + Merge pull request #978 from anmaxvl/maksiman/binary-io-debug-cleanup + + use cmd.String() when logging binary_io command + +commit af6877f9e2a505453d02f265acc95f948fddfb44 +Merge: 8a843926f fcc18548d +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Mar 23 16:00:17 2021 -0700 + + Merge pull request #969 from dcantah/jobcontainer-tests + + Add new job container tests + +commit e746a523e8b9ba7843a75e7ff7e96c954badb8b5 +Author: Maksim An +Date: Fri Mar 19 13:22:56 2021 -0700 + + use cmd.String() when logging binary_io command + + additionally clean up potential linter errors + + 
Signed-off-by: Maksim An + +commit a83893ceb1d18f61084b09baa5eda0c13e203ad6 +Author: Maksim An +Date: Mon Mar 22 09:47:10 2021 -0700 + + Add a test for ScaleCPULimitsToSandbox runtime config + + Test does the following: + - calculate 1 core equivalent cpu limit based on the number of cores + the host has, i.e. 10,000/hostNumCPU + - set container CPU limit to the above value. + NOTE: There won't be any difference if the host has only 2 cores + (which is the default for a UVM), but this is unlikely to happen + - make 2 stats request with a 5 second interval and calculate + the CPU usage + - the CPU usage should be around 100% with acceptable error set to 10% + + Add `requireBinary` wrapper to check if a binary with a given + name exists in the same directory as the test executable and + conditionally skips the tests if the binary doesn't exist + + Signed-off-by: Maksim An + +commit 6c9e795d2b8a359bd4b5679b848beab94027ee15 +Merge: 221178af9 99173928f +Author: Kathryn Baldauf +Date: Tue Mar 23 10:17:26 2021 -0700 + + Merge pull request #388 from katiewasnothere/generic_hook + + Add a new generic hook for use in device setup + +commit 99173928fc1d47bcacff9f31b0842cd64620682f +Author: Kathryn Baldauf +Date: Wed Jan 6 13:06:16 2021 -0800 + + Add a new generic hook for use in device setup + + Signed-off-by: Kathryn Baldauf + +commit 58f7ef4c7bb7926454e301b0c0b35f66bbd9c5cf +Author: Kathryn Baldauf +Date: Wed Mar 17 18:41:22 2021 -0700 + + Fix various golangci linter issues + + Signed-off-by: Kathryn Baldauf + +commit 221178af90fc5e458ca70b9be52a9e176a8165fe +Merge: b72a02232 fd3663278 +Author: Kathryn Baldauf +Date: Mon Mar 22 14:11:05 2021 -0700 + + Merge pull request #397 from katiewasnothere/fix_containerd_update + + Update to new package location for containerd/sys/reaper + +commit fd3663278af4b11a7082b01eaf6326fd2215a6e6 +Author: Kathryn Baldauf +Date: Mon Mar 22 14:03:49 2021 -0700 + + Update to new package location for containerd/sys/reaper + + 
Signed-off-by: Kathryn Baldauf + +commit 8a843926faab47403c769e7def9b753e1e5f956d +Merge: 885f896c5 555806735 +Author: Kathryn Baldauf +Date: Mon Mar 22 11:12:06 2021 -0700 + + Merge pull request #980 from dcantah/document-shimdiag-list + + Update ArgsUsage for shimdiag commands to add flags + +commit 555806735c045718186fa8cf417cd4242eb6bbad +Author: Daniel Canter +Date: Mon Mar 22 06:02:40 2021 -0700 + + Update ArgsUsage for shimdiag commands to add flags + + None of the ArgsUsage's for any of the commands listed flags so add this. + + Signed-off-by: Daniel Canter + +commit b72a022324c3b3f4ed74d96c08415a5662eaa3e2 +Merge: d39f8763d c0ed29070 +Author: Kathryn Baldauf +Date: Thu Mar 18 16:01:43 2021 -0700 + + Merge pull request #396 from thaJeztah/bump_deps + + go.mod: github.com/containerd/containerd v1.5.0-beta.4 + +commit c0ed29070880bd2130bedd8e15077c683e9505cf +Author: Sebastiaan van Stijn +Date: Thu Mar 18 14:02:06 2021 +0100 + + go.mod: github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3 + + full diff: https://github.com/linuxkit/virtsock/compare/8e79449dea07...f8cee7dfc7a3 + + Signed-off-by: Sebastiaan van Stijn + +commit 59148dadb42a15dacf0e479882fe2b61a8f7c7cd +Author: Sebastiaan van Stijn +Date: Thu Mar 18 13:34:28 2021 +0100 + + go.mod: github.com/containerd/containerd v1.5.0-beta.4 + + Signed-off-by: Sebastiaan van Stijn + +commit 885f896c5a8548ca36c88c4b87fd2208c8d16543 +Merge: ae2494ce2 cd57213fb +Author: Kathryn Baldauf +Date: Wed Mar 17 18:39:25 2021 -0700 + + Merge pull request #976 from dcantah/linter-fix + + Fix golangci linter issues + +commit cd57213fb88522c492c8e2097b425595365b72e6 +Author: Daniel Canter +Date: Wed Mar 17 15:35:59 2021 -0700 + + Fix golangci linter issues + + * Remove unused mutex for the grpc service in ncproxy + * Remove unneccessary os.Stat call that didn't even check the return value + *facepalm* + + 
Signed-off-by: Daniel Canter + +commit ae2494ce2a05596d0269d8322a7b06c85c4c1e55 +Merge: f86d0cc3c e3bde0e6f +Author: Kathryn Baldauf +Date: Wed Mar 17 14:26:29 2021 -0700 + + Merge pull request #968 from thaJeztah/bump_test_deps + + test: go.mod: github/containerd/containerd v1.5.0-beta.4 + +commit e3bde0e6f9f9c77d2d4c00ce2e1e5d67bea841ad +Author: Sebastiaan van Stijn +Date: Fri Mar 12 17:54:30 2021 +0100 + + test: go.mod: github/containerd/containerd v1.5.0-beta.4 + + Signed-off-by: Sebastiaan van Stijn + +commit f86d0cc3c4f0292376b8d4acaeb2fa89975a17db +Merge: 9e1ba4d0e 326d5022a +Author: Kathryn Baldauf +Date: Wed Mar 17 14:13:46 2021 -0700 + + Merge pull request #967 from thaJeztah/bump_deps2 + + go.mod: github.com/containerd/containerd v1.5.0-beta.4 + +commit 326d5022a16fdcf9bd302e2c92318f38a6a464db +Author: Sebastiaan van Stijn +Date: Fri Mar 12 17:47:37 2021 +0100 + + go.mod: github.com/containerd/containerd v1.5.0-beta.4 + + 
Signed-off-by: Sebastiaan van Stijn + +commit 9e1ba4d0e438c45acc13f962612da1eb0728cf42 +Merge: ac95fba4a 282a5037c +Author: Kathryn Baldauf +Date: Wed Mar 17 11:43:07 2021 -0700 + + Merge pull request #974 from slonopotamus/patch-1 + + Fix CI badge in README + +commit 282a5037cac31c4a128a5c40b775a2f7ea830c8d +Author: Marat Radchenko +Date: Wed Mar 17 21:31:56 2021 +0300 + + Fix CI badge in README + + This is a follow-up to #970 + +commit fcc18548da0562ab57feb895f5d1892e824853d1 +Author: Daniel Canter +Date: Thu Mar 11 11:04:17 2021 -0800 + + Add new job container tests + + Add tests to excercise the scenarios we care about and expect to work. + + This includes: + 1. HNS access. Validate we can create a dead simple network and remove after. + 2. Look at disks/volumes/partitions on the host. + 3. Create a vhd from in the container. + 4. Check hostname at beginning of test -> exec in job container and check hostname -> compare to validate that they're the same. + 4. Manipulating/generating etw file. + 5. Install (and uninstall on success) a program. + + Signed-off-by: Daniel Canter + +commit ac95fba4a1eba45c9e3c0c7f0487483fd47230d3 +Merge: 7f2254953 d77c1c4f6 +Author: Kathryn Baldauf +Date: Wed Mar 17 11:24:10 2021 -0700 + + Merge pull request #970 from slonopotamus/gh-actions + + Switch CI to GitHub Actions + +commit d77c1c4f6486a366a33e8dae0c1777ae311e6a08 +Author: Marat Radchenko +Date: Tue Mar 2 22:27:43 2021 +0300 + + Switch CI to GitHub Actions + + 
Signed-off-by: Marat Radchenko + +commit 7f2254953b47afd30f1ea94a2665a5e258da7dc3 +Merge: 5d9980ceb bdddc24a5 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Tue Mar 16 16:31:37 2021 -0700 + + Merge pull request #972 from ambarve/tar2ext4-dir-fix + + Fix tar extraction issue where parent directories don't exist. + +commit bdddc24a55e56e64cbc135ec8f4c27c8b1a15708 +Author: Amit Barve +Date: Tue Mar 16 13:38:42 2021 -0700 + + Fix tar extraction issue where parent directories don't exist. + + Extracting LCOW layers to vhd fails when a file shows up in the + tar list before the parent directory of that file shows up. This change fixes that by + always creating any non existing parent directories and then updating their permissions + later when actual directory entry shows up. + + Signed-off-by: Amit Barve + +commit 5d9980cebb1dc5f23d61d860116e7015e9dfd692 +Merge: 5281188fe 11cc3a2fa +Author: Maksim An +Date: Tue Mar 16 16:24:58 2021 -0500 + + Merge pull request #971 from anmaxvl/maksiman/read-ext4-superblock + + add utility method to read ext4 superblock from a VHD + +commit 11cc3a2fa9b4a2ccf233b0ac1616a14b1d39186d +Author: Maksim An +Date: Thu Mar 11 21:10:00 2021 -0800 + + add utility method to read ext4 superblock from a VHD + + The change enables getting accurate information about ext4 fs on + a given VHD, rather than doing os.Stat or temp mounting the VHD. + + 
Signed-off-by: Maksim An + +commit 5281188fe242eb225b10491d108091cc8f50685c +Merge: 57cae1d60 d0a87add5 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Mar 12 16:12:20 2021 -0800 + + Merge pull request #966 from dcantah/ncproxy-oc + + Add open census spans for ncproxy + go mod vendor + +commit d0a87add5a107bf071f5332ec0bf47a9d9c17e0c +Author: Daniel Canter +Date: Thu Mar 11 13:56:40 2021 -0800 + + Add open census spans for ncproxy + go mod vendor + + * Give ncproxy its own etw provider + * Add open census spans around all of the ncproxy calls + * Go mod vendor + tidy to bring in go.opencensus.io/plugin and go.opencensus.io/stats + + Signed-off-by: Daniel Canter + +commit 57cae1d6044b60425edf753e91e71fcfe596e996 +Merge: 8a04f284a f71abf34e +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Mar 11 11:22:38 2021 -0800 + + Merge pull request #965 from dcantah/change-timestamp-image + + Change image used for Test_PullImageTimestamps + +commit f71abf34e916a73050e98854b2a9e91f803fd207 +Author: Daniel Canter +Date: Thu Mar 11 11:06:29 2021 -0800 + + Change image used for Test_PullImageTimestamps + + Swap the image we used to use for the Test_PullImageTimestamps test to one hosted on an + ACR registry. + + 
Signed-off-by: Daniel Canter + +commit 8a04f284aab56bbfc71bc1168c1a53e67d3c08e2 +Merge: 5b2c8a709 061a180eb +Author: Kevin Parsons +Date: Tue Mar 9 16:35:47 2021 -0800 + + Merge pull request #963 from kevpar/test-cri-address + + Add -endpoint-address flag to cri-containerd tests + +commit 061a180eb8fae6ac97e7db7efc13b7a85464b7e2 +Author: Kevin Parsons +Date: Fri Mar 5 12:41:39 2021 -0800 + + Add -endpoint-address flag to cri-containerd tests + + This test flag allows control over what address we use to talk to CRI. + Using this allows testing with upstream containerd that only supports + named pipe. + + This change also takes a dependency on a Kubernetes utility function to + resolve the address to a dialer of the appropriate type. This brings in + some grossness in test/go.mod due to the way k8s handles their modules, + but I don't think it's a big deal given this is test code. + + Signed-off-by: Kevin Parsons + +commit d39f8763d066526e3d8f0e5e94e16af03052ae4d +Merge: 039c267e8 2b24f2fb7 +Author: Maksim An +Date: Mon Mar 8 21:53:21 2021 -0800 + + Merge pull request #395 from dmitsh/ds-typo + + Fixed typo in README + +commit 2b24f2fb7ee72653a47a174b664c6722144bbb36 +Author: Dmitry Shmulevich +Date: Mon Mar 8 19:37:01 2021 -0800 + + Fixed typo in README + + 
Signed-off-by: Dmitry Shmulevich + +commit 5b2c8a709fadfa327ef90cc8e90051b0919d4bb0 +Merge: 60a28f35d 6321a7ae9 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Mar 8 12:25:57 2021 -0800 + + Merge pull request #903 from dcantah/jobcontainers + + Add job containers package + +commit 6321a7ae93db4e3249ae7c64714327e34b2b493f +Author: Daniel Canter +Date: Fri Dec 4 17:29:35 2020 -0800 + + Add job containers package + + * Add `JobContainer` and `JobProcess` types as the two types to represent a job container + and a process in a job container. + * Add logic to find the executable being asked to run for a job container. + * Logic to launch the container as specific user. + * Logic to mount the containers scratch space on the host to a directory. + * Small subset of tests added to jobobject package + + Signed-off-by: Daniel Canter + +commit 60a28f35d505bf2904c2e91dd8bcf89726b3afeb +Merge: 081ab2f5d 153ef5e62 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Mar 8 10:52:53 2021 -0800 + + Merge pull request #958 from estebanreyl/esrey/exceededMaxSizeBugfix + + Corrected usedGdBlocks calculation + +commit 153ef5e62a6b15567163b6b2a3e5dbb4164c1cc9 +Merge: 30bb0c0ba 8b297c49b +Author: Esteban Rey +Date: Mon Mar 8 10:17:03 2021 -0800 + + Merge branch 'esrey/exceededMaxSizeBugfix' of https://github.com/estebanreyl/hcsshim into esrey/exceededMaxSizeBugfix + +commit 30bb0c0baafde77363293125ef92a3fcb568379a +Author: Esteban Rey +Date: Fri Mar 5 17:25:21 2021 -0800 + + Corrected usedGdBlocks calculation + + 
Signed-off-by: Esteban Rey + +commit 081ab2f5da5382e713a073852b90cba6ddb5c77f +Merge: 8f44f311b 2af0cd6c7 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Sun Mar 7 22:52:11 2021 -0800 + + Merge pull request #959 from dcantah/mod-and-tidy-ci + + Run go mod vendor+tidy to fix ci break + +commit 2af0cd6c70bf7956e88e0b366b42cfe9a5a4f4ec +Author: Daniel Canter +Date: Fri Mar 5 18:25:00 2021 -0800 + + Run go mod vendor+tidy to fix ci break + + * Somehow our vendored google.golang.org dependency doesn't have any files in the + root directory. Building ncproxy currently fails because of this. Believe this was + uncovered after this PR landed: https://github.com/microsoft/hcsshim/pull/956 + + Signed-off-by: Daniel Canter + +commit 8b297c49baf0f6ed8b232a8514a7164e27e853ae +Author: Esteban Rey +Date: Fri Mar 5 17:25:21 2021 -0800 + + Corrected usedGdBlocks calculation + + 
Signed-off-by: Esteban Rey + +commit 039c267e8fcd925f37d39b53ea232b8a74f97fd5 +Merge: 4db65a8ad 80883eeae +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Mar 4 12:21:52 2021 -0800 + + Merge pull request #393 from dcantah/removenetnscfg + + Remove netnscfg gcstools utility + +commit 8f44f311bfa8238227caba9c441bfc1f23055465 +Merge: 70a08f989 88e182c04 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Mar 4 09:59:21 2021 -0800 + + Merge pull request #915 from dcantah/ncproxy-newdesign + + Add implementation of network configuration proxy + +commit 70a08f9895c9b17a6e581368e0197f679d778063 +Merge: 75535b904 ac45669c0 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Wed Mar 3 12:42:54 2021 -0800 + + Merge pull request #957 from ambarve/late_clone_test_fix + + ping localhost in tests + +commit ac45669c094cc1201f22ea63128c2dbfce087a30 +Author: Amit Barve +Date: Wed Mar 3 12:35:19 2021 -0800 + + ping localhost in tests + + This fixes an issue when running tests on VMs which don't have network access. If we ping + something like microsoft on such VMs then test fails when it really shouldn't. + + Signed-off-by: Amit Barve + +commit 75535b904555dad23b8d51cf9f58302d9babe242 (tag: v0.8.15) +Merge: 43a75bb4e af84d88bd +Author: Kevin Parsons +Date: Tue Mar 2 14:51:55 2021 -0800 + + Merge pull request #956 from kevpar/ci-fix + + Improve CI reliability by forcing vendor use + +commit af84d88bd8cc2b59a3170333b8586308909cb48d +Author: Kevin Parsons +Date: Tue Mar 2 14:43:19 2021 -0800 + + Improve CI reliability by forcing vendor use + + 
Signed-off-by: Kevin Parsons + +commit 88e182c049ac7b5a99e72d778248b518e765f8e9 +Author: Daniel Canter +Date: Fri May 15 15:21:39 2020 -0700 + + Add implementation of network configuration proxy + + * Ncproxy (abbreviation of network configuration proxy) is a proxy used to facilitate + external configuration of a pods network through a set of TTRPC and GRPC services. + Ncproxy relies on other TTRPC/GRPC services to get the information it needs to perform + its actions. + + The full set of services are as follows: + + ------------------------------------------------------------------------------------------------------ + + NetworkConfigProxy (TTRPC) - This service is exposed by Ncproxy and is used by the shim. + + NodeNetworkService (GRPC) - This service is exposed by any application implementing the interface + to the service (/cmd/ncproxy/sdn_nodenetsvc/nodenetsvc.proto). + + NetworkConfigProxy (GRPC) - This service is exposed by Ncproxy and is used by a service implementing + the NodeNetworkService GRPC interface. + + ComputeAgent (TTRPC) - This service is exposed by the shim and is called by ncproxy. + + --------------------------------------------------------------------------------------------------------- + + This is an optional feature that can be enabled by setting the annotation "io.microsoft.network.ncproxy" + and providing an address to a TTRPC service that implements the NetworkConfigProxy TTRPC service defined in + /internal/ncproxyttrpc. + + 
Signed-off-by: Daniel Canter + +commit 4db65a8ad759b7a2dc7b74744c971cd49b50011c +Merge: 5f390c4c1 d32b51284 +Author: Kathryn Baldauf +Date: Mon Mar 1 15:41:47 2021 -0800 + + Merge pull request #394 from katiewasnothere/proc_cmdline_logs + + Ignore error when container process has exited between queries in /proc + +commit d32b512840021b298cd5c3c4fa9101d9ef2ab892 +Author: Kathryn Baldauf +Date: Wed Feb 24 17:06:58 2021 -0800 + + Ignore error if container process dies between queries + * Add additional logs and error messages around this scenario + + Signed-off-by: Kathryn Baldauf + +commit 5f390c4c16ea339907a6527af7fd032f33b97085 +Merge: 1e3104ecf 3a54e77a1 +Author: Maksim An +Date: Mon Mar 1 10:22:18 2021 -0800 + + Merge pull request #389 from anmaxvl/maksiman/device-mapper-support + + Use device mapper to create and mount linear block devices that correspond to container layers + that were mapped onto a single VPMEM device. + The device offset and size are expected to be in bytes and properly aligned + + Signed-off-by: Maksim An maksiman@microsoft.com + +commit 43a75bb4edd3722bdbc0cb6830c2439c72d62ea4 +Merge: 70015668f 11ec1d1eb +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Fri Feb 26 17:33:16 2021 -0800 + + Merge pull request #951 from ambarve/shim_panic_logs + + Log shim panic logs in containerd. + +commit 11ec1d1eb51a12dc5187c2f12a1cddac8634c9ed +Author: Amit Barve +Date: Tue Feb 23 12:09:08 2021 -0800 + + Log shim panic logs in containerd. + + Currently hcsshim writes the shim panic logs in a file named panic.log inside the sandbox + directory. However, those logs are never logged in containerd and they get lost when the + sandbox container is removed. This change allows the shim to log these panic logs to + containerd before deleting them. + + 
Signed-off-by: Amit Barve + +commit 70015668f742e252f17d809a8108b1f913990ff8 +Merge: 360f61dc8 4c55e4cca +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Feb 26 10:43:54 2021 -0800 + + Merge pull request #954 from dcantah/fix-nilderef-jobs + + Fix nil dereference in jobobject.Create and Open + +commit 4c55e4cca794ed4eb3642ff791dd2c3b6ad1a7a1 +Author: Daniel Canter +Date: Fri Feb 26 02:44:15 2021 -0800 + + Fix nil dereference in jobobject.Create and Open + + If nil options were passed for `Create` or `Open` both methods would run into a + nil dereference even though for `Create` it states that it will just use default options. + + For `Open` you can't open without a name so if nil options are passed just return an error. + + Signed-off-by: Daniel Canter + +commit 360f61dc8c4a0bc4f00f8a7055612f7c1b9d1efc +Merge: 0a9e81bdd 1f8111fd1 +Author: Kathryn Baldauf +Date: Thu Feb 25 17:00:03 2021 -0800 + + Merge pull request #952 from katiewasnothere/vb_gpu_tests + + Update gpu tests with Vb build number + +commit 1f8111fd18598a470bea9870b76283ac9c6a5f63 +Author: Kathryn Baldauf +Date: Thu Feb 25 11:03:54 2021 -0800 + + Update gpu tests with Vb build number + + 
Signed-off-by: Kathryn Baldauf + +commit 80883eeae70e72c072fdcb55356c130e8ceeb49d +Author: Daniel Canter +Date: Thu Feb 18 16:58:08 2021 -0800 + + Remove netnscfg gcstools utility + + This utility only existed because go used to not play well with network namespaces + due to it's nature of goroutine thread multiplexing. This poor behavior was remedied/solved in go + 1.10 due to some changes in how runtime.LockOSThread works with regards to scheduling new goroutines + and spawning new threads. + + Great article on the problem: https://www.weave.works/blog/linux-namespaces-and-go-don-t-mix + + and the eventual resolution: https://www.weave.works/blog/linux-namespaces-golang-followup + + * Add DoInNetNS function to perform a function in a specific network namespace. + * Convert netnscfg to a function to be used in tandem with DoInNetNS + + Signed-off-by: Daniel Canter + +commit 0a9e81bdd4ef1d08da4510cc8729148c3d04555e +Merge: ae4dec96d f9fa0e6f2 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Mon Feb 22 12:13:45 2021 -0800 + + Merge pull request #949 from microsoft/late_clone_test_to_master + + Add end to end tests for late cloning. (to master) + +commit f9fa0e6f221bba8e581bc1919db14bcc2031dc7b +Author: Amit Barve +Date: Tue Aug 18 12:01:24 2020 -0700 + + Add end to end tests for late cloning. + + This is one of the many small PRs that enable the support for late + cloning. This commit adds several end to end tests for the late cloning + feature. + + Signed-off-by: Amit Barve + +commit 3a54e77a193e57a42a5b8156c88a9dfeee004c4c +Author: Maksim An +Date: Wed Jan 20 14:07:34 2021 -0800 + + enable device-mapper for mounting container layers + + 
Signed-off-by: Maksim An + +commit ae4dec96de0b303db68e8ea76bc5d60de827184e +Merge: 1287a2c40 3bae952b5 +Author: Kathryn Baldauf +Date: Fri Feb 19 14:59:35 2021 -0800 + + Merge pull request #947 from TBBle/update-to-latest-go-winio + + Update go-winio to 6eac466e5fa3 for GetFileStandardInfo + +commit 3bae952b5e96ed0385dbd6e9cb6d6215ac8665f3 +Author: Paul "TBBle" Hampson +Date: Wed Feb 17 18:49:19 2021 +1100 + + Update go-winio to 6eac466e5fa3 for GetFileStandardInfo + + See https://github.com/microsoft/go-winio/pull/185; this also pulls in a + newer golang.org/x/sys release and some generated syscall cleanups. + + Signed-off-by: Paul "TBBle" Hampson + +commit 1287a2c4080d11822384ddd9622db209103c12c9 +Merge: e49e19b6e bd140d72d +Author: Kathryn Baldauf +Date: Tue Feb 16 13:37:44 2021 -0800 + + Merge pull request #946 from TBBle/update-containerd-to-v1.5.0-beta1 + + Update containerd to v1.5.0-beta1 and revendor + +commit bd140d72d8cae9e513ac1f9a3d5ae2f273b12de9 +Author: Paul "TBBle" Hampson +Date: Fri Feb 12 21:24:24 2021 +1100 + + Update containerd to v1.5.0-beta1 and revendor + + containerd has an extensive dependency tree, and this is a large jump + from v1.3.2, so this single-line change leads to a lot of churn in both + go.mod and vendoring, particularly for the 'test' submodule. + + 
Signed-off-by: Paul "TBBle" Hampson + +commit e49e19b6ef6694fe6b91653320d0f189fdda7439 +Merge: 122ec5aad 80ed7470c +Author: Kathryn Baldauf +Date: Thu Feb 11 10:49:11 2021 -0800 + + Merge pull request #942 from thaJeztah/test_fix_vendor + + test/go.mod: go mod tidy and go mod vendor + +commit 122ec5aade493b997cdf8f8cf527cc7e2d94d22b +Merge: 7bf6ec3b3 45104de93 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Feb 11 10:14:52 2021 -0800 + + Merge pull request #945 from SeanTAllen/patch-2 + + Remove non-determinism in hard link handling + +commit 45104de930d21d67ae364f09341c0d26aa4dd244 +Author: Sean T Allen +Date: Thu Feb 11 12:41:14 2021 -0500 + + Remove non-determinism in hard link handling + + Hard links share the same inode number leading to a lack of determinism when they are layed out. + + This change sorts by inode and then if they are the same, by name thereby introducing determinism. + +commit 7bf6ec3b31718a15a16c8ad6575f3b104867a69b +Merge: 45b02f18e ac15a31b4 +Author: Kevin Parsons +Date: Tue Feb 9 01:06:06 2021 -0800 + + Merge pull request #943 from SeanTAllen/deterministic-directories + + Make directory creation deterministic + +commit ac15a31b43ee2ee181708f8d484d69cc2a5f1ada +Author: Sean T. Allen +Date: Mon Feb 8 12:47:08 2021 -0500 + + Make directory creation deterministic + + Prior to this commit, the layout of created ext4 filesystems created using tar2ext4 wasn't + deterministic. Recursive directory creation would change from run to run due to the usage + of a map as temporary storage for items from the tar stream. + + This commit changes recursive directory creation to follow the same deterministic pattern + as writeDirectory. + + At this point, the only possible source of non-determinism in a create file system is the + UUID in the VHD footer. If no VHD footer is included, then the results are deterministic. 
+ +commit 80ed7470c2bb1ca2f8888abded0307f7b675c7da +Author: Sebastiaan van Stijn +Date: Mon Feb 8 15:21:02 2021 +0100 + + test/go.mod: go mod tidy and go mod vendor + + Signed-off-by: Sebastiaan van Stijn + +commit 1e3104ecf3b0098cab73ae2a3406898e3e7021c9 +Merge: 60b645507 642f7826d +Author: Kathryn Baldauf +Date: Fri Feb 5 11:35:58 2021 -0800 + + Merge pull request #391 from katiewasnothere/update_to_modify_call + + Change the update container bridge call to use the modify call instead + +commit 642f7826db99a41582b2ea1cd875857f50bf6e48 +Author: Kathryn Baldauf +Date: Fri Jan 22 18:29:37 2021 -0800 + + Change the update container bridge call to use the modify call instead + + 
Signed-off-by: Kathryn Baldauf + +commit 45b02f18efced56b5bd0793cf6d4158d0265e729 +Merge: 486694feb fccadc615 +Author: Kevin Parsons +Date: Fri Feb 5 10:10:20 2021 -0800 + + Merge pull request #939 from kevpar/fix-symlink-mount + + Resolve mount source path before passing it to HCS + +commit fccadc615f0fcc5e99979cf49a251356ac2d69b1 +Author: Kevin Parsons +Date: Thu Feb 4 18:33:55 2021 -0800 + + Resolve mount source path before passing it to HCS + +commit 60b645507ce3f54dda0f4df35b2c0a6b6a912874 +Merge: 5ea360ef3 e972b276e +Author: Kathryn Baldauf +Date: Thu Feb 4 15:07:56 2021 -0800 + + Merge pull request #390 from katiewasnothere/remove_v1_additional + + Remove the v1 gcs + +commit 486694feb17cfb62e1dd699ddb60cafe090ba96d +Merge: d6f73e1cd de43bd9fe +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Feb 4 14:24:52 2021 -0800 + + Merge pull request #938 from dcantah/fix-mounts + + Fix duplicated credential spec/devices setup in allocateWindowsResources + +commit de43bd9fe63820312a9235bbc9a95e353e28e569 +Author: Daniel Canter +Date: Thu Feb 4 14:08:12 2021 -0800 + + Fix duplicated credential spec/devices setup in allocateWindowsResources + + Recent rebase from my PR: https://github.com/microsoft/hcsshim/commit/61e1b43691874280f053a7af75bcb69fe35be117 + duplicated the credential spec and devices setup. + + Signed-off-by: Daniel Canter + +commit d6f73e1cdfce00fa6989e7d821983f7db0ea3e1b +Author: Maksim An +Date: Thu Feb 4 13:59:15 2021 -0800 + + Add better handling of windows-style paths for io_binary (#923) + + 
Signed-off-by: Maksim An + +commit 251b969e31699d4b72750d5855dc3403e85a300a +Merge: c22b7009a 2acb93cb6 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jan 28 13:55:37 2021 -0800 + + Merge pull request #934 from jsturtevant/containerd-stats-update + + Add Check for access denied when looking for stats in Containerd + +commit 2acb93cb65d08daffec95066f764e408ede51c35 +Author: James Sturtevant +Date: Thu Jan 28 13:15:55 2021 -0800 + + Add Check for access denied when looking for stats + + Signed-off-by: James Sturtevant + +commit c22b7009a014b94d21b390f6d5c947a84aff3c5f +Merge: 6103d69d1 1e6897238 +Author: Kevin Parsons +Date: Thu Jan 28 13:06:04 2021 -0800 + + Merge pull request #933 from jsturtevant/error-messages + + Expose more internal errors via hscshim api + +commit 1e6897238b57b70be623231d839558e682e30e90 +Author: James Sturtevant +Date: Thu Jan 28 12:05:20 2021 -0800 + + Expose internal errors via hscshim + + Signed-off-by: James Sturtevant + +commit 6103d69d1f2604098781c8e848ab196239bb9aa6 +Merge: e7d50a70e 61e1b4369 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jan 27 17:40:07 2021 -0800 + + Merge pull request #932 from dcantah/special-case-scratch + + Skip unmounting layers for sandbox container. + +commit 61e1b43691874280f053a7af75bcb69fe35be117 +Author: Daniel Canter +Date: Mon Jan 25 15:57:09 2021 -0800 + + Skip unmount layers for sandbox container. + + * Skip unmounting the layers for the sandbox container as we know the UVM + gets torn down shortly afterwards. + + 
Signed-off-by: Daniel Canter + +commit e7d50a70e2c60a410ca5a4b24c2f159eea82aa75 +Merge: 47a44bda7 be4c8e19e +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Wed Jan 27 15:02:21 2021 -0800 + + Merge pull request #839 from microsoft/user/ambarve/lcpr1_vmcompute + + Add support for saving hcs compute system. + +commit be4c8e19ebff1f202d44c1a90a41506473c52601 (hcsshim/user/ambarve/lcpr1_vmcompute) +Author: Amit Barve +Date: Mon Aug 17 21:37:02 2020 -0700 + + Add support for creating late clones via hcsshim + + This is one of the many small PRs that enable the support for late + cloning.This commit adds the set of functions that expose the late cloning + functionality from hcsshim and adds new annotations for clients to use + the late cloning feature. + + Signed-off-by: Amit Barve + +commit 97ca218702b6bb447cfc2697def6b89d2289e1ed +Author: Amit Barve +Date: Thu Jun 11 00:03:50 2020 -0700 + + Add support for creating network namespaces inside cloned uvms. + + This is one of the many small PRs that enable the support for late cloning. + This commit adds the set of functions required for adding network namespace and + network endpoints to cloned UVMs. + + Signed-off-by: Amit Barve + +commit 50112c71fc64c8e1694eec121a90423673efc528 +Author: Amit Barve +Date: Thu Jun 11 00:03:50 2020 -0700 + + Add support for creating cloned UVMs. + + This is one of the many small PRs that enable the support for late cloning. + This commit adds the template and clone creation support in the uvm module. + + Signed-off-by: Amit Barve + +commit e37a4dc0402b1090427f4b07908710b923e039f4 +Author: Amit Barve +Date: Wed Jun 10 20:00:47 2020 -0700 + + Add support for saving hcs compute system. + + This is one of the many small PRs that enable the support for late cloning. + This PR simply adds the go wrappers required for saving a HCS compute system + which is used during template creation. + + 
Signed-off-by: Amit Barve + +commit 47a44bda751fabb1a19c54a3d8fca144074e62de +Merge: c19ef4bd0 9c9b92a53 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Jan 27 14:43:39 2021 -0800 + + Merge pull request #929 from dcantah/new-overlay-path + + Create upper and work directories in new locations if sharing scratch + +commit 9c9b92a537dfe5c7e1b1dacfc598c433f8e7d797 +Author: Daniel Canter +Date: Sun Jan 24 10:01:28 2021 -0800 + + Create upper and work directories in new locations if sharing scratch + + Signed-off-by: Daniel Canter + +commit e972b276edcc73be63c6f05a53e623bf38e5332a +Author: Justin Terry (VM) +Date: Wed Nov 6 12:25:11 2019 -0800 + + Remove the v1 gcs + + LCOW is only supported RS5+ which already had LCOW v2. We no longer need to + keep the v1 gcs impl. + + Signed-off-by: Justin Terry (VM) + Signed-off-by: Kathryn Baldauf + +commit c19ef4bd03a74f4ab40484963ad1d271a1820a0f +Merge: 4490e2e6b 0bb6d5c3c +Author: Kathryn Baldauf +Date: Thu Jan 21 16:24:16 2021 -0800 + + Merge pull request #926 from TBBle/convert-pointer-to-slice-without-failing-checkptr + + Create a correctly-sized slice to proxy *uint16 + +commit 0bb6d5c3c3a6f01a96e8bebe5a796ff3d47fa2d1 +Author: Paul "TBBle" Hampson +Date: Wed Jan 13 04:50:54 2021 +1100 + + Create a correctly-sized slice to proxy *uint16 + + Fixes the below issue seen in the containerd test suite. + ``` + fatal error: checkptr: converted pointer straddles multiple allocations + ``` + + Also adds `-gcflags=all=-d=checkptr` to all the test runs on CI, to + avoid this regressing in future. This requires testing with Go 1.14 or + newer, so CI now runs on Go 1.15, as Go 1.14 did not recommend using + checkptr on Windows. + + And _that_ requires the Visual Studio 2019 build image on AppVeyor. + + 
Signed-off-by: Paul "TBBle" Hampson + +commit 4490e2e6b67ea2197f233bd821463e7c3199ccc0 +Merge: 7c492d64f e081f3e5b +Author: Kathryn Baldauf +Date: Thu Jan 21 13:12:12 2021 -0800 + + Merge pull request #918 from katiewasnothere/job_object_limits_tool + + Create tool to get/set job object resource limits + +commit 7c492d64f4ea44054fc0886bf4e5cb84d7372835 +Merge: 99c7fb3d1 c1ea4f550 +Author: Kathryn Baldauf +Date: Thu Jan 21 13:10:21 2021 -0800 + + Merge pull request #928 from katiewasnothere/fix_stats_not_found + + Ignore NotFound errors when getting task stats + +commit e081f3e5b99a9c3bc959a91b22ac248ee27cb229 +Author: Kathryn Baldauf +Date: Mon Dec 21 22:26:30 2020 -0800 + + Create tool to get/set job object resource limits + + Signed-off-by: Kathryn Baldauf + +commit c1ea4f550eba2d7f54d7a0d748aef4f20d08a25c +Author: Kathryn Baldauf +Date: Tue Jan 12 16:24:23 2021 -0800 + + Ignore NotFound errors when getting task stats + + Signed-off-by: Kathryn Baldauf + +commit 99c7fb3d1140c02c2d2a7c879c69e23b477f824b +Merge: 3d9501067 e6272dea4 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Jan 19 17:03:53 2021 -0800 + + Merge pull request #912 from dcantah/improve-shimdiag + + Add shimdiag flag to find shim process ID for shims + +commit e6272dea4f708b7a4fcb3f320a4dd22dfbbd0836 +Author: Daniel Canter +Date: Tue Dec 15 22:06:10 2020 -0800 + + Add shimdiag flag to find shim process ID for shims + + * Adds a new -pids flag to the `shimdiag list` command that will print out the + process ID of the shim executable. + + Sample output: + + PS C:\> shimdiag.exe list -pids + Shim Pid + k8s.io-3719754aab39925924b0beb27d2a195a4a6784c6ebe3690b81b2e7274a7021af 65892 + k8s.io-908ea3697874891fd5814b1967515d3214257b65fc1974bdafd17276ee8ba3e5 69444 + + 
Signed-off-by: Daniel Canter + +commit 3d95010677b276a8fdba30a17b632e4bb7387882 +Merge: d25785cb2 9bb70a316 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Fri Jan 15 11:18:34 2021 -0800 + + Merge pull request #916 from TBBle/make_ociwclayer_a_public_api + + Make internal/ociwclayer a public API: pkg/ociwclayer, with Context for cancellation + +commit d25785cb231377c9290c18c4585fb4abbe1c51ee +Merge: fd21b8d19 f69cfc41a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Jan 14 17:53:13 2021 -0800 + + Merge pull request #925 from dcantah/wrap-computestorage-err + + Wrap errors from computestorage package + +commit f69cfc41a2f1212182af8f2e239d11ef3ac03dac +Author: Daniel Canter +Date: Thu Jan 14 08:20:22 2021 -0800 + + Wrap errors from computestorage package + + * Change from stringifying errors with fmt.Errorf to errors.Wrap everywhere + + Fixes: https://github.com/microsoft/hcsshim/issues/924 + + Signed-off-by: Daniel Canter + +commit 9bb70a316fec35cc74dd2979e10301273dcd900b +Author: Paul "TBBle" Hampson +Date: Sun Dec 20 00:25:15 2020 +1100 + + New APIs for streaming layers as tar streams + + This (re-)introduces ImportLayerFromTar and ExportLayerToTar into + pkg/ociwclayer. + + Before #173, these APIS were exposed from oci/wclayer as ImportLayer and + ExportLayer, but those names are too generic and already overloaded for + similar but different meanings in this project. + + See eb0cc25755569ca6fcb06f1ef54edd9c976cce82 + + Signed-off-by: Paul "TBBle" Hampson + +commit 96d33e93d0f09ea649995594423d2f56939f3763 +Author: Paul "TBBle" Hampson +Date: Sun Dec 20 00:15:47 2020 +1100 + + Add Context to ociwclayer's ImportLayer and ExportLayer + + This is to support callers cancelling these operations, or setting a + deadline. + + Based on the same behaviour seen in the containerd implementations of + these same functions. + + 
Signed-off-by: Paul "TBBle" Hampson + +commit fd21b8d1922c7fb8b4a50c76d048fe1a69b7e7dc +Author: Maksim An +Date: Thu Jan 7 12:34:06 2021 -0800 + + Add support for logging binary (#896) + + Logging binary support and integration tests + + Signed-off-by: Maksim An + +commit bf55dadfbdf10cc0bccfaf0ca6a481e5bf28ea68 +Merge: d3e5debf7 6e87c0c4f +Author: Kathryn Baldauf +Date: Tue Dec 22 11:35:24 2020 -0800 + + Merge pull request #905 from katiewasnothere/gcs_update_container + + Add support for issuing a container update to gcs + +commit d3e5debf77dab8cd35ce1a842065358469f4b7ea (tag: v0.8.14) +Merge: e18ab3e70 00c108e73 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Dec 18 14:35:36 2020 -0800 + + Merge pull request #914 from dcantah/gitattributes + + Add .gitattributes to force LF line endings + +commit 6e87c0c4f534a9d5be868d050f8850da6d92f1d7 +Author: Kathryn Baldauf +Date: Mon Dec 7 16:39:54 2020 -0800 + + Add support for issuing a container update to gcs + + Signed-off-by: Kathryn Baldauf + +commit e18ab3e70ef67cbb3d3e76db101c95f750f438ff +Merge: fae98bb85 020897b2e +Author: Kathryn Baldauf +Date: Fri Dec 18 11:19:11 2020 -0800 + + Merge pull request #907 from katiewasnothere/uvm_share + + Add utility function for sharing files into UVMs from the host + +commit 020897b2e959de8d772e4de82e602ab28e24c5e2 +Author: Kathryn Baldauf +Date: Wed Dec 9 17:52:07 2020 -0800 + + Add utility function for sharing files into UVMs from the host + + Signed-off-by: Kathryn Baldauf + +commit 00c108e731e0a31ed116102756a77f1a2654a8c6 +Author: Daniel Canter +Date: Thu Dec 17 14:31:53 2020 -0800 + + Add .gitattributes to force LF line endings + + 
Signed-off-by: Daniel Canter + +commit fae98bb85072e1cadf765126e89f0d5a324bf4a4 (tag: v0.8.13) +Merge: f5ee97de0 307217720 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Dec 17 12:11:19 2020 -0800 + + Merge pull request #913 from dcantah/fix-nil-deref + + Fix nil dereference in `newHcsTask` if no shim options were passed + +commit 307217720beb750f5be4fec797b53244def8fd92 +Author: Daniel Canter +Date: Thu Dec 17 12:03:07 2020 -0800 + + Fix nil dereference in `newHcsTask` if no shim options were passed + + Signed-off-by: Daniel Canter + +commit f5ee97de032438b87812962213d8664daaa7efa5 +Merge: ae33b435c bac648084 +Author: Kathryn Baldauf +Date: Tue Dec 15 13:55:58 2020 -0800 + + Merge pull request #888 from katiewasnothere/cpugroup_vm_create_on_start + + Support assigning cpugroup immediately after UVM start + +commit bac648084a868235ca7d17f1fc3164abda805a78 +Author: Kathryn Baldauf +Date: Mon Oct 26 17:55:04 2020 -0700 + + Support assigning cpugroup immediately after UVM start + + Signed-off-by: Kathryn Baldauf + +commit ae33b435ce9518e56ed5b01cf9638cd3290bdaac +Merge: e8a2e45c6 e0f4dafe1 +Author: Kathryn Baldauf +Date: Tue Dec 15 12:21:34 2020 -0800 + + Merge pull request #906 from katiewasnothere/uvm_update_cpu_limits + + Add uvm call for updating cpu limits + +commit e8a2e45c60de542b8a92bc481c5fb9c6bb5cb2f2 (tag: v0.8.12) +Merge: d7fea3716 410f893ad +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Dec 15 11:43:37 2020 -0800 + + Merge pull request #910 from elweb9858/l4wfpproxy_portupdate + + Updating L4WfpProxyPolicy struct + +commit 410f893adc499374d532d12d191637be7f5bbecd +Author: elweb9858 +Date: Mon Dec 14 17:07:00 2020 -0800 + + Updating L4WfpProxyPolicy struct + + 
Signed-off-by: elweb9858 + +commit d7fea371629954e33e1ca195de003c45ba179db0 +Merge: 1286fcd6c 26bcb7255 +Author: Kathryn Baldauf +Date: Thu Dec 10 10:25:46 2020 -0800 + + Merge pull request #908 from katiewasnothere/fix_create_lcow_spec + + Fix potential panic in createLCOWSpec when no network ns is set + +commit 26bcb7255cf245638a9162ab66c46b64387ef49d +Author: Kathryn Baldauf +Date: Wed Dec 9 18:09:20 2020 -0800 + + Fix potential panic in createLCOWSpec when no network ns is set + + Signed-off-by: Kathryn Baldauf + +commit e0f4dafe13a5f72868f7a280de87f2a52524d5da +Author: Kathryn Baldauf +Date: Wed Dec 9 17:41:53 2020 -0800 + + Add uvm call for updating cpu limits + + Signed-off-by: Kathryn Baldauf + +commit 1286fcd6c97490c14ce152e8e7cac62ef5d1b38c +Author: Maksim An +Date: Wed Dec 9 17:00:24 2020 -0800 + + add test for running container as non-default user that is missing (#904) + + * refactor tests to use getRunPodSandboxRequest + + * add integration test for running lcow as non-default username and uid + + Signed-off-by: Maksim An + +commit 11f327c43c16594f9163254c6ccb247dfba35920 +Merge: 2010d9a3e b0ed708f6 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Dec 8 08:56:00 2020 -0800 + + Merge pull request #902 from dcantah/computestorage-helpers + + Add base layer/uvm helpers to computestorage package + +commit b0ed708f641aed4ee7883faf4c40f46de4354ca5 +Author: Daniel Canter +Date: Wed Dec 2 17:40:15 2020 -0800 + + Add base layer/uvm helpers to computestorage package + + * Add helper functions to setup the disks for a base WCOW layer. + + 
Signed-off-by: Daniel Canter + +commit 5ea360ef3d618f48f8d13c7ec89e00dce0ead678 +Merge: d84eb8a91 b9c7fc484 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Thu Dec 3 20:07:08 2020 -0800 + + Merge pull request #386 from ambarve/fix_uid_bug + + Allow passing any uid for container processes. + +commit b9c7fc484b96af3b4a664db614a92919a36f05aa +Author: Amit Barve +Date: Thu Dec 3 14:40:24 2020 -0800 + + Allow passing any uid for container processes. + + Usually if a username is provided when starting a process inside the container + we look inside the /etc/passwd file of the container to find the uid and gid for that + user. However, if a uid is provided instead of a username there is no need to look into + the /etc/passwd file to see if that user exists. + + 
Signed-off-by: Amit Barve + +commit 2010d9a3eeb0a93b64faac63c39eff76fb12082c (tag: v0.8.11) +Merge: 53828ca2b a27eac224 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Dec 2 15:22:27 2020 -0800 + + Merge pull request #900 from dcantah/revendor-winio + + Revendor go-winio at d1ffc52c73318019ce58aaa5282588c52df029b7 + +commit d84eb8a912ec703060587178b7ed613ffee333c6 +Merge: db3851c72 48a6b710c +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Wed Dec 2 14:46:30 2020 -0800 + + Merge pull request #385 from ambarve/cleanup_container_process + + Cleanup process directory after process exits. + +commit 48a6b710cb8173453a59a17f33fb68c7bca444ec +Author: Amit Barve +Date: Wed Dec 2 12:28:31 2020 -0800 + + Cleanup process directory after process exits. + + Whenever a new process is started inside a container we create a temporary directory for + that process at path `/run/gcsrunc//` to store some process related + information. However, the v2 workflow of execProcess didn't cleanup these directories when + the process exited. This can cause the tmpfs mounted at the /run to get full for long + running containers. This change adds the change for cleaning up the directories after + process exits. + + Signed-off-by: Amit Barve + +commit 53828ca2b5dc186693463b0b77af5e444e905383 +Merge: de74fe8b9 bdbc1542c +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Dec 2 12:19:18 2020 -0800 + + Merge pull request #877 from dcantah/jobwrapper + + Add high level job object wrapper + +commit a27eac224c5a5060dcd3afc9004de820df88a7d8 +Author: Daniel Canter +Date: Tue Dec 1 12:35:53 2020 -0800 + + Revendor go-winio at d1ffc52c73318019ce58aaa5282588c52df029b7 + + 
Signed-off-by: Daniel Canter + +commit de74fe8b94ae4eee0d92d59d51b8190c1ac9b6b0 +Merge: 966bebae1 9910dd14a +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Nov 24 15:19:31 2020 -0800 + + Merge pull request #899 from dcantah/remove-automanage + + Remove automanaged vhd functionality + +commit 9910dd14aa91cada262a9ea94cce796884da7b93 +Author: Daniel Canter +Date: Tue Nov 24 14:53:36 2020 -0800 + + Remove automanaged vhd functionality + + Signed-off-by: Daniel Canter + +commit bdbc1542cf6f0df1c0c25c4ceb500d693d287070 +Author: Daniel Canter +Date: Wed Sep 16 09:23:03 2020 -0700 + + Add high level job object wrapper + + * Add high level job object wrapper. + * Add extra job object bindings for stats usage. + + Signed-off-by: Daniel Canter + +commit 966bebae11b480a7bb1112f65c7131df9728d456 +Merge: f14fc666e aff39ed2c +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Nov 19 09:46:02 2020 -0800 + + Merge pull request #886 from dcantah/lcow-scratch-work + + Set default scratch size for containers/UVMs and reuse LCOW scratch + +commit f14fc666e78f55768b3c34d940209e25fffc0b89 +Merge: 3cc00bc91 4987a057b +Author: Kevin Parsons +Date: Wed Nov 11 10:16:59 2020 -0800 + + Merge pull request #894 from kevpar/vsmb-directmap + + Force disable VSMB direct map when the volume does not support it + +commit 4987a057b4c4741e6a79eaa40ff38528f05b48e0 +Author: Kevin Parsons +Date: Tue Nov 10 23:43:22 2020 -0800 + + Force disable VSMB direct map when the volume does not support it + + VSMB direct map requires support for querying FileIdInfo from the + backing volume. There is a bug in certain Windows versions where instead + of falling back to non-direct map when FileIdInfo is not supported, VSMB + instead causes errors whenever files on the share are accessed. + + To work around this until the issue is fixed, we will query FileIdInfo + ourselves when setting up a VSMB share, and force disable direct map if + the query fails. + + 
Signed-off-by: Kevin Parsons + +commit 3cc00bc91358a30282adc44f98488615f6f08000 +Merge: 1432f9c05 36c772f44 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Mon Nov 9 15:10:05 2020 -0800 + + Merge pull request #893 from dcantah/use-computestorage + + Change CreateNTFSVHD to use computestorage call + +commit 36c772f4405f63a0bd90a0d5c37885d211919446 +Author: Daniel Canter +Date: Mon Nov 9 13:05:48 2020 -0800 + + Change CreateNTFSVHD to use computestorage call + + * Previously CreateNTFSVHD would call a local (/internal/hcs) binding of hcsFormatWritableLayerVhd. + As the computestorage calls are all present now, just use the exported calls from the + computestorage package instead. + + Signed-off-by: Daniel Canter + +commit 1432f9c05649e85644bdb8c592d7b423ec23b2da +Merge: ff4402aa8 04779e800 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Nov 6 15:15:11 2020 -0800 + + Merge pull request #881 from dcantah/hcs-storage + + Add HCS storage APIs + +commit 04779e80073f86641420860ed93832e1a4f5083a +Author: Daniel Canter +Date: Tue Oct 6 04:46:07 2020 -0700 + + Add HCS storage APIs + + * Add bindings for the HCS storage APIs from computestorage.dll + + 
Signed-off-by: Daniel Canter + +commit ff4402aa838c9692d6166a52dcc2b422b01e84c4 +Merge: d672bc1c5 f77f51722 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Nov 6 10:39:22 2020 -0800 + + Merge pull request #890 from netal/user/negup/NetworkL4Proxy_Version_Update + + Updating the Supported version ranges for Network L4proxy policy + +commit d672bc1c54bfdab46b71814e48f93a3418e95a62 +Merge: 6e6b6ce98 5acb8e61f +Author: Maksim An +Date: Fri Nov 6 00:16:38 2020 -0800 + + Merge pull request #887 from anmaxvl/tests-for-pod-removal-without-pod-stop + + Add tests for removing sandbox pod, without stopping it + +commit 5acb8e61f28f097476c095b564b7e1b01435c48e +Author: Maksim An +Date: Mon Oct 26 13:24:30 2020 -0700 + + Add tests for removing sandbox pod, without stopping it + + Signed-off-by: Maksim An + +commit f77f51722962e44314cb65cfedab20d9c40d2675 +Author: netal +Date: Thu Nov 5 15:23:01 2020 -0800 + + Updating the Supported version ranges for Network L4proxy policy + + Signed-off-by: netal + +commit aff39ed2cadf8c2513b886e3931c3b7a3fd19972 +Author: Daniel Canter +Date: Wed Oct 14 14:39:28 2020 -0700 + + Add ability to set default scratch size for containers/UVM and re-use LCOW container scratch + + * Add containerd.toml options to be able to set the default scratch space size for containers and + the UVMs scratch size for WCOW. + + * Add containerd.toml option to be able to specify that we'd like to share the sandbox containers + scratch space for workload containers for LCOW. + + * Evaluate symlinks for the sandbox.vhd in the scratch layer as that's what is expected to be + set up by the LCOW snapshotter instead of an absolute path to a previous containers sandbox.vhd. + + 
Signed-off-by: Daniel Canter + +commit 6e6b6ce98037df0ea4d9389c4c9462a166463565 +Merge: 0af9b9dc6 13f64b4e6 +Author: Kathryn Baldauf +Date: Fri Oct 30 14:20:21 2020 -0700 + + Merge pull request #889 from katiewasnothere/argon_execinhost + + Add new function to exec cmds in host for process isolated containers + +commit 13f64b4e66f9040e90c8867c00ab0800585df446 +Author: Kathryn Baldauf +Date: Tue Oct 27 13:57:08 2020 -0700 + + Add new diag function to exec a command on the host system + + Signed-off-by: Kathryn Baldauf + +commit 0af9b9dc6b39c4643046bc188af3561b7013b253 +Merge: 0ab229b35 c7253df57 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Tue Oct 27 12:05:15 2020 -0700 + + Merge pull request #856 from dcantah/hyperv-gmsa + + Add GMSA support for V2 HCS schema xenon containers + +commit c7253df57b2bb272b7acedf34958adcfbdfa0d67 +Author: Daniel Canter +Date: Mon Jun 22 14:01:43 2020 -0700 + + Add GMSA support for V2 HCS schema xenon containers + + * Add new UVM function 'UpdateHvSocketService' to be able to hot add + Hvsocket service table entries. + * Add new UVM function 'RemoveHvSocketService' to be able to hot remove + an Hvsocket service. + * Add disabled field to HvSocketServiceConfig (used to be private in the schema) + * Remove hardcoded error if supplying a cred spec and the client asked for a + hypervisor isolated container. + * Misc refactors (comments, style) + + 
Signed-off-by: Daniel Canter + +commit db3851c72aded9fb854e95a43c6b66625bcd234c +Merge: 9787141bf 1a6b13cbf +Author: Kathryn Baldauf +Date: Mon Oct 19 13:42:53 2020 -0700 + + Merge pull request #382 from katiewasnothere/revert_init_kill_all + + Revert previous change that issues a kill all on container stop for LCOW + +commit 0ab229b358c7b9345736c545627ed1b9d114b4a5 +Merge: e8b45bc11 56191cc34 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Fri Oct 16 18:59:37 2020 -0700 + + Merge pull request #882 from dcantah/reg-changes + + Add regkey to WCOW to deal with containment for GNS compartment changes + +commit 56191cc34687edfbf1625049fd0379c1cdbca419 +Author: Daniel Canter +Date: Thu Oct 8 03:14:56 2020 -0700 + + Add regkey to WCOW to deal with containment for GNS compartment changes + + * A change was added recently to GNS that will be backported to Vb and possibly + 19H1 and RS5 that changes how network compartments are created to fix an issue + with accessing smb shares in hypervisor isolated containers. To ease the worries + of this breaking anything the change will be put behind a registry key (that is only set by us) + so that the change won't impact docker and can be optionally toggled off by us through + this annotation. + + Signed-off-by: Daniel Canter + +commit e8b45bc11a8b78cc7c0bb8062639cb9d6795fed3 +Merge: 6feb77486 c91b39de7 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Oct 15 09:29:29 2020 -0700 + + Merge pull request #885 from dcantah/fix-compartment + + Change SetJobCompartmentId to use win32 error code semantics + +commit c91b39de715815e653647cee32f6ab09a664804e +Author: Daniel Canter +Date: Thu Oct 15 06:47:49 2020 -0700 + + Change SetJobCompartmentId to use win32 error code semantics + + * Binding currently has the return value checked against HRESULT semantics when + this shouldn't be the case. + + 
Signed-off-by: Daniel Canter
+
+commit 6feb774860a73f43daf05758377dbc413a6909fa
+Merge: e529bb33c 688da9024
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Wed Oct 14 18:41:13 2020 -0700
+
+ Merge pull request #883 from dcantah/setjobcompartment
+
+ Add SetJobCompartmentId function from iphlpapi.dll
+
+commit 688da9024c6d261ad036d895bbb8745f733d9e3b
+Author: Daniel Canter
+Date: Mon Oct 12 15:09:58 2020 -0700
+
+ Add SetJobCompartmentId function from iphlpapi.dll
+
+ * For future work to be able to run a job container in a network namespace
+ that isn't the hosts, added the SetJobCompartmentId function from iphlpapi.
+
+ Signed-off-by: Daniel Canter
+
+commit 1a6b13cbf15ac0e61afb4dc7ec99315862b64857
+Author: Kathryn Baldauf
+Date: Wed Oct 14 18:07:14 2020 -0700
+
+ Revert previous change that issues a kill all on container stop for LCOW
+
+ Signed-off-by: Kathryn Baldauf
+
+commit e529bb33c9c6466c72fa2d38f3082edd679e1684
+Merge: 936eeeb28 127715ce6
+Author: Kevin Parsons
+Date: Wed Oct 14 17:54:19 2020 -0700
+
+ Merge pull request #884 from kevpar/lcow-layer-logging
+
+ Improve logging for LCOW layer operations
+
+commit 127715ce662cd68f3d2e8858e75a300e28d84b7f
+Author: Kevin Parsons
+Date: Wed Oct 14 02:07:37 2020 -0700
+
+ Improve logging for LCOW layer operations
+
+ Signed-off-by: Kevin Parsons
+
+commit 9787141bf586cbefb59309d5787fde58126229cd
+Merge: eaba4b742 deb2d17ee
+Author: Kathryn Baldauf
+Date: Tue Oct 13 12:22:08 2020 -0700
+
+ Merge pull request #380 from katiewasnothere/update_container
+
+ Add new bridge call to update runc container
+
+commit eaba4b7429d790052139d0c3cf3413f2fe33c64f
+Merge: 3c959b72f c5204274b
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue Oct 6 11:23:14 2020 -0700
+
+ Merge pull request #381 from dcantah/use_hierarchy
+
+ Write 1 to memory.use_hierarchy to enable hierarchy support
+
+commit c5204274b734aa740ed612a75720ba5401ed2fcd
+Author: Daniel Canter
+Date: Sat Oct 3 02:59:41 2020 -0700
+
+ Write 1 to memory.use_hierarchy to enable hierarchy support
+
+ `Created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.
+ cgroup: "memory" requires setting use_hierarchy to 1 on the root.`
+
+ After booting the UVM, this is present in dmesg. There's numerous threads on this over the years from docker, lxc and many others. This should enable the hierarchy support we (believe) we're using for our nested container cgroups so the resource consumptions are properly propagated upwards to their parent cgroup (/containers).`
+
+ * Enable hierarchy support so memory usage and limits can flow upwards to the parent cgroup like we'd expect for the /container and its nested cgroups. It's not necessary to set this on any nested cgroups, only the root.
+
+ Signed-off-by: Daniel Canter
+
+commit 936eeeb286fd1197f107acfc4c3c82e4a9afc2c8
+Merge: 380508768 dfb862d42
+Author: Kevin Parsons
+Date: Thu Oct 1 16:42:39 2020 -0700
+
+ Merge pull request #880 from kevpar/rescale-cpu-limit
+
+ Add option to scale Windows container CPU limit based on UVM CPUs
+
+commit dfb862d4211be24a084ac7b5e8a0ff87917aba87
+Author: Kevin Parsons
+Date: Thu Oct 1 03:09:55 2020 -0700
+
+ Add option to scale Windows container CPU limit based on UVM CPUs
+
+ Previously we would always use the CPU limit given without any change.
+ However, there is an issue with kubelet where it calculates that value
+ based on the number of host CPUs, which causes an incorrect value to be
+ computed when the container runs in a UVM.
+
+ We now provide a config option to enable adjusting the CPU limit value
+ based on the UVM's number of processors, so that the resulting amount
+ of CPU will be what the kubelet expects.
+
+ As this path is a fix to address specific behavior in the kubelet, and
+ there could be other users who don't want this change, we lock the new
+ behavior behind a config option.
+
+ In the future, if kubelet becomes more aware of VM sandboxes for
+ containers, we could adjust this behavior, or remove it entirely.
+
+ Signed-off-by: Kevin Parsons
+
+commit 380508768ed2619a4777f268c6443017bb76b04e (tag: v0.8.10)
+Merge: bfd1217cb 0d64dfa64
+Author: Kathryn Baldauf
+Date: Wed Sep 23 10:48:57 2020 -0700
+
+ Merge pull request #875 from katiewasnothere/modify_memory
+
+ Add calls to modify UVM memory size and tests
+
+commit bfd1217cb9f75fa1cd0ddce44e924aeb7157bc39
+Merge: 016dbfd1e 0baeb83a9
+Author: Kevin Parsons
+Date: Wed Sep 23 10:20:19 2020 -0700
+
+ Merge pull request #876 from TBBle/revendor-gowinio-for-updated-tar
+
+ Revendor Microsoft/go-winio for 8gB file fix in `wclayer`
+
+commit 0d64dfa648b10e4fdf952bbe1483d44a88240c49
+Author: Kathryn Baldauf
+Date: Tue Sep 8 18:48:04 2020 -0700
+
+ Add calls to modify UVM memory size and tests
+
+ Signed-off-by: Kathryn Baldauf
+
+commit deb2d17eec18b8916b124e9b30c2ec454b11192f
+Author: Kathryn Baldauf
+Date: Thu Sep 17 14:17:46 2020 -0700
+
+ Add new bridge call to update runc container
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 016dbfd1ef01c234b1cb09760b4262ce9c148fdc
+Merge: 6dd55e705 592d4f8fc
+Author: Kathryn Baldauf
+Date: Thu Sep 17 13:38:48 2020 -0700
+
+ Merge pull request #878 from katiewasnothere/fix_memory_schema
+
+ Fix schema memory size field type
+
+commit 592d4f8fcbff1a786355cdd88f8cf0bd354e2189
+Author: Kathryn Baldauf
+Date: Thu Sep 17 13:32:27 2020 -0700
+
+ Fix schema memory size field type
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 6dd55e70584bdf9eb6c632cb293cc3962db79898
+Merge: 1a9588fd6 12eee6e44
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Mon Sep 14 13:18:25 2020 -0700
+
+ Merge pull request #874 from dcantah/expand-winapi
+
+ Add new winapi bindings for job containers
+
+commit 12eee6e44ec39e3627c2974b8baf98694ef423cd
+Author: Daniel Canter
+Date: Fri Sep 4 12:54:54 2020 -0700
+
+ Add new winapi bindings for job containers
+
+ * Add windows bindings needed for job containers work
+
+ Signed-off-by: Daniel Canter
+
+commit 0baeb83a97ba502ae6b729a22eee354104f21a67
+Author: Paul "TBBle" Hampson
+Date: Wed Sep 9 22:30:16 2020 +1000
+
+ Revendor Microsoft/go-winio to v0.4.15-0.20200908182639-5b44b70ab3ab
+
+ This pulls in the migration of go-winio/backuptar from the bundled fork
+ of archive/tar from Go 1.6 to using Go's current archive/tar.
+
+ Currently only affects the wclayer utility, but resolves a problem
+ creating OCI layers containing files larger than 8gB.
+
+ Signed-off-by: Paul "TBBle" Hampson
+
+commit 1a9588fd692bcf7e7e8df6c0344e1f04cc5a2544
+Merge: a24031cfe 0bbf25b0a
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Tue Sep 8 14:41:13 2020 -0700
+
+ Merge pull request #873 from elweb9858/l4wfpproxy_versioncheck
+
+ Adding version check for L4WfpProxy endpoint policy
+
+commit 0bbf25b0a739cfff840719a19924f7f7147b6959
+Author: elweb9858
+Date: Fri Sep 4 12:16:48 2020 -0700
+
+ Adding version check for L4WfpProxy endpoint policy
+
+ Signed-off-by: elweb9858
+
+commit a24031cfee7b62cbe025ce60de9add8947c9bc24
+Merge: d2cba219a 23d02c871
+Author: Kevin Parsons
+Date: Fri Sep 4 16:01:30 2020 -0700
+
+ Merge pull request #872 from kk-src/format-disk
+
+ Add prepare-disk command.
+
+commit 23d02c871bb904a25ca6b5001a3d7682dd08d92b
+Author: Krishnakumar R(KK) <65895020+kk-src@users.noreply.github.com>
+Date: Fri Sep 4 14:05:58 2020 -0700
+
+ Add prepare-disk command
+
+ Prepare-disk command formats a given disk with ext4. This is required for a disk(as passthrough) to be made available within a container. Here is an excerpt from a configuration for such a scenario.
+
+ "mounts": [
+ {
+ "host_path": "\\.\PHYSICALDRIVE2",
+ "container_path": "/disk"
+ }
+ ]
+
+ The gcs/runc combo expects the pass-through disk to be formatted and tries to mount it on a local path within the uvm. Prepare-disk ensures that this restriction is met.
+
+ Note: Full disk is formatted with ext4 without any partitioning. TODO: add options to allow partitioning and then formatting.
+
+ Signed-off-by: Krishnakumar R(KK) <65895020+kk-src@users.noreply.github.com>
+
+commit 3c959b72f069ae352757caf5c752996d847bde5a
+Merge: ed1730c2b 968870061
+Author: Kevin Parsons
+Date: Thu Sep 3 10:00:32 2020 -0700
+
+ Merge pull request #379 from kevpar/fix-resolvconf
+
+ Fix resolv.conf generation
+
+commit 9688700614ec94c5bc740db56081993f520bfea4
+Author: Kevin Parsons
+Date: Thu Sep 3 01:28:33 2020 -0700
+
+ Fix resolv.conf generation
+
+ This change fixes two issues in the resolv.conf generation code:
+ - If DNSSuffix or DNSServerList are empty strings, the resulting slice
+ would contain a single empty string instead of being an empty slice.
+ This is due to strings.Split("", ",") returning [""] rather than [].
+ - The code in standalone_container.go was accidentally not passing a
+ value for searches to network.GenerateResolvConfContent.
+
+ Signed-off-by: Kevin Parsons
+
+commit d2cba219a8d746362bdd75753492c1dfd217f435
+Merge: 301c83a30 9f824883e
+Author: Kathryn Baldauf
+Date: Mon Aug 31 13:51:10 2020 -0700
+
+ Merge pull request #842 from katiewasnothere/hyperv_assigned_devices_split
+
+ Support hyper-v assigned devices
+
+commit ed1730c2b917da8d532dc5403a9c6e44da0040e1
+Merge: 60d84e92d ef66283a3
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Mon Aug 31 01:16:08 2020 -0700
+
+ Merge pull request #378 from dcantah/cgroups-fix
+
+ Touchup OOM/memory limit logging events
+
+commit 9f824883e0640fc3b5c190b6f67fe64e321dc289
+Author: Kathryn Baldauf
+Date: Tue Jun 16 13:30:55 2020 -0700
+
+ Add e2e tests for assigned devices in WCOW
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 9ffc90a28f709d40badcf3d76cef7f62f31594fe
+Author: Kathryn Baldauf
+Date: Tue Jun 16 13:18:43 2020 -0700
+
+ Use previously defined functions to allow device assignment
+ * Extend parsing of assigned devices on the hcsv2 doc to include xenon
+ * Use functions that handle assigned devices when allocating
+ windows container resources
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 1f2256d5d9ed72e74cce82cc450c315867eb576b
+Author: Kathryn Baldauf
+Date: Tue Jun 16 13:13:53 2020 -0700
+
+ Add ability to handle assigned devices for WCOW
+ * Add ability to parse assigned devices
+ * Add function to query UVM for location paths of child devices assigned
+ * Add new prefix for container spec specified devices in vpci
+ * Remove block on assigning devices in WCOW
+
+ Signed-off-by: Kathryn Baldauf
+
+commit ae426175f1380a324154bceee6bc9113d05fe51b
+Author: Kathryn Baldauf
+Date: Tue Jun 16 13:09:44 2020 -0700
+
+ Add commands for pnp device querying/management
+ * Add new comma separated annotation "io.microsoft.assigneddevice.kerneldrivers"
+ for path to device drivers
+ * Add commands to install kernel drivers
+ * Add command to query UVM for pnp device information
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 3fde72426aa83126fdb4cc9dbd4b4a8d7f7e9ce5
+Author: Kathryn Baldauf
+Date: Tue Jun 16 13:07:00 2020 -0700
+
+ Create new utility 'device-util' for querying pnp information of devices
+ * Add a new shim option for the `device-util` path
+
+ Signed-off-by: Kathryn Baldauf
+
+commit ea4a3ab6d5fe9ecac0b6e6e7d90261c0a378620c
+Author: Kathryn Baldauf
+Date: Tue Jun 16 12:40:57 2020 -0700
+
+ Add ability to query NT obj directories
+ * create new pkg `winapi` that contains the low level syscall bindings
+ for windows dll api calls
+ * add device querying code with CM* api to new package `windevice`
+ * add code to enumerate NT object directories in pkg `winobjdir`
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 301c83a30e7cade283b2afd5dc4e4068181662c3
+Author: Daniel Canter
+Date: Tue Aug 25 20:17:06 2020 -0700
+
+ Fix LpIndex JSON annotation
+
+ * Fix the LpIndex JSON annotation in the LogicalProcessor v2 HCS schema
+ from being the wrong value.
+
+ Signed-off-by: Daniel Canter
+
+commit ef66283a384518835cc39df784ac393f3170269b
+Author: Daniel Canter
+Date: Fri Aug 21 20:04:58 2020 -0700
+
+ Touchup OOM/memory limit logging events
+
+ * An event gets sent during cgroup teardown so avoid logging an event for this case.
+
+ * Fix returning nil stats if the LCOW kernel doesn't have CONFIG_MEMCG_SWAP
+ (no memsw cgroup entries).
+
+ * Add additional gcs start timestamp and current timestamp fields to logs.
+
+ Signed-off-by: Daniel Canter
+
+commit 94556e86d3db0e9e09390ea36e8aaf608fcbc9e8
+Author: Daniel Canter
+Date: Tue Aug 18 14:56:22 2020 -0700
+
+ Fix flaky cri-containerd LCOW events test
+
+ * Move the context.WithTimeout after the setup/launch of the sandbox/uvm
+ to avoid hitting the timeout and failing the test.
+
+ Signed-off-by: Daniel Canter
+
+commit 6735787a4e853b8ca9144d3da29cd210aa435c11
+Merge: 1869133ca 6e13016b7
+Author: Kathryn Baldauf
+Date: Fri Aug 14 17:55:29 2020 -0700
+
+ Merge pull request #865 from katiewasnothere/refactor_hcsoci
+
+ Refactor code in hcsoci into logical packages
+
+commit 6e13016b72f2808eb255d46e34e6d9d960898d33
+Author: Kathryn Baldauf
+Date: Mon Aug 10 15:41:31 2020 -0700
+
+ Refactor code in hcsoci into logical packages
+ * Created a new package `cmd` that contains code for running processes in a compute system
+ * Created a new package `resources` that contains code for creating, updating, releasing container resources
+ * Created a new package `credentials` which handles container credential guard instances needed for gmsa
+ * Created a new package `layers` that contains code for creating container image layers
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 1869133ca498cb7f27813514c3e6642cb1d8e5fe (adoshim/kevpar/ingest-public)
+Merge: e24759cb1 556e84706
+Author: Kevin Parsons
+Date: Wed Aug 5 12:36:50 2020 -0700
+
+ Merge pull request #862 from kevpar/update-test-vendor
+
+ Update test module vendoring
+
+commit 556e84706cb057e21eda8dd8988baf4307f56034
+Author: Kevin Parsons
+Date: Wed Aug 5 12:31:50 2020 -0700
+
+ Update test module vendoring
+
+ The vendoring for the test module was out of date, which caused build
+ failures. Ran `go mod vendor` to update the vendoring.
+
+ Signed-off-by: Kevin Parsons
+
+commit e24759cb1f31ffc497761d195ff1f9984b830190
+Author: vidushv
+Date: Fri Jul 31 15:58:52 2020 -0700
+
+ Update AclSupportForProtocol252Version to support versions > 11.0
+
+ Signed-off-by: vidushv
+
+commit d80bc7196cb0025723d5fc8dc33796d0a3d0ebfb
+Author: netal
+Date: Mon Aug 3 12:13:15 2020 -0700
+
+ L4 proxy policy
+
+ Signed-off-by: netal
+
+commit d06a1265d776f12fd4c7a628e23d4807a8285f52
+Merge: 06bbb5c92 3c9cf4236
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Sat Aug 1 11:18:57 2020 -0700
+
+ Merge pull request #852 from TBBle/wclayer_actually_mounts
+
+ Teach wclayer to mount volumes at mountpoints
+
+commit 3c9cf4236a0192221f21822c4db25e14477248b7
+Author: Paul "TBBle" Hampson
+Date: Thu Jul 23 17:29:45 2020 +1000
+
+ Teach wclayer to mount volumes at mountpoints
+
+ This just makes life slightly easier when debugging or inspecting
+ wclayer behaviours.
+
+ Signed-off-by: Paul "TBBle" Hampson
+
+commit 06bbb5c920aee2f3c825af789e8f92daa0109fac
+Merge: ec90316d4 ad690807d
+Author: Kevin Parsons
+Date: Fri Jul 31 10:31:05 2020 -0700
+
+ Merge pull request #859 from kevpar/vsmb-readonly-reuse
+
+ Fix VSMB to not mix up rw/ro shares
+
+commit ec90316d4d8526f22d0352654309eb5393295260
+Merge: 5345ae94f 44ac5c1ac
+Author: Kathryn Baldauf
+Date: Fri Jul 31 10:08:26 2020 -0700
+
+ Merge pull request #849 from katiewasnothere/sandbox_devices_test
+
+ Add tests for sharing devices from the sandbox into a lcow container
+
+commit 5345ae94fade229beabf906dc60fc562492a76b0
+Author: Paul "TBBle" Hampson
+Date: Sat Jul 25 18:12:52 2020 +1000
+
+ Fix comment on CreateScratchLayer
+
+ CreateScratchLayer doesn't take a parent id anymore, just the list of parent layer paths, since #183 in 0.7.0
+
+ Signed-off-by: Paul "TBBle" Hampson
+
+commit ad690807d94c9ef1ec6151d0c9536dd3f717e311
+Author: Kevin Parsons
+Date: Thu Jul 30 11:14:31 2020 -0700
+
+ Add test for reusing ro VSMB share as rw
+
+ Signed-off-by: Kevin Parsons
+
+commit 50df2843fc0976a4fb4d334b513941d4a20ce50e
+Author: Kevin Parsons
+Date: Thu Jul 30 03:05:24 2020 -0700
+
+ Fix VSMB to not mix up rw/ro shares
+
+ The VSMB code attempts to create as few actual shares as possible. This
+ is done by ref-counting existing shares so that if the same directory is
+ shared again, the old share is used instead. However, the mechanism for
+ looking up an existing share currently only keys off of the share path.
+ This has the unfortunate affect that a read-only share can be repurposed
+ as a read-write share.
+
+ I first looked at fixing this by more broadly refactoring the VSMB code,
+ with the aim of not only fixing this bug, but also removing some of the
+ hacks that were put in place to support single-file mapping. However,
+ that work ended up complicating things a lot, so I think other cleanup
+ work will need to be done first before that broader refactoring can
+ be merged.
+
+ As a more immediate and tactical fix, I have now simply changed the way
+ we create keys to look for an existing VSMB share. The key now includes
+ both the host path and the rw/ro state of the share. This should allow
+ for read-only and read-write shares of the same directory to coexist.
+
+ One consequence of this change is that operations like RemoveVSMB and
+ GetVSMBUvmPath now need to know the rw/ro state of the share, so they
+ can operate on the correct share. To resolve this, I have added a
+ readOnly parameter to the signatures of these functions, and updated the
+ callers to pass the correct value in.
+
+ Signed-off-by: Kevin Parsons
+
+commit 44ac5c1acbf1db8abf88837de21d011e4ed4cf1a
+Author: Kathryn Baldauf
+Date: Wed Jul 15 23:41:59 2020 -0700
+
+ Add tests for sharing devices from the sandbox into a lcow container
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 60d84e92d10a23a5822dca0ce0a67d952edb10c4
+Merge: ac9ffdaa4 146fa3f4e
+Author: Kathryn Baldauf
+Date: Thu Jul 30 18:48:28 2020 -0700
+
+ Merge pull request #377 from katiewasnothere/sandbox_devices
+
+ Add support for parsing linux devices into workload containers
+
+commit 15ff992334f9bcdd4083fc6beeaed845e34ab56c
+Merge: fc27c5026 1ac4b0237
+Author: Kevin Parsons
+Date: Tue Jul 28 10:09:44 2020 -0700
+
+ Merge pull request #857 from TBBle/windows_1909_osversion
+
+ Add Windows V19H2 (1909) to builds list
+
+commit 1ac4b023746040c0a6d89b77ae3cd002f8e6d006
+Author: Paul "TBBle" Hampson
+Date: Wed Jul 29 03:02:18 2020 +1000
+
+ Add Windows V19H2 (1909) to builds list
+
+ It's not "semi-annual" if you're 12 months apart.
+
+ Mainly useful for vendoring, no tests currently distinguish V19H2
+ behaviour.
+
+ Signed-off-by: Paul "TBBle" Hampson
+
+commit fc27c5026e6ff001dc1b171b99bda7bb3dcf6e78
+Merge: 09453f7b6 da7633bde
+Author: Kevin Parsons
+Date: Fri Jul 24 12:28:55 2020 -0700
+
+ Merge pull request #854 from kevpar/test-2004
+
+ Add support for Windows 2004 release to test suite
+
+commit da7633bde58e1a14490afc6d6b798b72ffcf8062
+Author: Kevin Parsons
+Date: Fri Jul 24 11:25:39 2020 -0700
+
+ Add support for Windows 2004 release to test suite
+
+ Also ran `go mod tidy` to clean up test modules file.
+
+ Signed-off-by: Kevin Parsons
+
+commit 09453f7b6cebf99f992bc5b785b9ba3a996f5d66
+Merge: 5eafd1556 3a05609b6
+Author: Kevin Parsons
+Date: Thu Jul 23 10:19:41 2020 -0700
+
+ Merge pull request #851 from kevpar/empty-dir-test
+
+ Add test for WCOW kubernetes.io~empty-dir support
+
+commit 3a05609b60100b6f3cfbf21a5c05ad25ca3859c4
+Author: Kevin Parsons
+Date: Wed Jul 22 16:19:56 2020 -0700
+
+ Add test for WCOW kubernetes.io~empty-dir support
+
+commit 146fa3f4ecd09a869972d810d82695a54eb39d21
+Author: Kathryn Baldauf
+Date: Wed Jul 15 23:43:01 2020 -0700
+
+ Add support for parsing linux devices into workload containers
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 5eafd1556990abd5e7390ff4b5abc9a14a5e16ed
+Author: elweb9858
+Date: Wed Jul 15 14:07:06 2020 -0700
+
+ Updating DSR version check to 9.3-9.max, 10.2+
+
+commit 23becc456facc06c292c5d9c2bed33ba0f64ec21
+Merge: 0ab38ee75 9d8593590
+Author: Kevin Parsons
+Date: Sun Jul 12 11:38:36 2020 -0700
+
+ Merge pull request #847 from microsoft/fix-test-rs5
+
+ Change image timestamp test to use 19H1 runtime class
+
+commit 9d859359013d45eaead2e6b52abc71ed2d545acd (hcsshim/fix-test-rs5)
+Author: Kevin Parsons
+Date: Sun Jul 12 00:47:46 2020 -0700
+
+ Change image timestamp test to use 19H1 runtime class
+
+ This test involves running a 19H1-based image, and previously used
+ the wcow-hypervisor runtime class which uses the host OS version. This
+ caused the test to fail to run on RS5. This change fixes this by
+ explicitly using the 19H1 runtime class.
+
+ Signed-off-by: Kevin Parsons
+
+commit 0ab38ee751bd995672b12624a5a63d9ece4af789
+Merge: e50252db8 298804bba
+Author: Kevin Parsons
+Date: Wed Jun 24 11:50:51 2020 -0700
+
+ Merge pull request #845 from kevpar/processor-qos-block
+
+ Remove block on processor weight/maximum for WCOW process-isolated
+
+commit 298804bbafaaeab3681d832990614cbb5c598c1d
+Author: Kevin Parsons
+Date: Wed Jun 24 10:00:39 2020 -0700
+
+ Remove block on processor weight/maximum for WCOW process-isolated
+
+ Previously there was an OS bug that prevented processor weight/maximum
+ from working properly. This has now been fixed and backported to 1809+,
+ so it is safe to remove this block.
+
+ Signed-off-by: Kevin Parsons
+
+commit ac9ffdaa4b9774e47beec5999aa521ac0b917d26
+Merge: bff689ff5 200301a20
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Sun Jun 14 16:27:52 2020 -0700
+
+ Merge pull request #376 from dcantah/pmem-fix
+
+ Fix pmem build error
+
+commit 200301a209296d53afc3abc162d91c629da5eea2
+Author: Daniel Canter
+Date: Sun Jun 14 16:15:04 2020 -0700
+
+ Fix pmem build error
+
+ * Fix 'pmem declared and not used' build error introduced with https://github.com/microsoft/opengcs/pull/375.
+ When testing things to solve the 5.4 kernel build failure I had been doing all of
+ the work on a '54-kernel-failure' branch, so when we discovered the dax issue I
+ added the fix to this branch and built off of it to verify. When seeing that this
+ resolved the issue I created a new branch and just added the removing of dax changes
+ and forgot to add what is in this commit before pushing.
+
+ Signed-off-by: Daniel Canter
+
+commit e50252db8f09e897e5c2a5d5d071bffb163c4637
+Merge: 27a858bf1 945b22014
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Mon Jun 8 22:53:34 2020 -0700
+
+ Merge pull request #832 from microsoft/user/ambarve/bug26547010
+
+ Fix the timestamp bug in pulling a multi layer image.
+
+commit 945b2201480db3e4836bb819a9b4e9cb94b550d9
+Author: Amit Barve
+Date: Wed Jun 3 14:02:16 2020 -0700
+
+ Fix the timestamp bug in pulling a multi layer image.
+
+ When pulling a multilayer image, the delta layers can delete some files or create new hard links. We have to do this file deletion or hard link creation after we are done with the ImportLayer call. However, these operations alter the last modification timestamps of the parent directories of these files. Some container applications depend on these timestamps and these applications don't work as expected when we delete the files or create hardlinks. This change reverts the timestamps after doing the delete or hard link creation operation so that the container applications depending on them aren't affected.
+ Also, until now we only did this for files that aren't symlinks, with this change we will do it for files that are symlinks too. This had to be done because while exporting a layer we sometimes incorrectly adds the symlink attribute to a directory that isn't actually a symlink.
+
+ Signed-off-by: Amit Barve
+
+commit 27a858bf1651e8204c64b5e6f9979f6c51a0f943
+Author: JocelynBerrendonner
+Date: Thu Jun 4 18:05:15 2020 -0700
+
+ Exposing VXLAN ports configuration
+
+ Signed-off-by: JocelynBerrendonner
+
+commit 4e0d8b8d830a02822eacc84675ebf93e8c0b4866
+Author: Daniel Canter
+Date: Tue May 19 03:17:59 2020 -0700
+
+ Add share file/directory command to shimdiag
+
+ * Add command to shimdiag to be able to share an arbitrary directory/file
+ from the host into the UVM.
+ * Export new GuestRequest method on UVM to be able to issue arbitrary guest requests.
+ * Some misc comment/code fixes.
+
+ Signed-off-by: Daniel Canter
+
+commit 971423bf8469a26e82720df9c72ab51a3e945a64
+Merge: 00b7a8be8 25885de49
+Author: Kathryn Baldauf
+Date: Fri Jun 5 14:19:06 2020 -0700
+
+ Merge pull request #828 from kolyshkin/bump-cgroups
+
+ go.mod: bump containerd/cgroups
+
+commit 00b7a8be8940f9001771de242ed9f88672deddbc
+Merge: 70248d045 fa92bb595
+Author: Kathryn Baldauf
+Date: Wed Jun 3 16:42:45 2020 -0700
+
+ Merge pull request #833 from microsoft/remove_vsmb_guestpath_func
+
+ Remove VSMB GuestPath func
+
+commit fa92bb595ff34e20c7a234564a4af970edb5151a
+Author: Kathryn Baldauf
+Date: Wed Jun 3 16:20:45 2020 -0700
+
+ Remove VSMB GuestPath func
+
+ Signed-off-by: Kathryn Baldauf
+
+commit bff689ff535ca94cac2e85beae25f3d9bf0c8406
+Merge: 5e5e32fa2 a66c6ad69
+Author: Danny Canter <36526702+dcantah@users.noreply.github.com>
+Date: Wed Jun 3 13:59:03 2020 -0700
+
+ Merge pull request #375 from dcantah/remove-dax
+
+ Remove dax mount option to avoid 5.4 kernel hard failure
+
+commit a66c6ad69c4a5415e7aa64689457f172125c9215
+Author: Daniel Canter
+Date: Wed Jun 3 12:57:25 2020 -0700
+
+ Remove dax mount option to avoid 5.4 kernel hard failure
+
+ * Removed dax mount option to circumvent the 5.4 kernel hard failure on
+ unsupported dax devices. Previously if the block device wasn't supported
+ the kernel would simply silently fail. This behavior was changed with this patch
+ https://patchwork.kernel.org/patch/10631361/.
+
+ This change should be reverted whenever dax is properly supported for our
+ pmem devices.
+
+ Signed-off-by: Daniel Canter
+
+commit 25885de4952703d3207701fce71c92ac4c277066
+Author: Kir Kolyshkin
+Date: Mon Jun 1 13:40:05 2020 -0700
+
+ go.mod: bump containerd/cgroups etc
+
+ This is mostly to update dependencies.
+
+ Since we have updated x/sys/windows, make cmd/containerd-shim-runhcs-v1
+ use the new windows.SecurityDescriptorFromString(), removing the ugly
+ unsafe cast.
+
+ Signed-off-by: Kir Kolyshkin
+
+commit 70248d045a858ae21b83a043fa80ee6b1a47a84a
+Author: Daniel Canter
+Date: Mon Jun 1 18:50:10 2020 -0700
+
+ Add DefaultVSMBOptions function and remove guestrequest parameter
+
+ * As we use almost the same set of VSMB options throughout the codebase,
+ this consolidates the settings into a single function instead of having to
+ set them manually each time.
+ * Remove guestrequest object from VSMBShare struct and AddVSMB as it isnt used
+ anywhere.
+
+ Signed-off-by: Daniel Canter
+
+commit 2ba2cb51c5da57bbdbcaf827ef0ed3469bda3697
+Merge: 3a4267ffd 81278f5cb
+Author: ambarve <57150885+ambarve@users.noreply.github.com>
+Date: Thu May 21 13:35:55 2020 -0700
+
+ Merge pull request #820 from microsoft/user/ambarve/external_gcs_wcow
+
+ Enable external GCS connection for WCOW.
+
+commit 81278f5cb754cf8944d1db5dda88a2693664ec34
+Author: Amit Barve
+Date: Wed May 20 13:26:12 2020 -0700
+
+ Enable external GCS connection for all of WCOW.
+
+ Signed-off-by: Amit Barve
+
+commit 3a4267ffd198f62e7dfef31e7eabe9be5f60fa78
+Author: Daniel Canter
+Date: Wed May 20 13:55:01 2020 -0700
+
+ Fix RootVpIndex type mistake
+
+ * In a minroot configuration, everything assigned to the VM > the hosts
+ logical processors will return -1 for RootVpIndex, so unmarshalling into a
+ unsigned integer will fail if the virtual processor count assigned to the UVM is
+ greater than the hosts amount. This was an oversight as our schema generates
+ uints as regular ints and when manually changing them I missed that RootVpIndex
+ was not also a uint.
+
+ Signed-off-by: Daniel Canter
+
+commit c681474851789041027f8728b1e3c98e6ba67b2a
+Merge: 9e1106260 5490249c6
+Author: Kevin Parsons
+Date: Thu May 14 18:16:30 2020 -0700
+
+ Merge pull request #823 from netal/user/negup/hcsshim_setpolicy
+
+ Updating the supported HNS minor and major version for SetPolicy
+
+commit 5490249c646a08a766fa147f4a69bad822991768
+Author: netal
+Date: Wed May 13 13:15:00 2020 -0700
+
+ updated formatting of files
+
+ Signed-off-by: netal
+
+commit 314a1f660463552c82c3d0e34a230b4c66087ea6
+Author: netal
+Date: Wed May 13 12:16:22 2020 -0700
+
+ Updating HNS Minor and Major version for SetPOlicy
+
+ Signed-off-by: netal
+
+commit 9e1106260eb69a6b777624f2ca092e684e4e7835
+Author: Daniel Canter
+Date: Fri May 8 13:19:12 2020 -0700
+
+ Change to use GetActiveProcessorCount for logical processor count
+
+ * Change to use GetActiveProcessorCount instead of GetMaximumProcessorCount
+ as the latter takes into account hot addable CPUs.
+
+ Signed-off-by: Daniel Canter
+
+commit 495a5f8e4e02db9060897393136a0cf7f99ffa91
+Author: Daniel Canter
+Date: Mon Apr 20 20:42:36 2020 -0700
+
+ Fix 'WorkingSetBytes' memory metric for PA backed VMs
+
+ * Added a field (physicallyBacked) to UtilityVM
+ struct.
+ * Fix behavior of querying the UVMs vmmem process to get the working set
+ size for physically backed UVMs. Instead we assign the total memory assigned
+ to the UVM by using AssignedMemory * 4096 (is returned as number of 4kb pages)
+ * Add tests to verify working set size for physically backed WCOW AND LCOW.
+ * Refactor how we check for unsupported/incorrect configurations for the UVM settings.
+
+ Signed-off-by: Daniel Canter
+
+commit 92534ef560742021a43fd45bc98b71b5869c0a39
+Author: Daniel Canter
+Date: Wed May 6 21:02:09 2020 -0700
+
+ Fix UVM processor cap with processor groups.
+
+ * Fix bug where we were incorrectly capping a users requested
+ CPU count in multiple processor group scenarios. This was due to
+ the fact that we used runtime.NumCPU() to get the logical processor
+ count of the system and this does not take into account multiple
+ processor groups. Instead use the processor topology information from HCS
+ to cap the UVMs amount and the win32 API function GetMaximumProcessorCount
+ to cap a process isolated containers requested amount.
+ * Add HCS schema files necessary to retrieve the processor topology information.
+
+ Signed-off-by: Daniel Canter
+
+commit 222e9efadbe02a056b6ad4e7160ba5a035aa2c6a
+Merge: 1eb324a5b 950fb8388
+Author: Kathryn Baldauf
+Date: Wed May 6 11:10:21 2020 -0700
+
+ Merge pull request #811 from katiewasnothere/process_assigned_devices
+
+ add support for assigned devices in process isolated containers
+
+commit 950fb838837e50472cd60d127b48a95774290369
+Author: Kathryn Baldauf
+Date: Tue Apr 21 10:33:11 2020 -0700
+
+ Add support for assigned devices in process isolated containers
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 1eb324a5b689e1b780af28742575ca0cd7751df7
+Merge: f722e88bb 7ac8354b1
+Author: Kathryn Baldauf
+Date: Tue May 5 19:31:51 2020 -0700
+
+ Merge pull request #805 from katiewasnothere/assigned_devices_multiple
+
+ Add ref counting of assigned devices
+
+commit 7ac8354b16af94f5e04e896ce600d2420b1f8ac1
+Author: Kathryn Baldauf
+Date: Wed Apr 29 12:07:05 2020 -0700
+
+ Add support for ref counting assigned devices
+
+ Signed-off-by: Kathryn Baldauf
+
+commit f722e88bb2a3313f4ad62f920e52e4bd545c68c9
+Merge: 5249f66ac 4f577aca8
+Author: Kevin Parsons
+Date: Tue May 5 16:59:59 2020 -0700
+
+ Merge pull request #819 from kumarvin123/master
+
+ Added the IPV6PrefixLength field
+
+commit 5249f66ac927b445b245a954206f43120ddd48ec
+Merge: 72489c472 1d988b27c
+Author: Kathryn Baldauf
+Date: Tue May 5 10:29:20 2020 -0700
+
+ Merge pull request #806 from katiewasnothere/device_backing_annotation
+
+ Add annotation for UVMs to be fully physically backed
+
+commit 4f577aca8da64bbe8b8f327ed5f942e58b298ea9
+Author: Vinod K L Swamy
+Date: Mon May 4 14:53:09 2020 -0700
+
+ Added the IPV6PrefixLength field
+
+ Signed-off-by: Vinod K L Swamy
+
+commit 72489c472437d3c83e3e3c4be216be0fa1f8fe97
+Merge: d3a8d6f67 9a98f2c9c
+Author: Kathryn Baldauf
+Date: Mon May 4 11:43:32 2020 -0700
+
+ Merge pull request #818 from kumarvin123/master
+
+ Add the IPV6 EndPoint Address and Gateway Field to HnsEndPoint.
+
+commit 9a98f2c9c7f91369a2f926263592d8a9cf1682ee
+Author: Vinod K L Swamy
+Date: Sun May 3 11:50:52 2020 -0700
+
+ Add the IPV6 EndPoint Address and Gateway Field to HnsEndPoint.
+
+ Signed-off-by: Vinod K L Swamy
+
+commit 1d988b27c58f92657572adb7461d3709a86d08b5
+Author: Kathryn Baldauf
+Date: Mon Apr 13 15:19:08 2020 -0700
+
+ Add annotation for uvm's to be fully physically backed
+ * add functions to handle annotations that imply other annotations
+ * handle new annotation for both wcow and lcow
+
+ Signed-off-by: Kathryn Baldauf
+
+commit d3a8d6f6753578ebff745989b6f5949d33408dbb
+Author: Daniel Canter
+Date: Fri Mar 27 14:00:33 2020 -0700
+
+ Add GMSA support for V2 process isolated containers
+
+ * Add generated V2 schema files for Container Credential Guard
+ * Add new hcs calls that are necessary to setup container credential guard
+ instances.
+ * Add new resource type CCGInstance that implements ResourceCloser so a containers
+ ccg instance will be cleaned up on container close.
+ * Add tests to validate gmsa
+ * Remove logging from resource Release methods and just return an error.
+ Forego returning immediately on an error in ReleaseResources and return
+ afterwards if any of the releases failed.
+
+ Signed-off-by: Daniel Canter
+
+commit 5bc557dd210ff2caf615e6e22d398123de77fc11 (tag: v0.8.9)
+Author: Vinod K L Swamy
+Date: Mon Apr 27 15:30:37 2020 -0700
+
+ Added Version support for IPv6 Dual stack support in HNS
+
+ Signed-off-by: Vinod K L Swamy
+
+commit eec8eb1acde5cbe0b32a69819b8153a8fab50613
+Merge: ffb46c5b1 698268f47
+Author: Kathryn Baldauf
+Date: Thu Apr 23 13:27:50 2020 -0700
+
+ Merge pull request #798 from katiewasnothere/export_execinuvm
+
+ Export execInUVM to allow for access to the tool outside cmd
+
+commit ffb46c5b1ed3068aee80c8d1aafde3be2323041e
+Merge: c3e488f0d 1421f3c53
+Author: Kevin Parsons
+Date: Tue Apr 21 23:14:49 2020 -0700
+
+ Merge pull request #812 from kevpar/test-feature-flags
+
+ Add feature flags to cri-containerd tests
+
+commit 1421f3c53c7fa5937617212a43d3f78693a48c55
+Author: Kevin Parsons
+Date: Tue Apr 21 16:34:27 2020 -0700
+
+ Add feature flags to cri-containerd tests
+
+ This change adds support to the cri-containerd test suite to pass
+ feature flags on the command line to control what sets of functionality
+ are tested. The flags are passed as "-feature ", and multiple
+ flags can be passed to a single invocation. This change also adds a
+ helper function that can be used to test if a given set of features are
+ enabled. If any of the required features are not enabled, the current
+ test is skipped. If no feature flags were passed, the helper function
+ treats all features as enabled.
+
+ This change is needed to support environments where we only want to run
+ subsets of the tests. For instance, in some cases we don't want to test
+ LCOW at all.
+
+ The -run test command parameter offers similar functionality through
+ specifying a regex to filter tests. However, it does not seem feasible
+ to write a regex that could detect the presence of e.g. "LCOW" in both
+ a top-level test name, or a subtest name. Therefore, this approach is
+ unsuitable.
+
+ Signed-off-by: Kevin Parsons
+
+commit c3e488f0d815e9e90815779a3e79df509c43a6d5
+Merge: 7ffb5b16a 16766c929
+Author: Kevin Parsons
+Date: Tue Apr 21 11:28:05 2020 -0700
+
+ Merge pull request #810 from kevpar/fix-test-rs5
+
+ Skip test on Windows before 19H1
+
+commit 16766c92922acfd2e89ad6ff4e6ba9b92e0fb183
+Author: Kevin Parsons
+Date: Tue Apr 21 10:49:12 2020 -0700
+
+ Skip test on Windows before 19H1
+
+ The Test_RunPodSandbox_MultipleContainersSameVhd_WCOW test does not work
+ prior to 19H1. In those versions, HcsFormatWritableLayerVhd requires the
+ VHD to be mounted prior to calling, which we don't do currently. Because
+ of this, we are unable to create a VHD to use for the test.
+
+ This fixes the issue by simply skipping the test on the affected OS
+ versions. We could potentially resolve this in the future by adding
+ more code to do the VHD mount ourselves, but this is a quick fix for
+ moment.
+
+ We will still have test coverage of this functionality on 19H1, so this
+ shouldn't be a big issue.
+
+ Signed-off-by: Kevin Parsons
+
+commit 7ffb5b16a3ea3b2d96e9757e9769cc90e57318bd
+Author: elweb9858
+Date: Thu Apr 16 12:09:47 2020 -0700
+
+ Updating session affinity version check
+
+commit 5e5e32fa27c3e5082fdfdd59787180f210050739
+Merge: 096d842c8 53d8b674a
+Author: Kathryn Baldauf
+Date: Thu Apr 16 11:00:08 2020 -0700
+
+ Merge pull request #374 from microsoft/readme_with_signing
+
+ Update readme with information on commit signing
+
+commit 53d8b674a7b92babb854f5fe5013e176b6d76b10
+Author: Kathryn Baldauf
+Date: Thu Apr 16 10:53:52 2020 -0700
+
+ Update readme with information on commit signing
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 46c4dff8bb17f8044207cab82043cd3ddf297d85
+Merge: b1a692569 afbdc5709
+Author: Kathryn Baldauf
+Date: Thu Apr 16 10:51:43 2020 -0700
+
+ Merge pull request #808 from katiewasnothere/update_readme_with_signing
+
+ Update the readme to include information on signing commits
+
+commit afbdc5709ee632bca17890543dc2e6892e29569f
+Author: Kathryn Baldauf
+Date: Thu Apr 16 10:31:19 2020 -0700
+
+ Update the readme to include information on signing commits
+
+ Signed-off-by: Kathryn Baldauf
+
+commit b1a692569e58876ea6920c347349fb629a688217
+Merge: 237a7c972 6ad064280
+Author: Kathryn Baldauf
+Date: Wed Apr 15 14:33:22 2020 -0700
+
+ Merge pull request #804 from microsoft/scsi_layer_fix
+
+ Update scsi layer's uvmPath
+
+commit 6ad064280b2c5b5de5d405dcc24f69937d5cbd78 (hcsshim/scsi_layer_fix)
+Author: Kathryn Baldauf
+Date: Wed Apr 15 14:04:51 2020 -0700
+
+ Update scsi layer's uvmPath
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 237a7c9720bfa35af16bb54b2734bed19c67eee5 (tag: v0.8.8)
+Merge: 5c42905ff 9ed612aba
+Author: Kathryn Baldauf
+Date: Fri Apr 10 14:25:30 2020 -0700
+
+ Merge pull request #799 from microsoft/fix_test_go_mods
+
+ Update test vendor with up to date hcsshim and containerd/containerd/log
+
+commit 9ed612abad8af9a598bb2db009e4adca53cbdad0 (hcsshim/fix_test_go_mods)
+Author: Kathryn Baldauf
+Date: Fri Apr 10 14:09:48 2020 -0700
+
+ Update test vendor with up to date hcsshim and containerd/containerd/log
+
+ Signed-off-by: Kathryn Baldauf
+
+commit 698268f47a027496e9fd687b38777c6f8c633572
+Author: Kathryn Baldauf
+Date: Thu Apr 9 15:36:53 2020 -0700
+
+ Export execInUVM to allow for access to the tool outside cmd
+
+ 
Signed-off-by: Kathryn Baldauf + +commit 5c42905ff6ceaacb7cb8bbbfd03db53b1c22a51c +Merge: 1cc6d5fcf 8cf116b99 +Author: Kathryn Baldauf +Date: Thu Apr 9 15:48:47 2020 -0700 + + Merge pull request #792 from katiewasnothere/scsi_grant_vm_access + + Refactor scsi layer addition + +commit 8cf116b9967d830ca2009b3fe2250930037544df +Author: Kathryn Baldauf +Date: Mon Apr 6 12:40:57 2020 -0700 + + Refactor scsi layer addition + * move mount location of scsi layers + * add option for customizing vm granted access to scsi functions + + Signed-off-by: Kathryn Baldauf + +commit 096d842c8b5f51257deaf4a2c8f3b7095873090b +Merge: 4906aa78d 043c67b3b +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Apr 9 13:44:56 2020 -0700 + + Merge pull request #372 from dcantah/gcs_cgroup + + Improve low memory detection + +commit 1cc6d5fcfaec531f0e3d78bd531d8fc1077db6b7 +Merge: 4c0b06bf8 d587e1aca +Author: Kevin Parsons +Date: Wed Apr 8 19:18:10 2020 -0700 + + Merge pull request #796 from kevpar/fix-ro-vsmb + + Fix read-only VSMB mounts + +commit 043c67b3bbc8b4e353c762292efcaea316b64e05 +Author: Daniel Canter +Date: Tue Apr 7 13:17:14 2020 -0700 + + Vendor new version of containerd/cgroups + + * Vendor new version of containerd/cgroups that has the functionality to + register for other memory events besides oom. + * Remove cgrouputils package in favor of using the cgroups methods. + + Signed-off-by: Daniel Canter + +commit d587e1aca3d8967d3babb453fa49839c9116e6cd +Author: Kevin Parsons +Date: Tue Apr 7 23:32:15 2020 -0700 + + Fix read-only VSMB mounts + + Previously, an errant break statement caused the presence of a read-only + VSMB mount on a container to cause the container activation to fail. + This fixes the issue by removing the break statement. This commit also + adds test cases for read-only mounts (for both LCOW and WCOW, even + though VSMB is only used for WCOW). + + 
Signed-off-by: Kevin Parsons + +commit 4c0b06bf850ae6bf66d894c414fdb0e53994b270 +Author: Daniel Canter +Date: Mon Apr 6 23:41:44 2020 -0700 + + Add zero vpmem (no gpu) test case + + * Add a non gpu zero vpmem test case to test lcow scsi layer additions. + + Signed-off-by: Daniel Canter + +commit e2e2a26589aec99e098877d36d31f07c8296e427 +Merge: 298b1378a 581feb580 +Author: Kevin Parsons +Date: Tue Apr 7 11:54:03 2020 -0700 + + Merge pull request #795 from kevpar/fix-missing-err + + Fix wrapped error missing when failing to add scratch VHD + +commit 581feb5804485a6c96c7bcae9f28e99030f77baa +Author: Kevin Parsons +Date: Tue Apr 7 11:45:18 2020 -0700 + + Fix wrapped error missing when failing to add scratch VHD + + Fixes an issue introduced in 298b1378aa39919c4a103c1e450c95bdace16d05. + + Signed-off-by: Kevin Parsons + +commit 298b1378aa39919c4a103c1e450c95bdace16d05 +Merge: bb7f17505 e3614297a +Author: Kevin Parsons +Date: Tue Apr 7 11:16:43 2020 -0700 + + Merge pull request #793 from kevpar/fix-scsi-layer-mounting + + Fix LCOW SCSI layer mounting + +commit e3614297ab5a97adae982530b1652d7ad515acc2 +Author: Kevin Parsons +Date: Mon Apr 6 21:46:21 2020 -0700 + + Fix LCOW SCSI layer mounting + + Fixes an issue that broke mounting of SCSI layers. Due to changing the + assignment of the return values from `AddSCSILayer` from `:=` to `=`, + the error value became scoped to the inner if block, which caused the + later return statement to pick up the previous error value instead of + the new one. + + This change also improves some error values and adds additional logging. + + Signed-off-by: Kevin Parsons + +commit 91822c7df1cd83951f6789da4f820ec44b9d9cbc +Author: Daniel Canter +Date: Mon Apr 6 13:11:45 2020 -0700 + + Remove opengcs:: prefix from main log statements + + 
Signed-off-by: Daniel Canter + +commit 7a9e7fa7ebba6d0f45db6ca46bbb1ad1610d67b2 +Author: Daniel Canter +Date: Sun Mar 22 23:03:25 2020 -0700 + + Improve low memory detection + + * Remove 50 MB default hard limit on the gcs cgroup. + * Register an eventfd to get notified when the cgroup the gcs is in + goes over 50 MB memory threshold. + * Register for oom notification on the containers cgroup. + + Signed-off-by: Daniel Canter + +commit bb7f1750551ea9ec174decf84554a8b5a34cae91 +Author: Daniel Canter +Date: Mon Mar 2 17:49:45 2020 -0800 + + Refactor how resources are cleaned up + * Changed all resources that were originally just a slice of strings(paths mostly) to be actual structs with the paths as fields. This allows the structs to implement how they are cleaned up/released now. + * Moved the logic of resource cleanup out of ReleaseResources and into the corresponding Release methods of the structs. + * New interface to have all resources implement so they can all be generically closed without worrying about what the resource is. + * Move scsiInfo fields into SCSIMount so we can track the lifetime of a scsi mount from one object instead of two. + * Exported vsmbShare + * Added new resource type AutoManagedVHD + + Signed-off-by: Daniel Canter + +commit 4906aa78d08a8bf4160661211864c8c466d5dde9 +Merge: 24ef46429 cc00831f4 +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Thu Apr 2 14:29:51 2020 -0700 + + Merge pull request #373 from dcantah/logkmsg + + Continuously log /dev/kmsg + +commit cc00831f4cf24350c82fbf54ac85c4c61f79fc80 +Author: Daniel Canter +Date: Tue Mar 17 18:33:26 2020 -0700 + + Continuously log /dev/kmsg + + * Added new internal package kmsg + * Continuously log all /dev/kmsg entries <= the priority level chosen + * Added new flag 'kmsgLogLevel' to be able to set the priority of entries we would + like to have logged (default is 4). + + 
Signed-off-by: Daniel Canter + +commit 8def383c2b18438ba3e4a38567aec1570f40a3d6 +Author: Davanum Srinivas +Date: Sat Mar 28 10:50:01 2020 -0400 + + adjust how we run tests + + - run the schema version test + + Signed-off-by: Davanum Srinivas + +commit eba98948d7ee0e0b214ee6f96e3ac203c5a7af0b +Author: Davanum Srinivas +Date: Sat Mar 28 10:37:18 2020 -0400 + + Add a separate go.mod for test/ directory to avoid dependency creep in root go.mod + + Signed-off-by: Davanum Srinivas + +commit 04ee9e63a4ed5eb78614447c1ead6e7f1482b394 +Merge: fd0797d76 76286f99b +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Fri Mar 27 10:49:16 2020 -0700 + + Merge pull request #780 from microsoft/user/ambarve/fix_multivhd_wcow_bug + + Allow a VHD to be mounted into multiple WCOW containers in the same pod + +commit 76286f99b6e34e4a680fbb34f4849db64ae31df9 (hcsshim/user/ambarve/fix_multivhd_wcow_bug) +Author: Amit Barve +Date: Tue Mar 3 11:57:54 2020 -0800 + + Allow mounting the VHD inside multiple WCOW containers + + In order to mount a VHD to a container first it needs to be mounted + inside the UVM. We generate a unique mount point (inside UVM) for + every such mount that is requested by a container. However, this + breaks when two container try to mount the same VHD because then we + generate two unique paths for the same VHD and try to mount it at two + different locations inside the UVM. This change fixes that issue for + WCOW containers. + +commit fd0797d766b1933ade4b9f6c12c341ddc9c9f95f +Author: Daniel Canter +Date: Wed Mar 4 11:12:41 2020 -0800 + + Test for starting/stopping container and reusing pod + + * The test case covers starting and stopping two containers in the same pod. + + 
Signed-off-by: Daniel Canter + +commit af6d13f3d4335e2ed1687348ae4b854079359345 +Merge: 432e537ac ddc3095db +Author: Danny Canter <36526702+dcantah@users.noreply.github.com> +Date: Wed Mar 11 16:27:24 2020 -0700 + + Merge pull request #783 from dcantah/removek8s + + Remove k8s dependency to circumvent recursive import + +commit ddc3095dba49c60ce9b5b85de18c2f45e57e4bcb +Author: Daniel Canter +Date: Fri Mar 6 17:41:46 2020 -0800 + + Remove k8s dependency to circumvent recursive import + + * https://github.com/kubernetes/kubernetes/issues/87420 + * This is to fix the above issue regarding the recursive dependency of kubernetes importing the shim and the shim importing + kubernetes when all we used it for was the cri package (and the fact it's only used for tests). + * Use k8s.io/cri-api for tests instead of k8s.io/kubernetes/pkg/kubelet/apis/cri + * Bump gogo/protobuf version to 1.3.1 and grpc to 1.23.1 + + 
Signed-off-by: Daniel Canter + +commit 432e537acbeb74fed644b5b34a781b2675cae9ab (adoshim/kevpar/wiki-ncproxy) +Merge: ed6547b67 beac03266 +Author: Kevin Parsons +Date: Thu Mar 5 11:18:58 2020 -0800 + + Merge pull request #778 from microsoft/container-init-fork-test + + Add test case where container init forks then exits + +commit 24ef464298ff1b6a104702a40abb0b3766f1535a +Merge: d5b0dea80 e6dd8c68b +Author: Kevin Parsons +Date: Thu Mar 5 10:05:21 2020 -0800 + + Merge pull request #371 from kevpar/init-fork-exit + + Terminate all other container processes when the init exits + +commit e6dd8c68bab163c32e116624e19cfd7af3bf7d85 +Author: Kevin Parsons +Date: Tue Mar 3 00:43:15 2020 -0800 + + Terminate all other container processes when the init exits + + Previously, if the container init spawned a child process which + inherited its stdio, then exited, gcs would continue waiting until all + child processes terminated. This only occurs when the container does not + have its own pid namespace, as otherwise the kernel terminates all + processes in the namespace automatically. To preserve this semantic even + when the namespace is shared, we now explicitly kill all other container + processes when its init exits. + + 
Signed-off-by: Kevin Parsons + +commit ed6547b672c860886c826ccfa15414ea885420a9 +Merge: b400e4ffe e43bf1ba1 +Author: ambarve <57150885+ambarve@users.noreply.github.com> +Date: Sun Mar 1 22:26:15 2020 -0800 + + Merge pull request #779 from microsoft/user/ambarve/fix_multivhd_lcow_bug + + Fix multiple VHD overlapping mount bug for LCOW + +commit e43bf1ba16f10f6b6092989c50fe7210e356d719 +Author: Amit Barve +Date: Fri Feb 28 14:15:45 2020 -0800 + + Every VHD that is mounted inside a container must be mounted in the UVM first. When different containers + mount the different VHDs, a unique mount path (inside UVM) should be generated for each such VHD. Existing mount + code generates such unique paths but those paths are unique only acorss the container. Hence, two different VHDs + mounted by two different containers will have unique path inside the container but can have the same path inside + the UVM. Due to this the second mount will end up mounting over the existing mount of the first container. + This change fixes the bug to generate such unique mount paths across the UVM instead of just keeping them unique to the + container. This change only handles this bug for LCOW containers, for WCOW this is fixed in a seprate PR. + +commit beac03266c7aca3c915423a5217497c00eadcea8 (hcsshim/container-init-fork-test) +Author: Kevin Parsons +Date: Fri Feb 28 01:58:48 2020 -0800 + + Add test case where container init forks then exits + + This adds a new test in the cri-containerd suite. The test runs an LCOW + container with a command line that causes the init process to fork + a background process (which runs forever) then exit. The test then + ensures that the container status is reported as exited, since the init + process has terminated. + + 
Signed-off-by: Kevin Parsons + +commit d5b0dea80f2800cb35ada72ad62f49da78d0de08 +Merge: dbf8a63ec 1abf9dbf1 +Author: Justin +Date: Wed Feb 26 10:38:49 2020 -0800 + + Merge pull request #370 from jstarks/no_timeout + + gcs: Handle infinite wait timeouts + +commit 1abf9dbf1631500e3eb2a98edfa7bc58ffb14d3e +Author: John Starks +Date: Wed Feb 26 08:34:52 2020 -0800 + + gcs: Handle infinite wait timeouts + + The timeout value passed in the wait message is supposed to treat + 0xffffffff as meaning no timeout (as in the Win32 API + WaitForSingleObject). Without this special handling, process waits + will expire after 49 days. + +commit b400e4ffecccc16f2a916e7e61ac61ffd185a091 +Merge: 501663707 19db0901e +Author: Kathryn Baldauf +Date: Mon Feb 24 22:42:21 2020 -0800 + + Merge pull request #777 from microsoft/mmio_test_fix + + only run MMIO tests on OS builds with schema support + +commit 19db0901e33d0318a9a24ee5250ea8b65abc1d00 (hcsshim/mmio_test_fix) +Author: Kathryn Baldauf +Date: Mon Feb 24 22:00:36 2020 -0800 + + update MMIO annotation tests to only run on OS builds that support the schema + + Signed-off-by: Kathryn Baldauf + +commit 501663707d60afb88ea97870274f8bde93759b7a +Merge: 09292e220 fc41ae544 +Author: Kathryn Baldauf +Date: Mon Feb 24 16:22:31 2020 -0800 + + Merge pull request #775 from microsoft/fix_gpu_scsi_path + + fix scsimount path for gpu vhd addition to allow proper clean up + +commit fc41ae544f18553883726d62909e4e737bbd9040 (hcsshim/fix_gpu_scsi_path) +Author: Kathryn Baldauf +Date: Mon Feb 24 11:50:19 2020 -0800 + + fix scsimount path for gpu vhd addition to allow proper clean up on removal + + * add necessary annotation to previous gpu test for linux boot files + * add additional check that after container has exited, gpu vhd is removed from uvm + + 
Signed-off-by: Kathryn Baldauf + +commit 09292e220f0b45e63308f735ece9bba1fa4b3359 +Merge: d73252d80 74f927441 +Author: Kathryn Baldauf +Date: Mon Feb 24 12:47:05 2020 -0800 + + Merge pull request #774 from microsoft/fix_scsi_ref_count + + always set newly allocated scsi device's ref count to 1 + +commit 74f927441afe5a71d84c90f797d8a23cd979ede7 (hcsshim/fix_scsi_ref_count) +Author: Kathryn Baldauf +Date: Sun Feb 23 23:04:37 2020 -0800 + + always set newly allocated scsi device's ref count to 1 + + * previously in the work to support adding the same scsi device to + multiple containers, ref count was only set to 1 if the device + was a layer. This caused allocated non-layer scsi devices to never + be removed as decrementing the ref count on removal would cause + uint underflow. + + Signed-off-by: Kathryn Baldauf + +commit d73252d80b2080d58119cc7b9009fe82bd353f0e +Merge: 0e20cd814 0cea5a2f9 +Author: Kevin Parsons +Date: Thu Feb 20 12:50:45 2020 -0800 + + Merge pull request #773 from kevpar/multi-container-vhd + + Allow a VHD to be mounted into multiple LCOW containers in the same pod + +commit 0cea5a2f955dc5b1c4a0bb16582b381941745cea +Author: Kevin Parsons +Date: Thu Feb 20 11:07:34 2020 -0800 + + Allow a VHD to be mounted into multiple LCOW containers in the same pod + + This is a re-visiting of the change made by abwah previously in commit + 7f17353012eda1dbd8367135642ec24ebc88bd1d. That work was reverted due to + test failures with WCOW. With this new change, we no longer attempt to + support WCOW (we can look into that later if needed). + + This change also differs from the original in that we now generate the + VHD dynamically at test time, rather than checking in a static VHD file. + + 
Signed-off-by: Kevin Parsons + +commit dbf8a63ec6c340ae13c1d4262c2b5ca75470d4ad +Merge: a7ebf6256 372535f8e +Author: Kathryn Baldauf +Date: Thu Feb 20 11:33:52 2020 -0800 + + Merge pull request #369 from microsoft/gpu_support + + Guest GPU assigned device support + +commit 0e20cd81408a773a3f06c14829a7383d3b2171b8 +Merge: 016605082 aeb12df87 +Author: Kathryn Baldauf +Date: Thu Feb 20 10:39:45 2020 -0800 + + Merge pull request #765 from microsoft/assigned_device_support + + GPU Assigned Device Support + +commit 372535f8ecc91bca9687c46eb561635472e27ae5 +Author: Kathryn Baldauf +Date: Mon Jan 13 12:40:52 2020 -0800 + + add gpu support for lcow + + * use vmbus path for find pci bus location of gpu + * add new pci and vmbus packages + * add new storage utility to wait for files of a given pattern + * add nvidiaPrestartHook command + * setup nvidia-container-cli arguments + * dump nvidia-container-cli debug file on error + * add new modify option for vpci devices + * add tests for new storage packages and utilities + + Signed-off-by: Kathryn Baldauf + +commit aeb12df873c031c32d4b12fa9584b00f0ab16d48 (hcsshim/assigned_device_support) +Author: Justin Terry (VM) +Date: Tue Nov 12 13:49:33 2019 -0800 + + add nvidia gpu support for lcow + + * add ability to assign hyperv pci devices + * hot add gpu vhd when container requests gpu + * add lopt for kernel pci arg + * use configurable path to nvidia gpu vhd + * add tests for additional annotations + * add test for assigning & removing vpci devices + * add e2e test for nvidia gpu scenario + + 
Signed-off-by: Kathryn Baldauf + +commit 016605082a968b26595cb554918bd8d14bd0a98c +Merge: 7aa61c085 0c93d0c25 +Author: Kevin Parsons +Date: Fri Feb 14 13:45:13 2020 -0800 + + Merge pull request #771 from kevpar/revert-multiple-vhds + + Revert "Mount Same SCSI Vhd in multiple containers" + +commit 0c93d0c2555c673d63770949cf233f6009ca379e +Author: Kevin Parsons +Date: Fri Feb 14 13:30:04 2020 -0800 + + Revert "Mount Same SCSI Vhd in multiple containers" + + This reverts commit 7f17353012eda1dbd8367135642ec24ebc88bd1d. + + The new VHD test fails intermittently on WCOW. Reverting for now until + we can fully investigate and fix. + +commit 7aa61c085020f83adfc228f08ebaf3e3cea423fd +Merge: 8ed402d31 b16a30d17 +Author: Justin +Date: Wed Feb 12 10:28:36 2020 -0800 + + Merge pull request #770 from jterry75/resource_paths + + Add all supported UVM resource modification paths + +commit b16a30d17151964419b4bc804cc9c1c5a97d9d23 +Author: Justin Terry (SF) +Date: Tue Feb 11 15:24:44 2020 -0800 + + Add all supported UVM resource modification paths + + 
Signed-off-by: Justin Terry (SF) + +commit 8ed402d318d1ec85524aee62bb8faa33a7e846bb +Merge: 1207ac98d df3fca3fb +Author: Justin +Date: Thu Feb 6 10:08:52 2020 -0800 + + Merge pull request #768 from bhaskardeep/ExposeProxyPolicy + + Expose the Proxy policy types for Endpoint + +commit df3fca3fb4cd8f4475c8d5019ca6719a46f39ce1 +Author: Bhaskardeep Khaund +Date: Wed Feb 5 17:22:56 2020 -0800 + + Expose the Proxy policy types for Endpoint + +commit 1207ac98da64295bd61753c9de3a93580a1f419c +Merge: 2207b7067 a529e65c9 +Author: Justin +Date: Wed Feb 5 10:27:14 2020 -0800 + + Merge pull request #766 from bhaskardeep/AddProxyPolicyToV1 + + V1 Api: Add Proxy Policy type for Endpoints + +commit a529e65c9ad76400f2a32a752e1cc2a208574887 +Author: Bhaskardeep Khaund +Date: Tue Feb 4 10:47:56 2020 -0800 + + V1 Api: Add Proxy Policy type for Endpoints + +commit a7ebf625668c705ff63ef4bc968dbbcf3f2978b0 +Merge: 7794bd147 63d626e3d +Author: Kevin Parsons +Date: Tue Feb 4 14:07:50 2020 -0800 + + Merge pull request #368 from microsoft/rlimit + + init: Set RLIMIT_NOFILE hard limit to 1M + +commit 2207b70678253b4cf6c03e7e4afa69d4790d429e +Merge: 99f064b70 7f1735301 +Author: Kathryn Baldauf +Date: Mon Feb 3 13:40:06 2020 -0800 + + Merge pull request #745 from abwah/vdiskmultcontainers + + Mount Same SCSI Vhd in multiple containers + +commit 7f17353012eda1dbd8367135642ec24ebc88bd1d +Author: Abdul Waheed +Date: Mon Dec 9 18:15:03 2019 -0800 + + Mount Same SCSI Vhd in multiple containers + + Fix broken build + + CR Feedback + + go fmt -s -w + + Move physical disks to global path as well + + Bug + +commit 99f064b70e88824d6653da19160d4ae02fd35a72 +Merge: 1d618e383 076bd2ea2 +Author: Justin +Date: Thu Jan 30 21:46:56 2020 -0800 + + Merge pull request #762 from bhaskardeep/FixSdnUnitTests + + Fix bugs in the UT files for SDN route + +commit 076bd2ea203747aaeecf23ebcb391e623f79888f +Author: Bhaskardeep Khaund +Date: Thu Jan 30 15:30:37 2020 -0800 + + Fix UT files for SDN Route + +commit 
63d626e3d24bbcef4c9afeb76c133a169ffb1ce1 +Author: John Starks +Date: Thu Jan 30 13:21:03 2020 -0800 + + init: Set RLIMIT_NOFILE hard limit to 1M + + Many containers expect an rlimit hard limit greater than the kernel + default of 4096. On Debian systems, the default hard limit is 1M. + In 2018, systemd set the default hard limit to 512K for all processes it + launces. Apparently modern kernel versions can handle large limits + without disadvantage: large limits are efficient, and large fd memory use + is correctly accounted in cgroups. + + Therefore, unconditionally set a large hard limit. Keep the soft + limit small for compatibility (an unprivileged process can update + the soft limit up to the hard limit). + +commit 1d618e3830359550ce41c25beb34c5b30a1a7180 +Merge: 9e8f20c02 105e1bf12 +Author: Justin +Date: Wed Jan 22 17:10:44 2020 -0800 + + Merge pull request #759 from bhaskardeep/AddSdnRoute + + Add sdn route + +commit 105e1bf124504fc719ff9959ea1476f7d226eef7 +Author: Bhaskardeep Khaund +Date: Wed Jan 22 16:52:12 2020 -0800 + + Add shim implementation to support SDN Routes + +commit 9e8f20c0266cb35d63c187e2ad67148da37b81ac +Merge: b807fc313 bbccfb110 +Author: Justin +Date: Fri Jan 17 13:04:23 2020 -0800 + + Merge pull request #651 from jterry75/wclayer_logging + + Improve wclayer context logging + +commit b807fc313b9a18785dee67a6b324a2c533e26667 +Merge: 8081a2ff1 254c9105c +Author: Justin +Date: Fri Jan 17 11:05:50 2020 -0800 + + Merge pull request #756 from jterry75/clean_shim_internal_spans + + Cleanup usage of internal spans in shim + +commit 254c9105c8033730663dc072eb902c19f8dc0cb0 +Author: Justin Terry (VM) +Date: Wed Jan 15 16:25:07 2020 -0800 + + Cleanup usage of internal spans in shim + + We decided long ago that only entry and exit methods should have spans + associated. Since the caller of all context methods will always have a span + removing these child spans makes it significantly easier to see a full log + chain. + + 
Signed-off-by: Justin Terry (VM) + +commit 8081a2ff10918af6e8f52c761e517061f7e68ee8 +Merge: 7e472fd5a 0570fb18b +Author: Kathryn Baldauf +Date: Thu Jan 16 14:56:14 2020 -0800 + + Merge pull request #692 from microsoft/eventstesting + + Add tests that we receive expected events from the shim for pod/container + +commit 0570fb18b6f290af0e54d2659147a2153f1255b9 +Author: Kathryn Baldauf +Date: Tue Sep 10 16:54:57 2019 -0700 + + Add tests that we recieve expected events from the shim + + Signed-off-by: Kathryn Baldauf + +commit bbccfb110ddc6ca56ade233e3bc9c90387418a33 +Author: Justin Terry (VM) +Date: Mon Jul 22 12:24:45 2019 -0700 + + Improve wclayer context logging + + 1. Add span support for all wclayer operations. + 2. Remove excess storage logging since it is all logged at the wclayer + interface now. + + Signed-off-by: Justin Terry (VM) + +commit 7e472fd5a67cf0f337f8857b12e85575d8ca14d3 +Merge: 87af63272 cc01cb9a9 +Author: Justin +Date: Wed Jan 15 17:14:58 2020 -0800 + + Merge pull request #758 from jterry75/copy_file_span + + Add span around CopyFileW win32 call + +commit cc01cb9a97414f88e0f4419e9da378e0518e0e59 +Author: Justin Terry (VM) +Date: Wed Jan 15 16:50:17 2020 -0800 + + Add span around CopyFileW win32 call + + CopyFileW is an external call from the shim and thus should have a span for + tracking reliability and duration. + + Signed-off-by: Justin Terry (VM) + +commit 87af6327261fb0e5f77b061ad8fa0c976f192964 +Merge: cb32db615 476af080c +Author: Justin +Date: Wed Jan 15 16:41:32 2020 -0800 + + Merge pull request #757 from jterry75/use_dial_pipe_context + + Use winio.DialPipeContext for upstream IO + +commit 476af080ccc01672ada00aaa3a9e0051cedc38fc +Author: Justin Terry (VM) +Date: Wed Jan 15 16:30:27 2020 -0800 + + Use winio.DialPipeContext for upstream IO + + In order for the shim to support true cancellation we need to use contextual + pipe dial's when opening in/out/err pipes for container upstream IO. + + 
Signed-off-by: Justin Terry (VM) + +commit cb32db61583c09cbd8f3b3133b5951154bb600c0 +Merge: ec54bf8f6 9f97d9c9c +Author: Justin +Date: Wed Jan 15 16:13:20 2020 -0800 + + Merge pull request #755 from jterry75/trace_context_exec_uvm + + Fix trace context forwarding for UVM exec's + +commit 9f97d9c9ce48b35e24fb605ddf7ff15ae5131bd7 +Author: Justin Terry (VM) +Date: Wed Jan 15 15:49:06 2020 -0800 + + Fix trace context forwarding for UVM exec's + + Signed-off-by: Justin Terry (VM) + +commit ec54bf8f6cb2633af9127e7b0cfa82a3b895fc02 +Merge: 0b571ac85 ef1656169 +Author: Justin +Date: Wed Jan 15 14:59:07 2020 -0800 + + Merge pull request #754 from jterry75/fallback_logging + + Log when we fallback to SCSI for vPMEM LCOW Layers + +commit ef1656169a680d52e6dfa5ad9bad27fb32857c56 +Author: Justin Terry (VM) +Date: Wed Jan 15 14:53:14 2020 -0800 + + Log when we fallback to SCSI for vPMEM LCOW Layers + + Signed-off-by: Justin Terry (VM) + +commit 0b571ac85d7c5842b26d2571de4868634a4c39d7 +Merge: 1f9b057ba 5613e3d98 +Author: Justin +Date: Wed Jan 8 16:06:40 2020 -0800 + + Merge pull request #749 from steffengy/patch-1 + + HCS: Remove not anymore needed CGO dependency + +commit 5613e3d980a4fc78e045c8c78c6aee4f4e3151bb +Author: Steffen Butzer +Date: Tue Jan 7 22:53:47 2020 +0100 + + Remove now unused mingw from appveyor.yml + +commit 1f9b057baceff3d8b78e2ddd768030bb74ffddc4 +Merge: 1364039ae 5a8d86e37 +Author: Justin +Date: Tue Jan 7 11:35:18 2020 -0800 + + Merge pull request #752 from TBBle/fix_crash_in_process_isolated_containers + + Fix shim crash when cleaning up process-isolated containers + +commit 5a8d86e375e3a4ddea652477dc071a0e047deb8a +Author: Paul "TBBle" Hampson +Date: Wed Jan 8 06:23:42 2020 +1100 + + Fix shim crash when cleaning up process-isolated containers + + 
Signed-off-by: Paul "TBBle" Hampson + +commit 1364039ae29b220a1e57e9afc22ebf0c173b3f07 +Merge: e355f1cd6 a2d75b4da +Author: Kathryn Baldauf +Date: Tue Jan 7 10:17:43 2020 -0800 + + Merge pull request #751 from TBBle/patch-1 + + Updated link to Host Compute Service blog post + +commit a2d75b4da8919381a1c3c2b18cfaf09f5a31fdff +Author: Paul "TBBle" Hampson +Date: Wed Jan 8 00:56:21 2020 +1100 + + Updated link to Host Compute Service blog post + + The previous link now redirects to the top of the Virtualization team blog. + +commit 0981fba75cc27b842950636eb469e940b4d3ebe3 +Author: Steffen Butzer +Date: Mon Dec 30 20:50:37 2019 +0100 + + HCS: Remove not anymore needed CGO dependency + + With https://github.com/golang/go/commit/bb0fae603bd19e096e38c3321d95bf114f40dcff this also + works without CGO (>=Go 1.11). + +commit 7794bd147350611897a64a81ccdf4ac5aad5bf0b +Merge: b57744415 7b9296d4a +Author: Justin +Date: Tue Dec 10 15:24:42 2019 -0800 + + Merge pull request #363 from jterry75/owners + + Set default reviewers for PR's + +commit 7b9296d4a1ed4ef472f25605546a6a95ec59eb1f +Author: Justin Terry (VM) +Date: Tue Dec 10 15:23:48 2019 -0800 + + Set default reviewers for PR's + + Signed-off-by: Justin Terry (VM) + +commit e355f1cd68bed1168a87cdd5332e6ca2345f0401 +Merge: 852530648 e4f92b8ca +Author: Justin +Date: Tue Dec 10 15:19:34 2019 -0800 + + Merge pull request #746 from jterry75/owners + + Set default reviewers for PR's + +commit e4f92b8cac4dfaac191fee295d953203fd687dfc +Author: Justin Terry (VM) +Date: Tue Dec 10 15:18:02 2019 -0800 + + Set default reviewers for PR's + + 
Signed-off-by: Justin Terry (VM) + +commit 852530648bb5e5ce402861b52fb72b45c9c20c3b +Merge: f4e291da8 6cc79fbe1 +Author: Justin +Date: Mon Dec 9 09:24:44 2019 -0800 + + Merge pull request #744 from nagiesek/addHcnErrors + + Adds HcnError, and some error codes to use + +commit 6cc79fbe10018d922712eba836660bd6efd8d7cb +Author: Nathan Gieseker +Date: Fri Dec 6 17:19:27 2019 -0800 + + Adds HcnError, and some error codes to use + +commit f4e291da8c52608262710f1622f19539c179c40c +Merge: bd5800270 2fbf00d9a +Author: Justin +Date: Wed Dec 4 14:39:57 2019 -0800 + + Merge pull request #741 from veerun14/proto_defaults_cpu_mem + + Override default processor and memorysize with values from shim options + +commit bd5800270abad8006e7c71ed83beb9cf39966144 +Merge: 0c2a856c8 b1a87aadf +Author: Justin +Date: Wed Dec 4 14:37:07 2019 -0800 + + Merge pull request #742 from jterry75/regression_fix + + Fix regression in LCOW cpuset tests + +commit 2fbf00d9a4677f28cb4fd2e0b075f595556f92b5 +Author: Veeraiah Chowdary Nuvvula +Date: Wed Dec 4 14:20:02 2019 -0800 + + Change to better naming scheme for tests + +commit b1a87aadf186437acb7c0e22612e6e09af2e116d +Author: Justin Terry (VM) +Date: Wed Dec 4 13:39:53 2019 -0800 + + Fix regression in LCOW cpuset tests + + See original commit: 0bc510b4c5259af4f852ff8be7421ced2c8d92a5 + + 
Signed-off-by: Justin Terry (VM) + +commit 0c2a856c85c614d7b526cdf73b1595134c7403d6 +Merge: faaee83ac 6bda4cfb1 +Author: Justin +Date: Wed Dec 4 12:46:26 2019 -0800 + + Merge pull request #740 from benmoss/master + + Fix NetworkNotFoundError and EndpointNotFoundError message strings + +commit 6bab563beee344242141d4b16e54d65d8c055b1d +Author: Veeraiah Chowdary Nuvvula +Date: Wed Dec 4 12:23:33 2019 -0800 + + Override default processor and memorySize with values from runhcsOptions + +commit 6bda4cfb15a831d9fa3ca45283be4c8d28dd6c1d +Author: Ben Moss +Date: Mon Mar 11 15:34:38 2019 -0400 + + Fix NetworkNotFoundError and EndpointNotFoundError message strings + + It looks like it had its logic backwards. Added some test coverage and + tried to make the test failures more helpful as well. + +commit c8e8204a2a507b1c823f9444b65c4286b6784492 +Author: Justin Terry (VM) +Date: Tue Dec 3 13:04:18 2019 -0800 + + Add support for UVM processor and memory override via toml + + Adds support to the options struct for shim creation to override the default + memory size and processor count at the config level rather than per activation + via annotations. + + 
Signed-off-by: Justin Terry (VM) + +commit faaee83ac4fc987a0d6e28c58d201e5ee0f93617 +Merge: bd6bd2b09 5dfb30923 +Author: Justin +Date: Tue Dec 3 10:02:32 2019 -0800 + + Merge pull request #735 from jterry75/limit_max_start + + Remove support for limiting max parallel starts + +commit bd6bd2b09bd4dbec6198c74ee1af6ebc2bfb45b5 +Merge: 5f244acdd e87b24576 +Author: Kathryn Baldauf +Date: Mon Dec 2 12:45:43 2019 -0800 + + Merge pull request #734 from microsoft/delete_container_state + + add ability to call opengcs delete container state + +commit b57744415e916cdda199418ff8058691660c6d0f +Merge: 6bf813c4b 8e258af15 +Author: Kathryn Baldauf +Date: Mon Dec 2 12:39:41 2019 -0800 + + Merge pull request #360 from microsoft/delete_container_state + + add new delete container state bridge call + +commit 6bf813c4bab9138d2ae7a9dad24aee7d68db1c75 +Merge: bc080b5d4 19af99ede +Author: Justin +Date: Tue Nov 26 14:31:45 2019 -0800 + + Merge pull request #362 from kevpar/increase-gcs-mem-limit + + Increase GCS memory limit to 50MB + +commit 19af99edebf2618143e1323675714c6ae219d04a +Author: Kevin Parsons +Date: Tue Nov 26 14:15:33 2019 -0800 + + Increase GCS memory limit to 50MB + + We are currently seeing cases where we hit the GCS 10MB memory limit, + especially when invoking runc. This change increases the limit to give + some additional breathing room. + + At a later point, we will make another change to revamp the GCS limits + more drastically, as we probably just want to monitor the GCS usage, + rather than limiting it. + + 
Signed-off-by: Kevin Parsons + +commit 5f244acddde81b579e80e475b5e5afe59a0c2cdc +Merge: bcedae6b5 b3f49c06f +Author: Kevin Parsons +Date: Fri Nov 15 10:26:30 2019 -0800 + + Merge pull request #737 from kevpar/fix-legacy-stdio + + Fix race condition in legacy process stdio code + +commit b3f49c06ffaeef24d09c6c08ec8ec8425a0303e2 (tag: v0.8.7) +Author: Kevin Parsons +Date: Thu Nov 14 10:46:01 2019 -0800 + + Fix race condition in legacy process stdio code + + HcsCreateProcess returns a set of stdio handles for the newly created + process. A while ago, we used to cache these handles and return them + the first time stdio handles were requested for the process, and then + get new handles via HcsGetProcessInfo for each subsequent request. At + some point, this code was cleaned up to instead always return the + original set of handles as non-closable (for new callers) and always get + new handles via HcsGetProcessInfo (for legacy callers, who required + closable handles). + + However, this change introduced a race condition for legacy callers, + where in the case of a short lived container process, the container + could have terminated between when it was started and when the + orchestrator requested stdio handles. This led to ERROR_NOT_FOUND + being returned from HcsGetProcessInfo. + + This change addresses this by returning the original handles the first + time stdio handles are requested, and then calling HcsGetProcessInfo for + every subsequent request (just as it used to work a while ago). + + 
Signed-off-by: Kevin Parsons + +commit bcedae6b5ebc18e581392fb735c466eaf0e30664 +Merge: 32862ca34 9d18e86f9 +Author: Kathryn Baldauf +Date: Tue Nov 12 16:57:54 2019 -0800 + + Merge pull request #736 from microsoft/golang1.13.4 + + update to golang 1.13.4 + +commit bc080b5d461a08f2c0cf95ce4a66406799965ba9 +Merge: 15d8e38fe 34c95b0f9 +Author: Kathryn Baldauf +Date: Tue Nov 12 16:52:30 2019 -0800 + + Merge pull request #361 from microsoft/golang1.13.4 + + update to golang 1.13.4 + +commit 34c95b0f98799c1c970e812149e657315ad9de59 +Author: Kathryn Baldauf +Date: Tue Nov 12 15:33:24 2019 -0800 + + update to golang 1.13.4 + + Signed-off-by: Kathryn Baldauf + +commit 9d18e86f91a5521e04a668a7a7a7671255f2fd9a +Author: Kathryn Baldauf +Date: Tue Nov 12 15:34:55 2019 -0800 + + update to golang 1.13.4 + + Signed-off-by: Kathryn Baldauf + +commit 5dfb309236923a6cae1439c7fda3e0e9696211a6 +Author: Justin Terry (VM) +Date: Mon Nov 11 11:32:24 2019 -0800 + + Remove support for limiting max parallel starts + + 1. Docker already supports limiting max parallel starts at its level and we + no longer need support for limiting this at our level through an environment + variable. + + Signed-off-by: Justin Terry (VM) + +commit e87b245765f10b464bd0321be15d285a9208f6e6 +Author: Kathryn Baldauf +Date: Fri Nov 8 15:05:49 2019 -0800 + + add ability to call opengcs delete container state + + Signed-off-by: Kathryn Baldauf + +commit 8e258af158b7169d7147efdf5cb76cd288bf4833 +Author: Kathryn Baldauf +Date: Fri Nov 8 14:27:36 2019 -0800 + + add new delete container state bridge call + * add delete container state capability for opengcs + * delete container state bridge call calls runc delete for container + * delete container state bridge call unmounts user mounts on sandbox + mounts + * add new function to unmount all paths under a given path + * add tests for new unmount function + + 
Signed-off-by: Kathryn Baldauf + +commit 32862ca3495e8a6925d167ec163b43563cb75971 +Merge: 1b27b03e4 2274977a4 +Author: Justin +Date: Fri Nov 8 12:49:03 2019 -0800 + + Merge pull request #732 from jterry75/pod_id_correlation + + Add 'pod-id' correlation to all shim entry RPC's + +commit 1b27b03e429f360daf6bbe8710e92115b94d6ddc +Merge: 1e9909969 63e87042a +Author: Justin +Date: Fri Nov 8 08:25:18 2019 -0800 + + Merge pull request #733 from lowenna/typo + + Typo: 'Sever' --> 'Server' + +commit 63e87042a55512d36a192fca37dabef2153814c5 +Author: John Howard +Date: Fri Nov 8 07:03:55 2019 -0800 + + Typo: 'Sever' --> 'Server' + + Signed-off-by: John Howard + +commit 15d8e38fe5a180c4015120b4bf34c618bde01d1e +Merge: 675a6c4e4 15fb66d27 +Author: Justin +Date: Thu Nov 7 16:18:02 2019 -0800 + + Merge pull request #359 from jterry75/lcow_v1_readme + + Formally deprecate LCOW v1 + +commit 15fb66d27e4c793b375b8314ae6f849a49f00898 +Author: Justin Terry (VM) +Date: Thu Nov 7 10:39:19 2019 -0800 + + Formally deprecate LCOW v1 + + Signed-off-by: Justin Terry (VM) + +commit 675a6c4e443ef66eb2a92898ad79716a230114fb +Merge: 05314b091 5bf3e8146 +Author: Justin +Date: Thu Nov 7 10:14:23 2019 -0800 + + Merge pull request #358 from jterry75/run_external_v2 + + Remove v2 dependency on v1 for host processes + +commit 5bf3e814649c9a1506fdc8617517d9b10edbce14 +Author: Justin Terry (VM) +Date: Wed Nov 6 12:57:51 2019 -0800 + + Remove v2 dependency on v1 for host processes + + When activating host processes (ie: processes in the uvm namespace) the + v2 code still used the old v1 execution. This change removes that + dependency in preparation on removing v1 entirely. + + 
Signed-off-by: Justin Terry (VM) + +commit 1e9909969aed4731e9d28995381d55fdc443ce5d +Merge: b3f977fd1 b342a0ead +Author: Kathryn Baldauf +Date: Wed Nov 6 16:12:14 2019 -0800 + + Merge pull request #731 from microsoft/move_container_files + + move container files to be backed by writeable storage + +commit b342a0eadce8dcb93faa6befc906ea8360019b79 +Author: Kathryn Baldauf +Date: Tue Nov 5 12:25:35 2019 -0800 + + move container files to be backed by writeable storage + * move layer files to /run/layers + * move container specific files to /run/gcs/c/ + + Signed-off-by: Kathryn Baldauf + +commit b3f977fd1ecba769cab117934029880fe2cbd312 +Merge: d9dd88b42 d1bab04b8 +Author: Justin +Date: Wed Nov 6 13:13:02 2019 -0800 + + Merge pull request #727 from veerun14/fix-19h1-tests + + fix 19h1 tests + +commit d1bab04b8b537fc102f79668668f808f50f7d0b2 +Author: Veeraiah Chowdary Nuvvula +Date: Wed Nov 6 13:09:26 2019 -0800 + + Restricted downlevel container test to run on host builds >= 19H1 + +commit 05314b091d457955adc160d4980de962bf384d4a +Merge: 9ae39472d 57a1d0af8 +Author: Kathryn Baldauf +Date: Wed Nov 6 12:45:30 2019 -0800 + + Merge pull request #357 from microsoft/move_container_files + + move container files under /run writeable storaage + +commit 57a1d0af8b41253a2fecc0b8b50c6efa88d5f069 +Author: Kathryn Baldauf +Date: Tue Nov 5 15:03:31 2019 -0800 + + move container files under /run writeable storaage + + Signed-off-by: Kathryn Baldauf + +commit 2274977a4b4df68b7939435e7407433d8a845c5b +Author: Justin Terry (VM) +Date: Wed Nov 6 08:56:47 2019 -0800 + + Add 'pod-id' correlation to all shim entry RPC's + + To improve the ability to understand what is when the shim is managing a pod we + now include the 'pod-id' on the entry span as well as the existing 'task id' + and 'exec id'. + + 
Signed-off-by: Justin Terry (VM) + +commit adadfdc0d6f1e989302c30407f783347a025cb47 +Author: Veeraiah Chowdary Nuvvula +Date: Fri Oct 25 09:17:58 2019 -0700 + + Fixed functional tests for 19h1 + parent d9dd88b422ca6cbea0444772f4894614635b1553 + author Veeraiah Chowdary Nuvvula 1572020278 -0700 + committer Veeraiah Chowdary Nuvvula 1572978271 -0800 + + parent d9dd88b422ca6cbea0444772f4894614635b1553 + author Veeraiah Chowdary Nuvvula 1572020278 -0700 + committer Veeraiah Chowdary Nuvvula 1572978153 -0800 + + fix 19h1 tests + + performed a go fmt for one of the files + + updated windows images based on PR comments + + performed a go fmt for one of the files + + performed a go fmt for one of the files + + updated windows images based on PR comments + + using switch instead of if/else + +commit d9dd88b422ca6cbea0444772f4894614635b1553 +Merge: 65519b622 c5f869264 +Author: Justin +Date: Mon Nov 4 15:24:13 2019 -0800 + + Merge pull request #730 from elweb9858/distributiontype + + Adding session affinity support through loadbalancer distribution type + +commit c5f86926405619899930c2cbf17da41c89b8601a +Author: elweb9858 +Date: Mon Oct 28 10:33:23 2019 -0700 + + Added distribution type option to loadbalancer + +commit 9ae39472daef1ab85068e276bf88b12c1445d773 +Merge: f4d93b53d 212cece39 +Author: Kathryn Baldauf +Date: Mon Nov 4 13:07:43 2019 -0800 + + Merge pull request #355 from microsoft/runc_log_read + + add ability to read runc log for errors in runc commands + +commit f4d93b53dc57f86dd1ba771613bf7a5e26857567 +Merge: 53acb41fd 2a2ea96ee +Author: Justin +Date: Mon Nov 4 11:32:53 2019 -0800 + + Merge pull request #356 from jterry75/fix_scsi_devicelen + + Fix issue causing SCSI hot add to find no matching device + +commit 2a2ea96ee2c1b2abf2c7624ffdd759caa6fbfe15 +Author: Justin Terry (VM) +Date: Fri Nov 1 15:50:17 2019 -0700 + + Fix issue causing SCSI hot add to find no matching device + + It appears there is a timing issue in the current code that checks for the + SCSI 
device to be added. We were waiting for the /block folder to show up but + then immediately read the device entries. There is some amount of time that it + can take for that to show up as well. So this change now waits for both the + /block and /block/sd* entry under the same context timeout. + + Signed-off-by: Justin Terry (VM) + +commit 212cece39875e60cb03944c978fc4b6e5e330afb +Author: Kathryn Baldauf +Date: Tue Oct 29 13:26:07 2019 -0700 + + add ability to read runc log for errors in runc commands + + Signed-off-by: Kathryn Baldauf + +commit 65519b62243cf523857241e80fe4debef765e434 +Merge: 3cb5e370c 1341b1fb1 +Author: Justin +Date: Fri Nov 1 10:31:18 2019 -0700 + + Merge pull request #729 from jterry75/uvm_combine_layers + + Remove external references to uvm.Modify + +commit 1341b1fb1adc769e252065a09cf0c1083631a7d5 +Author: Justin Terry (VM) +Date: Fri Oct 25 10:53:16 2019 -0700 + + Remove external references to uvm.Modify + + 1. Cleanup hcsoci package to use new CombineLayers*COW method rather than + call uvm.Modify itself. + 2. Remove unused hcsoci tests. + 3. Simplify hcsoci.MountContainerLayers and UnmountContainerLayers logic. + + Signed-off-by: Justin Terry (VM) + +commit 3cb5e370cf5905d7601ee2e8f08175a074ddb47e +Merge: c558106bb 9a999e597 +Author: Justin +Date: Fri Oct 25 09:15:59 2019 -0700 + + Merge pull request #726 from jterry75/simplify_hcsoci_mountlayers_cleanup + + Simplify hcsoci.MountContainerLayers cleanup logic + +commit 9a999e59714a3d5e9e147cafff4abcd7165c9dc3 +Author: Justin Terry (VM) +Date: Thu Oct 24 11:57:18 2019 -0700 + + Simplify hcsoci.MountContainerLayers cleanup logic + + 1. Simplifies the hcsoci.MountContainerLayers logic on failure to use defer + statements to avoid duplicate code. + 2. Modified the uvm.AddSCSILayer to return the uvmpath since all callers + assumed its location. + 3. Modified the uvm.AddPMEM to stop returning device number since all callers + ignored its response. + + 
Signed-off-by: Justin Terry (VM) + +commit c558106bb75c3da0a45485b0872541946bb7fc67 +Merge: 6c7177eae 2fb0ff4ab +Author: Justin +Date: Thu Oct 24 10:44:31 2019 -0700 + + Merge pull request #725 from jterry75/fix_layers + + Fix a race condition in vPMEM layer addition fallback + +commit 2fb0ff4abf8211614da44c1251647d2b76ac4e6e +Author: Justin Terry (VM) +Date: Wed Oct 23 16:06:50 2019 -0700 + + Fix a race condition in vPMEM layer addition fallback + + 1. Fixes a race condition between when the check for vPMEM layer space and the + actual addition takes place for parallel creates/removals. + 2. Simplifies the fallback logic for LCOW when adding layers first to vPMEM and + if there is no space or the file is too large based on max vpmem layer size + settings falls back to SCSI. + 3. Fixes a bug in vPMEM allocation where the refcount add/remove was updated by + value rather than by reference causing it to fail to deallocate the attachment. + + Signed-off-by: Justin Terry (VM) + +commit 6c7177eae8be632af2e15e44b62d69ab18389ddb +Merge: 86b946e54 997572ce7 +Author: Justin +Date: Wed Oct 23 11:28:39 2019 -0700 + + Merge pull request #723 from JocelynBerrendonner/master + + Adding Slash32EndpointPrefixes and AclSupportForProtocol252 feature detection logic + +commit 86b946e5465ae90e7665850ebc1002f027e6b7a6 +Merge: d2849cbdb 0bc510b4c +Author: Justin +Date: Wed Oct 23 10:56:16 2019 -0700 + + Merge pull request #724 from jterry75/fix_test_regression + + Fix issue in LCOW test with CPU set limit + +commit 0bc510b4c5259af4f852ff8be7421ced2c8d92a5 +Author: Justin Terry (VM) +Date: Wed Oct 23 10:50:28 2019 -0700 + + Fix issue in LCOW test with CPU set limit + + Now that we properly honor the CPU set limits the test starting failing because + it uses an invalid set of processors for a default 2 vCPU UVM. + + 
Signed-off-by: Justin Terry (VM) + +commit 997572ce7a67abae8d43cdda199e7a09ccb1486e +Author: JocelynBerrendonner +Date: Tue Oct 22 15:46:23 2019 -0700 + + Adding Slash32EndpointPrefixes and AclSupportForProtocol252 feature detection logic + +commit d2849cbdb9dfe5f513292a9610ca2eb734cdd1e7 +Merge: 725d456df d2042e6c9 +Author: Justin +Date: Mon Oct 21 10:02:33 2019 -0700 + + Merge pull request #718 from jstarks/workaround_expandlayer + + wclayer: Work around Windows bug when expanding sandbox size + +commit 725d456df1b17f7306aa15a7b21a00967106b290 +Merge: e3ec4b139 a04eb60e6 +Author: Justin +Date: Fri Oct 18 14:01:30 2019 -0700 + + Merge pull request #722 from jterry75/ignore_pty_failure + + Ignore ResizePty failure in non-running state + +commit a04eb60e677b5389e843fbd8aa2dfd916c6de998 +Author: Justin Terry (VM) +Date: Fri Oct 18 12:17:52 2019 -0700 + + Ignore ResizePty failure in non-running state + + Signed-off-by: Justin Terry (VM) + +commit 53acb41fd91441fa3d772b1f51e725c8a617d042 +Merge: 0aebdc405 368522955 +Author: Justin +Date: Fri Oct 18 11:22:34 2019 -0700 + + Merge pull request #353 from dariopb/rule_fix + + Correctly setting the table rule to include only packets from the interface. + +commit e3ec4b139e6f75dd465bb60c268a0021a11cb227 +Merge: a3e8dfa71 fd7da3d94 +Author: Kathryn Baldauf +Date: Fri Oct 18 10:55:12 2019 -0700 + + Merge pull request #719 from katiewasnothere/finish_container_stats + + Container Stats for LCOW/WCOW + +commit 0aebdc4058ae5b8999bb76e7140b99eede9bb954 +Merge: ed49d576f 58ef35edc +Author: Kathryn Baldauf +Date: Fri Oct 18 10:50:24 2019 -0700 + + Merge pull request #352 from microsoft/container_stats + + update getPropertiesV2 with ability to get container stats for LCOW + +commit fd7da3d9461ef7a1772f2f7da101a9d44a24ccb7 +Author: Justin Terry (VM) +Date: Wed Oct 9 11:14:06 2019 -0700 + + finish container stats work + * update hcs api with correct field types + * refactor stats retrieval + * add tests for container stats + + 
Signed-off-by: Kathryn Baldauf + +commit 368522955614bc20356e21a30766f0abc8c30e5c +Author: Dario Bazan +Date: Fri Oct 18 10:41:04 2019 -0700 + + Correctly setting the table rule to include only packets from the interface + +commit a3e8dfa71c634a5bdcdd5e3804949a78f680d8ff +Merge: 2a08d6fcd 01cc3c6ed +Author: Justin +Date: Fri Oct 18 09:37:24 2019 -0700 + + Merge pull request #720 from jterry75/runtime_id + + Log runtime id GUID as string + +commit 2a08d6fcd23883573a39ba32ab7ed2b197a9a9eb +Merge: 4635e5098 63c947070 +Author: Justin +Date: Fri Oct 18 07:14:44 2019 -0700 + + Merge pull request #717 from nagiesek/addDestinations + + Adds Destinations to OutboundNat policies + +commit 01cc3c6edd2b06c6a6c9cb184b43e0a88f4a2d4f +Author: Justin Terry (VM) +Date: Thu Oct 17 16:09:32 2019 -0700 + + Log runtime id GUID as string + + Signed-off-by: Justin Terry (VM) + +commit 63c94707059e7a7ded91b00447869471d32f2d50 +Author: Nathan Gieseker +Date: Thu Oct 17 15:06:12 2019 -0700 + + Adds Destinations to OutboundNat policies + +commit ed49d576fe343f768f7c1be84f7da44df5eb89a4 +Merge: c79cd34fe 08a7e6d3b +Author: Justin +Date: Thu Oct 17 12:10:16 2019 -0700 + + Merge pull request #351 from jterry75/fix_panic_in_relay + + Fix nil dereference race in Pipe/TtyRelay Wait + +commit 08a7e6d3b5b96c0bbc20936c933d8b6b8faf668b +Author: Justin Terry (VM) +Date: Thu Oct 17 11:38:09 2019 -0700 + + Fix nil dereference race in Pipe/TtyRelay Wait + + The process for creating a V2 container is separated into a few different + steps. First a CreateContainer is called which creates the actual runc + container process with a standard pipe relay but no upstream IO. Next the HCS + sends an ExecProcess call passing in the upstream IO to relay to. If that call + fails, when the HCS calls Kill on the container the relay wait code would panic + because the upstream IO had never been assigned. + + 
Signed-off-by: Justin Terry (VM) + +commit d2042e6c90c526638eb5ef665eeed7a7199ed4d9 +Author: John Starks +Date: Thu Oct 17 09:52:06 2019 -0700 + + wclayer: Work around Windows bug when expanding sandbox size + + This change works around a bug in Windows where a sandbox VHDX that has + been resized cannot be successfully mounted. This is due to a failure in + the path that resizes the NTFS volume inside the VHDX during the sandbox + mount process. To work around this, manually expand the volume in the + wclayer package just after making the call to expand the VHDX. + + This change hurts the performance of the resize operation on affected + Windows hosts (19H1 and prerelease versions of Vb) and should be + reverted once the Windows bug has been fixed and is widely deployed. + +commit 58ef35edcb98eac07c221ae4d83374b162b8bf8e +Author: Kathryn Baldauf +Date: Fri Oct 11 15:53:21 2019 -0700 + + update getPropertiesV2 with ability to get container stats for LCOW + + 
Signed-off-by: Kathryn Baldauf + +commit 4635e50987a9514eaa2f53984a584f3f5de41818 +Merge: c49a72008 8320476f2 +Author: Justin +Date: Wed Oct 16 09:40:27 2019 -0700 + + Merge pull request #714 from erfrimod/erfrimod/hcn-adding-to-endpoint + + HNS Adding SharedContainers to HostComputeEndpoint + +commit 8320476f2a39958621b044288b5f703be54c5b46 +Author: Erik Frimodig +Date: Mon Oct 14 17:08:53 2019 -0700 + + Removing proxytype from policy + +commit c49a720085d4252c2cedfa251683210403aef74b +Merge: 61f1b4b16 78fcdceae +Author: Kevin Parsons +Date: Mon Oct 14 11:00:37 2019 -0700 + + Merge pull request #713 from kevpar/wcow-pipes + + Support forwarding named pipes to WCOW hypervisor container + +commit 78fcdceae3ccad9532d5f03a369a060093b748da +Author: Kevin Parsons +Date: Sun Oct 13 23:29:07 2019 -0700 + + Support forwarding named pipes to WCOW hypervisor container + + Adds support for forwarding a named pipe from the host into a WCOW + hypervisor container (forwarding to a process container appears to + already have been supported). To forward a pipe into a hypervisor + container, the pipe must first be mapped into the UVM via the + MappedPipes resource type. The MappedPipes resource actually just sets + up a VSMB share for the pipes, so in the future we could choose to + manage this concept directly as a VSMB share rather than via the + MappedPipes resource. + + Signed-off-by: Kevin Parsons + +commit 61f1b4b16f766e32cc7984f9c16969c62c4bda55 +Merge: 01067183a dde739972 +Author: Justin +Date: Thu Oct 10 19:30:40 2019 -0700 + + Merge pull request #712 from jterry75/clear_cgroup_lcow + + Clear Linux.CgroupsPath in LCOW activation + +commit dde73997246ebf5906fa3502129e697756e55677 +Author: Justin Terry (VM) +Date: Thu Oct 10 15:56:45 2019 -0700 + + Clear Linux.CgroupsPath in LCOW activation + + The GCS itself sets the cgroup parent based on its internal layout. Disallow + users to set this themselves. + + 
Signed-off-by: Justin Terry (VM) + +commit c79cd34fecb56869d0699aa80110ee1aecf4e0af +Merge: f2cb33a1f 01d040a33 +Author: Justin +Date: Thu Oct 10 13:49:53 2019 -0700 + + Merge pull request #350 from jterry75/parent_cgroup + + Create Containers and GCS cgroups on GCS startup + +commit 01d040a33add42aa2e0904d4b1f32d8f668cfc7b +Author: Justin Terry (VM) +Date: Thu Oct 10 10:46:29 2019 -0700 + + Create Containers and GCS cgroups on GCS startup + + Setup the UVM cgroups to protect against a workload taking all available + memory and causing the GCS to malfunction we create two cgroups: gcs, + containers. + + The containers cgroup is limited only by {Totalram - 75 MB (reservation)}. + + The gcs cgroup is limited to 10 MB to prevent unknown memory leaks over time + from affecting workload memory. + + 
Signed-off-by: Justin Terry (VM) + +commit 01067183ac4a73f427917c39e352a82bb877cefe +Merge: c81bb6b07 50949ce32 +Author: Justin +Date: Tue Oct 8 12:04:53 2019 -0700 + + Merge pull request #705 from erfrimod/erfrimod/hns-proxy-updates + + Updating HCN LoadBalancer and Proxy code. + +commit c81bb6b077cbf137262fa84e13bb25786e1421ac +Merge: 0b6a23aa5 586f4f953 +Author: Justin +Date: Mon Oct 7 15:22:09 2019 -0700 + + Merge pull request #709 from jterry75/update_shutdown_timeout + + Shorten Shutdown and Terminate timeout to 30 seconds + +commit f2cb33a1ffe827d278631bd97625a0130547fe00 +Merge: 6c7630fc0 3b6b46c1e +Author: Justin +Date: Mon Oct 7 15:21:49 2019 -0700 + + Merge pull request #348 from jterry75/stop_waiting_for_exec_exit + + Do not wait for outstanding execs on container exit + +commit 6c7630fc0c48fcf199d14aec748a77ee412499cb +Merge: ee915ce26 2df21164d +Author: Justin +Date: Mon Oct 7 12:37:50 2019 -0700 + + Merge pull request #349 from microsoft/mount_propagation + + Support mount propagation for sandbox mounts + +commit 0b6a23aa5e067cc1cf419d28e6089f075fd76650 +Merge: cf76d8132 2ff40af2c +Author: Justin +Date: Mon Oct 7 12:37:18 2019 -0700 + + Merge pull request #711 from microsoft/cold_discard_hints_annotation + + Pass through cold discard hint annotation to hcs + +commit 2df21164dca6835a6d8b425cab5d1eb2004c8d49 +Author: Kathryn Baldauf +Date: Fri Oct 4 15:11:45 2019 -0700 + + Support mount propagation for sandbox mounts + * This change creates a new dedicated directory path in the uvm for all + sandbox mounts at /tmp/gcs/cri//sandboxMounts. + * The above path will be marked as rshared + * OpenGCS now expects sandbox mounts to be given with a source prefix + of 'sandbox://' + * OpenGCS will also create any files or directories in the resulting + source sandbox mount path. + + 
Signed-off-by: Kathryn Baldauf + +commit 2ff40af2c6e4608c08140abb43d0fe14c8261f04 +Author: Kathryn Baldauf +Date: Thu Sep 26 14:46:31 2019 -0700 + + Pass through cold discard hint annotation to hcs + + Signed-off-by: Kathryn Baldauf + +commit cf76d8132ece001f18046aefdfd51599d1a9069d +Merge: d0766c752 9e97ddc96 +Author: Kathryn Baldauf +Date: Mon Oct 7 10:11:58 2019 -0700 + + Merge pull request #710 from microsoft/mount_propagation + + Do not remove sandbox prefix for sandbox mount before passing to opengcs + +commit d0766c75207682356a1babb7686510b43e8909c5 +Merge: 04f60b98e 5d1beef3c +Author: Kevin Parsons +Date: Fri Oct 4 15:57:06 2019 -0700 + + Merge pull request #707 from kevpar/wcow-single-file-map + + Support WCOW single-file mounts + +commit 9e97ddc96e72d1a259a74baff1c62604f19fe84b +Author: Kathryn Baldauf +Date: Fri Oct 4 15:08:38 2019 -0700 + + Do not remove sandbox prefix for sandbox mount before passing to opengcs + + Signed-off-by: Kathryn Baldauf + +commit 586f4f953489b594bcbb316e0d721b2f34d7f061 +Author: Justin Terry (VM) +Date: Fri Oct 4 15:02:59 2019 -0700 + + Shorten Shutdown and Terminate timeout to 30 seconds + + 1. When issuing a Shutdown/Terminate over external bridge shorten the timeout + window to 30 seconds to protect against a misbehaving guest. + 2. When waiting for a Shutdown to complete and the container to exit shorten + the timeout to 30 seconds to protect against a misbehaving guest. + + Signed-off-by: Justin Terry (VM) + +commit 3b6b46c1edbe5abbc4b5c7cb8f9601da963da305 +Author: Justin Terry (VM) +Date: Fri Oct 4 10:24:41 2019 -0700 + + Do not wait for outstanding execs on container exit + + 1. The expectation of containerd is that when a process exits the exit + notification is sent. But it is also possible in the api to signal a container + exit without using all=true thus outstanding execs may be running when the exit + should fire. This enables the caller to receive the notification and then + handle the shutdown properly. + + 
Signed-off-by: Justin Terry (VM) + +commit 5d1beef3c4194408b5af824985d5ba1d70118952 +Author: Kevin Parsons +Date: Wed Oct 2 15:08:36 2019 -0700 + + Support WCOW single-file mounts + + We currently support a temporary fix here to allow WCOW single-file + mounts to function. VSMB does not support directly mapping a single file + into a UVM, but rather supports an `AllowedFileList` along with options + `RestrictFileAccess` and `SingleFileMapping`, which are together used to + ensure that the share only presents a subset of the actual present + files. We map the file into the UVM using this approach, and then use + bindflt in the UVM to present the file in the share at the desired + location in the container file system. + + However, naively implementing this introduces some problems. Notably, + the VSMB share map tracks shares by the host path, leading to problems + if you try to map an additional single file from the same directory, or + map a directory as both a set of single files, as well as in another + location as the entire directory. + + To fully resolve this issue, we require broader changes to how resources + are managed in hcsshim. But for now we introduce a temporary fix. We now + separately track VSMB shares that present an unrestricted directory, and + those that allow only specific file access. When the VSMB functions + receive a host path, they take the appropriate action based on if that + path points to a file (map its directory as a share restricted to only + the desired files), or if it points to a directory (map the directory + without restriction). + + 
Signed-off-by: Kevin Parsons + +commit ee915ce269cf10789d7870352e188298d1bd877b +Merge: 8cadd9c85 b2d9d4bfa +Author: Justin +Date: Wed Oct 2 13:03:32 2019 -0700 + + Merge pull request #347 from microsoft/plan9_mount_perf + + Add sock options and set payload size for plan 9 mounts + +commit b2d9d4bfafb972aa24dc989eecc468c769833e0f +Author: Kathryn Baldauf +Date: Wed Sep 25 17:11:39 2019 -0700 + + Add sock options and explicitly set payload size for plan 9 mounts + + Signed-off-by: Kathryn Baldauf + +commit 04f60b98e7cbdab8aa2703e54a8ecb19f813ef1d +Merge: 82c7525d9 efbf2f7e0 +Author: Justin +Date: Mon Sep 30 14:05:41 2019 -0700 + + Merge pull request #706 from jterry75/force_terminate + + Force terminate UVM if any container ignores SIGKILL + +commit 8cadd9c853d28c9c7c245856d3e473bc23f6b55d +Merge: cd6add313 9581e44c6 +Author: Justin +Date: Fri Sep 27 15:14:25 2019 -0700 + + Merge pull request #346 from jterry75/update_cd_1_3_0 + + Update to containerd 1.3.0 vendor + +commit 9581e44c66d155d00cb60238d50e1d65fb645a6a +Author: Justin Terry (VM) +Date: Fri Sep 27 13:58:29 2019 -0700 + + Update to containerd 1.3.0 vendor + + Signed-off-by: Justin Terry (VM) + +commit efbf2f7e0e5ced6e70ff207c157664a1ae95735b +Author: Justin Terry (VM) +Date: Fri Sep 27 10:31:02 2019 -0700 + + Force terminate UVM if any container ignores SIGKILL + + If any hypervisor container running in a UVM ignores the SIGKILL for longer + than 30 seconds forcibly terminate the UVM. This is a mitigation against a + misbehaving guest that could potentially cause stop failures if it doesn't + respond with the proper exit. + + 
Signed-off-by: Justin Terry (VM) + +commit 50949ce32706ea6019cd27b71d778dcf79a1fefe +Author: Erik Frimodig +Date: Thu Sep 26 14:23:35 2019 -0700 + + Updating LoadBalancer tests to create SDNNetworks so LBPolicy will work. Updating Proxy Policy with latest Schema changes. + +commit 82c7525d98c8990d0ceb533322bc9c72fbddaf70 +Merge: 7a7dcfb26 d64e060d0 +Author: Kevin Parsons +Date: Thu Sep 26 11:10:21 2019 -0700 + + Merge pull request #704 from kevpar/stats-fixes + + Reliability and logging improvements to UVM stats + +commit d64e060d0493fa015a68f2842caaa0d6ac6ea857 +Author: Kevin Parsons +Date: Thu Sep 26 10:45:19 2019 -0700 + + Reliability and logging improvements to UVM stats + + This change does several things to make querying UVM stats more robust: + - Regardless of the error encountered when checking a process to see if + it is the correct vmmem instance, log the error and skip to the next + process. Previously we only skipped if the error was + ERROR_ACCESS_DENIED. One case this will handle better now is if the + process has exited by the time we try to open it, we will now continue + looking at the other processes. + - The error returned by the vmmem lookup is now saved and returned every + time we retrieve the saved vmmem process. This will make it easier to + understand what the original error was even if we only have logs from + the Nth time querying for stats. + - Added additional logging during vmmem lookup: + - Every time we fail to check a process + - Every vmmem process right before we check its user identity. + + 
Signed-off-by: Kevin Parsons + +commit 7a7dcfb26c32e84ad16430c0fa9e8581500e7092 +Merge: 9a7a24526 fc97d61af +Author: Kevin Parsons +Date: Wed Sep 25 14:48:50 2019 -0700 + + Merge pull request #703 from Random-Liu/update-ttrpc + + Update ttrpc to fix status check error. + +commit 9a7a24526c32826098d0349db3886bcb709dd5f7 +Merge: 10079297f 0b41bc250 +Author: Justin +Date: Wed Sep 25 10:02:35 2019 -0700 + + Merge pull request #702 from Random-Liu/fix-live-restore-for-shim-log + + Fix live restore for shim log. + +commit fc97d61af2b59fb38f6670cd86dd6201e0de5a6d +Author: Lantao Liu +Date: Tue Sep 24 22:25:35 2019 -0700 + + Update ttrpc to fix status check error. + + Signed-off-by: Lantao Liu + +commit 0b41bc2500cf068e066d5ce5f991fa0ce6d8a387 +Author: Lantao Liu +Date: Tue Sep 24 21:13:49 2019 -0700 + + Fix live restore for shim log. + + Signed-off-by: Lantao Liu + +commit 10079297f84d15d34549527f2290c1148ce450b3 +Merge: 3f5164479 bd326c948 +Author: Justin +Date: Tue Sep 24 15:35:42 2019 -0700 + + Merge pull request #701 from jterry75/hostname_tests + + Add cri-containerd hostname tests + +commit bd326c948763b5c9ccb0338153a158c916ed5ce6 +Author: Justin Terry (VM) +Date: Tue Sep 24 10:55:20 2019 -0700 + + Add cri-containerd hostname tests + + 1. Adds a hostname test for a workload container in each of: + runhcs-wcow-process, runhcs-wcow-hypervisor, runhcs-lcow runtimes. + + Signed-off-by: Justin Terry (VM) + +commit 3f5164479a9fb775c51d0959bb2be04bbdb49ad9 +Merge: db47838f9 274c77292 +Author: Justin +Date: Fri Sep 20 07:11:53 2019 -0700 + + Merge pull request #699 from jterry75/fix_test_defer_order + + Fix test bug in defer order + +commit 274c772921dba94aaccb500e7ccb165ca52173c3 +Author: Justin Terry (VM) +Date: Fri Sep 20 07:10:56 2019 -0700 + + Fix test bug in defer order + + 
Signed-off-by: Justin Terry (VM) + +commit db47838f9af74df1a17c2da9dacdc922d6a2f697 +Merge: 079e6c8fa d3d1ef23a +Author: Justin +Date: Fri Sep 20 07:07:19 2019 -0700 + + Merge pull request #698 from kevpar/uvm-metrics + + Add tests for UVM stats + +commit d3d1ef23ac2142deb73684ee35573f0a7f8bdf34 +Author: Kevin Parsons +Date: Thu Sep 19 12:35:51 2019 -0700 + + Add tests for UVM stats + + Signed-off-by: Kevin Parsons + +commit 079e6c8fa2c3b641844e7f217d58a5a57b3a6440 +Merge: 72930876e 1e4afe9fd +Author: Justin +Date: Thu Sep 19 05:38:31 2019 -0700 + + Merge pull request #697 from kevpar/uvm-metrics + + LCOW UVM metrics support + +commit 1e4afe9fdf8f3210e7631d1f21ae3c40d5ad87ae +Author: Kevin Parsons +Date: Wed Sep 18 21:08:53 2019 -0700 + + LCOW UVM metrics support + + This change adds the ability to query an LCOW UVM for metrics. The + currently supported metrics are CPU usage in nanoseconds, and working + set size in bytes. Because containerd does not understand the concept of + a UVM, we return a Statistics protobuf that has both a section for + container stats, as well as a section for UVM stats. When the task that + owns the UVM is queried for stats, it will fill out the VM section. In + the future when container stats are supported as well, the container + stats section will also be filled out. + + Signed-off-by: Kevin Parsons + +commit 72930876e40877e275cc4b87479a325040e27f77 +Merge: bd9b25532 2150d49d8 +Author: Justin +Date: Wed Sep 18 14:18:41 2019 -0700 + + Merge pull request #694 from jterry75/fix_exec + + Fix an issue where un-exited exec's can stop container kill + +commit 2150d49d82f7700491c9c1ddf27c28d9fec67df0 +Author: Justin Terry (VM) +Date: Wed Sep 18 12:41:21 2019 -0700 + + Add Stop tests with Timeout and running Exec + + 1. Cleans up and extracts some common test methods for reuse. + 2. Adds StopContainer test for LCOW with a Timeout. + 3. Adds StopContainer test for LCOW with a running Exec. + + 
Signed-off-by: Justin Terry (VM) + +commit 74797621272dcdb86962d7b6b29d3b9ed2cf902a +Author: Justin Terry (VM) +Date: Mon Sep 16 15:53:00 2019 -0700 + + Fix an issue where un-exited exec's can stop container kill + + 1. When issuing a Kill we know log any error from outstanding execs but do not + stop iterating to all other execs. We finally always send that signal to the + init exec. + 2. We no longer verify that when sending a signal to the init exec that all + other execs are in the exited state. This was allowing a non-exited exec to + prevent the container from stopping. + 3. When issuing a delete on the init exec we now forcibly exit all outstanding + execs. + + Signed-off-by: Justin Terry (VM) + +commit bd9b2553245043e79a1037b13afb0091d970a93d +Merge: e6890e6c3 cc1fcb6d9 +Author: Kathryn Baldauf +Date: Mon Sep 16 11:10:05 2019 -0700 + + Merge pull request #693 from microsoft/vpmemfix + + add lock around check for uvm vpmem limits exceeding + +commit cd6add313b0a6211971015545b17aed1f936be17 +Merge: 5cfb937d0 3c0a9adb4 +Author: Justin +Date: Mon Sep 16 11:03:44 2019 -0700 + + Merge pull request #345 from microsoft/fix_344 + + Fix bug in json.Unmarshal on OpenCensus TraceState entries + +commit 3c0a9adb4d76e21fceb606c45947a5821a84ff0a +Author: Justin Terry (VM) +Date: Mon Sep 16 10:49:54 2019 -0700 + + Fix bug in json.Unmarshal on OpenCensus TraceState entries + + Fixes: 344 + + Signed-off-by: Justin Terry (VM) + +commit cc1fcb6d9dcf36f47fc2f50abb9b53da5f71e68a +Author: Kathryn Baldauf +Date: Mon Sep 16 09:59:26 2019 -0700 + + add lock around check for uvm vpmem limits exceeding + + 
Signed-off-by: Kathryn Baldauf + +commit e6890e6c30ebf9ce517c96ca1b6ba8ebb2a4d2cc +Merge: 559a1cf5a 639e9861a +Author: Kathryn Baldauf +Date: Mon Sep 9 13:46:26 2019 -0700 + + Merge pull request #691 from microsoft/vpmem + + Add check for number of vpmem devices on uvm + +commit 639e9861a941facad960ba23ce47eba4b43242b2 +Author: Kathryn Baldauf +Date: Fri Sep 6 15:40:48 2019 -0700 + + Add check for number of vpmem devices on uvm + + Signed-off-by: Kathryn Baldauf + +commit 5cfb937d00bd4e0aec6a5adafdb07c0c8bba2378 +Merge: 7ab470012 33a702547 +Author: Kevin Parsons +Date: Fri Sep 6 16:28:44 2019 -0700 + + Merge pull request #342 from jstarks/entropy_fix + + init: Close entropy-related fds + +commit 559a1cf5a26cfd2b1c467c446ad83b91745c4a06 +Merge: 26ed62201 cec87f358 +Author: Kevin Parsons +Date: Fri Sep 6 16:19:33 2019 -0700 + + Merge pull request #690 from kevpar/fix-runas-test + + Fix LCOW run-as-user test to use own PID namespace + +commit cec87f3581d471650819c744c17e2ba1916d442d +Author: Kevin Parsons +Date: Fri Sep 6 16:06:01 2019 -0700 + + Fix LCOW run-as-user test to use own PID namespace + + Previously execcontainer_test.go was marked with a failing_tests build + tag which caused it to not actually be built. At some point after we + added support for run-as-user to LCOW, the build tag was removed. + However, it appears the test actually didn't work. The CRI default is to + put all containers in the same pod PID namespace, but the test assumed + the workload container's init would be PID 1 (PID 1 was actually the + sandbox container's init). + + To fix this, we now specify the container PID namespace mode for the + workload container, so that it won't share a namespace with other + containers. + + 
Signed-off-by: Kevin Parsons + +commit 33a702547f6dba2e6970653c83dcd087eaadd35d +Author: John Starks +Date: Fri Sep 6 15:48:44 2019 -0700 + + init: Close entropy-related fds + +commit 26ed62201ba21ec4815bacc0ab09406dbcbf45c0 +Merge: c088f411a ca6711998 +Author: Kevin Parsons +Date: Thu Sep 5 12:26:06 2019 -0700 + + Merge pull request #688 from jstarks/entropy + + uvm: Send entropy to Linux UVMs during boot + +commit c088f411aaf3585d8dffc9deb4289ffa32854497 +Merge: 84b0c364e 472381b52 +Author: Kevin Parsons +Date: Thu Sep 5 10:21:10 2019 -0700 + + Merge pull request #689 from kevpar/fix-event-namespace + + Explicitly set namespace when publishing an event + +commit ca6711998dafdac392699e0f50b155fe926ea5eb +Author: John Starks +Date: Wed Sep 4 09:33:29 2019 -0700 + + uvm: Send entropy to Linux UVMs during boot + + This change updates the Linux UVM boot sequence to open a vsock + connection to send entropy data to seed the kernel RNG. This is + necessary so that early uses of the kernel RNG reliably get + unpredictable data. + + This depends on the corresponding change to init in the opengcs repo. + +commit 472381b52744432c9564886ed2ab776955ae0d1b +Author: Kevin Parsons +Date: Wed Sep 4 21:53:41 2019 -0700 + + Explicitly set namespace when publishing an event + + This fixes a regression introduced when we switched to TTRPC for + publishing events to containerd. Previously we explicitly passed the + namespace for each event as a command line parameter to containerd.exe, + which was invoked to publish the event. Now that TTRPC is used, the + context passed to Publish is expected to include the namespace as a + stored value. + + 
Signed-off-by: Kevin Parsons + +commit 7ab4700121e4158a0156061b15c5392c17f16020 +Merge: 53f496fcd 39c13e68f +Author: Kevin Parsons +Date: Wed Sep 4 15:56:13 2019 -0700 + + Merge pull request #341 from microsoft/fix-randomh + + init: Add workaround for musl-gcc missing linux/random.h + +commit 39c13e68f4e3583f0dbd702e2fe0c7cb37772501 +Author: Kevin Parsons +Date: Wed Sep 4 15:50:55 2019 -0700 + + init: Add workaround for musl-gcc missing linux/random.h + + 
Signed-off-by: Kevin Parsons + +commit 53f496fcd11e56ccdb7bfd6260579fc62c37004f +Merge: 26b56e5b2 a33866838 +Author: Justin +Date: Wed Sep 4 14:05:20 2019 -0700 + + Merge pull request #339 from jstarks/entropy + + init: Add option to initialize entropy from vsock + +commit 26b56e5b253c19d01f554475b9b8681ea6c95867 +Merge: 5838adbdd 49026a11d +Author: Justin +Date: Wed Sep 4 14:04:47 2019 -0700 + + Merge pull request #340 from jstarks/pmem_error + + gcs: Improve error message on pmem mount failure + +commit 49026a11db901ea42331aa533e2995cfb5f51e58 +Author: John Starks +Date: Wed Sep 4 13:24:44 2019 -0700 + + gcs: Improve error message on pmem mount failure + +commit a33866838cc21875c1423e3ee5945c84c566f094 +Author: John Starks +Date: Wed Sep 4 08:17:47 2019 -0700 + + init: Add option to initialize entropy from vsock + + This change adds a command line option, -e, that specifies a vsock port + to read initial RNG entropy. init reads all data written to the + connection by the host, adds this data to the kernel RNG, and increments + the available entropy count. The host is trusted to write + cryptographically random data to this port. + + Without this, the available entropy at LCOW boot is very low, and data + read from /dev/urandom is likely to be highly predicable. + +commit 84b0c364e1e3bb91e43b85bf20d72e7948666817 +Merge: e458edf24 8aaa5037e +Author: Justin +Date: Wed Sep 4 07:17:38 2019 -0700 + + Merge pull request #685 from jterry75/abwah_carry + + Enable container mounts to refer to host path on the UVM + +commit 8aaa5037edf71d347d1f8299995b43ea184efe35 +Author: Abdul Waheed +Date: Fri Aug 30 17:31:11 2019 -0700 + + Enable container mounts to refer to host path on the UVM + + Signed-off-by: Abdul Waheed + 
Signed-off-by: Justin Terry (VM) + +commit e458edf240e8702dcf0a1718d76cdb3fed906d28 +Merge: 1354cb2e8 df8f88fef +Author: Justin +Date: Fri Aug 30 15:18:43 2019 -0700 + + Merge pull request #684 from abwah/customscratchtests + + Add Tests for create containers with custom size scratch vhd + +commit df8f88feffb2b3149d998040fb8b5d677cce7c74 +Author: Abdul Waheed +Date: Fri Aug 30 14:48:13 2019 -0700 + + CR Feedback + +commit 3616f7ca0c72ae0847bdcddb20c630ab0e0a8d7f +Author: Abdul Waheed +Date: Fri Aug 30 12:37:52 2019 -0700 + + Add Tests for create containers with custom size scratch vhd + +commit 1354cb2e878d37d2f5c11595634290ea9e2600a1 +Merge: c5aeac863 f2dbb0cdf +Author: Justin +Date: Thu Aug 29 12:49:16 2019 -0700 + + Merge pull request #682 from Random-Liu/hcn-namespace-error + + Namespace not found error. + +commit f2dbb0cdfd46a786f979e355c38df75daf97ce92 +Author: Lantao Liu +Date: Wed Aug 28 17:46:04 2019 -0700 + + Namespace not found error. + + Signed-off-by: Lantao Liu + +commit c5aeac86373c6b87df28c73209881df06133c631 +Merge: e14161022 9f2d4ade2 +Author: Kathryn Baldauf +Date: Wed Aug 28 12:58:52 2019 -0700 + + Merge pull request #681 from microsoft/katiewasnothere/ttrpcevents + + Use ttrpc for event publishing to containerd + +commit 9f2d4ade26609ae12b13f021e85737a55b71a87f +Author: Kathryn Baldauf +Date: Mon Aug 19 11:25:16 2019 -0700 + + Use ttrpc for event publishing to containerd + + 
Signed-off-by: Kathryn Baldauf + +commit 5838adbddd1b1486531e879096b2c4512682e6ee +Merge: e08da9b89 a978dc15a +Author: Justin +Date: Mon Aug 26 12:36:36 2019 -0700 + + Merge pull request #336 from dariopb/two_interfaces + + Adding support for 2 ethernet interfaces (ingress/egress on secondary interface) + +commit a978dc15a599b6c69df81dd180d1bc20bddf2e9b +Author: Dario Bazan +Date: Sun Aug 25 22:24:53 2019 -0700 + + Adding support for 2 ethernet interfaces (ingress/egress on secondary + interface) + +commit e141610227250972242dbeb8e9bb8f1bef304045 +Merge: d64a16fba 36ef098e6 +Author: Justin +Date: Mon Aug 26 10:46:44 2019 -0700 + + Merge pull request #679 from microsoft/update-ttrpc + + Revendor containerd/ttrpc + +commit 36ef098e617784e169af705e48fae8e6daa37fd4 +Author: Kevin Parsons +Date: Mon Aug 26 10:13:19 2019 -0700 + + Revendor containerd/ttrpc + + This is just to bring in the fix to TTRPC service names as seen by + interceptors. + + Signed-off-by: Kevin Parsons + +commit d64a16fba14c833a539fcff9a2eabc3191d5db30 +Merge: 7e6c52e1c 34ec02362 +Author: Kevin Parsons +Date: Sat Aug 24 21:58:20 2019 -0700 + + Merge pull request #678 from microsoft/octtrpc + + Support forwarding OpenCensus spans over TTRPC for shim task service + +commit 34ec02362051a8c7a265bc9cf34d0d13a68ec4d8 +Author: Kevin Parsons +Date: Sat Aug 24 12:10:30 2019 -0700 + + Use octtrpc interceptor for shim task service + + Signed-off-by: Kevin Parsons + +commit 3379c1f22cf3f98e06824834e41ae2a8f5853457 +Author: Kevin Parsons +Date: Sat Aug 24 12:09:55 2019 -0700 + + Add octtrpc package + + Signed-off-by: Kevin Parsons + +commit 41e170c49e55e09017849a26465cd04042c4265d +Author: Kevin Parsons +Date: Sat Aug 24 12:09:03 2019 -0700 + + Update containerd/ttrpc + + 
Signed-off-by: Kevin Parsons + +commit 7e6c52e1cc1c375b6a307d8a9a414bfe7b5d9d12 +Merge: 0f4e8c34d 040b1ec72 +Author: Justin +Date: Sat Aug 24 09:02:33 2019 -0700 + + Merge pull request #677 from jterry75/enable_stacks_for_standalone_lcow + + Include context identifiers on DumpStacks requests + +commit 040b1ec72ca9f3ce786ed4e5af180b3e67b5c52e +Author: Justin Terry (VM) +Date: Fri Aug 23 11:26:17 2019 -0700 + + Include context identifiers on DumpStacks requests + + 1. Adds context to the dump stack trace so that it can be correlated. + 2. Adds support for guet DumpStacks on standalone LCOW/WCOW as well. + 3. Limits the guest timeout from 5 minutes to 5 seconds for a guest stack trace. + + Signed-off-by: Justin Terry (VM) + +commit 0f4e8c34dad9446c2f5ec837bce5bdfd54b6623d +Merge: a03d139f7 33f1ffa7f +Author: Justin +Date: Thu Aug 22 19:42:17 2019 -0700 + + Merge pull request #676 from jterry75/fix_9pfs_test + + Only enable single-file 9pfs test on 19H1+ + +commit 33f1ffa7fcb6f558f3bd69ab13ead773e1df08f2 +Author: Justin Terry (VM) +Date: Thu Aug 22 19:36:20 2019 -0700 + + Only enable single-file 9pfs test on 19H1+ + + 
Signed-off-by: Justin Terry (VM) + +commit e08da9b89a07f056555eb339318afb3a9cb66abd +Merge: 2b2cc6bba 8641aef54 +Author: Justin +Date: Thu Aug 22 16:18:44 2019 -0700 + + Merge pull request #334 from jterry75/update_golang + + Update to golang 1.12.9 + +commit a03d139f7c688c2b0b475f0ffb6d9be2f86bca46 +Merge: 08c4feeed 7840cafba +Author: Justin +Date: Thu Aug 22 16:16:14 2019 -0700 + + Merge pull request #669 from jterry75/cleanup_uvm_logs + + Cleanup excess or duplicate internal/uvm package logs + +commit 08c4feeedeb061e52f68d0c40aa6001e2bc1e507 +Merge: 52e7c177c 01465311e +Author: Justin +Date: Thu Aug 22 16:15:55 2019 -0700 + + Merge pull request #667 from jterry75/update_appveyor + + Update AppVeyor to golang 1.12.9 + +commit 52e7c177caf0601927b5a84a30b1d01876e7b8bf +Merge: c2ea5d025 2dc2a7dee +Author: Justin +Date: Thu Aug 22 15:57:52 2019 -0700 + + Merge pull request #672 from jterry75/automanage_vhd + + Add support for automanage-virtual-disk targets + +commit 2dc2a7dee3aa61f5ce58867f11ff4109245f0653 +Author: Justin Terry (VM) +Date: Tue Aug 20 15:57:50 2019 -0700 + + Add support for automanage-virtual-disk targets + + Signed-off-by: Justin Terry (VM) + +commit 8641aef549b0693c3d445253eb43ad719e76a48e +Author: Justin Terry (VM) +Date: Wed Aug 14 09:25:27 2019 -0700 + + Update to golang 1.12.9 + + Signed-off-by: Justin Terry (VM) + +commit 7840cafba45c29fa2a09eac7368e26d0d27e3590 +Author: Justin Terry (VM) +Date: Thu Aug 1 12:26:38 2019 -0700 + + Cleanup excess or duplicate internal/uvm package logs + + Almost all logs at this level are duplicate as they translate to a message that + is sent to either the gcs or hcs package which logs all RPC messages already. + + Signed-off-by: Justin Terry (VM) + +commit 01465311e75f4a2f3c0bd5dbf4d36a4d49780cd7 +Author: Justin Terry (VM) +Date: Wed Aug 14 09:21:27 2019 -0700 + + Update AppVeyor to golang 1.12.9 + + 
Signed-off-by: Justin Terry (VM) + +commit c2ea5d0256e63409bf3d6b1e131a4001bd22ca59 +Merge: 9e921883a 27b8d9834 +Author: Justin +Date: Wed Aug 21 12:47:58 2019 -0700 + + Merge pull request #673 from sprt/compartmentid + + Use the right field name in L4ProxyPolicySetting + +commit 27b8d9834a17f9cd64b4b75c90a5c227ff6e8133 +Author: Aurélien Bombo +Date: Tue Aug 20 17:36:25 2019 -0700 + + Use the right field name in L4ProxyPolicySetting + + WFP expects the field "CompartmentID", not "NetworkCompartmentID". + Passing the wrong field causes it to be silently ignored, but the proxy + would be misconfigured. + +commit 9e921883ac929bbe515b39793ece99ce3a9d7706 +Merge: ff1cc0be6 421312b7c +Author: Justin +Date: Tue Aug 20 13:37:02 2019 -0700 + + Merge pull request #671 from microsoft/katiewasnothere/plan9hostpath + + Change parsing of hostpath string for plan9 file mounting + +commit 421312b7cbb27d9ff0d80fbb1db83766f4b43bb4 +Author: Kathryn Baldauf +Date: Mon Aug 19 15:53:18 2019 -0700 + + Change parsing of hostpath string to work on windows + + Signed-off-by: Kathryn Baldauf + +commit 2b2cc6bba61ba979acd7156a8bab8a2006ea11cb +Merge: 84850a659 73b7ba6cc +Author: Kathryn Baldauf +Date: Fri Aug 16 12:33:31 2019 -0700 + + Merge pull request #335 from microsoft/katiewasnothere/dumpstacks + + Add ability to dump stacks in OpenGCS + +commit ff1cc0be6aa069ea838264de1e671b8b463eeef1 +Merge: f3a709278 c4c3be440 +Author: Kathryn Baldauf +Date: Fri Aug 16 12:33:25 2019 -0700 + + Merge pull request #668 from microsoft/katiewasnothere/dumpstacks + + Call gcs dump stacks on etw callback + +commit c4c3be440b2be039f7a5950a6b5ad5cae11ff4b1 +Author: Kathryn Baldauf +Date: Wed Aug 14 13:39:27 2019 -0700 + + Add call to opengcs bridge to get guest stacks + + Signed-off-by: Kathryn Baldauf + +commit 73b7ba6cc7c6ba06d8f0a52d96eacd34e848e4ee +Author: Kathryn Baldauf +Date: Wed Aug 14 13:14:26 2019 -0700 + + Add bridge command to retrieve stacks + + 
Signed-off-by: Kathryn Baldauf + +commit f3a709278302553a13f3076369160103d274276c +Merge: e38a39c07 9d912f335 +Author: Justin +Date: Thu Aug 15 16:46:07 2019 -0700 + + Merge pull request #670 from jterry75/tmp_vhd_mount + + Support LCOW /tmp backed by temporary vhdx + +commit 9d912f335652f21e5d763268e45ff9de9f842a38 +Author: Justin Terry (VM) +Date: Thu Aug 15 09:54:06 2019 -0700 + + Support LCOW /tmp backed by temporary vhdx + + This is a temporary workaround for adding a writable section mapped to /tmp + backed by a vhdx on the host without requiring the orchestrator to create and + managed the vhd. Long term this should be removed. + + Signed-off-by: Justin Terry (VM) + +commit e38a39c0716c28df758f4a8afadc76ec5ceaa165 +Merge: c8c5bd49a ad79e4599 +Author: Justin +Date: Fri Aug 9 11:37:51 2019 -0700 + + Merge pull request #666 from jterry75/fix_cri-tests + + Fix VM processor.limit in tests + +commit ad79e4599b24ff55445c6ae817efc86d7f098b6f +Author: Justin Terry (VM) +Date: Thu Aug 8 23:58:59 2019 -0700 + + Fix VM processor.limit in tests + + The setting for VM processor limit is out of 100,000 not 10,000 so previously + only 9% CPU limit was being applied for the entire UVM. + + Signed-off-by: Justin Terry (VM) + +commit c8c5bd49a8b963219e493bb1eab37a81a1bef520 +Merge: 3b852ccdc 2ab18974e +Author: Justin +Date: Wed Aug 7 16:13:28 2019 -0700 + + Merge pull request #665 from jterry75/revendor_go-winio + + Update Microsoft/go-winio v0.4.14 + +commit 3b852ccdcea5dbd2427adf7d00d4194a2b4128c8 +Merge: 8694eade7 f837c1b86 +Author: Justin +Date: Wed Aug 7 15:37:13 2019 -0700 + + Merge pull request #664 from jterry75/vmcompute_pkg + + Introduce the vmcompute package + +commit 2ab18974ee30e628cf9f4da5b73820450183a811 +Author: Justin Terry (VM) +Date: Tue Aug 6 13:49:58 2019 -0700 + + Update Microsoft/go-winio v0.4.14 + + 
Signed-off-by: Justin Terry (VM) + +commit f837c1b86aa9b003c791db67faea7df695e5856a +Author: Justin Terry (VM) +Date: Thu Aug 1 15:04:04 2019 -0700 + + Introduce the vmcompute package + + 1. Seperates the internal/hcs from internal/vmcompute packages. This is because + the HCS has multiple entry API's now and the internal/hcs package can handle + them all. + 2. Improves the entry/exit logging of the vmcompute syscall interface request, + response json. + + Signed-off-by: Justin Terry (VM) + +commit 8694eade7dd3d05d90042682459d4f1d0ab83e62 +Merge: 56febed20 0e84e4129 +Author: Justin +Date: Wed Jul 31 20:52:47 2019 -0700 + + Merge pull request #663 from jterry75/hcs_span_support + + Cleanup internal/hcs logging with Span support + +commit 84850a65901a17ae2424c4eb8f73c59998fd915c +Merge: f21f430f4 ed3f68b94 +Author: Justin +Date: Wed Jul 31 20:51:09 2019 -0700 + + Merge pull request #331 from jterry75/cleanup_spans + + Cleanup duplicate spans and add context + +commit f21f430f448c18a894a0533ae1e5dfc1b9924ecb +Merge: 9d1842e1f 0ad60cee2 +Author: Justin +Date: Wed Jul 31 15:51:57 2019 -0700 + + Merge pull request #332 from jterry75/network_wait_context + + Use context wait patterns + +commit 0ad60cee292b2372b350713b715fdba75c79bd39 +Author: Justin Terry (VM) +Date: Tue Jul 30 23:20:47 2019 -0700 + + Use context wait patterns + + Signed-off-by: Justin Terry (VM) + +commit ed3f68b945b621efda883e899c81818541046b94 +Author: Justin Terry (VM) +Date: Tue Jul 30 17:31:17 2019 -0700 + + Cleanup duplicate spans and add context + + 
Signed-off-by: Justin Terry (VM) + +commit 9d1842e1f9be9acdfc19830501e0d868eafb2308 +Merge: 4062fc9ce e6ee10bca +Author: Justin +Date: Wed Jul 31 15:29:25 2019 -0700 + + Merge pull request #333 from jterry75/seperate_uvm_modify + + Break apart hcsv2.Host ModifySettings methods + +commit e6ee10bca38736be3a15d291e3954cbc16fe5ad8 +Author: Justin Terry (VM) +Date: Wed Jul 31 11:23:49 2019 -0700 + + Break apart hcsv2.Host ModifySettings methods + + Seperates all hvsv2.Host ModifySettings calls into seperate functions to make + growth easier when adding new entries. + + Signed-off-by: Justin Terry (VM) + +commit 4062fc9cedc5164b14c601d39130902c5287a392 +Merge: 9c65c894f b4d5ba02f +Author: Justin +Date: Tue Jul 30 16:36:33 2019 -0700 + + Merge pull request #330 from jterry75/parent_ctx + + Accept OpenCensus SpanContext on requests + +commit 56febed2020589f593236b238f8b9eb6684f6aca +Merge: 7eb1fb6ac 830f5f630 +Author: Justin +Date: Tue Jul 30 16:36:12 2019 -0700 + + Merge pull request #662 from jterry75/gcs_span_support + + Add external bridge OpenCensus span support + +commit 0e84e4129e0e7b7098f339647041d7d1a23d1940 +Author: Justin Terry (VM) +Date: Tue Jul 30 16:03:15 2019 -0700 + + Cleanup internal/hcs logging with Span support + + Signed-off-by: Justin Terry (VM) + +commit 830f5f630d562f37e955511d328b1826570e8f2a +Author: Justin Terry (VM) +Date: Mon Jul 29 12:58:22 2019 -0700 + + Add external bridge OpenCensus span support + + Signed-off-by: Justin Terry (VM) + +commit 7eb1fb6ac2daeb5a44c8b5952533c0c56b79d780 +Merge: 0291ac21d 38e85eca2 +Author: Justin +Date: Tue Jul 30 15:35:38 2019 -0700 + + Merge pull request #660 from sprt/master + + Add tests for the L4 proxy policy + +commit b4d5ba02fdb331ef8365d36ec25bdf5115c2e858 +Author: Justin Terry (VM) +Date: Tue Jul 30 13:38:45 2019 -0700 + + Accept OpenCensus SpanContext on requests + + 
Signed-off-by: Justin Terry (VM) + +commit 38e85eca2085ebe770b73744ac32a42446f8cf89 +Author: Aurélien Bombo +Date: Mon Jul 29 12:46:08 2019 -0700 + + Remove the ID field from L4ProxyPolicySetting + +commit 0291ac21db715cc43d6068dc18f78b7abed6ab9d +Merge: 45c1c5fb9 013514e7f +Author: Kevin Parsons +Date: Mon Jul 29 11:23:35 2019 -0700 + + Merge pull request #661 from microsoft/shim-opts-2 + + Add support for different log output modes + +commit 013514e7f7a86eba1bded1dc32633f002f2e227a +Author: Kevin Parsons +Date: Thu Jul 25 18:07:45 2019 -0700 + + Add support for different log output modes + + Log output modes determine where logging output is sent from the serve + shim: + + - NPIPE, the default, causes log output to be sent over the log pipe + that containerd provides. + - FILE, is unsupported and causes the shim to panic. + - ETW, causes log output to be sent only to ETW via the Logrus hook. + + Log output mode can be set via the DebugType enumeration on the shim + options struct. + + Signed-off-by: Kevin Parsons + +commit 9c65c894f5dc49d69455af130fd549e48e81c196 +Merge: 9dbdb559c 6cb62de84 +Author: Justin +Date: Fri Jul 26 11:14:04 2019 -0700 + + Merge pull request #329 from jterry75/signal_init_all + + Send SignalProcess to initpid to all pids in ns + +commit 6cb62de84bccebdae6d1876e59216b2f2d319fe8 +Author: Justin Terry (VM) +Date: Thu Jul 25 07:45:43 2019 -0700 + + Send SignalProcess to initpid to all pids in ns + + 
Signed-off-by: Justin Terry (VM) + +commit daa7b2bf6194c7c72d11230bfc9de7c57f379d7a +Author: Aurélien Bombo +Date: Thu Jul 25 18:22:04 2019 -0700 + + Delete the TestUpdateL4ProxyPolicyOnEndpoint test + + One test is enough to prove that the shim is able to program HNS, we'll + test edge cases in HNS directly. + +commit 45c1c5fb95bb3d8fbfd45b9aa397bda5f137de49 +Merge: d3edaf5e6 40ed75e2e +Author: Justin +Date: Thu Jul 25 10:37:40 2019 -0700 + + Merge pull request #657 from JocelynBerrendonner/vm + + Fixing an issue with NAT network type and omitempty using the V2 schema + +commit 40ed75e2e4ee4a0efd16f03f6a58e335f43c963b +Author: JocelynBerrendonner +Date: Tue Jul 23 19:05:08 2019 -0700 + + Fixed a regression in formatting + +commit d9324b8f5cf4bb04162ff22969748c7bc416a73b +Author: JocelynBerrendonner +Date: Fri Jul 12 13:15:03 2019 -0700 + + Fixing an issue with NAT network type and omitempty using the V2 schema + +commit 68d8003dcf45dcf54e5d6e62646c3b26d0decb8c +Author: Aurélien Bombo +Date: Wed Jul 24 16:22:20 2019 -0700 + + Add tests for the L4 proxy policy + + This tests that HNS doesn't spit back errors in case we send either an + Add or Create request to it for a detached endpoint. + + In addition, I added some fields to the L4ProxyPolicySetting struct to + support the WFP proxy. I also added the ability to specify the request + type when calling HostComputeEndpoint.ApplyPolicy(). + +commit d3edaf5e605e418ff37b1dd12c13481507506c2d +Merge: 87b250933 0f5002a11 +Author: Kevin Parsons +Date: Wed Jul 24 15:43:16 2019 -0700 + + Merge pull request #659 from microsoft/shim-opts + + Receive shim options via stdin + +commit 0f5002a11e92163dcfb6fd1ed65d2288de12e6a5 +Author: Kevin Parsons +Date: Wed Jul 24 13:52:32 2019 -0700 + + Receive shim options via stdin + + containerd has an option struct for our shim which contains both + shim-wide options (e.g. logging level) and task specific options (e.g. + sandbox image to use). 
Previously containerd only passed these options + in as part of the task creation call, but recently also added support + to pass them in directly to the shim via a protobuf message in stdin. + + Now that containerd supports passing the options directly to the shim, + we can use that as the source for shim-wide options, instead of doing + that only when a task is created. This will also make it easier to add + more shim-wide options in the future, as their affect can be applied + immediately on shim start. + + Signed-off-by: Kevin Parsons + +commit 87b2509333c514bbc643a8195ee3a2ee84898f0f +Merge: ae5748b26 e5b723643 +Author: Justin +Date: Tue Jul 23 08:18:14 2019 -0700 + + Merge pull request #655 from jterry75/more_context + + Forward Span context to all methods. + +commit ae5748b260f99b2332c5cb6fbaa4ef31ec91d3f1 +Merge: 0e75f08c2 d1aa4fb8c +Author: Justin +Date: Tue Jul 23 08:11:59 2019 -0700 + + Merge pull request #656 from jterry75/filter_shutdown + + Filter OperationPending logs SystemShutdown + +commit d1aa4fb8ccfbaf08e5fe5166a7fe16936d2ca171 +Author: Justin Terry (VM) +Date: Tue Jul 23 07:58:29 2019 -0700 + + Filter OperationPending logs SystemShutdown + + We do not need to log the OperationPending error code because this is an + expected case. + + 
Signed-off-by: Justin Terry (VM) + +commit 0e75f08c21280dc36758f99f3c925284abb6b3ca +Merge: 30ebd3d8c fbb9befe5 +Author: Justin +Date: Mon Jul 22 23:41:47 2019 -0700 + + Merge pull request #654 from jterry75/remove_unused + + Remove unused code + +commit e5b723643dfd557162e739159b0bed3a6177296c +Author: Justin Terry (VM) +Date: Mon Jul 22 23:00:57 2019 -0700 + + Forward Span context to all methods. + + 1. Forwards the entry Span context to all methods from the shim. + 2. Updates most logrus. messages to log.G(ctx). messages so that span + information will be forwarded as well. + 3. Updates the various tests/infra to the new calling patterns. + +commit fbb9befe5d98b0536a65a0ab9ca8c7080d3114ea +Author: Justin Terry (VM) +Date: Mon Jul 22 21:20:29 2019 -0700 + + Remove unused code + + Signed-off-by: Justin Terry (VM) + +commit 30ebd3d8c14b59fc0f7589c6afb8ce0da771e9a5 +Merge: ae5995d61 442a58fc4 +Author: Justin +Date: Mon Jul 22 16:05:14 2019 -0700 + + Merge pull request #653 from jterry75/revert_oc_error_response + + Revert OpenCensus Span Filtering + +commit 442a58fc43b4f49fe7c975f983bf20ba082fd768 +Author: Justin Terry (VM) +Date: Mon Jul 22 15:50:08 2019 -0700 + + Revert OpenCensus Span Filtering + + After talking more about this it is incorrect to revert this at the span level + this needs to be a client side filter as the span truly should represent the + status of the function or unit of work being executed. + + 
Signed-off-by: Justin Terry (VM) + +commit ae5995d61ccbeef1df818a963ac6dfa048d63733 +Merge: 593dfadf0 805178493 +Author: Justin +Date: Mon Jul 22 15:24:15 2019 -0700 + + Merge pull request #650 from jterry75/limit_errors + + Stop logging expected error values + +commit 8051784930b57da9b70c9253f4d0d72e209bad2b +Author: Justin Terry (VM) +Date: Mon Jul 22 11:55:34 2019 -0700 + + Stop logging expected error values + + Some HCS* functions return errors to signify a success with additional + information. In these cases we need to skip logging the error because the use + cases is expected and this isn't an error for the client who handles it. + + Signed-off-by: Justin Terry (VM) + +commit 593dfadf010b176483380d2b3f0a79cb22327ccb +Merge: 74cbcc173 6f84fff91 +Author: Justin +Date: Thu Jul 18 12:22:47 2019 -0700 + + Merge pull request #648 from jterry75/process_exitcode + + Capture ExitCode at process exit + +commit 6f84fff91a503c1a41faf6d0c7b53f90da0ab34e +Author: Justin Terry (VM) +Date: Thu Jul 18 10:53:07 2019 -0700 + + Capture ExitCode at process exit + + Signed-off-by: Justin Terry (VM) + +commit 74cbcc173d05441792bc951b0b65cf1f6443deb5 +Merge: 5edad5dad 7da7ba8a0 +Author: Justin +Date: Wed Jul 17 21:32:50 2019 -0700 + + Merge pull request #646 from microsoft/syscall_ctx + + Add context to vmcompute syscalls + +commit 5edad5dad7fa8c1dff525a424997ce3ea35df4f6 +Merge: d3efc4729 85d3fcf0e +Author: Justin +Date: Wed Jul 17 21:32:17 2019 -0700 + + Merge pull request #647 from nagiesek/hcnTestFixes + + Test fixes, removing an obsolete tests + +commit 7da7ba8a04429da9fc5e9232089cad0aedb283d2 +Author: Justin Terry (VM) +Date: Wed Jul 17 11:45:56 2019 -0700 + + Add context to vmcompute syscalls + + 
Signed-off-by: Justin Terry (VM) + +commit 85d3fcf0e03c67cf08a3ef843a34137a5c8144a1 +Author: Nathan Gieseker +Date: Wed Jul 17 21:16:46 2019 -0700 + + Test fixes, removing an obsolete tests + +commit 9dbdb559c37d8e3b8da6ca1bacd5b5cbf5f02c2c +Merge: 2e5055dc4 d40aa6457 +Author: Justin +Date: Wed Jul 17 14:49:48 2019 -0700 + + Merge pull request #326 from rhdedgar/master + + Typo fix + +commit d40aa645766d59c7689960ff4addf613e9d168cd +Author: Doug Edgar +Date: Tue Jul 16 14:51:39 2019 -0800 + + Typo fix + +commit d3efc47299c81d63099c593adde816cc8aefdbad +Merge: 40275baa2 438d2ef9f +Author: Justin +Date: Tue Jul 16 09:59:53 2019 -0700 + + Merge pull request #643 from microsoft/publish-event-logging + + Improve logging for event publishing + +commit 2e5055dc4c08665470f26321a5994c915c1b4fdf +Merge: 98047cd05 7defe2362 +Author: Justin +Date: Tue Jul 16 00:16:37 2019 -0700 + + Merge pull request #325 from jterry75/exit_code_fix + + ExitStatus should contain a signaled offset + +commit 438d2ef9f3fadee7a2ed52cecf66cb390738bb8c +Author: Kevin Parsons +Date: Mon Jul 15 14:10:27 2019 -0700 + + Improve logging for event publishing + + Signed-off-by: Kevin Parsons + +commit 7defe2362f377c56e53cc89c30c71281407249ce +Author: Justin Terry (VM) +Date: Mon Jul 15 16:11:26 2019 -0700 + + ExitStatus should contain a signaled offset + + 
Signed-off-by: Justin Terry (VM) + +commit 40275baa29f3dd7effb4dd8307b688e56418a00f +Merge: 60251c25c b6855b64e +Author: Justin +Date: Mon Jul 15 15:18:14 2019 -0700 + + Merge pull request #640 from nagiesek/policyFlag + + Adds NatFlags to portmappings + +commit 60251c25cd7b73c0349070bc7806c0f8f06af6d1 +Merge: f6382aa89 7b26e63b1 +Author: Justin +Date: Mon Jul 15 15:04:04 2019 -0700 + + Merge pull request #644 from microsoft/lcow_external_bridge + + uvm: Enable external guest connection for LCOW + +commit 7b26e63b12c66d3eec19aebe8d8ea73b8a7e805e +Author: John Starks +Date: Fri Jul 5 14:01:26 2019 -0700 + + uvm: Enable external guest connection for LCOW + +commit f6382aa89263eb773c96e4f01ff740fd9074cd7f +Merge: afccc7086 4124c0e65 +Author: Justin +Date: Mon Jul 15 10:30:24 2019 -0700 + + Merge pull request #641 from microsoft/nrcpus + + lcow: Explicitly pass CPU count to UVM via kernel command line + +commit 4124c0e659930be95625b5cfec1f51c363341e59 +Author: Kevin Parsons +Date: Thu Jul 11 16:43:45 2019 -0700 + + lcow: Explicitly pass CPU count to UVM via kernel command line + + Signed-off-by: Kevin Parsons + +commit b6855b64ea4a015d9fdf1f9ba739da484f57708f +Author: Nathan Gieseker +Date: Tue Jul 9 15:03:54 2019 -0700 + + Adds NatFlags to portmappings + +commit 98047cd05becb8ee189089709f0adc24bbe32999 +Merge: feafeff55 38167a9a5 +Author: Justin +Date: Sat Jul 6 09:43:20 2019 -0700 + + Merge pull request #324 from jterry75/etc_hosts + + Generate /etc/hosts on sandbox/standalone activation + +commit 38167a9a584eb702cfd02ed3da9de1fa39032491 +Author: Justin Terry (VM) +Date: Fri Jul 5 15:39:01 2019 -0700 + + Generate /etc/hosts on sandbox/standalone activation + + 
Signed-off-by: Justin Terry (VM) + +commit afccc7086fd30f0a13423319289cf569f92770e0 +Merge: 0703ee5e8 5b848eba1 +Author: Justin +Date: Fri Jul 5 09:30:21 2019 -0700 + + Merge pull request #639 from microsoft/update_lcow_memorytest + + Update minimum memory size for LCOW Memory test + +commit 5b848eba1577239c98b7983941a69bd5db227acd +Author: Justin Terry (VM) +Date: Fri Jul 5 09:28:26 2019 -0700 + + Update minimum memory size for LCOW Memory test + + Signed-off-by: Justin Terry (VM) + +commit feafeff55b2ac0bcbc3d12383efd187145d5af17 +Merge: 9bf5f376c 95f3e6181 +Author: Justin +Date: Wed Jul 3 00:16:08 2019 -0700 + + Merge pull request #323 from jterry75/runas_user + + Honor userstr override to uid/gid for runc activation + +commit 95f3e6181e35d953ecc2271e6d79631888dda949 +Author: Justin Terry (VM) +Date: Wed Jul 3 00:11:28 2019 -0700 + + Honor userstr override to uid/gid for runc activation + + Signed-off-by: Justin Terry (VM) + +commit 0703ee5e81cafe696c8851e3ee41f4a1edad23b3 +Merge: c6f98528d a404fe56c +Author: Justin +Date: Tue Jul 2 23:21:05 2019 -0700 + + Merge pull request #638 from jterry75/lcow_namespaces + + Forward all OCI Linux.Namespaces + +commit a404fe56c34f8cac92873e0543d8f991dac9c389 +Author: Justin Terry (VM) +Date: Tue Jul 2 23:17:55 2019 -0700 + + Forward all OCI Linux.Namespaces + + 
Signed-off-by: Justin Terry (VM) + +commit c6f98528dede8abc293dc90029c95e7436397134 +Merge: 852a61e54 381a14a5b +Author: Justin +Date: Thu Jun 27 14:10:51 2019 -0700 + + Merge pull request #634 from jterry75/cleanup_lcow_package + + Cleanup internal lcow package + +commit 852a61e54abdedc13babd7edce0b49c31000f6b6 +Merge: dc2a1837b 2d65022c4 +Author: Justin +Date: Thu Jun 27 14:10:36 2019 -0700 + + Merge pull request #635 from jterry75/cleanup_deallocatescsi + + Cleanup UVM RemoveSCSI workflow + +commit dc2a1837b7c71c309c941129a4531c2175276e1b +Merge: e7b99e120 951cfd164 +Author: Justin +Date: Thu Jun 27 14:10:23 2019 -0700 + + Merge pull request #636 from jterry75/cleanup_removevpmem + + Cleanup UVM RemoveVPMEM + +commit e7b99e120c9d2d16a86f1cfcf457af50f5cc0022 +Merge: 009b3782b 4dafc1203 +Author: Justin +Date: Thu Jun 27 14:04:12 2019 -0700 + + Merge pull request #637 from jterry75/cleanup_uvmwait + + Cleanup UVM Wait + +commit 4dafc1203a141de3bba0094b9da49bd164bf216f +Author: Justin Terry (VM) +Date: Thu Jun 27 11:14:38 2019 -0700 + + Cleanup UVM Wait + + Signed-off-by: Justin Terry (VM) + +commit 951cfd1648f310e65d943dff8dd8bdcae1dac3b9 +Author: Justin Terry (VM) +Date: Thu Jun 27 10:59:15 2019 -0700 + + Cleanup UVM RemoveVPMEM + + Signed-off-by: Justin Terry (VM) + +commit 2d65022c4f61e0ca49e1f7e92d6f3fb0c0006afc +Author: Justin Terry (VM) +Date: Thu Jun 27 10:56:00 2019 -0700 + + Cleanup UVM RemoveSCSI workflow + + Signed-off-by: Justin Terry (VM) + +commit 381a14a5b9af9b03397e4237566417d90566e476 +Author: Justin Terry (VM) +Date: Thu Jun 27 10:44:09 2019 -0700 + + Cleanup internal lcow package + + 
Signed-off-by: Justin Terry (VM) + +commit 009b3782b7699e013d517ae149c8161e0a4428f3 +Merge: 7a5bf6f90 2f2db50db +Author: Justin +Date: Thu Jun 27 10:01:06 2019 -0700 + + Merge pull request #633 from veerun14/add-container-network-test + + Added a simple network ping test on container start + +commit 2f2db50db2d46fd35ea60d0eed9cef51da268609 +Author: Veeraiah Chowdary Nuvvula +Date: Wed Jun 26 08:39:45 2019 -0700 + + Added a simple network ping test on container start + +commit 9bf5f376cf792133d54ee864944a1063ecbf2b0b +Merge: 205d179d2 a79395def +Author: Justin +Date: Tue Jun 25 16:30:04 2019 -0700 + + Merge pull request #322 from jterry75/duration_to_string + + Force span duration to pretty print + +commit 7a5bf6f90c7bdfe087f9590eb4fe32a9d9780a0f +Merge: 20f132925 387aa9155 +Author: Justin +Date: Tue Jun 25 16:27:31 2019 -0700 + + Merge pull request #631 from jterry75/support_oc + + Add OpenCensus support to containerd runhcs shim + +commit a79395def0385069542e56578fb0251074696f33 +Author: Justin Terry (VM) +Date: Tue Jun 25 16:26:32 2019 -0700 + + Force span duration to pretty print + + Signed-off-by: Justin Terry (VM) + +commit 387aa91550a7a1a91d3e36d18454265f5e70763f +Author: Justin Terry (VM) +Date: Fri Jun 21 15:00:45 2019 -0700 + + Add OpenCensus support to containerd runhcs shim + + Signed-off-by: Justin Terry (VM) + +commit 20f132925185ba8de972deb1feffded3d8ec0e91 +Merge: 7c0c2589d ef775b6a9 +Author: Justin +Date: Tue Jun 25 13:54:17 2019 -0700 + + Merge pull request #582 from thaJeztah/fix_version_typo + + Fix Windows Server version for RS4 in comment + +commit 7c0c2589d86d5b4cff5781362d45fd2e28647b90 +Merge: 3eedef742 d1649af66 +Author: Justin +Date: Tue Jun 25 10:55:29 2019 -0700 + + Merge pull request #632 from microsoft/vendor-winio + + Revendor go-winio + +commit d1649af6616716c9a943a3b0e605b370495ff561 +Author: Kevin Parsons +Date: Tue Jun 25 10:47:55 2019 -0700 + + Revendor go-winio + + 
Signed-off-by: Kevin Parsons + +commit 3eedef742624f3d8884f2c0a554a5d1f496245d0 +Merge: 70518867a ad4db9818 +Author: Justin +Date: Tue Jun 25 10:34:30 2019 -0700 + + Merge pull request #626 from microsoft/jjh/panic21355099 + + Avoid panic: argon with VHD + +commit 205d179d2af6fb6a9d2b7622ebeeaabf6f5a190a +Merge: 7b0368e38 b75c62cf3 +Author: Justin +Date: Tue Jun 25 10:33:39 2019 -0700 + + Merge pull request #321 from jterry75/span_name + + Export all OC span's with name key + +commit b75c62cf3e80ee45a088ef8ec649782d769f8ecc +Author: Justin Terry (VM) +Date: Tue Jun 25 10:26:20 2019 -0700 + + Export all OC span's with name key + + Signed-off-by: Justin Terry (VM) + +commit ad4db98187effd387587740933d8575b5a0707c3 +Author: John Howard +Date: Tue Jun 11 16:09:00 2019 -0700 + + Avoid panic:argon with VHD + + Signed-off-by: John Howard + +commit 70518867aaffe97576db2854a7b7eee6543db93d +Merge: 115e45533 23b674df7 +Author: Kevin Parsons +Date: Fri Jun 21 15:12:30 2019 -0700 + + Merge pull request #629 from microsoft/log-rotate + + Add test for container log rotation + +commit 7b0368e385a319a5021404c7cf9d064216199e6b +Merge: dfc46977d d15938c03 +Author: Justin +Date: Thu Jun 20 17:17:15 2019 -0700 + + Merge pull request #318 from jterry75/add_ctx + + Forward context logging for all requests/responses + +commit d15938c03e854de4f119a18b6df58cdf03cc7aa5 +Author: Justin Terry (VM) +Date: Fri May 31 16:14:03 2019 -0700 + + Add OpenCensus support for all V2 requests/responses + + Creates a context chain on all requests and forwards it to all calls for the + duration of the context. + + 
Signed-off-by: Justin Terry (VM) + +commit 115e455336c0a9adf2ff64ab6064156ef24ae348 +Merge: 16602123e 6e9db1e87 +Author: Kevin Parsons +Date: Thu Jun 20 14:17:52 2019 -0700 + + Merge pull request #622 from microsoft/process-stdio + + Add new create process API to not save stdio pipes + +commit dfc46977d7710ef9c31d74bbde3197532f46179d +Merge: b788199fa afadb5087 +Author: Justin +Date: Thu Jun 20 11:14:52 2019 -0700 + + Merge pull request #320 from jterry75/non_ptr_basetype + + MessageBase should not be including as ptr type + +commit afadb508764889e8c46063f4c2f16d8c61b9cc75 +Author: Justin Terry (VM) +Date: Thu Jun 20 09:59:59 2019 -0700 + + MessageBase should not be including as ptr type + + 
Signed-off-by: Justin Terry (VM) + +commit b788199fa3c08887ca94050d84e76a919fec44bb +Merge: f516a03c0 456e8a83a +Author: Justin +Date: Wed Jun 19 16:44:28 2019 -0700 + + Merge pull request #319 from jterry75/etc_hosts + + Maps /etc/hosts and /etc/hostname to sandbox/workload containers + +commit 456e8a83a06061d54f291cd7859202cf774f0a5d +Author: Justin Terry (VM) +Date: Thu May 30 16:47:26 2019 -0700 + + Maps /etc/hosts and /etc/hostname to sandbox/workload containers + + 1. Modifies the existing networking model to properly allocate namespaces only + for standalone or sandbox containers. + 2. Modifies the existing /etc/resolv.conf handling to properly create for + standalone or sandbox containers but bind mount for workload containers. + 3. Adds support for mapping the sandbox containers /etc/hostname to the + workload container. + 4. Adds support for mapping the sandbox containers /etc/hosts file to the + workload container. + 5. Adds support to standalone containers for /etc/hostname and /etc/hosts + files. + +commit 6e9db1e87e4f5996dd61b6a522b451633c62f7a7 +Author: Kevin Parsons +Date: Mon Jun 3 14:20:57 2019 -0700 + + Add new create process API to not save stdio pipes + + CreateIoCompletionPort (used by makeOpenFiles) can only be called once + successfully for a given underlying object, regardless of how many + handles we have to the object. + + The previous behavior of process stdio was to call + HcsGetProcessInfo when Stdio was called, then call makeOpenFiles and + return the resulting handles[1]. + + As part of a recent change, CreateProcess was changed to call + makeOpenFiles on the stdio handles at process creation time, and save + the new handles on the process struct. These saved handles are now + returned directly by Stdio. In an effort to preserve legacy compat, a + new function, StdioLegacy, was added which preserved the old Stdio + behavior, and the legacy caller was changed to use StdioLegacy instead + of Stdio. 
+ + However, because CreateIoCompletionPort can only be called once for a + single object, and it has already been called on a handle for the stdio + pipe object at process creation time, StdioLegacy now fails. + + This change addresses this issue by creating a new CreateProcessNoStdio + function which preserves the old process creation behavior, and just + closes the initial stdio handles received at process creation time. This + function is now used by the legacy caller, which should allow projects + like Docker to work properly. + + [1] This actually means that although the comment on the old Stdio + implementation stated it could be called multiple times to receive + multiple sets of handles, it would actually fail after being called the + first time. This change does not fix this issue, but does remove the + incorrect comment. + + Signed-off-by: Kevin Parsons + +commit 23b674df7f7bf719300ccbe4ceadf04883057690 +Author: Kevin Parsons +Date: Tue Jun 18 16:27:20 2019 -0700 + + Add test for container log rotation + + This test runs a container that outputs incrementing integers every 0.1 + seconds. The container output goes to a log file. After 3 seconds of + execution, the log file is rotated by first renaming the existing file + (which will cause output to continue to go to the renamed file), and + then calling CRI's ReopenContainerLog. ReopenContainerLog causes + containerd to close the old log file handle, and open a new handle to + the original file path. After waiting 3 more seconds, we then stop the + container, and validate to make sure no numbers were skipped in the + combined two log files. + + 
Signed-off-by: Kevin Parsons + +commit 16602123eae47600eca7a569aee0a1af88c58d08 +Merge: 079f257e9 9e70581d7 +Author: Justin +Date: Wed Jun 12 11:36:09 2019 -0700 + + Merge pull request #625 from jterry75/create_scratch_size + + Add support for custom scratch sizes + +commit 9e70581d7cd4165cf5c1f30aba37a0e71206f965 +Author: Justin Terry (VM) +Date: Mon Jun 10 14:28:52 2019 -0700 + + Add support for custom scratch sizes + + 
Signed-off-by: Justin Terry (VM) + +commit f516a03c01b82fcc45fec792b5dfd792f9e06a83 +Merge: 517472ccc 379e9f634 +Author: Justin +Date: Thu Jun 6 15:51:05 2019 -0700 + + Merge pull request #317 from jterry75/simplify_request_return + + Simplify the bridge request/return pattern + +commit 379e9f63454781bf7cc9900de0dca47a118b23eb +Author: Justin Terry (VM) +Date: Wed Jun 5 10:09:35 2019 -0700 + + Simplify the bridge request/return pattern + + This change makes it easier for the rquest/response pattern to return a result + or error. This is perferred over the w.Write and w.Error pattern where a + response must be written and then an early return. This makes the code easier + to read and control flow easier to understand. + +commit 517472ccc15549bf0f7332b83f3fa3baeea82a0f +Merge: 7977f11b2 dc5fc6e61 +Author: Justin +Date: Wed Jun 5 14:52:26 2019 -0700 + + Merge pull request #315 from jterry75/regression_on_stop + + Fix regression in external process wait on V2 + +commit 7977f11b2f5d33c83201899ec4ae65340801751f +Merge: a613c5742 4d73321a5 +Author: Justin +Date: Wed Jun 5 14:52:10 2019 -0700 + + Merge pull request #316 from jstarks/fix_rootfs_hard_links + + rootfs: Convert from initrd by extracting and archiving + +commit 4d73321a52c390506bae3e257ed49daa4c7c9c17 +Author: John Starks +Date: Wed Jun 5 14:33:53 2019 -0700 + + rootfs: Convert from initrd by extracting and archiving + + This fixes files that are hard linked in the root file system. + + Before this change, bsdtar was used to convert the cpio initrd archive + to a tar file, but this failed for mkfs* files that are hard linked to + each other. This is arguably a bug in bsdtar, but it is complicated + because tar and cpio store hard linked files in reverse order from each + other (tar stores the payload in the first hard link, while cpio stores + the payload in the last link). 
+ +commit dc5fc6e61ba1dbb0dd7bcc26dc548cbf25fe0244 +Author: Justin Terry (VM) +Date: Wed Jun 5 14:15:49 2019 -0700 + + Fix regression in external process wait on V2 + + Signed-off-by: Justin Terry (VM) + +commit 079f257e900ec9086f9f8476e6ded645458b70e2 +Merge: f5d95a7b5 9e237ca76 +Author: Justin +Date: Wed Jun 5 11:19:13 2019 -0700 + + Merge pull request #623 from jterry75/lcow_create_scratch + + Fix regressions in lcow.CreateScratch + +commit 9e237ca766197bbe1b5dfa63a91ad62d5ceeada4 +Author: Justin Terry (VM) +Date: Wed Jun 5 08:43:05 2019 -0700 + + CreateScratch should test for /block dir + + Signed-off-by: Justin Terry (VM) + +commit ddc409701d979c376fc66d94c095f52e9fe4cf03 +Author: Justin Terry (VM) +Date: Wed Jun 5 08:11:28 2019 -0700 + + Print valid err in type assertion failure + + Signed-off-by: Justin Terry (VM) + +commit 4f32c6df9d0b0d99f1e6610062dbd91a86dcc9e7 +Author: Justin Terry (VM) +Date: Wed Jun 5 08:10:28 2019 -0700 + + Context cancel should only run on success + + Signed-off-by: Justin Terry (VM) + +commit f5d95a7b528dd83bbd8dc8530617dcc12f40d934 +Merge: 09706d16c 81545fb32 +Author: Kevin Parsons +Date: Mon Jun 3 10:04:20 2019 -0700 + + Merge pull request #618 from microsoft/fix-nametoguid + + Replace guid-to-array with APIs from guid package + +commit 09706d16c3c7791bdb1b0e5cbd1003d083ed6eeb +Merge: 1085c8f56 7f121e3de +Author: Justin +Date: Mon Jun 3 09:03:52 2019 -0700 + + Merge pull request #621 from jterry75/619 + + Fixing malformed JSON tag + +commit 7f121e3de130c11532f4f58668f2288bbf2c8e5a +Author: Justin Terry (VM) +Date: Mon Jun 3 08:56:54 2019 -0700 + + Fixes a malformed JSON tag + + Resolves: #620 + + Signed-off-by: Justin Terry (VM) + +commit 04f79a53058cf411e3c326ee34b460b73daaee37 +Author: Justin Terry (VM) +Date: Mon Jun 3 08:54:40 2019 -0700 + + Fixing malformed JSON tag + + Resolves: #619 + + 
Signed-off-by: Justin Terry (VM) + +commit 81545fb3221f1bec7558004d5124f904cc69e741 +Author: Kevin Parsons +Date: Fri May 31 18:05:29 2019 -0700 + + Replace guid-to-array with APIs from guid package + + This is part of fixing the guid-to-array functions in layer.go which + were using the wrong array indices. The best way to fix this now is to + use the functionality in the go-winio guid package. + + Signed-off-by: Kevin Parsons + +commit 6bb25550e5f2a7ef6b0cb603587787b9aec8f4b8 +Author: Kevin Parsons +Date: Fri May 31 18:04:58 2019 -0700 + + Revendor go-winio + + Signed-off-by: Kevin Parsons + +commit 1085c8f569e1e3a07ce2ebcc921a952aa4b1af50 +Merge: 6ed005e99 d1fa7950e +Author: Justin +Date: Fri May 31 11:37:25 2019 -0700 + + Merge pull request #617 from microsoft/state_log + + Improve shim entry/exit logging + +commit d1fa7950e0f8326a149ac866796f873cc60f3e10 +Author: Justin Terry (VM) +Date: Thu May 30 07:07:36 2019 -0700 + + Improve shim entry/exit logging + + 1. Improves the fields logged on exit to include important values from the + response. + 2. Returns the logrus.Entry from beginActivity to avoid another alloc on + endActivity. + + 
Signed-off-by: Justin Terry (VM) + +commit 6ed005e99491cf14fa05b713de4b2f35e20b2f36 +Merge: 68b466dde da320e6c7 +Author: Justin +Date: Thu May 30 11:24:37 2019 -0700 + + Merge pull request #611 from jstarks/dead_code + + lcow: Remove process creation and copywithtimeout + +commit 68b466ddec9f9ddb13301e701e23e485b38801fa +Merge: 92f72af61 a9f15356e +Author: Justin +Date: Wed May 22 15:51:03 2019 -0700 + + Merge pull request #614 from jstarks/shimdiag_hang + + shimdiag: Do not hang exec -t on Ctrl-Z + +commit 92f72af6168070f9f9e7a45a02f1d1c313286f7a +Merge: 829b0d81e 679e476e1 +Author: Justin +Date: Wed May 22 15:49:13 2019 -0700 + + Merge pull request #616 from microsoft/update_grpc + + Update grpc to 1.20.1 + +commit 679e476e1c9c526f79dea55be84623673509a59d +Author: Justin Terry (VM) +Date: Wed May 22 14:24:15 2019 -0700 + + Update grpc to 1.20.1 + + 
Signed-off-by: Justin Terry (VM) + +commit 829b0d81ecf9b897c16f597e104381cba9217264 +Merge: 0a2ec9674 2f1cea06b +Author: Justin +Date: Mon May 20 10:28:44 2019 -0700 + + Merge pull request #613 from jstarks/no_lazy_init + + lcow: Eagerly initialize the ext4 inode tables + +commit 0a2ec9674a9dff02c35e1aca1ae0e659dd9b930f +Merge: 0fdb38f3e f377f4ff4 +Author: Justin +Date: Mon May 20 10:27:50 2019 -0700 + + Merge pull request #615 from jstarks/uvmboot_console + + uvmboot: Add tty option + +commit f377f4ff4a74a588898c120ed96076ae853ee62d +Author: John Starks +Date: Fri May 17 10:24:36 2019 -0700 + + uvmboot: Add tty option + + This option enables uvmboot to be used to create an interactive process + in the utility VM. + +commit 2f1cea06b6eae42d0fc991fcf703ae3d1fc946dc +Author: John Starks +Date: Thu May 16 10:58:35 2019 -0700 + + lcow: Eagerly initialize the ext4 inode tables + + This change disables lazily initialization of the sandbox VHDX's inode + tables. This prevents the kernel from subsequently zeroing them in the + background at each container start. + +commit da320e6c75b291753e16d053b67efc94c1cc7f32 +Author: John Starks +Date: Wed May 8 16:39:19 2019 -0700 + + lcow: Remove process creation and copywithtimeout + +commit 0fdb38f3e9bb59932c943ed5503d284bbccf7fa0 +Merge: c809de488 5075adbfa +Author: Justin +Date: Wed May 15 15:46:44 2019 -0700 + + Merge pull request #612 from microsoft/disallow_v2_lcow + + Enable bridge v4 on all v2 LCOW activations + +commit 5075adbfaa68a0a30402c386f76297a09ddcd080 +Author: Justin Terry (VM) +Date: Wed May 15 15:34:58 2019 -0700 + + Enable bridge v4 on all v2 LCOW activations + + 
Signed-off-by: Justin Terry (VM) + +commit a613c574224782ae10f5dfe9eced6003dead997e +Merge: bde2cc172 a2bc40a2c +Author: Justin +Date: Wed May 15 13:57:07 2019 -0700 + + Merge pull request #314 from jterry75/fix_resize_on_exited + + Separate v1 and v2 bridge interfaces + +commit a2bc40a2c426282eb42609f9185d9c50bffc81ad +Author: Justin Terry (VM) +Date: Wed May 15 10:46:37 2019 -0700 + + Separate v1 and v2 bridge interfaces + + This change breaks apart the v1 and v2 schema interfaces as well as the v3 and + v4+ bridge protocols. It makes the v4+ protocol opt in so that downlevel + clients running v1 Xenons will stay on v3. This allows us to iterate and change + the model for v4+ without risking breaking downlevel. + + Signed-off-by: Justin Terry (VM) + +commit c809de48827f94d52fcc982a9920eac9d11eedd5 +Merge: 547f2201b 70b6c8416 +Author: John Starks +Date: Wed May 15 12:09:20 2019 -0700 + + Merge pull request #609 from jstarks/errors + + gcs: Add ErrorMessage field to RPC response + +commit bde2cc1726750070c3e18079b28effcbf21266bc +Merge: 0a61924c8 1e2df3733 +Author: Justin +Date: Wed May 15 11:45:59 2019 -0700 + + Merge pull request #313 from microsoft/unknown_message_regression + + UnknownMessage for v1 requires E_NOTIMPL + +commit 1e2df3733f8b24cf8dbc6b5cf646456f8eaa05d4 +Author: Justin Terry (VM) +Date: Wed May 15 11:09:50 2019 -0700 + + UnknownMessage for v1 requires E_NOTIMPL + + 
Signed-off-by: Justin Terry (VM) + +commit 0a61924c8c154ffb4ec98478439aafe0399bd2ae +Merge: 97a5777da 4d3d9c1e7 +Author: Justin +Date: Wed May 15 11:34:44 2019 -0700 + + Merge pull request #312 from jstarks/error + + gcs: Fill out ErrorMessage string for HCS external bridge + +commit 547f2201bce6c61f2af59085f01901300ffc3444 +Merge: 0382e67c8 a79b6216f +Author: John Starks +Date: Wed May 15 10:03:56 2019 -0700 + + Merge pull request #610 from jstarks/external_wcow + + gcs: Add WCOW support + +commit 70b6c8416c76a1d86727046df41ce11cd066b2b0 +Author: John Starks +Date: Wed May 15 09:05:35 2019 -0700 + + gcs: Add ErrorMessage field to RPC response + + The existing RPC protocol's error response is an HRESULT, which loses + information and does not work well for the Linux GCS. The response also + has error records, which can have richer error strings, but it is + ambiguous which of these strings are meant to be user facing and which + are for debugging. + + This change adds an ErrorMessage field that Windows HCS and GCS will + ignore but Linux GCS will fill out with the underlying error string. + This makes it unambiguous which string should be returned to the user. + +commit a79b6216f585a5ec7b4d3514dcbb984804607162 +Author: John Starks +Date: Wed May 15 09:18:26 2019 -0700 + + gcs: Add WCOW support + + This change fixes various bugs to unblock WCOW support for UVMs that + support the RS5+ GCS protocol. + +commit 4d3d9c1e74f12d324f46c597d73955800e2bb1c1 +Author: John Starks +Date: Wed May 15 09:10:08 2019 -0700 + + gcs: Fill out ErrorMessage string for HCS external bridge + + To make it unambiguous which string represents the user-actionable + error, return it in a new field in the bridge response. 
+ +commit 0382e67c84a78dc5abc40172b47e1aadc6405ff4 +Merge: 57bf1ad56 3c9297345 +Author: John Starks +Date: Wed May 15 08:28:39 2019 -0700 + + Merge pull request #608 from jstarks/uvmboot_wcow + + uvmboot: Add WCOW support + +commit 3c9297345421ffa77a4a5492b5237bd442f0f522 +Author: John Starks +Date: Tue May 14 14:26:08 2019 -0700 + + uvmboot: Add WCOW support + +commit 97a5777da139ecce3a1d71d55f963403770e0fcb +Merge: 291ac98c3 630b35470 +Author: Justin +Date: Mon May 13 16:34:43 2019 -0700 + + Merge pull request #311 from jterry75/fix_resize_on_exited + + Ignore ResizeConsole of init process after exit + +commit 630b354703f2bcc5472821d7c8f0c66e0f28a045 +Author: Justin Terry (VM) +Date: Mon May 13 15:37:56 2019 -0700 + + Ignore ResizeConsole of closed tty + + Signed-off-by: Justin Terry (VM) + +commit 57bf1ad56e62ca2c2e097c295c2f6041c2e9640f +Merge: 082bdf52e 5f7954236 +Author: Kevin Parsons +Date: Mon May 13 14:07:23 2019 -0700 + + Merge pull request #603 from microsoft/replace-guid + + Replace hcsshim guid package with the one from go-winio + +commit 5f79542362e1143b7c90089ea4949e559d487555 +Author: Kevin Parsons +Date: Fri May 10 00:25:58 2019 -0700 + + Replace hcsshim guid package with the one from go-winio + + 
Signed-off-by: Kevin Parsons + +commit 082bdf52e06aa269636ae3a6b025048143b72343 +Merge: 66a6e17a6 954d3d1d2 +Author: Justin +Date: Mon May 13 13:04:05 2019 -0700 + + Merge pull request #607 from jstarks/wcow_shimdiag + + shim: Run diag exec processes on Windows as SYSTEM + +commit 66a6e17a6c9595db8f283177714191b38157a092 +Merge: 1362434f9 2125cb605 +Author: John Starks +Date: Mon May 13 13:02:58 2019 -0700 + + Merge pull request #601 from jstarks/external_bridge + + External bridge + +commit 954d3d1d2f73e885d201bd5ac4fc7627776cf7a1 +Author: John Starks +Date: Mon May 13 12:55:45 2019 -0700 + + shim: Run diag exec processes on Windows as SYSTEM + + The default user for container processes does not exist for the utility + VM. Explicitly set the user to SYSTEM. + +commit 1362434f9841783d4a6d66dbeccccf126314c3b0 +Merge: c7ff2530b b1dcba88d +Author: John Starks +Date: Mon May 13 12:17:30 2019 -0700 + + Merge pull request #606 from jstarks/disable_failing_test + + test: Disable failing RunAsUser test until functionality is enabled + +commit b1dcba88dba12b0547faa029a16b90a371a060f5 +Author: John Starks +Date: Mon May 13 12:11:02 2019 -0700 + + test: Disable failing RunAsUser test until functionality is enabled + +commit 291ac98c3f49514edd3833caf711e5b93282bdef +Merge: f812e6a49 6582bd26f +Author: John Starks +Date: Mon May 13 10:26:05 2019 -0700 + + Merge pull request #310 from jstarks/fix_stretch + + Makefile: Fixes to run in Debian stretch + +commit 6582bd26f1e1506ef57904c14e9246e78b742ce3 +Author: John Starks +Date: Mon May 13 10:04:17 2019 -0700 + + Makefile: Fixes to run in Debian stretch + + This fixes a few limitations that prevent the Makefile from being used + in a Debian stretch environment. It also fixes uses of non-standard Go + paths. 
+ +commit c7ff2530b13cc14e8ab001e93e1cb8a89c927445 +Merge: 21ae840c3 42f683c2b +Author: Justin +Date: Mon May 13 06:43:37 2019 -0700 + + Merge pull request #587 from veerun14/add_RunAs_Test + + Added a test for RunAsUser option for LCOW container + +commit 21ae840c32a642dd3cdb5e263a12825d426434e9 +Merge: b9bc8c6ac 8f86d76de +Author: Justin +Date: Mon May 13 06:08:14 2019 -0700 + + Merge pull request #605 from jstarks/use_cmd + + Use hcsoci.Cmd everywhere + +commit 2125cb605c09d7b775c950f68c0f848d9d950692 +Author: John Starks +Date: Sat May 11 21:25:18 2019 -0700 + + uvm: Use external bridge when requested + + This change hooks the external bridge (gcs package) up to the uvm + package when requested. + +commit ebd08130aff066f5ebc59595fc07e86b0e0e20aa +Author: John Starks +Date: Wed May 8 04:18:03 2019 +0000 + + gcs: Add external bridge implementation + + This change provides a package that implements the external bridge, + which communicates with the GCS in order to create containers and + processes. + + Currently the bridge only supports LCOW, not WCOW. + +commit 8f86d76defc5facf5a57bbf96b004265499f178b +Author: John Starks +Date: Wed May 8 15:05:03 2019 -0700 + + lcow: Convert to use hcsoci.Cmd + +commit 98f2f15e0765f0d91a1dd4d6426ef544e38af965 +Author: John Starks +Date: Wed May 8 15:04:05 2019 -0700 + + shim: Convert to use hcsoci.Cmd + +commit 98284d031c64acc9f2b48d1a018079c440adb3bb +Author: John Starks +Date: Wed May 8 15:03:30 2019 -0700 + + runhcs: Convert to use hcsoci.Cmd + +commit b9bc8c6acd4acab34976e0e70ee7e3320a67a8b8 +Merge: 024c344c8 0d281e0e8 +Author: John Starks +Date: Sat May 11 20:20:33 2019 -0700 + + Merge pull request #604 from thaJeztah/gofmt_all_the_things + + gofmt internal/schema2 package + +commit 0d281e0e887312663fc108b65e795bb48f473b9f +Author: Sebastiaan van Stijn +Date: Fri May 10 14:14:46 2019 -0700 + + gofmt internal/schema2 package + + 
Signed-off-by: Sebastiaan van Stijn + +commit 024c344c848dfcdb70be4ae9e0981e7f12b22478 +Merge: 1c60725a8 e96782d4a +Author: Justin +Date: Thu May 9 23:37:33 2019 -0700 + + Merge pull request #602 from microsoft/update-vendor-guid + + Update to new go-winio and passing GUID by value + +commit e96782d4af6cfb9df82637f7ee5f1781f8d7d1c5 +Author: Kevin Parsons +Date: Thu May 9 23:13:10 2019 -0700 + + Update code to pass GUID by value + + Signed-off-by: Kevin Parsons + +commit aa52e645636c42172062ca7d87bf139eea4e11df +Author: Kevin Parsons +Date: Thu May 9 23:10:42 2019 -0700 + + Update go-winio and re-vendor + + 
Signed-off-by: Kevin Parsons + +commit 1c60725a8ee38f5a51f4207e25372a3f218fbada +Merge: ef434c79d ed0490185 +Author: John Starks +Date: Thu May 9 15:27:04 2019 -0700 + + Merge pull request #599 from jstarks/stdio + + hcsoci: Add Cmd type for simplifying process launches + +commit ed0490185e0e3d6403725016583308a689c204b8 +Author: John Starks +Date: Wed May 8 15:03:43 2019 -0700 + + uvmboot: Convert to use hcsoci.Cmd + +commit cd396399bef4ee4c98de86f97eff7b9039551296 +Author: John Starks +Date: Wed May 8 15:00:27 2019 -0700 + + hcsoci: Add Cmd type for simplifying process launches + + Cmd is modeled after os/exec.Cmd, which makes it easy to launch + and wait for processes and relay their stdio. This version of Cmd is + designed to take in an OCI process specification, and it can launch a + process on anything that implements cow.ProcessHost. + +commit a9f15356e3e1f40a414f00a31bbb92c58cdaccef +Author: John Starks +Date: Thu May 9 15:43:54 2019 +0000 + + shimdiag: Do not hang exec -t on Ctrl-Z + + os.Stdin.Read() returns EOF if the user presses Ctrl-Z. This makes sense + for non-terminal execs, where we can close stdin for the process and the + process will generally exit. But it does not make sense for terminal + execs, where Ctrl-Z will just cause the process to hang. + + When using exec in terminal mode, read raw bytes from the stdin + descriptor to avoid this Ctrl-Z translation. 
+ +commit f812e6a491d4b38e3b9ecb46f7dc744b072895f4 +Merge: add1ce4a6 67b5c1768 +Author: Justin +Date: Wed May 8 16:57:02 2019 -0700 + + Merge pull request #301 from microsoft/fix_result + + Return proper ContainerExit result + +commit ef434c79ddb3d5563385a2d4918bcd82fbc81387 +Merge: 4abe7d42e eb84497f7 +Author: Justin +Date: Wed May 8 16:56:41 2019 -0700 + + Merge pull request #600 from jstarks/no_tar2vhd + + lcow: Remove unused tar2vhd code + +commit eb84497f7d76ee01fe3a5785863b1474dda008db +Author: John Starks +Date: Wed May 8 15:04:33 2019 -0700 + + lcow: Remove unused tar2vhd code + +commit 4abe7d42ec0cc21c390430e1f2d15afa2f0121de +Merge: e957390a4 8e4728af8 +Author: John Starks +Date: Wed May 8 16:32:06 2019 -0700 + + Merge pull request #594 from jstarks/container_iface + + cow: Add and use interfaces for containers and processes + +commit 8e4728af846ee8b4531fb1e1a0738c44f4a2c2b6 +Author: John Starks +Date: Wed May 8 16:04:47 2019 -0700 + + cow: Add and use interfaces for containers and processes + + The external bridge will provide an alternate implementation of these + interfaces. + + Note that the external bridge will not be compatible with clients that + call OpenProcess or OpenComputeSystem (since the bridge will run + in-proc). So runhcs, which relies on OpenComputeSystem, does not use + these types and will use a type assertion to get back to an hcs.System. + +commit 67b5c1768df06051b07c23123167cdeac91e97b1 +Author: Justin Terry (VM) +Date: Wed May 1 12:58:26 2019 -0700 + + Return proper ContainerExit result + + 1. Fixes a bug where we were returning an exit code in the ContainerExit.Result + field which was incorrect. This is an HRESULT value of the Wait Result not the + exit code which is returned at Process.Wait. + + 2. Implements v2 to handle Graceful/Forced exit instead of just Unexpected when + the client is responsible for the SIGTERM/SIGKILL that stops the container. + + 
Signed-off-by: Justin Terry (VM) + +commit e957390a469e0fc5b8bef7523229c1ace1c7e982 +Merge: 54679ca43 fe533edf0 +Author: Justin +Date: Wed May 8 15:43:06 2019 -0700 + + Merge pull request #592 from jstarks/create_container + + uvm: Add UtilityVM.CreateContainer method + +commit 54679ca4397b6caaba7f3c66d7bddf4f0b8a2f15 +Merge: 4e2c99c71 830d954cf +Author: John Starks +Date: Wed May 8 09:02:37 2019 -0700 + + Merge pull request #593 from jstarks/process_cleanup + + hcs: Make Process.Properties private + +commit add1ce4a638f9850353f78af346e4fec2346be1e +Merge: e87221527 dbe114809 +Author: Kevin Parsons +Date: Tue May 7 21:30:45 2019 -0700 + + Merge pull request #308 from microsoft/modules + + Transition to Go modules + +commit 4e2c99c71043b436f25897474afeaa4e5e4b5031 +Merge: 95ef8b986 797e3f6d9 +Author: Kevin Parsons +Date: Tue May 7 21:30:37 2019 -0700 + + Merge pull request #595 from microsoft/modules + + Transition to Go modules + +commit dbe114809a3ce89ade39822599f362f13960e75c +Author: Kevin Parsons +Date: Tue May 7 19:36:51 2019 -0700 + + Run go mod tidy + + Signed-off-by: Kevin Parsons + +commit a1d9046bfb0aac36fcef80e379bac40d4ba7117f +Author: Kevin Parsons +Date: Tue May 7 19:36:05 2019 -0700 + + Transition to Go modules + + Signed-off-by: Kevin Parsons + +commit 797e3f6d9c9cf24ff7dc1524f76a12565b51ee50 +Author: Kevin Parsons +Date: Tue May 7 16:11:16 2019 -0700 + + Run go mod tidy + + Signed-off-by: Kevin Parsons + +commit f4679980a6e6d3b49822d10a73aeca5f24a5844a +Author: Kevin Parsons +Date: Tue May 7 12:44:51 2019 -0700 + + Transition to Go modules + + 
Signed-off-by: Kevin Parsons + +commit e87221527445903a4324db7042d751ba05681463 +Author: John Starks +Date: Tue May 7 14:40:26 2019 -0700 + + Update Travis CI path + +commit 6218f811c06a33339034300197c2ff2f8f403ba3 +Merge: dcc6ef81a db8d6af96 +Author: John Starks +Date: Tue May 7 13:52:33 2019 -0700 + + Merge pull request #306 from jstarks/godeps + + Makefile: Only rebuild Go targets if a dependency has changed + +commit 830d954cf9595e2f017185500b201d2601a26746 +Author: John Starks +Date: Tue May 7 20:50:48 2019 +0000 + + hcs: Make Process.Properties private + + This function and its associated type are not used outside the package + and are an implementation detail. + +commit fe533edf0170e101569f51a75b5b1f348ebd963e +Author: John Starks +Date: Tue May 7 08:52:01 2019 -0700 + + uvm: Add UtilityVM.CreateContainer method + + This change adds a CreateContainer method to UtilityVM and updates + hcsoci to use it. This change is necessary because if the external + bridge is in use, container creation goes through that instead of + through the HCS. 
+ +commit 95ef8b9865e72a72213f05ab55b0740b45597b10 +Merge: bc65cf167 2443f5f98 +Author: John Starks +Date: Tue May 7 13:40:54 2019 -0700 + + Merge pull request #590 from jstarks/nocs + + uvm: Reduce binding between hcs and uvm interfaces + +commit dcc6ef81a09ebea3df353ba173324ca6ab367a76 +Merge: 036154367 f9edcb475 +Author: Justin +Date: Tue May 7 10:34:16 2019 -0700 + + Merge pull request #304 from jstarks/catcpio_fixes + + hack/catcpio.sh: Pass appropriate flags to cpio -i + +commit 03615436788d566f8fb1ad22d500f432e86ee378 +Merge: 334aff83e 6b38ecb00 +Author: Justin +Date: Tue May 7 10:33:24 2019 -0700 + + Merge pull request #305 from jstarks/nano_time + + gcs: Include nano seconds in JSON log output + +commit db8d6af96e82ae1060fdb3239dc88292aac03ed9 +Author: John Starks +Date: Sat May 4 23:18:51 2019 +0000 + + Makefile: Only rebuild Go targets if a dependency has changed + + This works by retrieving the list of dependencies from Go after building + a Go binary. + +commit 2443f5f9887cef049a82afa9e8f0f5b0c75b83a3 +Author: John Starks +Date: Tue May 7 09:07:49 2019 -0700 + + uvm: Reduce binding between hcs and uvm interfaces + + This change removes the ComputeSystem() call from uvm.UtilityVM and + provides wrapper functions for the few places that needed to get the + underlying compute system. This is necessary because these functions + (such as CreateProcess) will have different implementations depending on + whether the internal or external bridge is in use. + + Also pre-cache some of the properties queries, caching the result of + such queries early rather than querying at each use. 
+ +commit bc65cf167656b14f3115ba543d803b0cf5d8195f +Merge: 10611e616 c69ddac83 +Author: Justin +Date: Tue May 7 09:52:34 2019 -0700 + + Merge pull request #588 from jstarks/unique_messages + + Use constant logrus messages everywhere + +commit 10611e616786c00ed5d986017d0dcfea54bd1662 +Merge: 5a7443890 f92b63313 +Author: Justin +Date: Tue May 7 09:48:44 2019 -0700 + + Merge pull request #589 from jstarks/round_2mb + + uvm: Round requested memory size to 2MB + +commit c69ddac83e608946ced4d8d8946005f78c55106c +Author: John Starks +Date: Sun May 5 05:07:40 2019 +0000 + + Use constant logrus messages everywhere + + This change (intends to) replace all dynamically generated logrus + messages with constant values and to include dynamic data via separate + logrus fields. It does so for all non-test packages except HCN and HNS. + + This makes it easier to extract data from log messages in post + processing, especially when the logrus ETW tracelogging hook is enabled. + + With few exceptions, this change does not change the number of logged + events, nor does it add additional context to existing messages. There + are still many instances where events are redundant, and there are still + many events missing the necessary context to associate the message with + a container, VM, or request. These shortcomings should be addressed in + separate changes. + +commit f92b63313952e44609fd38b8c4b001db7bdf2be0 +Author: John Starks +Date: Sat May 4 14:22:28 2019 +0000 + + uvm: Round requested memory size to 2MB + + Hyper-V only supports 2MB aligned memory sizes (presumably to avoid + splitting large pages). Rather than fail with a cryptic error from the + platform, round the requested memory size up to the next 2MB boundary. + +commit 6b38ecb0090369a0e693bce57b1f18ac12763ae3 +Author: John Starks +Date: Sat May 4 23:21:13 2019 +0000 + + gcs: Include nano seconds in JSON log output + + The logrus JSON output defaults to only second granularity in the + timestamp field. 
Nano seconds are necessary to accurately measure + guest-side event durations when the host is not keeping up with log + output. + +commit f9edcb475365cb1c83a3cf90e701b16db5e2b61b +Author: John Starks +Date: Sat May 4 23:20:05 2019 +0000 + + hack/catcpio.sh: Pass appropriate flags to cpio -i + + The additional flags overwrite files that already exist, preserve + modification times, and create directories as necessary. + +commit 42f683c2b20b0b578242bf1ebbea34372f1fed24 +Author: Veeraiah Chowdary Nuvvula +Date: Thu May 2 09:25:58 2019 -0700 + + fixed gofmt issue by running gofmt.exe -w execcontainer_test.go + +commit 9399cf1c6b8633e7380b8d89b247536ccf3eced6 +Author: Veeraiah Chowdary Nuvvula +Date: Thu May 2 09:06:55 2019 -0700 + + moved exec tests to a separate file + +commit 698e87d6c13c1432ade721604e3576fa11f2415a +Merge: 2c7780253 8941106ab +Author: Veeraiah Chowdary Nuvvula +Date: Thu May 2 08:50:57 2019 -0700 + + Merge branch 'master' into add_RunAs_Test + +commit 5a7443890943600c562e1f2390ab3fef8c56a45f +Merge: 8941106ab c0fe2176e +Author: John Starks +Date: Thu May 2 08:49:42 2019 -0700 + + Merge pull request #577 from jstarks/wait_context + + hcs: Improve Process and System wait-related interfaces + +commit 8941106abedbc5aa3708266f0dd65f8a49344724 +Merge: 1dcf37ac5 c853b9ac5 +Author: Justin +Date: Wed May 1 17:20:24 2019 -0700 + + Merge pull request #586 from jstarks/hcs_service_crash + + hcs: Fail operations when the HCS service crashes + +commit 1dcf37ac5854bb7733366d78a37582ab74da7dfa +Merge: 41f3a0988 6d67a3085 +Author: Justin +Date: Wed May 1 16:52:39 2019 -0700 + + Merge pull request #573 from nagiesek/ignoreDuplicateHotAttachDetach + + Check whether we are already attached/detached before hot attach/deta… + +commit 6d67a3085946ac311d0b6d382332ce9da487f405 +Author: Nathan Gieseker +Date: Wed May 1 16:28:37 2019 -0700 + + Check whether we are already attached/detached before hot attach/detach + +commit 334aff83eced2534181d2ab47aae1de44719d717 +Merge: 
40bf352b6 87c71eb74 +Author: John Starks +Date: Wed May 1 15:36:40 2019 -0700 + + Merge pull request #299 from jstarks/makefile2 + + Makefile: append to archive manually + +commit 87c71eb74fef33d5332116105d1b41e3908d81be +Author: John Starks +Date: Wed May 1 15:17:02 2019 -0700 + + Makefile: append to archive manually + + The bsdtar append step do not interoperate well with some archives or + with our tar2ext4 tool. Extract and rearchive files rather than trying + to append or convert in place. + + This strips any ownership information from the initrd image, so all + files will be owned by root. This should be acceptable because /dev is + always mounted as devtmpfs, and no other files should need special + owners. + +commit 40bf352b62652288ce4ff281a54606766805f504 +Merge: d78556966 9721a2046 +Author: Justin +Date: Wed May 1 15:07:28 2019 -0700 + + Merge pull request #302 from Microsoft/fix_build + + Fix build remove stale test + +commit 9721a204622e75609fe7383061c22297367874c0 +Author: Justin Terry (VM) +Date: Wed May 1 14:51:03 2019 -0700 + + Fix Wrapf format issue missing container id + + Signed-off-by: Justin Terry (VM) + +commit 24abed4f005a17ef34fed95d25eea64bccb8c45f +Author: Justin Terry (VM) +Date: Wed May 1 14:46:01 2019 -0700 + + Fix build remove stale test + + 
Signed-off-by: Justin Terry (VM) + +commit d785569661c017bf6cda5eb9d19955cb927c39a3 +Merge: 1a87c072f 2742a48fe +Author: Justin +Date: Wed May 1 14:12:48 2019 -0700 + + Merge pull request #300 from jstarks/no_linux_headers + + vsockexec: Remove dependency on Linux headers + +commit 2742a48fe46b112e24decc4a923f0fcf016760c3 +Author: John Starks +Date: Wed May 1 13:23:49 2019 -0700 + + vsockexec: Remove dependency on Linux headers + + This makes it possible to build easily with musl-gcc. + +commit c0fe2176e6f7ebbda9c30eb37d8cd5a90870c807 +Author: John Starks +Date: Wed May 1 08:37:01 2019 -0700 + + hcs: Improve Process and System wait-related interfaces + + This updates Terminate, Shutdown, Kill, and Signal to avoid returning + errors in expected cases, and removes WaitTimeout. + +commit 2c778025318f3ce6e7c8063f127c86d37381dfac +Author: Veeraiah Chowdary Nuvvula +Date: Tue Apr 30 12:41:25 2019 -0700 + + updated with comments from code review + +commit 22e72c72d13ab3f6c6fcd4d42a2c5ac161304c7f +Author: Veeraiah Chowdary Nuvvula +Date: Tue Apr 30 10:59:07 2019 -0700 + + Added a test for RunAsUser option for LCOW container + +commit c853b9ac561f8a4620ae69713bbbbc86d28c0260 +Author: John Starks +Date: Tue Apr 23 15:28:01 2019 -0700 + + hcs: Fail operations when the HCS service crashes + + If the HCS service crashes, then all processes and compute systems get + notified of this. The code was previously ignoring this notification, + meaning outstanding waits would never be satisfied. Now the notification + causes all pending waits to complete with an error. 
+ +commit 41f3a0988b5e2321658612e19301c60a4d895bf0 +Merge: 965235930 6fc80f50d +Author: Justin +Date: Mon Apr 29 16:08:39 2019 -0700 + + Merge pull request #584 from Microsoft/processor_limit_doc_fix + + Fix bug in documentation for UVM processor.limit + +commit 1a87c072f499535ad9537705ac85af8c2af02f2f +Merge: 92d537f8b dfed0c997 +Author: Justin +Date: Mon Apr 29 16:08:29 2019 -0700 + + Merge pull request #298 from Microsoft/golang_1_12_4 + + Update to golang 1.12.4 + +commit dfed0c99798cc08e273c34ac96199693ff2de77e +Author: Justin Terry (VM) +Date: Mon Apr 29 13:47:34 2019 -0700 + + Update to golang 1.12.4 + + Signed-off-by: Justin Terry (VM) + +commit 965235930020a817a95c5bc76ef51fe9c71c84a7 +Merge: 58f8f4bd4 76d1d3a4d +Author: Justin +Date: Mon Apr 29 13:42:25 2019 -0700 + + Merge pull request #585 from Microsoft/golang_1_12_4 + + Move to golang 1.12.4 + +commit 76d1d3a4dec488088c437c5b98f4916d1fa4e641 +Author: Justin Terry (VM) +Date: Mon Apr 29 13:37:54 2019 -0700 + + Move to golang 1.12.4 + + Signed-off-by: Justin Terry (VM) + +commit 6fc80f50d764c1a621900d54f6eaeb298a75473f +Author: Justin Terry (VM) +Date: Mon Apr 29 13:34:16 2019 -0700 + + Fix bug in documentation for UVM processor.limit + + Signed-off-by: Justin Terry (VM) + +commit ef775b6a90143374b7d5d99ed8e44a512e3cd162 +Author: Sebastiaan van Stijn +Date: Fri Apr 26 10:26:41 2019 -0700 + + Fix Windows Server version for RS4 in comment + + 
Signed-off-by: Sebastiaan van Stijn + +commit 58f8f4bd40f183ca7697fc978e9f3b4cac9a7a8c +Merge: 0d86597ce ad87c9209 +Author: Justin +Date: Tue Apr 23 15:52:35 2019 -0700 + + Merge pull request #578 from jstarks/shimdiag_stacks + + shimdiag: Add stacks command to dump stacks + +commit 0d86597ce55f24b735815d0152362ef33f7985ec +Merge: e38f6590a 20158f49b +Author: Justin +Date: Tue Apr 23 15:51:11 2019 -0700 + + Merge pull request #580 from Microsoft/shimdiag_fix + + Fix shimdiag + +commit ad87c9209ca3465af1cf59c399a31d228b8d7558 +Author: John Starks +Date: Mon Apr 22 12:14:21 2019 -0700 + + shimdiag: Add stacks command to dump stacks + +commit 20158f49bf79623d48228d82a093e8c447a58f84 +Author: Justin Terry (VM) +Date: Tue Apr 23 14:50:02 2019 -0700 + + Fix shimdiag + + 
Signed-off-by: Justin Terry (VM) + +commit e38f6590af69e45ff38af046b7bf4d395e3e1142 +Merge: 8c442edd4 f2a4e6f63 +Author: John Starks +Date: Tue Apr 23 14:50:30 2019 -0700 + + Merge pull request #579 from jstarks/fix_build + + shim: Fix build break + +commit f2a4e6f63ac499a3518df5ab2fc6b00259564fd8 +Author: John Starks +Date: Tue Apr 23 14:46:16 2019 -0700 + + shim: Fix build break + +commit 8c442edd4f71f556f7cd6c1b346c36fd57354b61 +Merge: f072d47a5 0dcdb44b8 +Author: John Starks +Date: Tue Apr 23 14:14:02 2019 -0700 + + Merge pull request #575 from jstarks/shimdiag + + shimdiag: New tool to diagnose runhcs shims + +commit f072d47a533cf2dcdc8aedd12d415206e775ef3c +Merge: c5f1ca9ee 741b914f1 +Author: John Starks +Date: Mon Apr 22 12:17:36 2019 -0700 + + Merge pull request #572 from jstarks/stdio + + internal/hcs: Improve process stdio lifetime + +commit c5f1ca9ee8bd64317296ff0ce30002dfe013baa1 +Merge: 2226e083f 40e0b86ac +Author: John Starks +Date: Mon Apr 22 12:15:17 2019 -0700 + + Merge pull request #576 from jstarks/hvsock + + Replace linuxkit's hvsock support with go-winio's + +commit 40e0b86ace8a904c599158c97f7a0870103716ff +Author: John Starks +Date: Wed Apr 17 15:29:38 2019 -0700 + + Replace linuxkit's hvsock support with go-winio's + + This fixes some race conditions when Close is called concurrently with + other operations. + +commit 92d537f8bdb3deec5ae1a8fe66fc55f6acb2cdbf +Merge: e979295b7 7009c9ee3 +Author: John Starks +Date: Mon Apr 22 09:31:00 2019 -0700 + + Merge pull request #297 from jstarks/ctty + + gcs: Prevent GCS crashing when external process exits + +commit 0dcdb44b887a6a528ca916a8eac85104efca39ff +Author: John Starks +Date: Sun Apr 21 16:49:19 2019 -0700 + + shimdiag: New tool to diagnose runhcs shims + + Currently this tool allows listing running shims and execing a process + in the shim's associated utility VM. 
+ +commit 741b914f1849708bf7fd9a3c0a4cf729597b8503 +Author: John Starks +Date: Sun Apr 21 15:43:45 2019 -0700 + + internal/hcs: Improve process stdio lifetime + + To better support the external bridge, associate the stdio handles with + the owning process and close them when the process object is closed. + +commit 7009c9ee3a39777135831d7ef6de7ff31e7ac0eb +Author: John Starks +Date: Sun Apr 21 14:42:08 2019 -0700 + + gcs: Prevent GCS crashing when external process exits + + Currently, when the GCS launches an external process with a pty, that + pty becomes the controlling terminal for the GCS. This causes the kernel + to deliver a SIGHUP signal when the pty is torn down, which causes the + GCS to exit. + + To resolve this, the GCS explicitly opens the terminal with O_NOCTTY so + to avoid making it the controlling terminal. It also now marks the child + as the leader of a new session and has the child make the new pty the + controlling terminal of the child process. + +commit e979295b7e7340a6d855faf371e3f328c68f42bb +Merge: ae778f0c0 c66c35bb8 +Author: Justin +Date: Fri Apr 19 15:05:22 2019 -0700 + + Merge pull request #296 from Microsoft/exit_status + + Upgrade to cmd.ProcessState.ExitCode() with golang 1.12 + +commit c66c35bb8ef3ba16183b0b042caa084cad2bd765 +Author: Justin Terry (VM) +Date: Fri Apr 19 14:20:06 2019 -0700 + + Upgrade to cmd.ProcessState.ExitCode() with golang 1.12 + + 
Signed-off-by: Justin Terry (VM) + +commit 2226e083fc390003ae5aa8325c3c92789afa0e7a +Merge: 672e52e92 92cb5b697 +Author: John Howard +Date: Fri Apr 19 09:18:50 2019 -0700 + + Merge pull request #569 from thaJeztah/add_build_function + + Enhancement: add osversion.Build() utility + +commit ae778f0c05216ef4a0cef00c2acf88fb8dd2f682 +Merge: fefd0ad73 97d538429 +Author: Justin +Date: Thu Apr 18 14:10:13 2019 -0700 + + Merge pull request #295 from jstarks/clean_close_sockets + + gcs: Cleanly shut down stdio sockets to avoid missing data + +commit 97d5384298d150ffbdabe30828466f695dd3adbd +Author: John Starks +Date: Thu Apr 18 08:38:02 2019 -0700 + + gcs: Cleanly shut down stdio sockets to avoid missing data + + Without this change, data written by a process is sometimes discarded + due to vsock timeouts. + +commit 92cb5b6976045984f6f746ca62c37ba952d37cae +Author: Sebastiaan van Stijn +Date: Wed Apr 17 11:39:39 2019 +0200 + + Enhancement: add osversion.Build() utility + + Signed-off-by: Sebastiaan van Stijn + +commit 672e52e9209d1e53718c1b6a7d68cc9272654ab5 +Merge: 2de31e668 d26c179aa +Author: Justin +Date: Wed Apr 17 14:10:21 2019 -0700 + + Merge pull request #571 from Microsoft/shim_mitigations + + Handle Process/Container not found errors and force exits + +commit d26c179aaf72ab2222f1b4a15e533e062b73a7df +Author: Justin Terry (VM) +Date: Wed Apr 17 12:59:08 2019 -0700 + + Force UVM exit after 30 seconds of issuing SIGKILL + + 1. When a SIGKILL is sent to the init process we force the UVM exit after 30 + seconds in order to make sure that whatever state the guest is in the exit is + honored. + + Signed-off-by: Justin Terry (VM) + +commit ac05b8e8289e8406c8b14ea04b336d6201f90fe0 +Author: Justin Terry (VM) +Date: Wed Apr 17 12:58:05 2019 -0700 + + Force HCS process exit on ERROR_NOT_FOUND + + 
Signed-off-by: Justin Terry (VM) + +commit fefd0ad73f6bfa33b8cce597be303e134fddc408 +Merge: 74a636ccd 9cdd8fa77 +Author: Justin +Date: Wed Apr 17 12:53:21 2019 -0700 + + Merge pull request #294 from Microsoft/fix_errors + + Fix errors returned by GCS to align with expectations in the HCS + +commit 9cdd8fa778ca8d289794655b08bf76cd16e75cb4 +Author: Justin Terry (VM) +Date: Wed Apr 17 12:16:24 2019 -0700 + + Return ERROR_VMCOMPUTE_SYSTEM_ALREADY_EXISTS on CreateContainer with existing ID + + Signed-off-by: Justin Terry (VM) + +commit 0a590cc016959494be0aa75056211215f3e1fffc +Author: Justin Terry (VM) +Date: Tue Apr 16 14:46:01 2019 -0700 + + Return ERROR_VMCOMPUTE_SYSTEM_NOT_FOUND on runc kill error + + 1. When a container is not found the HCS expects a GCS to return an HRESULT + error ERROR_VMCOMPUTE_SYSTEM_NOT_FOUND to indicate this condition. + + Signed-off-by: Justin Terry (VM) + +commit a25d497014a31e86a08bfd47b432a2ea269c6351 +Author: Justin Terry (VM) +Date: Tue Apr 16 14:39:16 2019 -0700 + + Return HR ERROR_NOT_FOUND after process exit + + Signed-off-by: Justin Terry (VM) + +commit a30d1c40be12f2ce533acd66f7c26330781c6d2e +Author: Justin Terry (VM) +Date: Wed Apr 17 12:33:53 2019 -0700 + + Fix panic on hcs/process.Close() with nil error + + Signed-off-by: Justin Terry (VM) + +commit 2de31e66884b1ca0d34b02050c3f17a30483d67e +Merge: 65cc4d08a e0408a63d +Author: John Howard +Date: Wed Apr 17 10:01:18 2019 -0700 + + Merge pull request #570 from thaJeztah/make_linux_compat + + osversion: enable using constants on other platforms + +commit 65cc4d08a3eb1f82bb8c43f121f2d96c9a8cd859 +Merge: d626b5ed8 73d28eadd +Author: John Howard +Date: Wed Apr 17 09:49:23 2019 -0700 + + Merge pull request #568 from thaJeztah/add_more_version_details + + Add more information to osversion build numbers + +commit e0408a63d651323e0c1eca5268c65a603d457e9b +Author: Sebastiaan van Stijn +Date: Wed Apr 17 14:22:08 2019 +0200 + + osversion: enable using constants on other platforms + + 
Signed-off-by: Sebastiaan van Stijn + +commit 73d28eadd65466bcb6dfd92096909ccdf1bd6ee8 +Author: Sebastiaan van Stijn +Date: Wed Apr 17 11:10:07 2019 +0200 + + Add more information to osversion build numbers + + This adds some additional comments to the build-numbers, + to help correlate versions to specific Windows Server + and Windows Client releases. + + Signed-off-by: Sebastiaan van Stijn + +commit 7c24cb2992fcdbcf0f608e3af197d9b6d97be6d7 +Author: Justin Terry (VM) +Date: Tue Apr 16 14:32:02 2019 -0700 + + Remove unused error types + + Signed-off-by: Justin Terry (VM) + +commit 74a636ccd2413c624e76b1e43014f985d69296df +Merge: b44ca09d9 94f619b98 +Author: Justin +Date: Mon Apr 15 16:21:28 2019 -0700 + + Merge pull request #293 from Microsoft/move_v2_runtime + + Refactor the v2 runtime into its own packages + +commit d626b5ed8558681876445a76bd15adf93d88fe52 +Merge: 9b6bfe997 84caab8be +Author: Justin +Date: Mon Apr 15 15:21:58 2019 -0700 + + Merge pull request #566 from Microsoft/jjh/combinedlayers + + Remove combinedlayers: rootfs not scratch + +commit 84caab8be6d75ce0599ac07ec14b39fffac81d5a +Author: John Howard +Date: Mon Apr 15 14:05:43 2019 -0700 + + Remove combinedlayers: rootfs not scratch + + Signed-off-by: John Howard + +commit 9b6bfe997ff9fdfc2fc1652baa0428701fd62361 +Merge: 2ff26cfd6 3cc8994ee +Author: Justin +Date: Mon Apr 15 13:25:57 2019 -0700 + + Merge pull request #565 from Microsoft/hcs_notification_string + + Force log NotificationType to string + +commit 3cc8994eeab9449776a4e6831bbf5c9bdc4620cb +Author: Justin Terry (VM) +Date: Mon Apr 15 12:06:59 2019 -0700 + + Force log NotificationType to string + + 
Signed-off-by: Justin Terry (VM) + +commit 2ff26cfd637d52367df40cfafdc5a82707a9d245 +Merge: 21d3401b7 dca6e46c0 +Author: John Starks +Date: Mon Apr 15 11:06:44 2019 -0700 + + Merge pull request #564 from jstarks/uvmboot_gcs + + uvmboot: Optionally launch process through GCS + +commit 21d3401b73e708e918afb338cfb191c6cee175ad +Merge: ff9e4e053 c8890a691 +Author: John Starks +Date: Mon Apr 15 11:06:27 2019 -0700 + + Merge pull request #563 from jstarks/opengcs_log_id + + uvm: Include VM ID in opengcs logs + +commit ff9e4e05380872d452f60654dcde6035b39a8651 +Merge: 2cdaeca8c afbc0d927 +Author: Kevin Parsons +Date: Mon Apr 15 10:55:23 2019 -0700 + + Merge pull request #562 from Microsoft/etw-capture-state + + Dump stacks on ETW capture state + +commit 94f619b9886943fc5e8473eba5247fef60de747a +Author: Justin Terry (VM) +Date: Thu Apr 11 10:40:42 2019 -0700 + + Fix issue in storage v1 overlay when readonly==true + + Signed-off-by: Justin Terry (VM) + +commit c8890a6919c732e3124b2ba4503dba8b6986f04f +Author: John Starks +Date: Sat Apr 13 10:47:27 2019 -0700 + + uvm: Include VM ID in opengcs logs + + This also cleans up the opengcs log output a bit. + +commit dca6e46c05cbe4999769ca34fcad05db26563075 +Author: John Starks +Date: Sat Apr 13 14:06:08 2019 -0700 + + uvmboot: Optionally launch process through GCS + +commit afbc0d9278737187b7371390044395c0c562b78e +Author: Kevin Parsons +Date: Fri Apr 12 12:40:57 2019 -0700 + + Dump stacks on ETW capture state + +commit 2d6fc9761345249323b83e969ab853793d783b85 +Author: Justin Terry (VM) +Date: Wed Apr 10 20:02:24 2019 -0700 + + Retry SCSI mount on source ENOENT + + Signed-off-by: Justin Terry (VM) + +commit b43e2805cfded49f20ce24c09fc80eed4d511680 +Author: Justin Terry (VM) +Date: Tue Apr 9 07:48:15 2019 -0700 + + Seperate UVM.go into Host/Container/Process + + 
Signed-off-by: Justin Terry (VM) + +commit de5eaeff2551d5cecc0590633db835cb14c4f2be +Author: Justin Terry (VM) +Date: Tue Apr 9 07:44:37 2019 -0700 + + Remove v2 runc devices.HostDevices clone to actual runc package + + Signed-off-by: Justin Terry (VM) + +commit 94ff9eb3f04d742921abb60fd44310b398bfcf2e +Author: Justin Terry (VM) +Date: Mon Apr 8 21:23:45 2019 -0700 + + Convert all v2 code to LF + + Signed-off-by: Justin Terry (VM) + +commit a691da48155cd76b351bf1e03269d0a32ae5f2bb +Author: Justin Terry (VM) +Date: Mon Apr 8 21:20:33 2019 -0700 + + Move v2 devicemapper to internal package + + Signed-off-by: Justin Terry (VM) + +commit fb1e76415036162c169ff8f4ef8933b8b12dc20a +Author: Justin Terry (VM) +Date: Mon Apr 8 21:13:32 2019 -0700 + + Move v2 HCS runtime to internal package + + Signed-off-by: Justin Terry (VM) + +commit 259620a62d80d3edfae6ca9b3844881d2d46f4cf +Author: Justin Terry (VM) +Date: Mon Apr 8 21:04:52 2019 -0700 + + Move v2 network calls to golang packages + + Signed-off-by: Justin Terry (VM) + +commit 146630234cbf7dc5db90f22e0be3215b38954ee8 +Author: Justin Terry (VM) +Date: Mon Apr 8 08:41:22 2019 -0700 + + Move v2 storage calls to golang packages + + 
Signed-off-by: Justin Terry (VM) + +commit b44ca09d9c8990555b282f0cf54509e4bb8c7c67 +Merge: fb92ea943 1edcb065d +Author: Justin +Date: Wed Apr 10 11:25:07 2019 -0700 + + Merge pull request #292 from Microsoft/jjh/go1.12 + + Bump to golang 1.12.2 + +commit 2cdaeca8ccc9d3f1a34933b38e14bd88cafb9b60 +Merge: 9972f06ea f5310758b +Author: John Howard +Date: Wed Apr 10 11:01:48 2019 -0700 + + Merge pull request #561 from Microsoft/process_element_not_found + + Handle ERROR_NOT_FOUND for HcsSignalProcess + +commit f5310758b272932825bcf5693d955cb550f5c21b +Author: Justin Terry (VM) +Date: Tue Apr 9 15:36:01 2019 -0700 + + Handle ERROR_NOT_FOUND for HcsSignalProcess + + Handles ERROR_NOT_FOUND for HcsSignalProcess and properly coverts this to the + containerd errdefs.ErrNotFound so upstream callers handle the exit + appropriately. + + Signed-off-by: Justin Terry (VM) + +commit 9972f06ea8ba09cdddeb5469c2b420c39d402293 +Merge: 3872cadcf 04d6f9d25 +Author: Justin +Date: Tue Apr 9 13:01:23 2019 -0700 + + Merge pull request #558 from Microsoft/jjh/go1.12 + + Bump appveyor to go 1.12.2 + +commit 3872cadcf58544e0828ab66565c57e4a71b3917e +Merge: cb301955a 171ecf14b +Author: Justin +Date: Tue Apr 9 13:00:54 2019 -0700 + + Merge pull request #560 from Microsoft/jjh/containerlogs + + Improvements to Get-ContainerLogs.ps1 + +commit cb301955a09002a2ba89e41de58f8be8eed51644 +Merge: 063ae4a83 7368ff639 +Author: Justin +Date: Tue Apr 9 13:00:02 2019 -0700 + + Merge pull request #557 from Microsoft/jjh/bumpgowinio + + Vendor go-winio@84b4ab48 + +commit 171ecf14b4727b58a691253372372520523998f1 +Author: John Howard +Date: Mon Apr 8 16:04:30 2019 -0700 + + More in Get-ContainerLogs.ps1 + + 
Signed-off-by: John Howard + +commit 063ae4a83d78bdb93f76b18cc894c6342fa85c15 +Merge: 2164cfd2b d9b0d4eab +Author: Justin +Date: Mon Apr 8 15:16:05 2019 -0700 + + Merge pull request #559 from jstarks/rootwait + + uvm: Add rootwait kernel param to wait for pmem enumeration + +commit d9b0d4eab515062dbdf42ca98b777eebd90abc2b +Author: John Starks +Date: Mon Apr 8 14:48:21 2019 -0700 + + uvm: Add rootwait kernel param to wait for pmem enumeration + +commit 1edcb065d3e3bbe53582acaa3c12c1fb24713381 +Author: John Howard +Date: Mon Apr 8 10:47:37 2019 -0700 + + Bump to golang 1.12.2 + + Signed-off-by: John Howard + +commit 04d6f9d256b0dd21c6c85e078ff70a17315a6113 +Author: John Howard +Date: Mon Apr 8 10:45:57 2019 -0700 + + Bump appveyor to go 1.12.2 + + Signed-off-by: John Howard + +commit 7368ff6398231e05c804df9d8927980805e3b9e9 +Author: John Howard +Date: Mon Apr 8 10:41:03 2019 -0700 + + Vendor go-winio@84b4ab48 + + Signed-off-by: John Howard + +commit 2164cfd2b36485c89c005d62a7775db8ecafa2d5 +Merge: 5cfbffa6f 1aeec512e +Author: John Howard +Date: Fri Apr 5 21:51:37 2019 -0700 + + Merge pull request #553 from Microsoft/nil_exec_io + + Stop setting UpstreamIO to nil on Close + +commit 5cfbffa6fcc820f02db5ac8fd689c3b5eab7a8dd +Merge: 54eefb59e 6efbfe7b6 +Author: John Howard +Date: Fri Apr 5 21:33:02 2019 -0700 + + Merge pull request #554 from Microsoft/jjh/getcontainerlogs + + Get-ContainerLogs.ps1 for later analysis + +commit 54eefb59e631f960b9062bb24921fc6f7dae60cc +Merge: fe65d3a22 07fdeeb6f +Author: Justin +Date: Fri Apr 5 20:43:59 2019 -0700 + + Merge pull request #551 from Microsoft/parallel_scsi + + Always send guest eject for SCSI LCOW HotRemove + +commit 6efbfe7b6f62205f2824f86b7b7d4b50b51a2fd9 +Author: John Howard +Date: Fri Apr 5 20:37:51 2019 -0700 + + Add Get-ContainerLogs.ps1 for later analysis + + 
Signed-off-by: John Howard + +commit 1aeec512ec7c709bd838e54d6f1f0b7e3f644e5e +Author: Justin Terry (VM) +Date: Fri Apr 5 19:24:43 2019 -0700 + + Stop setting UpstreamIO to nil on Close + + 1. Stops setting UpstreamIO to nil on Close or CloseStdin. This means that the + call will always return a valid non-nil connection even if that connection has + been previously closed. This will stop the shim from panic'ing and instead + return a "connection already closed" error if used. + 2. Adds a check on the invariant state of in, out, serr returned from the + platform and makes sure it matches the requested state on creation. + + Signed-off-by: Justin Terry (VM) + +commit fe65d3a22edb981dd6b43349a4b14eade8877c03 +Merge: ca6ca4a84 69593ae4b +Author: John Howard +Date: Fri Apr 5 19:23:17 2019 -0700 + + Merge pull request #552 from Microsoft/jjh/stack2file + + shim:dump stack to file as well + +commit 69593ae4b5b81ec7798eab1d78cdffe920bfc0e4 +Author: John Howard +Date: Fri Apr 5 19:16:20 2019 -0700 + + shim:dump stack to file as well + + Signed-off-by: John Howard + +commit 07fdeeb6fbcd470c3e108c2cda305d577ec859f9 +Author: Justin Terry (VM) +Date: Fri Apr 5 18:18:53 2019 -0700 + + Always send guest eject for SCSI LCOW HotRemove + + It turns out that the Linux kernel can get very confused if a HotRemove + on the SCSI happens without a guest initiated eject. This change will always + initiate a guest request to eject the SCSI controller/lun before removing the + virtual disk from the host UVM. + + Signed-off-by: Justin Terry (VM) + +commit ca6ca4a843cb116b52999c48991c58e9a2fb8432 +Merge: cf1c2137f 301b57806 +Author: Justin +Date: Fri Apr 5 10:47:08 2019 -0700 + + Merge pull request #549 from Microsoft/jjh/cwd + + Move panic log to bundle dir + +commit 301b57806b2f44d884758c9946f333b21342f664 +Author: John Howard +Date: Fri Apr 5 10:34:43 2019 -0700 + + Move panic log to bundle dir + + 
Signed-off-by: John Howard + +commit fb92ea943aae21d45b03d8e553f85aabdd7b4332 +Merge: 349ae4363 216a74135 +Author: Justin +Date: Thu Apr 4 15:05:07 2019 -0700 + + Merge pull request #291 from Microsoft/jterry75/revendor + + Change to lk4d4/vndr + +commit 216a7413536343046d89406ceb6464e7113ffba2 +Author: Justin Terry (VM) +Date: Tue Oct 2 12:13:32 2018 -0700 + + Change to lk4d4/vndr + + Does a sweeping update to our vendor system and the vendor files to more + recent versions. + + Signed-off-by: Justin Terry (VM) + +commit cf1c2137fae1541cf405f1e9c5a1aaa0f53dd96a +Merge: 4e93834c8 188324048 +Author: John Howard +Date: Thu Apr 4 13:56:35 2019 -0700 + + Merge pull request #547 from Microsoft/panic_log + + Hook up a panic.log on shim serve + +commit 188324048cd81b5b6d149ebe49fc22e7506e3d0e +Author: Justin Terry (VM) +Date: Thu Apr 4 13:48:14 2019 -0700 + + Hook up a panic.log on shim serve + + Signed-off-by: Justin Terry (VM) + +commit 4e93834c8eda905fd06c8d71e6f982faa84294a9 +Merge: 2e6420689 3014ea00a +Author: Justin +Date: Wed Apr 3 16:02:48 2019 -0700 + + Merge pull request #546 from Microsoft/fix_notification_hang + + Fix real deadlock in notification delivery + +commit 3014ea00aca9d8e664a8fbcb34d4bb5f760d82ab +Author: Justin Terry (VM) +Date: Wed Apr 3 15:00:07 2019 -0700 + + Fix real deadlock in notification delivery + + 
Signed-off-by: Justin Terry (VM) + +commit 2e6420689588596b88cfd75ec2398b943138c024 +Merge: 5e4b87435 6b1e170c0 +Author: John Howard +Date: Tue Apr 2 11:49:42 2019 -0700 + + Merge pull request #545 from Microsoft/runhcs_test_tag + + Move 'integration' to 'functional' tag for runhcs tests + +commit 5e4b87435fe3edac66b977760e2f1d86a61bc4e4 +Merge: b297343be be79e1d9e +Author: John Howard +Date: Tue Apr 2 11:44:53 2019 -0700 + + Merge pull request #544 from Microsoft/get_properties_log + + Fix system.Properties log message + +commit 6b1e170c08c811f50e4087ed6fdc6661f94722ba +Author: Justin Terry (VM) +Date: Tue Apr 2 11:43:45 2019 -0700 + + Move 'integration' to 'functional' tag for runhcs tests + + Signed-off-by: Justin Terry (VM) + +commit b297343becffcd6b627704a6c41a7c1aaca5894e +Merge: 5f3c4ba7a bc4fd1919 +Author: John Howard +Date: Tue Apr 2 11:42:06 2019 -0700 + + Merge pull request #543 from Microsoft/wait_uvm_stop + + Convert all users of uvm.Terminate to uvm.Close() + +commit be79e1d9e80415f30780138c34c2c72b58a03c5a +Author: Justin Terry (VM) +Date: Tue Apr 2 11:41:11 2019 -0700 + + Fix system.Properties log message + + Signed-off-by: Justin Terry (VM) + +commit bc4fd19197f371cf367228720297436faf67f233 +Author: Justin Terry (VM) +Date: Tue Apr 2 11:33:58 2019 -0700 + + Convert all users of uvm.Terminate to uvm.Close() + + Signed-off-by: Justin Terry (VM) + +commit 349ae436354479669671ad88fda9df48a29b9983 +Merge: a8a6fa155 863e4ec81 +Author: Justin +Date: Tue Apr 2 10:40:35 2019 -0700 + + Merge pull request #290 from Microsoft/jjh/lostandfound + + Exclude lost+found from tar stream + +commit 863e4ec81587b0940d3cc47c703a7d14e0d31a4a +Author: John Howard +Date: Tue Apr 2 10:06:31 2019 -0700 + + Exclude lost+found from tar stream + + 
Signed-off-by: John Howard + +commit 5f3c4ba7af30b0c3a6aee5b98982b8b2a9886aa1 +Merge: defb34daf e906b8d14 +Author: John Howard +Date: Mon Apr 1 18:47:24 2019 -0700 + + Merge pull request #542 from Microsoft/fix_2nd_kill + + Serialize all shim errors to gRPC known types + +commit e906b8d14d5bccc09c0afedbcf71d94f387914f9 +Author: Justin Terry (VM) +Date: Mon Apr 1 15:47:38 2019 -0700 + + Shims MUST return errdefs.ErrNotFound in process exited state + + Signed-off-by: Justin Terry (VM) + +commit 3d479932af6fd65760672f2ee125adeb4f958634 +Author: Justin Terry (VM) +Date: Mon Apr 1 15:45:41 2019 -0700 + + Serialize all shim errors to gRPC known types + + We should be using errdefs.ToGRPC when sending errors as a return value from + the shim. This converts known error types to a propery serialized chain and + maintains the Causer interface associated with the proper underlying error. + + Signed-off-by: Justin Terry (VM) + +commit defb34daf263bd3f06d369908ff07fd8733e4eec +Merge: 6aaa89c07 0bbe10215 +Author: Justin +Date: Mon Apr 1 15:11:05 2019 -0700 + + Merge pull request #541 from Microsoft/fix_signal_syscall + + Fix signal support for WCOW + +commit 0bbe10215f4c337cd5a404f3fa31da269e26de37 +Author: Justin Terry (VM) +Date: Mon Apr 1 08:19:29 2019 -0700 + + Fix Signal support for WCOW + + Signal support on WCOW based on the HCS API is actually marshalled by string + value rather than integer value. This change makes sure that the signal struct + created for WCOW validates and uses the appropriate Ctrl* string. + + Signed-off-by: Justin Terry (VM) + +commit 9bbcd877c24e80e42f6e5b4c10d7e81bdfef3298 +Author: Justin Terry (VM) +Date: Fri Mar 29 14:20:49 2019 -0700 + + Fix an issue with Signal calling the wrong syscall + + There was a bug in hcs.go where hcsSignalProcess was actually the syscall for + HcsTerminateProcess due to a copy paste bug. + + 
Signed-off-by: Justin Terry (VM) + +commit 6aaa89c07dd2364377681486e0158414ef1df924 +Merge: ba3d66677 85f41cb97 +Author: John Howard +Date: Thu Mar 28 15:00:33 2019 -0700 + + Merge pull request #540 from Microsoft/exec_created_delete + + Change the state model allow Delete from Created + +commit 85f41cb97de5b86f1c908f475ebc920bb26bfae1 +Author: Justin Terry (VM) +Date: Thu Mar 28 12:35:14 2019 -0700 + + Change the state model allow Delete from Created + + Signed-off-by: Justin Terry (VM) + +commit ba3d6667710fa905116f39a19d059c4c1016be7c +Merge: eb44e6f81 295e58048 +Author: John Howard +Date: Wed Mar 27 14:08:02 2019 -0700 + + Merge pull request #537 from Microsoft/task_exit_for_real + + Fix a bug in Wait when waiting on the init task + +commit 295e580485711cd514fd54bf6fa42beafadef840 +Author: Justin Terry (VM) +Date: Wed Mar 27 13:53:27 2019 -0700 + + Fix panic in WCOW Hypervisor activations + + Signed-off-by: Justin Terry (VM) + +commit 38d2294a57126fab4564ff0a0949161ebc5dded6 +Author: Justin Terry (VM) +Date: Wed Mar 27 11:13:24 2019 -0700 + + Forcibly unblock Waiters when a client closes its HCS Handle + + Code could cause a Wait forever hang if the HCS Handle was closed + without a proper ComputeSystemExit notification. This will forcibly + unblock all Waiters in this case. + + Signed-off-by: Justin Terry (VM) + +commit 7e8e68edc8b3e2f5b8303f26254caed785943541 +Author: Justin Terry (VM) +Date: Wed Mar 27 10:18:46 2019 -0700 + + Fix a bug in Wait when waiting on the init task + + The async event TaskExit is sent post container/UVM shutdown but the actual + caller may have been unblocked on the call to Wait. We now return form Wait + after the container/UVM shutdown and alerting async TaskExit. + + 
Signed-off-by: Justin Terry (VM) + +commit eb44e6f81a7f48450a06f90578105b4da2a36f0e +Merge: 8abdbb820 c42360e09 +Author: Justin +Date: Tue Mar 26 11:53:38 2019 -0700 + + Merge pull request #535 from Microsoft/jjh/shimopts + + Don't nil deref on no shim options + +commit c42360e090ac16f41e5ce912445653250b21b91f +Author: John Howard +Date: Tue Mar 26 11:36:33 2019 -0700 + + Don't nil deref on no shim options + + Signed-off-by: John Howard + +commit 8abdbb8205e4192c68b5f84c31197156f31be517 +Merge: b849a6eab b672b668a +Author: John Howard +Date: Mon Mar 25 09:49:09 2019 -0700 + + Merge pull request #533 from Microsoft/wait_vm_or_container + + Change HCS TaskExit ownership responsibility + +commit b849a6eabf6b418649f1dbdec4a0382e856bb686 +Merge: a003d6e08 368cb2d5f +Author: Justin +Date: Fri Mar 22 16:01:36 2019 -0700 + + Merge pull request #534 from Microsoft/alphabetical + + G comes before U and Zed + +commit 368cb2d5f834c60b0a8b2f3b7c0f7b4ef541e296 +Author: John Howard +Date: Fri Mar 22 15:58:16 2019 -0700 + + G comes before U and Zed + + 
Signed-off-by: John Howard + +commit a003d6e089ca301c0ca1eab379cf22aa160c93f6 +Merge: 6fd620859 39389a22e +Author: Justin +Date: Fri Mar 22 15:51:30 2019 -0700 + + Merge pull request #520 from nagiesek/fixDefGWbug + + Fix bug where we error on network creation if no subnet was provided + +commit a8a6fa155cb3f3896813efa50db429c51931fccf +Merge: 92ea373dc aa707760e +Author: Justin +Date: Fri Mar 22 15:50:38 2019 -0700 + + Merge pull request #289 from Microsoft/go1.12.1 + + Bump go to 1.12.1 + +commit 6fd620859db4933bd861491a1d8e639a02ddb6ee +Merge: 5eaaf4090 692f817c5 +Author: John Howard +Date: Fri Mar 22 14:43:15 2019 -0700 + + Merge pull request #532 from Microsoft/jjh/grantvmgroupaccess + + Add grantvmgroupaccess.exe; Move uvmboot/zapdir to internal + +commit b672b668a733ccc1c9752a93d57de066ad098542 +Author: Justin Terry (VM) +Date: Fri Mar 22 13:07:09 2019 -0700 + + Fix deadlock in System/Process Wait + + If more than one thread called Wait* on the same hcs system/process handle the + exit notification would only be sent to one of the callers. This would cause + the other caller to wait for another event to be delivered on the channel that + would never come. + + This makes the model honor a single internal waiter on the platform + notification but allows for multiple Wait* calls from any number of goroutines. + + Signed-off-by: Justin Terry (VM) + +commit aa707760eadd77bd509a0090f058f91957f76085 +Author: John Howard +Date: Fri Mar 22 12:19:19 2019 -0700 + + Bump go to 1.12.1 + + 
Signed-off-by: John Howard + +commit d6e4ea4871ee8941d7a92119a5bbbac8ab2f05a9 +Author: Justin Terry (VM) +Date: Fri Mar 22 10:49:49 2019 -0700 + + Change HCS TaskExit ownership responsibility + + It turns out that eventing the TaskExit at the end of a process is not the + correct time on Windows. In all cases there is a container Silo seperate from + the init process and in Hypervisor isolated cases there is a parent UtilityVM. + + This change makes the init process TaskExit notification only fire once the + Silo/UtilityVM are successfully torn down making sure there are no resources in + use when the TaskExit is sent. + + Signed-off-by: Justin Terry (VM) + +commit 692f817c56520956834a23c1b9ebc4802d650817 +Author: John Howard +Date: Fri Mar 22 10:31:28 2019 -0700 + + Vendor Microsoft/go-winio@c599b533 + + Signed-off-by: John Howard + +commit 73f530d6f91b3cf16ef6309b5e3c0ef67937a307 +Author: John Howard +Date: Fri Mar 22 10:27:38 2019 -0700 + + Add grantvmgroupaccess.exe; Move uvmboot/zapdir to internal + + Signed-off-by: John Howard + +commit 5eaaf4090cae3203685bf7cc793ed5295b1e7c33 +Merge: e89c9396d 9884e156e +Author: Justin +Date: Thu Mar 21 14:49:13 2019 -0700 + + Merge pull request #531 from Microsoft/remove_grantvmaccess + + Stop setting grantvmaccess per layer.vhd + +commit 9884e156e4b1661202996e1ade1f6616867dbc47 +Author: Justin Terry (VM) +Date: Thu Mar 21 14:41:45 2019 -0700 + + Stop setting grantvmaccess per layer.vhd + + 
Signed-off-by: Justin Terry (VM) + +commit 39389a22ebda9afe576619ffc49bab3560321c33 +Author: Nathan Gieseker +Date: Wed Mar 20 17:04:20 2019 -0700 + + Fix bug where we error on network creation if no subnet was provided. Add test for case + +commit e89c9396dd628520b19e9bfe9cd9e35a01724dbb +Merge: dd292d70f 8439a2ae6 +Author: Justin +Date: Wed Mar 20 14:23:48 2019 -0700 + + Merge pull request #526 from Microsoft/uvm_qos + + Add support for WCOW/LCOW QoS + +commit 8439a2ae623e346eb1002d96cfe12b9df0291339 +Author: Justin Terry (VM) +Date: Wed Mar 20 13:42:08 2019 -0700 + + Add temporary workaround for Windows Process CPU QoS + + Windows RS5 has a bug in Windows Process Container CPU QoS that if the + Processor structure is passed at all it assumes the Count variable first and + does not allow setting Limit or Weight. For now silently ignore these + additional QoS features and succeed the activation to run the process. + + Signed-off-by: Justin Terry (VM) + +commit ee50c30a22620b5f90d6befc64e6e37c26e19aa9 +Author: Justin Terry (VM) +Date: Wed Mar 20 12:44:32 2019 -0700 + + Verify that Windows Process Container CPU Count, Limit, Weight are mutually exclusive + + Signed-off-by: Justin Terry (VM) + +commit b24f7834147de1e8571fd5065a514c370ec3d885 +Author: Justin Terry (VM) +Date: Mon Mar 18 15:03:26 2019 -0700 + + Add CRI Pod/Container tests for QoS settings + + Signed-off-by: Justin Terry (VM) + +commit a69324df03ad189d775d7410847d6a1b2926980a +Author: Justin Terry (VM) +Date: Mon Mar 18 15:03:07 2019 -0700 + + Add support for LCOW CPU/Memory QoS + + Signed-off-by: Justin Terry (VM) + +commit b97dccccf12999d096e57f7424cdfcfac46fa32a +Author: Justin Terry (VM) +Date: Mon Mar 18 08:45:11 2019 -0700 + + Add support for WCOW Container CPU/Memory/Storage QoS + + Signed-off-by: Justin Terry (VM) + +commit 4bd9a3d7a389e3f75daccdbf1b0ccff56864647b +Author: Justin Terry (VM) +Date: Mon Mar 18 07:35:21 2019 -0700 + + Add support for UVM CPU/Memory/Storage QoS + + 
Signed-off-by: Justin Terry (VM) + +commit dd292d70f832102200f2051eb1b7cec62d78c373 +Merge: 077e62580 8f652be72 +Author: Justin +Date: Wed Mar 20 12:19:55 2019 -0700 + + Merge pull request #530 from Microsoft/fix_cpu_count_settings + + Automatically verify and downgrade user CPUCount to runtime.NumCPU + +commit 8f652be7202918a51a52098b047746e277d32f8e +Author: Justin Terry (VM) +Date: Wed Mar 20 11:54:53 2019 -0700 + + Automatically verify and downgrade user CPUCount to runtime.NumCPU + + Signed-off-by: Justin Terry (VM) + +commit 077e625804dcda7d01c1f476d66d048ef64e16b4 +Merge: 1ad3514ad ccc74aa1b +Author: Justin +Date: Wed Mar 20 10:59:49 2019 -0700 + + Merge pull request #529 from kevpar/cri-runtime-names + + Update tests to new CRI runtime names + +commit ccc74aa1b59e9ff9fe122ce74a0fa51ca14440e0 +Author: Kevin Parsons +Date: Tue Mar 19 17:34:37 2019 -0700 + + Update tests to new CRI runtime names + +commit 1ad3514ad597919f266cd0a43289a62976110bcf +Merge: cdb2e93ab a3cc970d2 +Author: Kevin Parsons +Date: Tue Mar 19 15:59:52 2019 -0700 + + Merge pull request #527 from kevpar/shim-start-logging + + Log message when shim starts + +commit a3cc970d2e3928a4b6b3c0da3a46b1539cd81731 +Author: Kevin Parsons +Date: Tue Mar 19 15:47:36 2019 -0700 + + Log event at shim launch + +commit 5776786a50f3230a36b8255c9187655b57c26047 +Author: Kevin Parsons +Date: Tue Mar 19 15:27:57 2019 -0700 + + Vendor updated etw package from go-winio + +commit cdb2e93abad1a01ec5034fefbcc470ed0fa95769 +Merge: 49875ffd1 bd87a899f +Author: Kevin Parsons +Date: Tue Mar 19 15:16:55 2019 -0700 + + Merge pull request #528 from Microsoft/vendor + + Update vendor since opengcs cleanups + +commit bd87a899f3997d6c015ec3c065e2f71faa396bcc +Author: Justin Terry (VM) +Date: Tue Mar 19 15:12:29 2019 -0700 + + Update vendor since opengcs cleanups + + 
Signed-off-by: Justin Terry (VM) + +commit 49875ffd15a5cd2a9c00ab3a3eec2446748542ff +Merge: 6e3bb06e9 12c9a45c4 +Author: Justin +Date: Mon Mar 18 09:39:33 2019 -0700 + + Merge pull request #525 from Microsoft/oci_uvm_memorymb + + Fix bug in UVM activation when using OCI Windows.Resources.Memory.Limit + +commit 6e3bb06e953c6eddd3a34a2d731409365e79843f +Merge: a00fe2fce e8406e5cb +Author: Justin +Date: Mon Mar 18 09:38:55 2019 -0700 + + Merge pull request #524 from Microsoft/wcow_processor_count + + Fix bug setting WCOW UVM processor count overrides + +commit 12c9a45c45cc1f6a4c7458d58deaf0de0f9ccb67 +Author: Justin Terry (VM) +Date: Mon Mar 18 08:49:59 2019 -0700 + + Fix bug in UVM activation when using OCI Windows.Resources.Memory.Limit + + When using the sandbox override annotation: + "io.microsoft.virtualmachine.computetopology.memory.sizeinmb" in CRI the + setting is expected in MB. When using OCI Windows.Resources.Memory.Limit the + setting is expeced in Bytes. The platform expects the setting in MB. So the + resolver now ALWAYS returns MB regardless if using the annotation override or + OCI spec. + + Signed-off-by: Justin Terry (VM) + +commit e8406e5cb535901398582ade05fc5d42e27a6ee9 +Author: Justin Terry (VM) +Date: Mon Mar 18 07:37:58 2019 -0700 + + Fix bug setting WCOW UVM processor count overrides + + Signed-off-by: Justin Terry (VM) + +commit a00fe2fce5d45292943c7915ac94598cc765da88 +Merge: f3a1ac157 a7fbd2054 +Author: Justin +Date: Fri Mar 15 15:56:03 2019 -0700 + + Merge pull request #523 from Microsoft/uvm_logs + + Update UVM package logging to include context + +commit a7fbd2054c48cf1b0dfc1312886a12fb404042f2 +Author: Justin Terry (VM) +Date: Tue Dec 11 14:36:09 2018 -0800 + + Update UVM package logging to include context + + 
Signed-off-by: Justin Terry (VM) + +commit f3a1ac15727bba581b32c424411c6078f23b0fe5 +Merge: ada9cb39f edb57c501 +Author: Kevin Parsons +Date: Wed Mar 13 16:49:18 2019 -0700 + + Merge pull request #522 from Microsoft/fix_oom_issue + + Fix bug that fails to return error when out of memory + +commit edb57c5018951655883549b587927220ef7fce08 +Author: Justin Terry (VM) +Date: Wed Mar 13 16:32:53 2019 -0700 + + Fix bug that fails to return error when out of memory + + Fixed a bug when UVM activation fails that we fail to return the error message + and continue to process the setup code. + + Fixed an issue where we nil out the hcsSystem on the UVM after a call to Close + that causes any additional calls to the package to panic the shim rather than + returning the hcs.IsAlreadyClosed(err) error. + + Signed-off-by: Justin Terry (VM) + +commit 92ea373dcfec072a7e9a6153bbeb2405eee9792a +Merge: 73c53b9ad 003597a58 +Author: Justin +Date: Tue Mar 12 22:13:40 2019 -0700 + + Merge pull request #287 from Microsoft/jjh/options + + LCOW(v1) Remove kernel/initrd options + +commit 73c53b9ad7a05d2da289911151bb3deb246a47d9 +Merge: ab045a2bc 8e8fdcd07 +Author: Justin +Date: Tue Mar 12 22:11:41 2019 -0700 + + Merge pull request #288 from Microsoft/jjh/kernelstep1 + + Remove Kernel! + +commit 8e8fdcd070470c727231147279792649c533899f +Author: John Howard +Date: Tue Mar 12 19:40:51 2019 -0700 + + Remove Kernel! + + Signed-off-by: John Howard + +commit 003597a58952b61ef04c86bcc8908abe240977d7 +Author: John Howard +Date: Tue Mar 12 19:02:06 2019 -0700 + + LCOW(v1) Remove kernel/initrd options + + 
Signed-off-by: John Howard + +commit ab045a2bc5fce7f633426c1376146a1a2671df78 +Merge: aff0cdb81 71f3f033c +Author: Justin +Date: Tue Mar 12 16:03:40 2019 -0700 + + Merge pull request #285 from Microsoft/get_properties_v2 + + Implement GetProperties pids for V2 + +commit ada9cb39f715fb568e1030e7613732bb4f1e4aeb +Merge: 7d988c6d1 24eaac223 +Author: John Howard +Date: Tue Mar 12 16:02:10 2019 -0700 + + Merge pull request #505 from Microsoft/v2_shim_pids + + Implement v2 shim pids query + +commit 71f3f033c12201677c87e2b00d291acb30f5f6f3 +Author: Justin Terry (VM) +Date: Mon Mar 11 13:09:20 2019 -0700 + + Implement GetProperties pids for V2 + + Signed-off-by: Justin Terry (VM) + +commit 24eaac223226d5c571d39c9ef942f0599d6aac01 +Author: Justin Terry (VM) +Date: Tue Mar 5 22:32:11 2019 -0800 + + Implement v2 shim pids query + + Signed-off-by: Justin Terry (VM) + +commit 7d988c6d1cba961fc4d7c0d771da4f6d0074ff17 +Merge: bdb1fd454 49cf94393 +Author: Justin +Date: Tue Mar 12 10:26:02 2019 -0700 + + Merge pull request #506 from Microsoft/jjh/createnetworknamespace + + Logging in createNetworkNamespace + +commit 49cf94393f6cadb619c59e81c4e11b1e832cc39b +Author: John Howard +Date: Wed Mar 6 09:44:47 2019 -0800 + + Logging in createNetworkNamespace + + 
Signed-off-by: John Howard + +commit aff0cdb81b83e6dc8753bd2f3bffa26e442ff17f +Merge: e8850a5d6 b33538897 +Author: Justin +Date: Mon Mar 11 14:02:52 2019 -0700 + + Merge pull request #286 from Microsoft/v2_hotremove_network + + Change HotRemove NIC to warning instead of error + +commit b335388971b3f9d023d4672093d0f6d5017808ee +Author: Justin Terry (VM) +Date: Mon Mar 11 13:36:18 2019 -0700 + + Change HotRemove NIC to warning instead of error + + We don't actually fully support HotRemove NIC from namespace but since + this only happens on teardown we likely don't need it. For now just log + this as a warning rather than returning an error because we do + actually try to safe remove it from the host side on shutdown which is + returning an error that is silently ignored. + + Signed-off-by: Justin Terry (VM) + +commit bdb1fd4543d3c71c04eb4f6c4c26c4cf6cd8b71c +Merge: 35a24d0f3 89fed83f1 +Author: Justin +Date: Fri Mar 8 20:28:13 2019 -0800 + + Merge pull request #517 from Microsoft/argon_activiation + + Revert removal of WCOW pause container activation + +commit 89fed83f178772eac1b3d52c81480f2ea3c4e8ef +Author: Justin Terry (VM) +Date: Fri Mar 8 18:26:44 2019 -0800 + + Forcibly close stdout, stderr relay after timeout + + Implements a safety fallback when the HCS fails to close the stdout, stderr + IO pipes after a process exit. In this case the ioWg would wait forever and + hang the shim and all cleanup logic waiting for the exit event. This code now + forcibly closes the handles if not already closed naturally after the post + process exit timeout. + + 
Signed-off-by: Justin Terry (VM) + +commit 3d974573138bbccc5177abc2a943462c1fb21ffa +Author: Justin Terry (VM) +Date: Fri Mar 8 15:13:57 2019 -0800 + + Forcibly terminate running process after signal + + There are cases in Windows where a signal to a process may not actually + cause the process to stop. As a best practice when a signal is expected + to cause the process to stop IE: SIGKILL, SIGTERM we now forcibly + terminate the process after a timeout period if the process does not + stop on its own. + + Signed-off-by: Justin Terry (VM) + +commit 2a9b26d6bcd5950ea0748e3bc6291ddbcfea08d6 +Author: Justin Terry (VM) +Date: Fri Mar 8 15:03:30 2019 -0800 + + Force WCOW pause process to stay alive + + For WCOW because there is no pause image we forcibly change the user + command to be a long running command. This behavior matches how ACI + builds their Windows pause images. + + Signed-off-by: Justin Terry (VM) + +commit ed7342accff7089e81233592747c9289f4a73d5e +Author: Justin Terry (VM) +Date: Fri Mar 8 10:51:51 2019 -0800 + + Revert removal of WCOW pause container activation + + As it turns out on RS5 a Windows Process Isolated container actually + does open the network compartment at the activation of the first + container. So we cannot skip creating the pause container when creating + the pod. This is not true for Windows Hypervisor Isolated which is held + open via the GNS. + + Signed-off-by: Justin Terry (VM) + +commit 35a24d0f3d8c6eb73f108c45316efdd05ce5525c +Merge: eba3ac608 1a8e7e91e +Author: Justin +Date: Fri Mar 8 15:05:53 2019 -0800 + + Merge pull request #518 from Microsoft/fix_cri_containerd_test + + Fix bug in pulling LCOW pause image + +commit 1a8e7e91e7a07e1bbcb03f5eacf85baa4f7d9410 +Author: Justin Terry (VM) +Date: Fri Mar 8 12:46:41 2019 -0800 + + Fix bug in pulling LCOW image with wrong annotations + + 
Signed-off-by: Justin Terry (VM) + +commit a12b8b82c01e09826ad31c58a3b06d2c36cf99cf +Author: Justin Terry (VM) +Date: Fri Mar 8 12:45:02 2019 -0800 + + Fix bug in pulling LCOW pause image + + Signed-off-by: Justin Terry (VM) + +commit eba3ac60839e86e60eae0f64658a25bd3891de0a +Merge: 001c0419a 74080ae0e +Author: John Howard +Date: Wed Mar 6 15:02:52 2019 -0800 + + Merge pull request #508 from Microsoft/panic-recover-debug + + Panic-Recover log to ETW in shim + +commit 001c0419aa572694e4779a47129c6f937cf24629 +Merge: 289c76d66 cc9f79968 +Author: Kevin Parsons +Date: Wed Mar 6 14:28:04 2019 -0800 + + Merge pull request #495 from kevpar/default-lcow-path + + Change default LCOW OS boot files path + +commit 74080ae0ec3c106fb8cca245693ba338a8e48ca9 +Author: John Howard +Date: Wed Mar 6 12:04:00 2019 -0800 + + Panic-Recover log to ETW + + Signed-off-by: John Howard + +commit cc9f7996884d788e4bc324e7547ec1095c82965a +Author: Kevin Parsons +Date: Mon Mar 4 12:52:18 2019 -0800 + + Change default LCOW OS boot files path + + Signed-off-by: Kevin Parsons + +commit 289c76d66de6a38da3a1c6ea98d8481629f72170 +Merge: a9997c3a9 1aa4a4e93 +Author: Justin +Date: Wed Mar 6 11:33:52 2019 -0800 + + Merge pull request #507 from kevpar/create-scratch-pre-rs5 + + Throw an error if create-scratch attempted pre-RS5 + +commit 1aa4a4e9378c3ac0b8cdbc7d97403f8b78bf4d9f +Author: Kevin Parsons +Date: Wed Mar 6 10:50:48 2019 -0800 + + Throw an error if create-scratch attempted pre-RS5 + + Signed-off-by: Kevin Parsons + +commit a9997c3a96d98feed884046867ca520972f56466 +Merge: 0015687a0 08bbfb729 +Author: Justin +Date: Tue Mar 5 22:16:55 2019 -0800 + + Merge pull request #504 from Microsoft/build_uvmboot + + CI build uvmboot.exe + +commit 08bbfb729a5ecc399ce940ebee3683a43746385c +Author: Justin Terry (VM) +Date: Tue Mar 5 22:13:55 2019 -0800 + + Add zapdir to appveyor + + 
Signed-off-by: Justin Terry (VM) + +commit d63b2e215d7c7f34aa6b1be0276b3b856c5b7708 +Author: Justin Terry (VM) +Date: Thu Jan 24 13:40:54 2019 -0800 + + CI build uvmboot.exe + + Signed-off-by: Justin Terry (VM) + +commit 0015687a01b82c8c24f2ce607da7f9e0c935af5e +Merge: 486cce1f7 18ad36970 +Author: Justin +Date: Tue Mar 5 12:34:03 2019 -0800 + + Merge pull request #502 from Microsoft/cri_privileged + + Add OCI privileged container support + +commit e8850a5d68ec80007eb63cab6f33df62fe3a019f +Merge: f1b2fa8f4 4b6326866 +Author: Justin +Date: Tue Mar 5 12:07:35 2019 -0800 + + Merge pull request #284 from Microsoft/fix_additional_device_append + + Fix additional append in host device list + +commit 4b6326866f61e7dd6c30610ce3f3c6a7b1a3b8b3 +Author: Justin Terry (VM) +Date: Tue Mar 5 11:54:45 2019 -0800 + + Fix additional append in host device list + + Signed-off-by: Justin Terry (VM) + +commit f1b2fa8f4261fa0e2994d7d9f65f5f109fe3da52 +Merge: eec8f895b 954d71280 +Author: John Howard +Date: Tue Mar 5 11:57:20 2019 -0800 + + Merge pull request #283 from Microsoft/fix_log_message + + Fix comment for privileged container detection + +commit 954d712807ccec91e3dc7049dc347817b8148f05 +Author: Justin Terry (VM) +Date: Tue Mar 5 11:54:45 2019 -0800 + + Fix comment for privileged container detection + + Signed-off-by: Justin Terry (VM) + +commit eec8f895b92684abae4222f3aede764f3fe352d2 +Merge: a10967154 87b593341 +Author: John Howard +Date: Tue Mar 5 11:47:19 2019 -0800 + + Merge pull request #282 from Microsoft/privileged_support + + Add OCI Privileged container support + +commit 87b593341c6deb399f92bfc750e185d9ca575bb3 +Author: Justin Terry (VM) +Date: Fri Mar 1 16:07:28 2019 -0800 + + Add OCI Privileged container support + + Signed-off-by: Justin Terry (VM) + +commit 18ad36970bf220c34b137f7cbcfd6e869d3335f4 +Author: Justin Terry (VM) +Date: Fri Mar 1 16:09:32 2019 -0800 + + Add OCI privileged container support + + 
Signed-off-by: Justin Terry (VM) + +commit 486cce1f7e15368cbbe7242784dd877afff22800 +Merge: 4dd3466fb 0d5e16494 +Author: Justin +Date: Mon Mar 4 18:07:40 2019 -0800 + + Merge pull request #499 from Microsoft/cri_containerd_create_tests + + Add initial CreateContainer tests + +commit a10967154e143a36014584a6f664344e3bb0aa64 +Merge: 6bae68b4c 68357fd00 +Author: Kevin Parsons +Date: Mon Mar 4 15:48:00 2019 -0800 + + Merge pull request #281 from Microsoft/jjh/unixlineendings + + Unix line endings on .c files + +commit 68357fd0018ebafbe4e3b5cb1868cac2ed42e5d8 +Author: John Howard +Date: Mon Mar 4 15:36:15 2019 -0800 + + Unix line endings on .c files + + Signed-off-by: John Howard + +commit 6bae68b4cbc77c1283a555590f288c7811fbc2e5 +Merge: 1ce616605 2d551da2e +Author: Justin +Date: Mon Mar 4 14:07:18 2019 -0800 + + Merge pull request #280 from Microsoft/jjh/lcow.vhdx + + Remove VHDX booting + +commit 2d551da2ed2452ada55a365f53e989ddc3128033 +Author: John Howard +Date: Mon Mar 4 12:47:47 2019 -0800 + + Remove VHDX booting + + Signed-off-by: John Howard + +commit 4dd3466fb47933ff5df526e7751cdf1f6315bfcf +Merge: 567e65d9f 03f38f92c +Author: Justin +Date: Mon Mar 4 11:14:58 2019 -0800 + + Merge pull request #501 from Microsoft/jjh/delete + + Delete rather than nil + +commit 03f38f92ce1cc48e5a2a7f2fa762f67ba22a2b9a +Author: John Howard +Date: Mon Mar 4 11:10:36 2019 -0800 + + Delete rather than nil + + 
Signed-off-by: John Howard + +commit 567e65d9f69090d3ea89bf5a9fbad4d57ab87b90 +Merge: 046607f53 ebbed9470 +Author: Justin +Date: Mon Mar 4 09:55:50 2019 -0800 + + Merge pull request #473 from nagiesek/subnetValidation + + We throw if address prefix given but no gateway + +commit 046607f53bc6f9a14901ed85d355fbb6faa5306d +Merge: f7ee4ec62 21d92ba49 +Author: Justin +Date: Mon Mar 4 09:54:24 2019 -0800 + + Merge pull request #500 from Microsoft/jjh/typo + + Fix logging typo + +commit 21d92ba49db9cd6a4c0115e2e46ab04118d136d3 +Author: John Howard +Date: Mon Mar 4 09:01:43 2019 -0800 + + Fix logging typo + + Signed-off-by: John Howard + +commit 0d5e1649489b4f3f29a87f2660dfb57b86021c7c +Author: Justin Terry (VM) +Date: Wed Feb 27 14:10:49 2019 -0800 + + Add initial CreateContainer tests + + Signed-off-by: Justin Terry (VM) + +commit f7ee4ec62b1493c53e699ea11c4ebdd8fd07d837 +Merge: 752e1af1f b92f3496a +Author: Justin +Date: Fri Mar 1 12:23:28 2019 -0800 + + Merge pull request #496 from kevpar/zap-error-reporting + + Improve zapdir error reporting + +commit 752e1af1f79d13ed5ebfe9cbfff5f44d42174521 +Merge: d072923cc 134e29d69 +Author: Justin +Date: Fri Mar 1 12:19:11 2019 -0800 + + Merge pull request #498 from Microsoft/fix_exec_tty + + Fix bug in runhcs shim with tty=true on close + +commit 134e29d694967f9e7a910cefb4470b1555a40db7 +Author: Justin Terry (VM) +Date: Fri Mar 1 12:02:09 2019 -0800 + + Fix bug in runhcs shim with tty=true on close + + On close in the case of a tty the caller does not know the close is taking + place and does not have the ability to unblock the upstream pipes. Since the + caller might not be issuing any stdin even though we close the hcs side of the + pipe there is nothing that alerts go to unblock the io.Copy. + + This fix stops waiting for Stdin to finish the io.Copy on hcs process exit. + + 
Signed-off-by: Justin Terry (VM) + +commit b92f3496aa8607ed7fe533160cb8484947ab3d2b +Author: Kevin Parsons +Date: Fri Mar 1 02:13:01 2019 -0800 + + Improve zapdir error reporting + + Signed-off-by: Kevin Parsons + +commit ebbed947013a755094849ab922778b0753e40912 +Author: Nathan Gieseker +Date: Thu Feb 28 17:12:11 2019 -0800 + + errors if address prefix present but no gateway, errors if no default gateway, errors if endpont is created with namespace + +commit d072923cc3815b8af9d9562c7578e056b81f695d +Merge: 790944b3d 7c9e5bfca +Author: Justin +Date: Wed Feb 27 13:43:04 2019 -0800 + + Merge pull request #494 from kevpar/pass-boot-files-path + + Allow runtime option to override LCOW OS directory + +commit 7c9e5bfcac509537ecdd98e98b7057542ba2131c +Author: Kevin Parsons +Date: Mon Feb 25 20:11:31 2019 -0800 + + Allow runtime option to override LCOW OS directory + + Signed-off-by: Kevin Parsons + +commit 1ce616605f0cc45f5a4cf4d93db18dad4fbaa124 +Merge: 2a70647e9 50d82729b +Author: John Howard +Date: Tue Feb 26 22:12:24 2019 -0800 + + Merge pull request #278 from Microsoft/go1.11.5 + + Bump runc; golang 1.11.5 + +commit 790944b3d17e185930b487555f53c8017ca2b82e +Merge: 2fc684659 0cb1b01ad +Author: Justin +Date: Tue Feb 26 20:19:32 2019 -0800 + + Merge pull request #492 from Microsoft/cri_scenarios + + Implement RunPodSandbox P0 tests for cri-containerd + +commit 0cb1b01ad7fbfe74e78d93f91609210962d29205 +Author: Justin Terry (VM) +Date: Tue Feb 26 08:09:52 2019 -0800 + + Implement RunPodSandbox P0 tests for cri-containerd + + Signed-off-by: Justin Terry (VM) + +commit 50d82729bdb623c1555d861e743d4aef1fc9fb7a +Author: John Howard +Date: Tue Feb 26 14:07:11 2019 -0800 + + Bump runc; golang 1.11.5 + + 
Signed-off-by: John Howard + +commit 2fc684659425f895b7c06f70bdf95fe1c387a07e +Merge: d15d58dcd 384f3f656 +Author: Justin +Date: Tue Feb 26 14:03:27 2019 -0800 + + Merge pull request #491 from kevpar/add-zap-tool + + Add zapdir utility to delete data directories + +commit 384f3f656d8e4ce33746274f2d45d2564a6166db +Author: Kevin Parsons +Date: Tue Feb 26 10:38:28 2019 -0800 + + Add zapdir utility to delete data directories + + Signed-off-by: Kevin Parsons + +commit d15d58dcd390f5e57a1046b3a8cbcdfcdbfb899f +Merge: 23874b725 60f0c0c06 +Author: John Howard +Date: Mon Feb 25 15:31:18 2019 -0800 + + Merge pull request #490 from Microsoft/v2_delete_timeout + + Fix delete hang when the platfrom does not return + +commit 60f0c0c06cab1c4beab54cdc48678f7865a0d2fa +Author: Justin Terry (VM) +Date: Mon Feb 25 15:26:50 2019 -0800 + + Fix delete hang when the platfrom does not return + + Signed-off-by: Justin Terry (VM) + +commit 23874b72556e811875c99eb734bebe5b321cc71b +Merge: 2af37ca39 fb0c8a35b +Author: Justin +Date: Mon Feb 25 15:27:28 2019 -0800 + + Merge pull request #489 from jterry75/v2_simplify_hcstask_lifetime + + Simplify the hcstask/exec exit state transitions. + +commit fb0c8a35bfa147dd8c9c5248200c6948ea3cf2b8 +Author: Justin Terry (VM) +Date: Mon Feb 25 11:31:03 2019 -0800 + + Simplify the hcstask/exec exit state transitions. + + There are some very subtile ways in which the code could fail to event the + exit and cause an upstream listener to continue to think the shim is still + running even though the task had indeed exited. + + Signed-off-by: Justin Terry (VM) + +commit 2af37ca39404be7b472784aca21fb4da52f2d2de +Merge: 169f005c6 b06744111 +Author: Justin +Date: Sat Feb 23 12:23:29 2019 -0800 + + Merge pull request #488 from Microsoft/v2_simplify_io + + Simplify v2 shim upstream IO handling + +commit b067441113ed088810330f14215ca67dadce2352 +Author: Justin Terry (VM) +Date: Sat Feb 23 10:41:30 2019 -0800 + + Simplify v2 shim upstream IO handling + + 
Signed-off-by: Justin Terry (VM) + +commit 169f005c6a7ee9ad1bd85fe732c28497504a3252 +Merge: b6fc2762a 420a1c0ae +Author: Justin +Date: Sat Feb 23 09:56:05 2019 -0800 + + Merge pull request #485 from ksubrmnn/v2_version + + Update minor version for HNS V2 support + +commit b6fc2762a5ec3b03b77e6f55618adce8ad082293 +Merge: 404d53605 49d15bfb4 +Author: Justin +Date: Fri Feb 22 21:35:49 2019 -0800 + + Merge pull request #487 from Microsoft/fix_netns_argon + + Fix panic trying to provision guest network on process container + +commit 49d15bfb4954394e7f3c84e43ace3c6572adaa27 +Author: Justin Terry (VM) +Date: Fri Feb 22 19:12:17 2019 -0800 + + Fix panic trying to provision guest network on process container + + When should only be creating the guest network for WCOW when the container is + hypervisor isolated. + + Signed-off-by: Justin Terry (VM) + +commit 420a1c0ae062cc46542502898f67d5270dfd3254 +Author: ksubrmnn +Date: Fri Feb 22 09:43:41 2019 -0800 + + Update minor version for HNS V2 support + +commit 404d53605b037239c92c4e5cc29ab0a4239c8c29 +Merge: 36fdb84dc 69cb2a424 +Author: Justin +Date: Wed Feb 20 23:16:53 2019 -0800 + + Merge pull request #483 from Microsoft/fix_netns_remove + + Fix bugs in provisioning NetNS on UVM + +commit 36fdb84dcfb65d10febe45ac999dac401166005d +Merge: 2fe644a8d 377459776 +Author: Justin +Date: Wed Feb 20 23:15:22 2019 -0800 + + Merge pull request #484 from Microsoft/fix_signals + + Add SignalSupport check and Signal validation to v2 shim + +commit 377459776326342f61f065e327fa7c39bab78ded +Author: Justin Terry (VM) +Date: Wed Feb 20 16:26:31 2019 -0800 + + Add SignalSupport check and Signal validation to v2 shim + + 
Signed-off-by: Justin Terry (VM) + +commit 69cb2a424e2c1d323ff0fe53a9d79245c16aa382 +Author: Justin Terry (VM) +Date: Wed Feb 20 06:43:07 2019 -0800 + + Fix bugs in provisioning NetNS on UVM + + 1. We should only run the cleanup logic for a standalone or sandbox container + with networking but not for individual workload containers. + + 2. We now provision the guest NetNS in the UVM for WCOW as a seperate step since + we don't actually provision the container in the guest. + + 3. Add begin/end tracing for networking provisioning to measure time on average. + + Signed-off-by: Justin Terry (VM) + +commit 2a70647e92b2e5d4956453880d3872bab9ee815a +Merge: b9fd6dfdb 372e91c9b +Author: Justin +Date: Tue Feb 19 20:57:53 2019 -0800 + + Merge pull request #273 from Microsoft/resolv_config + + Implement /etc/resolv.conf bind mount for sandbox/workload containers + +commit 372e91c9b1e5afed215ea0caa8ad0f829b53eea6 +Author: Justin Terry (VM) +Date: Wed Jan 16 15:31:45 2019 -0800 + + Implement /etc/resolv.conf bind mount for sandbox/workload containers + + Creates an /etc/resolv.conf file per sandbox/standalone container with a + network namespace and bind mounts that into the running container. For a + Kubernetes sandbox container will bind mount the same /etc/resolv.conf file + into all Workload containers with the same shared namespace. + + 
Signed-off-by: Justin Terry (VM) + +commit 2fe644a8dd6ff5667319b1b10c46a86255512676 +Merge: 66947b2b7 f8a8e771a +Author: Justin +Date: Tue Feb 19 19:51:49 2019 -0800 + + Merge pull request #482 from Microsoft/shim_shutdown + + Only allow Sandbox Task to shutdown a POD shim + +commit b9fd6dfdb0d8d3abf3a4b17a04f79318d74670f4 +Merge: 6aadcbd53 b912f3073 +Author: Justin +Date: Tue Feb 19 19:49:44 2019 -0800 + + Merge pull request #275 from Microsoft/remove_oslayer + + Remove MockOS/RealOS and Oslayer + +commit 6aadcbd53adc21daa407427a1e0617256618bf49 +Merge: dbb941f38 873bc4823 +Author: Justin +Date: Tue Feb 19 19:49:23 2019 -0800 + + Merge pull request #276 from jstarks/dm + + devicemapper: Code to create and destroy dm devices + +commit dbb941f38a950e06e5f11916ecac0bfb8ca5ee17 +Merge: f06b15959 b593f81cd +Author: Justin +Date: Tue Feb 19 19:48:59 2019 -0800 + + Merge pull request #265 from jterry75/tar2ext4 + + Remove tar2vhd from the OpenGCS + +commit f8a8e771a1bd9762fdecc73daf089e65418a7433 +Author: Justin Terry (VM) +Date: Tue Feb 19 16:45:38 2019 -0800 + + Only allow Sandbox Task to shutdown a POD shim + + Signed-off-by: Justin Terry (VM) + +commit 66947b2b74188ce253d909b471ee32a5b215a98d +Merge: 224f4622e 48e0d4aa1 +Author: John Howard +Date: Fri Feb 15 19:34:06 2019 -0800 + + Merge pull request #480 from Microsoft/jjh/debug + + Setup stackdump correctly; add debugger event + +commit 48e0d4aa1fa8a78e69fb62df89481a3ea5eb6644 +Author: John Howard +Date: Fri Feb 15 15:29:55 2019 -0800 + + Setup stackdump correct; debug event + + Signed-off-by: John Howard + +commit 224f4622ef4c6f75fbf0e58324b2c2a5b5c5d5a3 +Merge: 18f48441e d32815b9b +Author: Justin +Date: Fri Feb 15 19:00:38 2019 -0800 + + Merge pull request #481 from Microsoft/shim_owner + + Only use shim binary name for ComputeSystem owner + +commit d32815b9b2ca688bac235667028b940148bad3fe +Author: Justin Terry (VM) +Date: Fri Feb 15 18:18:24 2019 -0800 + + Only use shim binary name for ComputeSystem owner + + 
Signed-off-by: Justin Terry (VM) + +commit 18f48441ece05fa28868da3106713ac1a038ae9e +Merge: 0bac3090e 8420ac58d +Author: Justin +Date: Fri Feb 15 18:11:01 2019 -0800 + + Merge pull request #479 from Microsoft/shim_exit_logging + + Add better hcsTask exit logging and handling + +commit 8420ac58de8d15d4b71dd7a35e0d3aca84733468 +Author: Justin Terry (VM) +Date: Fri Feb 15 14:45:52 2019 -0800 + + Add better hcsTask exit logging and handling + + Signed-off-by: Justin Terry (VM) + +commit 0bac3090ef2785d90967a524117d502258d549d3 +Merge: 4276f6583 b948989a1 +Author: Justin +Date: Fri Feb 15 12:25:10 2019 -0800 + + Merge pull request #478 from Microsoft/fix_standalone_xenon_rs1 + + Fixes a bug in Xenon activation on RS1-RS4 hosts + +commit b948989a1789e5b278450e4fb3a68c6d00c865d5 +Author: Justin Terry (VM) +Date: Fri Feb 15 12:21:11 2019 -0800 + + Fixes a bug in Xenon activation on RS1-RS4 hosts + + For RS1-RS4 hosts the utility VM was not managed directly but the OCI spec + still used the presence of the HyperV section to determine the isolation level. + This change will only craete the Utility VM if the Host OS is >= RS5. + + Signed-off-by: Justin Terry (VM) + +commit 4276f6583edd79b96441207cf1b61af34060b12c +Merge: 2a3fb4feb 899887866 +Author: Justin +Date: Fri Feb 15 11:44:23 2019 -0800 + + Merge pull request #477 from Microsoft/exec_exit + + Stop resetting Pid to 0 on exec exit + +commit 899887866f7e4c913ca45aa3c906226cd59dbe5b +Author: Justin Terry (VM) +Date: Fri Feb 15 10:43:21 2019 -0800 + + Stop resetting Pid to 0 on exec exit + + Signed-off-by: Justin Terry (VM) + +commit 2a3fb4feb46b8363cf850a7d3eb82add2f736a69 +Merge: e2a4b598a 5a905ed70 +Author: Justin +Date: Thu Feb 14 14:40:26 2019 -0800 + + Merge pull request #475 from jterry75/execid_events + + Add ExecID to TaskDelete and StateResponse + +commit 5a905ed70752d50113d61813f5d71c8e3d62b327 +Author: Justin Terry (VM) +Date: Thu Feb 14 13:30:12 2019 -0800 + + Fix bug calling Kill in the exited state + + 
Signed-off-by: Justin Terry (VM) + +commit b77dd2c60afa6c62e9fb8d5656a43a7e72fcd900 +Author: Justin Terry (VM) +Date: Thu Feb 14 12:37:32 2019 -0800 + + Fix test error strings + + Signed-off-by: Justin Terry (VM) + +commit 08ea4e772b8e4c4026836e56152a37700e86c02e +Author: Justin Terry (VM) +Date: Thu Feb 14 07:59:03 2019 -0800 + + Add ExecID to TaskDelete and StateResponse + + Signed-off-by: Justin Terry (VM) + +commit e2a4b598a05a864bb19e832521d9d4c740b19bff +Merge: 687dfed69 aa654d43f +Author: John Howard +Date: Thu Feb 14 10:00:33 2019 -0800 + + Merge pull request #474 from Microsoft/jjh/waitfornotificationpanic + + Avoid panic in waitForNotification + +commit aa654d43fa793509a294cdea771d50cc8fca14b6 +Author: John Howard +Date: Thu Feb 14 09:37:18 2019 -0800 + + Avoid panic in waitForNotification + + Signed-off-by: John Howard + +commit 687dfed698c7d9de01ce63ee8b52651f2d8e8f47 +Merge: 94c0bafaf 186722515 +Author: Justin +Date: Wed Feb 13 20:44:35 2019 -0800 + + Merge pull request #472 from jterry75/containerd_shim + + Implements the "out of tree" containerd-shim-runhcs-v1 + +commit 186722515afc70a67a753bbb3e3e6b1443635d37 +Author: Justin Terry (VM) +Date: Wed Feb 13 12:53:47 2019 -0800 + + Return TaskID for StateResponse.ID + + Signed-off-by: Justin Terry (VM) + +commit 98e294432f07e143df9b693e8ba4a5648d4ea4b7 +Author: Justin Terry (VM) +Date: Wed Feb 13 11:12:57 2019 -0800 + + CR Feedback + + Signed-off-by: Justin Terry (VM) + +commit c9c88da8a37a02af6d515cd70e0fcef4f3524136 +Author: Justin Terry (VM) +Date: Wed Feb 13 08:16:39 2019 -0800 + + Pod Kill all should skip exited tasks + + Signed-off-by: Justin Terry (VM) + +commit b0155ea650a635afef6a26da811cbaad0dbd0292 +Author: Justin Terry (VM) +Date: Tue Feb 12 10:53:35 2019 -0800 + + Fix AppVeyor CI format issue + + 
Signed-off-by: Justin Terry (VM) + +commit 219489c8cd083701c1a23f161b262a34b4bfb993 +Author: Justin Terry (VM) +Date: Tue Feb 12 10:48:29 2019 -0800 + + Fix unit test dereference on fake hcs.System ptr + + Signed-off-by: Justin Terry (VM) + +commit fd44906922588fc55b12add372e10f1374914227 +Author: Justin Terry (VM) +Date: Tue Feb 12 10:41:26 2019 -0800 + + Fix regression in WCOW PodSandbox Exec deadlock + + Signed-off-by: Justin Terry (VM) + +commit 63004f707c6b4bfb12125cef532ba3a70113617a +Author: Justin Terry (VM) +Date: Tue Feb 12 08:13:39 2019 -0800 + + Add containerd-shim-runhcs-v1 to AppVeyor + + Signed-off-by: Justin Terry (VM) + +commit 1f60e91bdb6dbd88f285a79ebfad8826e57da514 +Author: Justin Terry (VM) +Date: Tue Feb 12 09:54:33 2019 -0800 + + Implement containerd async events + + Signed-off-by: Justin Terry (VM) + +commit 03532f1f1b2467dc218272f35212c6179ed695cd +Author: Justin Terry (VM) +Date: Tue Feb 12 00:17:56 2019 -0800 + + Implement CreateExec for *COW + + Signed-off-by: Justin Terry (VM) + +commit 1c08b2b389af30a7a0f693a7e6a6d57728b5a3f8 +Author: Justin Terry (VM) +Date: Mon Feb 11 23:41:42 2019 -0800 + + Implement shim Shutdown when not using 'now' + + Signed-off-by: Justin Terry (VM) + +commit bcd456a263b813679038daf242bb15d1debad6df +Author: Justin Terry (VM) +Date: Mon Feb 11 23:26:21 2019 -0800 + + Fix issue in WCOW isolated activation + + Signed-off-by: Justin Terry (VM) + +commit 0b5a9fa2e40534d1efe50673babf5868c1509100 +Author: Justin Terry (VM) +Date: Mon Feb 11 10:16:27 2019 -0800 + + Change LCOW task/exec to HCS task/exec + + Signed-off-by: Justin Terry (VM) + +commit b912f307310d7273c739d302dd9692a5d5a16241 +Author: Justin Terry (VM) +Date: Mon Feb 11 09:06:16 2019 -0800 + + Remove MockOS/RealOS and Oslayer + + 
Signed-off-by: Justin Terry (VM) + +commit 7189a1c9c0257878e18c0b1191bb59a01f36ed94 +Author: Justin Terry (VM) +Date: Wed Feb 6 16:28:46 2019 -0800 + + Implement shim Create + + Implements the lcow standalone task and pod creation workflows. + Fixes a bug in the shim serve command where the logs pipe was expecting + a different address. + + Signed-off-by: Justin Terry (VM) + +commit 1df48976fd03ae1b88d61c093f667a1799f53843 +Author: Justin Terry (VM) +Date: Wed Feb 6 14:49:45 2019 -0800 + + Refactor OCI->UVM create logic for reuse + + Signed-off-by: Justin Terry (VM) + +commit 14759043848f19a610777c4e18209b60d530b528 +Author: Justin Terry (VM) +Date: Wed Feb 6 11:03:25 2019 -0800 + + Implement SandboxTask/Exec fakes for WCOW + + On WCOW for various reasons we dont need to actually create a Task/Exec + that is really backed by a container/process in the platform. These + fakes implement the model and manage the lifetime so that we can save + perf on POD creation for WCOW. + + Signed-off-by: Justin Terry (VM) + +commit 83c1452d263a7599c94553755e31f6d53cdcff9d +Author: Justin Terry (VM) +Date: Tue Feb 5 11:03:04 2019 -0800 + + Implement LCOW Exec + + Signed-off-by: Justin Terry (VM) + +commit 0c66b52c96b4d1cf3764e944f5a4730ea6052e07 +Author: Justin Terry (VM) +Date: Tue Feb 5 11:02:11 2019 -0800 + + Implement LCOW Task + + Signed-off-by: Justin Terry (VM) + +commit 9f97fdf1d972b44d1fa77128292e8b66a3effd62 +Author: Justin Terry (VM) +Date: Fri Feb 1 14:29:39 2019 -0800 + + Add ETW logging support + + Signed-off-by: Justin Terry (VM) + +commit 0fd48be0873f43ff1ff21f98f2cc9875083f33e1 +Author: Justin Terry (VM) +Date: Wed Jan 30 15:59:45 2019 -0800 + + Implement the actual pod manager + + 
Signed-off-by: Justin Terry (VM) + +commit 41c3d231706d3517de911ed1be2f1547ba444ce5 +Author: Justin Terry (VM) +Date: Tue Jan 29 17:15:43 2019 -0800 + + Implement the Pod/Task/Exec interfaces and lifetime model + + Adds the interfaces for Pod's/Task's/Exec's and implements the RuntimeV2 + service calls into these various interfaces. + + Adds unit tests for all RuntimeV2 calls in either a Pod runtime or a Task + runtime model. Implements the Pod/Task/Exec test impls for the UnitTests. + + Signed-off-by: Justin Terry (VM) + +commit e8124fcaee5f043a38c8b15c234aec078af2e3ba +Author: Justin Terry (VM) +Date: Mon Jan 28 22:07:49 2019 -0800 + + Fix bug in error capture + + Signed-off-by: Justin Terry (VM) + +commit 47f195b2654364a6ab056570e411343b6f981794 +Author: Justin Terry (VM) +Date: Mon Jan 28 21:44:39 2019 -0800 + + Implement the task vs sandbox start/serve sequence + + Signed-off-by: Justin Terry (VM) + +commit a9435aaf515a6c6c2bc9527512d3ea00d168781a +Author: Justin Terry (VM) +Date: Tue Dec 18 16:09:45 2018 -0800 + + Implement tests for start/delete commands + + Signed-off-by: Justin Terry (VM) + +commit 9641979cd9a9fc8fffc4222539b5b2a8a785913a +Author: Justin Terry (VM) +Date: Tue Dec 18 09:52:24 2018 -0800 + + Implement shim serve + + Implements the internal serve command that is used when we detect the case that + we should start a new shim. + + Signed-off-by: Justin Terry (VM) + +commit 04e241b1dfcc2df13c50c3867c3178dac10346f5 +Author: Justin Terry (VM) +Date: Tue Dec 18 09:46:54 2018 -0800 + + Add containerd-shim Windows manifest + + Signed-off-by: Justin Terry (VM) + +commit 3a4ef8190dcf8f3d314f0777b27b8ed02f4c6d6b +Author: Justin Terry (VM) +Date: Mon Dec 17 16:28:11 2018 -0800 + + Implement shim start. + + Signed-off-by: Justin Terry (VM) + +commit 7d4150fd170758a6e207defbf73a76d780c69aed +Author: Justin Terry (VM) +Date: Mon Dec 17 14:10:00 2018 -0800 + + Implement shim delete + + 
Signed-off-by: Justin Terry (VM) + +commit 5f2c3c5ebd0e73a859343ca384c56a96924e3902 +Author: Justin Terry (VM) +Date: Mon Dec 17 13:10:33 2018 -0800 + + Fixing incorrect binary name for containerd shim + + Signed-off-by: Justin Terry (VM) + +commit 445db8ad5105b5929cfe6445fbdb5f5bc8cf5612 +Author: Justin Terry (VM) +Date: Mon Dec 17 13:07:07 2018 -0800 + + Add service begin/end activity tracing + + Signed-off-by: Justin Terry (VM) + +commit 4b8d7864b87cc063382fe529ff1161600252f0db +Author: Justin Terry (VM) +Date: Wed Dec 12 22:20:28 2018 -0800 + + Adding initial shim + + Signed-off-by: Justin Terry (VM) + +commit 873bc482351007d1380815a5fc037e3a18d049b1 +Author: John Starks +Date: Sat Feb 9 14:03:08 2019 -0800 + + devicemapper: Code to create and destroy dm devices + +commit f06b159599df58cb02aa8a8d842edf425a906964 +Merge: 398a7f136 67205db91 +Author: Justin +Date: Fri Feb 8 08:44:08 2019 -0800 + + Merge pull request #274 from Microsoft/jjh/runtimespec + + (Manual)Vendor opencontainers/runtime-spec + +commit 94c0bafafd01e2b330935dd38b7aeb1dadedeee7 +Merge: 3ad134c0f 31fdae303 +Author: John Howard +Date: Thu Feb 7 20:43:18 2019 -0800 + + Merge pull request #467 from Microsoft/jjh/commandline + + WCOW: Use commandline in spec if populated + +commit 3ad134c0fad2f3f84a6b5ce1fc6595aa8ae0757a +Merge: 7226164ef e97e490fa +Author: John Howard +Date: Thu Feb 7 20:37:45 2019 -0800 + + Merge pull request #471 from Microsoft/fix_shutdown_endop + + Stop logging failure for pending shutdown + +commit e97e490fa984c36cc29eadb3eb7b1cb8b51e36f5 +Author: Justin Terry (VM) +Date: Thu Feb 7 20:21:10 2019 -0800 + + Stop logging failure for pending shutdown + + Signed-off-by: Justin Terry (VM) + +commit 67205db91690e5d298a80d12e6b387abe9b2a184 +Author: John Howard +Date: Thu Feb 7 13:12:23 2019 -0800 + + (Manual)Vendor opencontainers/runtime-spec + + 
Signed-off-by: John Howard + +commit 31fdae303f6fbb0c5d4060d6cedea81468747219 +Author: John Howard +Date: Fri Feb 1 13:12:03 2019 -0800 + + Vendor opencontainers/runtime-spec @ 29686dbc + + Signed-off-by: John Howard + + This is the version with `CommandLine` added. + +commit de2922b3440521abf66dd9ca3663b4f0543e9177 +Author: John Howard +Date: Fri Feb 1 13:18:50 2019 -0800 + + WCOW:Use commandline in spec if populated + + Signed-off-by: John Howard + +commit 7226164ef24d1f2aa2d7efa786aaaf35e355cc2d +Merge: f92b8fb9c e59d820ac +Author: Justin +Date: Mon Feb 4 18:47:26 2019 -0800 + + Merge pull request #463 from jstarks/plan9_single_file_map + + Add single-file mapping support to Plan9 + +commit f92b8fb9c92e17da496af5a69e3ee13fbe9916e1 (tag: v0.8.6) +Merge: f1e23b813 0720cb649 +Author: Justin +Date: Sun Feb 3 13:25:52 2019 -0800 + + Merge pull request #469 from Quasilyte/patch-1 + + internal/safeopen: fix strings.Contains args order + +commit 0720cb6492ac79891cc40a2cc66f2c8f59d84c26 +Author: Iskander (Alex) Sharipov +Date: Sat Feb 2 09:24:00 2019 +0300 + + internal/safeopen: fix strings.Contains args order + + The following (old) code: + + strings.Contains(":", path) + + Only returns true if path is ":" or an empty string. + This is not what was intended. + The proper ":" check is: + + strings.Contains(path, ":") + + Found by using new go-critic linter check. + + 
Signed-off-by: Iskander Sharipov + +commit f1e23b81346ce74074d0055eb4f6753009c6ee63 +Merge: df9dc97a4 337d9040c +Author: Justin +Date: Fri Feb 1 11:49:56 2019 -0800 + + Merge pull request #466 from Microsoft/fix_log_race + + Fix race in endoperation syscall logging + +commit df9dc97a434b1a8c0a6c9c35063e476a33153b5b +Merge: bc49f75c7 109740e34 +Author: Justin +Date: Fri Feb 1 09:52:56 2019 -0800 + + Merge pull request #461 from Microsoft/create_scratch_uvm_size + + Shrink the size of the create-scratch uvm + +commit 337d9040cd6472ea127443aec0b6d6af47cf4bdb +Author: Justin Terry (VM) +Date: Thu Jan 31 14:15:51 2019 -0800 + + Fix race in endoperation syscall logging + + Signed-off-by: Justin Terry (VM) + +commit 109740e343f2aeefb544201aa29966b6766d00d2 +Author: Justin Terry (VM) +Date: Mon Jan 28 14:30:41 2019 -0800 + + Shrink the size of the create-scratch uvm + + Signed-off-by: Justin Terry (VM) + +commit e59d820acee91f41ab1f6f7f29fd35e452285aca +Author: John Starks +Date: Tue Jan 29 13:15:17 2019 -0800 + + Add single-file mapping support to Plan9 + +commit bc49f75c72216a28ffc7443177f477aae7e61d1f +Merge: ea73c6043 050bc8ab2 +Author: Justin +Date: Tue Jan 29 06:55:42 2019 -0800 + + Merge pull request #462 from Microsoft/9p_regression + + Fix bug in Plan9 case sensitivity + +commit 050bc8ab2d34df5406c7c992a9315c63791745ba +Author: Justin Terry (VM) +Date: Mon Jan 28 19:44:40 2019 -0800 + + Fix bug in Plan9 case sensitivity + + Case sensitivity can only be set on a Plan9 share in the guest if the + source Windows directory supports it. Until we have this detection logic + make all shares case insensitive. + + 
Signed-off-by: Justin Terry (VM) + +commit ea73c60434fae8d3b1d02fc28391d628b0306ff4 (tag: v0.8.5) +Merge: 79a8f772c 60d6848f7 +Author: Justin +Date: Mon Jan 28 12:29:06 2019 -0800 + + Merge pull request #460 from Microsoft/go_runhcs_path + + Allow relative path match for runhcs.exe + +commit 60d6848f70e29970339cc47e3875cb9267a0613e +Author: Justin Terry (VM) +Date: Mon Jan 28 12:14:13 2019 -0800 + + Allow relative path match for runhcs.exe + + Signed-off-by: Justin Terry (VM) + +commit 79a8f772c4265236cf9da6af7f766b5caf2afb80 (tag: v0.8.4) +Merge: 722afe9f4 466e92f6e +Author: Justin +Date: Thu Jan 24 13:16:28 2019 -0800 + + Merge pull request #459 from Microsoft/vmlinux + + Add decompressed kernel support for LCOW start + +commit 466e92f6ed1b4b24e5aa4c9b7488d1708f02007b +Author: Justin Terry (VM) +Date: Thu Jan 24 12:53:15 2019 -0800 + + Add decompressed kernel support for LCOW start + + Signed-off-by: Justin Terry (VM) + +commit 722afe9f4aaf77358c1344c890f8e538bd1bd69d +Merge: 54042daa2 6fc8f670f +Author: Justin +Date: Wed Jan 23 07:53:15 2019 -0800 + + Merge pull request #458 from Microsoft/signal_support + + Fix support for Docker signal by value + +commit 6fc8f670f1bb3f946554652916ec817951b2bfe5 +Author: Justin Terry (VM) +Date: Tue Jan 22 16:38:22 2019 -0800 + + Fix support for Docker signal by value + + 
Signed-off-by: Justin Terry (VM) + +commit 54042daa2d15f2d98362667d702357c4f0659b27 +Merge: 6efef912c edea6f2b5 +Author: Justin +Date: Tue Jan 22 14:20:32 2019 -0800 + + Merge pull request #456 from ksubrmnn/mux + + Update DSR flags + +commit edea6f2b558caefab722b8f166a7570b221885e7 +Author: K Subramanian +Date: Fri Jan 18 11:13:01 2019 -0800 + + Add flags + +commit f7b83d7d5668aef1a90c5f52040bfd7dbbfbfd69 +Author: K Subramanian +Date: Fri Jan 18 09:28:53 2019 -0800 + + Update DSR flags + +commit 6efef912cc0ecd8778bab95d105662d4f73f8ccd +Merge: 63fd3694b d539e89ff +Author: Justin +Date: Thu Jan 17 15:03:02 2019 -0800 + + Merge pull request #455 from Microsoft/log_error_cleanup + + Stop logging operation errors when they are expected + +commit 398a7f13647b011fe0bdbc3abac0ba7b62dcc616 +Merge: fe757378b 32e28a183 +Author: Justin +Date: Thu Jan 17 15:01:21 2019 -0800 + + Merge pull request #270 from jstarks/better_init + + init: Replace with C implementation + +commit d539e89ff21ff9ae4abb54daef8f49d5238f4730 +Author: Justin Terry (VM) +Date: Thu Jan 17 14:28:13 2019 -0800 + + Stop logging operation errors when they are expected + + 
Signed-off-by: Justin Terry (VM) + +commit fe757378bac4414f81cb2ead4b92cfb17640b274 +Merge: 02639f308 9499fd270 +Author: Justin +Date: Thu Jan 17 13:43:48 2019 -0800 + + Merge pull request #272 from Microsoft/resize_console_v2 + + Implement missing ResizeConsole for V2 + +commit 63fd3694b44f6516c03a74430427341bfed2fceb +Merge: 69faf5ffd 43dc4c827 +Author: Justin +Date: Thu Jan 17 13:43:21 2019 -0800 + + Merge pull request #451 from Microsoft/vendor + + Vendor hcsshim dependencies for runhcs + +commit 69faf5ffdd744f172d39881e007a9a7c0c135612 +Merge: 62857588e d4be73454 +Author: Kevin Parsons +Date: Thu Jan 17 13:17:08 2019 -0800 + + Merge pull request #453 from kevpar/uvm-output-hang + + Refactor UVM output handling + +commit 62857588ee45f569e3e0369f3a4a63bbc34d042c +Merge: 8d67cb384 fb6277ba0 +Author: Justin +Date: Thu Jan 17 13:09:32 2019 -0800 + + Merge pull request #454 from Microsoft/support_unix_signal_for_windows + + Fix issue with Docker SignalMap + +commit fb6277ba05d2639b9566068693a8ecd86dda40d6 +Author: Justin Terry (VM) +Date: Thu Jan 17 12:55:56 2019 -0800 + + Fix issue with Docker SignalMap + + The Docker SignalMap for Windows passes the UNIX scheme so TERM and KILL. We + will no longer fail on Windows if a signal query comes in we simply convert it + to the correct Windows signal. + + TERM = CTRLC + KILL = CTRLSHUTDOWN + + Signed-off-by: Justin Terry (VM) + +commit 9499fd270b7cffd45ef06fe6c0fb2081504362a7 +Author: Justin Terry (VM) +Date: Thu Jan 17 12:10:03 2019 -0800 + + Implement missing ResizeConsole for V2 + + Signed-off-by: Justin Terry (VM) + +commit 02639f30849b40b9d48f365d30dcef2315ac3706 +Merge: d6587b1e6 4f682669b +Author: Justin +Date: Thu Jan 17 12:10:54 2019 -0800 + + Merge pull request #271 from Microsoft/logs_withfields + + Add logrus.WithFields for all V2 calls + +commit 4f682669b5f334d2dc00ef3df749e5c3d11fd48d +Author: Justin Terry (VM) +Date: Wed Jan 16 12:48:15 2019 -0800 + + Add logrus.WithFields for all V2 calls + + 
Signed-off-by: Justin Terry (VM) + +commit 32e28a18357f1f288a8d816bd200866273168ff1 +Author: John Starks +Date: Thu Jan 17 09:34:09 2019 -0800 + + init: Replace with C implementation + +commit d4be73454f597c11f73e3b4450ef7036edec03ab +Author: Kevin Parsons +Date: Wed Jan 16 15:40:42 2019 -0800 + + Fix UVM hang waiting for output when vsockexec failed to run + + Signed-off-by: Kevin Parsons + +commit 43dc4c8275caeada55e7efe8ac88b5cf783f08a8 +Author: Justin Terry (VM) +Date: Wed Jan 16 08:32:25 2019 -0800 + + Vendor hcsshim dependencies for runhcs + + Signed-off-by: Justin Terry (VM) + +commit 8d67cb3847c5817d3aeba79831bde54516790f72 +Merge: 993649bfc 332962ef0 +Author: Justin +Date: Tue Jan 15 21:26:30 2019 -0800 + + Merge pull request #447 from Microsoft/fix_plan9share + + Implement proper Plan9Share support for LCOW + +commit 993649bfc48232d3487b1d94e59b0a063c4dd6ad +Merge: 9715ee2c1 727e9dfff +Author: Kevin Parsons +Date: Tue Jan 15 16:54:07 2019 -0800 + + Merge pull request #450 from kevpar/fix-vhd-stat + + Fix rootfs.vhd check to not be inverted + +commit 727e9dfffba1246bbddd22d2ddc3c4e36ee8ee88 +Author: Kevin Parsons +Date: Tue Jan 15 16:20:24 2019 -0800 + + Fix rootfs.vhd check to not be inverted + + 
Signed-off-by: Kevin Parsons + +commit 9715ee2c137e80c7f975c59b0513f6f72c9ec32e +Merge: 53d38395f 22bdc2e02 +Author: Justin +Date: Tue Jan 15 15:57:30 2019 -0800 + + Merge pull request #448 from pradipd/NetworkFlags + + Add NetworkFlags to create NonPersistent networks. + +commit 22bdc2e02a460c9e1cda09b90f857f1f9ad15127 +Author: Pradip Dhara +Date: Tue Jan 15 15:28:22 2019 -0800 + + Add NetworkFlags to create NonPersistent networks. + +commit 53d38395f1c31f730f4384b698f1a6eebbe2e37a +Merge: 0ec87e6b5 9b58be8d7 +Author: Justin +Date: Tue Jan 15 12:38:10 2019 -0800 + + Merge pull request #446 from pradipd/master + + Adding HostRoute policy. + +commit 332962ef0274c44a029f59a09c1ae771fdf04cf1 +Author: Justin Terry (VM) +Date: Tue Jan 15 12:05:49 2019 -0800 + + Implement proper Plan9Share support for LCOW + + Signed-off-by: Justin Terry (VM) + +commit 9b58be8d7f36a803de871eca7a22ce8951466b41 +Author: Pradip Dhara +Date: Fri Jan 11 00:28:46 2019 -0800 + + Adding HostRoute policy. + +commit d6587b1e645af2a2e42c01b3e79ef402698a5a31 +Merge: ab42920e3 4ef5b0f48 +Author: Justin +Date: Tue Jan 15 09:47:51 2019 -0800 + + Merge pull request #268 from jterry75/loopback_up + + Set the local loopback interface up on init + +commit 0ec87e6b5263cb154fac39f62b0fafab7d07572a +Merge: 69ac8d3f7 11498c069 +Author: Kevin Parsons +Date: Mon Jan 14 15:25:55 2019 -0800 + + Merge pull request #445 from kevpar/use-etw-hook + + Use ETW Logrus hook in RunHCS + +commit 11498c069a9b67caec84904c62e2f344b2e67987 +Author: Kevin Parsons +Date: Mon Jan 14 12:07:26 2019 -0800 + + Let hook be cleaned up by process exit + + Signed-off-by: Kevin Parsons + +commit 4f42e4098f90c592eb1d187dd5d1dd317faaf038 +Author: Kevin Parsons +Date: Fri Jan 11 15:49:50 2019 -0800 + + Fix provider name + + Signed-off-by: Kevin Parsons + +commit afa1b263107170231b75c9d620f0f8b230b8d4d1 +Author: Kevin Parsons +Date: Fri Jan 11 14:32:27 2019 -0800 + + Use ETW Logrus hook in RunHCS + + 
Signed-off-by: Kevin Parsons + +commit 4ef5b0f48a84828a44146a2029fa46afc88c3962 +Author: Justin Terry (VM) +Date: Thu Jan 10 09:28:18 2019 -0800 + + Set the local loopback interface up on init + + Signed-off-by: Justin Terry (VM) + +commit 69ac8d3f7fc10a0623f3a2655958a1a5bb71f58f +Merge: 459af24a0 9979663d6 +Author: Justin +Date: Thu Jan 10 12:53:07 2019 -0800 + + Merge pull request #444 from ksubrmnn/dsr_version + + DSR version + +commit 9979663d6d57fc36616c58531aca77fa09d9140d +Author: ksubrmnn +Date: Thu Jan 10 11:12:05 2019 -0800 + + DSR version + +commit 459af24a02d1c9d578dbab8d491ad552e5b4d99c +Merge: eb3cd7b41 a41e5177e +Author: Justin +Date: Wed Jan 9 15:35:51 2019 -0800 + + Merge pull request #442 from jterry75/lcow_networking_v2 + + Implement LCOW V2 NetworkNamespace support + +commit ab42920e3bd507c8c21d7e731b20cf849866415c +Merge: 3b26b4d50 809bd0fd2 +Author: Justin +Date: Wed Jan 9 15:04:52 2019 -0800 + + Merge pull request #267 from jterry75/v2_networking + + Implement V2 Network HotAdd/Remove + +commit eb3cd7b416f554dc17c39f70209f00222372643a +Merge: eeeb8bf47 463bdb6d9 +Author: Justin +Date: Wed Jan 9 10:13:05 2019 -0800 + + Merge pull request #443 from Microsoft/remove_duplicate_write + + Remove duplicate error message write on runhcs failure + +commit a41e5177e465bd2d999a76a95071b1339329446b +Author: Justin Terry (VM) +Date: Wed Dec 12 14:54:33 2018 -0800 + + Implement LCOW V2 NetworkNamespace support + + Signed-off-by: Justin Terry (VM) + +commit 809bd0fd2cbe2f0e59f4998f777c133eb019c5f3 +Author: Justin Terry (VM) +Date: Wed Dec 5 13:58:20 2018 -0800 + + Implement V2 Network HotAdd/Remove + + Adds the ability to do a HotAdd/Remove to either a pre-created container or + to an existing container that already holds a network namespace. + + Signed-off-by: Justin Terry (VM) + +commit 463bdb6d90638a4ab41813a369f76f7772e5627d +Author: Justin Terry (VM) +Date: Mon Dec 17 11:01:58 2018 -0800 + + Remove duplicate error message write on runhcs failure + + 
Signed-off-by: Justin Terry (VM) + +commit b593f81cd3a91a690cf0352d5a9fbe27fb21728a +Author: Justin Terry (VM) +Date: Wed Dec 5 15:22:06 2018 -0800 + + Remove tar2vhd from the OpenGCS + + tar2vhd is a tool that converted a Docker layer tar to a vhd by use of + streaming the tar to a LCOW UtilityVM and extracting the tar to an ext4 + filesystem and streaming back the vhd. This tool has been replaced by a tool + in github.com/Microsoft/hcsshim/cmd/tar2ext4 that can do all of this locally + on a host without the need of a UtilityVM and is much faster. Use this tool + instead moving forward. + + Signed-off-by: Justin Terry (VM) + +commit eeeb8bf47a171360e5475d42077edb0e02a300ec +Merge: 1028f47e5 92028eb5c +Author: Justin +Date: Fri Jan 4 10:56:44 2019 -0800 + + Merge pull request #441 from Microsoft/fix_outputhandler_regression + + Fix regression in OutputHandler serialization + +commit 1028f47e5f41d65b81f45d6913640f47f8becc7c +Merge: 72cd9b58c 385c76f73 +Author: John Howard +Date: Fri Jan 4 10:34:43 2019 -0800 + + Merge pull request #438 from Microsoft/change_lcow_boot_default + + Enable KernelDirect and VHD boot by default + +commit 92028eb5c26859228ce28d93cd1ce5864ae6be5c +Author: Justin Terry (VM) +Date: Fri Jan 4 10:02:52 2019 -0800 + + Fix regression in OutputHandler serialization + + Signed-off-by: Justin Terry (VM) + +commit 72cd9b58ca71504a8a054bbca6a12fe10fea38b9 +Merge: 3cbb09db6 3bccdb6c8 +Author: Justin +Date: Thu Jan 3 17:05:33 2019 -0800 + + Merge pull request #439 from Microsoft/fliperrout + + Flips ForwardStdout/Err defaults + +commit 385c76f73231d9cabe093caa6a42a51a7e695227 +Author: Justin Terry (VM) +Date: Thu Jan 3 15:49:16 2019 -0800 + + Use const for rootfs.vhd and initrd.img strings + + Signed-off-by: Justin Terry (VM) + +commit 3bccdb6c8a658a996e4df61e85f3a92ee9ffe0ba +Author: John Howard +Date: Thu Jan 3 15:01:45 2019 -0800 + + Flips ForwardStdout/Err defaults + + 
Signed-off-by: John Howard + +commit e4b5959c70779097f7da59d9fcf92270b4c95ab4 +Author: Justin Terry (VM) +Date: Thu Jan 3 14:25:51 2019 -0800 + + Enable KernelDirect and VHD boot by default + + 
Signed-off-by: Justin Terry (VM) + +commit 3cbb09db6e047cf6284ab0bbd20618743492273a +Merge: 29678c03d 396eecb82 +Author: Justin +Date: Sat Dec 22 20:23:24 2018 -0800 + + Merge pull request #436 from ksubrmnn/remote_subnet + + Remote Subnet version + +commit 29678c03dd36d1093d0b84519df71f298359b7e3 +Merge: 6ea6731a1 dba5d1f28 +Author: Justin +Date: Fri Dec 21 06:31:50 2018 -0800 + + Merge pull request #433 from zawachte-msft/zawachte/DNS-Suffix-Domain + + DNS Suffix Change for Alignment with Container Network Interface Specification + +commit 396eecb82f2362cfca58af4eab71d5279e16605b +Author: ksubrmnn +Date: Thu Dec 20 15:23:07 2018 -0800 + + Remote Subnet version + +commit 6ea6731a1275ab8ee01920facc942cdd919993d8 +Merge: d0b3bfc2e 607e5df88 +Author: Justin +Date: Wed Dec 19 13:17:48 2018 -0800 + + Merge pull request #434 from jstarks/lcow_no_vsmb + + uvm: Don't use vsmb for LCOW boot files + +commit d0b3bfc2ea9303a6a506da319f67fe827530b91e +Merge: 218ab382f 798d328b9 +Author: Justin +Date: Wed Dec 19 13:09:39 2018 -0800 + + Merge pull request #413 from Microsoft/move_functional + + Move all end-to-end tests to the tests folder + +commit 607e5df881ef9ae4dc34424585a547611ff88384 +Author: John Starks +Date: Wed Dec 19 11:45:09 2018 -0800 + + uvm: Don't use vsmb for LCOW boot files + +commit 218ab382faf7089460168270998f0424c61453fa +Merge: 958687058 6a8ab8313 +Author: Justin +Date: Wed Dec 19 08:53:49 2018 -0800 + + Merge pull request #431 from greenhouse-org/fix-syscall-race + + Fix race in syscallWatcher + +commit 6a8ab8313de358dfbaa6c6b10fb30999450681bf +Author: Yechiel Kalmenson +Date: Wed Dec 19 09:41:07 2018 -0500 + + typo + +commit 798d328b92ae5b0f44d0b318f31ee2b68ad9e261 +Author: Justin Terry (VM) +Date: Wed Dec 5 13:52:07 2018 -0800 + + Move all end-to-end tests to the tests folder + + To better align with the golang project recommended layout moving all non-unit + tests to the /tests folder. These require full e2e running of containers in + various ways. 
All unit test's should still be written inline with the package + under test as normal. + + Signed-off-by: Justin Terry (VM) + +commit 958687058f7b536aae98ff64120d3d8e33994fbf +Merge: a0817b7c6 b9b5647b4 +Author: Justin +Date: Tue Dec 18 21:30:17 2018 -0800 + + Merge pull request #426 from Microsoft/simplify_uvm_ots + + Simplify WCOW/LCOW opts passing + +commit dba5d1f282a3a0f40260fdc1f1a4f42aafa05727 +Author: Zachary Wachtel +Date: Tue Dec 18 14:31:47 2018 -0800 + + DNS Suffix to Domain for CNCF Alignment + +commit a7b24f460bcdeaaefe35dcfc059113d45a408577 +Author: Sam Smith +Date: Tue Dec 18 14:22:49 2018 -0500 + + Fix race in syscallWatcher + + Signed-off-by: Yechiel Kalmenson + +commit b9b5647b408682e726ef3b8bd25f1cc3af2da263 +Author: Justin Terry (VM) +Date: Mon Dec 17 15:06:26 2018 -0800 + + Make lcow tests explicitly set RootFS + + Signed-off-by: Justin Terry (VM) + +commit 7da07fe161d1699afccf2a353fb329097d3b97ae +Author: Justin Terry (VM) +Date: Mon Dec 17 15:01:11 2018 -0800 + + Cleanup annotations parsing + + 
Signed-off-by: Justin Terry (VM) + +commit a0817b7c6113f929c90db0abad39a45fa42ec498 +Merge: 056bbe1bd 58eb2ac5a +Author: Justin +Date: Mon Dec 17 13:29:06 2018 -0800 + + Merge pull request #428 from Microsoft/stoponreset + + Forcibly set StopOnReset for all UVM's + +commit 056bbe1bd61d2ebb0e69e733d18a83dc8e647b6f +Merge: a9bf4b1ca a02aabe39 +Author: Justin +Date: Mon Dec 17 13:28:27 2018 -0800 + + Merge pull request #430 from jstarks/uvmboot_cp + + tools/uvmboot: Add --console-pipe argument + +commit a02aabe3912eefa9709142439712f524a9f1083d +Author: John Starks +Date: Mon Dec 17 12:04:31 2018 -0800 + + tools/uvmboot: Add --console-pipe argument + +commit a9bf4b1cab9da8224fdc1346aaaf695191deb64d +Merge: 2bf3a7ac4 35ed63b84 +Author: Justin +Date: Mon Dec 17 11:01:00 2018 -0800 + + Merge pull request #427 from erfrimod/erfrimod/delete-methods-stop-returning-objects + + Removing nil objects from returns of Delete functions. + +commit 35ed63b84ba92a02e281227747307d69e6925124 +Author: Erik Frimodig +Date: Fri Dec 14 15:14:14 2018 -0800 + + Fix tests. + +commit 58eb2ac5aceca7ae272b7cae97c9a4a659cdd29a +Author: Justin Terry (VM) +Date: Fri Dec 14 13:29:49 2018 -0800 + + Forcibly set StopOnReset for all UVM's + + Signed-off-by: Justin Terry (VM) + +commit 68a9cf73b5facf38adee985aa50a954da13edf8a +Author: Erik Frimodig +Date: Fri Dec 14 11:58:03 2018 -0800 + + Removing objects from returns of Delete functions. + +commit d144c3909d961ceda03c8a7fb749968ba4d0d96f +Author: Justin Terry (VM) +Date: Thu Dec 13 15:18:06 2018 -0800 + + Simplify WCOW/LCOW opts passing + + 
Signed-off-by: Justin Terry (VM) + +commit 2bf3a7ac42318aacfffd0805be705ff2e4d1138f +Merge: f5a45d840 65d14ed38 +Author: Justin +Date: Thu Dec 13 13:28:56 2018 -0800 + + Merge pull request #425 from Microsoft/remove_oci_from_uvm + + Remove OCI usage from UVM activation + +commit 65d14ed384062191624737e7fdbf82650e086546 +Author: Justin Terry (VM) +Date: Thu Dec 13 10:55:38 2018 -0800 + + Remove OCI usage from UVM activation + + 
Signed-off-by: Justin Terry (VM) + +commit f5a45d8404a2c1aae81be743af26bdbbd87c79d2 +Merge: ea3930ef4 dfade3cec +Author: Kevin Parsons +Date: Thu Dec 13 10:19:40 2018 -0800 + + Merge pull request #420 from kevpar/uvmboot + + Add uvmboot tool + +commit dfade3cecafe6e630f7586e22a4ca88c2cafd8f6 +Author: Kevin Parsons +Date: Tue Dec 11 18:05:32 2018 -0800 + + Address PR feedback + +commit cfc3a00ce0843b1eb6896a8bb352e1f9368c5aa6 +Author: Kevin Parsons +Date: Tue Dec 11 14:48:15 2018 -0800 + + Run gofmt + +commit 72109e2fe35ed969260fb4d6f5cc61eeca5dff7c +Author: Kevin Parsons +Date: Tue Dec 11 10:38:56 2018 -0800 + + Improve output handling for uvmboot case + +commit 2319dd503c8702ae0eee48ff14f7caf04be2cd18 +Author: Kevin Parsons +Date: Fri Dec 7 13:21:47 2018 -0800 + + Clean up logging and add --debug parameter to uvmboot + +commit 020663cc0803a03913f733f4bc7ef7497b38e683 +Author: Kevin Parsons +Date: Fri Dec 7 13:11:41 2018 -0800 + + Add new flags and use flag defaults in create_lcow for unspecified values + +commit 52d6822e7d24929b7acde9a212d65096ed6888e0 +Author: Kevin Parsons +Date: Fri Nov 30 12:09:37 2018 -0800 + + Add uvmboot tool + +commit ea3930ef439f3b023a9d4d474a3878d9555a27b5 +Merge: e1dc7c81e 189f68ca1 +Author: Justin +Date: Wed Dec 12 12:41:24 2018 -0800 + + Merge pull request #423 from kevpar/terminate_terminated_system + + Don't return an error when terminating an already stopped compute system + +commit e1dc7c81eded94c3146eca742dfe51fab240f311 +Merge: c1105fa0a 317478873 +Author: Justin +Date: Wed Dec 12 12:40:53 2018 -0800 + + Merge pull request #424 from kevpar/new_notification_types + + Add new notification types to callback handler + +commit c1105fa0acfa8d43319349092e36c7eaffca6567 +Merge: 4029deb81 bcd9fa332 +Author: Justin +Date: Wed Dec 12 12:40:25 2018 -0800 + + Merge pull request #422 from Microsoft/terminate_on_last_handle + + Use TerminateOnLastHandleClosed for UVM + +commit 317478873f62a5212c329a04cde07cded23d8d98 +Author: Kevin Parsons 
+Date: Wed Dec 12 12:29:22 2018 -0800 + + Add new notification types to callback handler + +commit 189f68ca1102dc2c3b419fcd98d7bbfb7765561a +Author: Kevin Parsons +Date: Wed Dec 12 12:26:36 2018 -0800 + + Don't return an error when terminating an already stopped compute system + +commit bcd9fa3323e6c5949d4a6a4f745db87d454ec07d +Author: Justin Terry (VM) +Date: Wed Dec 12 09:29:32 2018 -0800 + + Use TerminateOnLastHandleClosed for UVM + + Resolves: #421 + + Signed-off-by: Justin Terry (VM) + +commit 4029deb818d4f98ffd7e01b20990dfceac503843 +Merge: e5a0893d5 e4fe4931d +Author: Justin +Date: Tue Dec 11 14:35:08 2018 -0800 + + Merge pull request #418 from Microsoft/uvm_counter + + Stop using a global container counter for all UVM's + +commit e5a0893d54a2a1c7faf467f700c72c3166547a77 +Merge: 320804d04 44b6ec825 +Author: Justin +Date: Tue Dec 11 14:34:21 2018 -0800 + + Merge pull request #415 from jterry75/passthrough + + Add OCI passthrough mount support for WCOW/LCOW + +commit 320804d049d824e7b5253796413c46dc6ceb605e +Merge: 4dbd1827b 99705983c +Author: Justin +Date: Tue Dec 11 14:33:47 2018 -0800 + + Merge pull request #419 from jstarks/no_ole32 + + interop: Get CoTaskMemAlloc from API set instead of ole32 + +commit 99705983c1fdde6570a7d266140346374109e5b3 +Author: John Starks +Date: Tue Dec 11 13:11:18 2018 -0800 + + interop: Get CoTaskMemAlloc from API set instead of ole32 + + ole32 pulls in several unnecessary DLLs, increasing load time by 5 or 10 + milliseconds. + + This change also updates mksyscall_windows to support API sets. + +commit 2c7fd4c0580e42f2cd790c9ef13ab820a1f18d36 +Author: John Starks +Date: Tue Dec 11 13:19:12 2018 -0800 + + mksyscall_windows: Remove interop dependency + +commit e4fe4931db9533a2ac4aca6d7c0a3a3d44ab8637 +Author: Justin Terry (VM) +Date: Tue Dec 11 12:51:23 2018 -0800 + + Stop using a global container counter for all UVM's + + 
Signed-off-by: Justin Terry (VM) + +commit 44b6ec825113650b2a5ba1074312c39125cc31a8 +Author: Justin Terry (VM) +Date: Thu Nov 15 23:50:07 2018 -0800 + + Add OCI passthrough mount support for WCOW/LCOW + + This PR adds support for passthrough mounts to the UVM for WCOW/LCOW. This can + be accomplished by passing a mount in the OCI spec as follows: + + { + "type": "physical-disk", + "destination": "", + "source": "\\.\PHYSICALDRIVE", + "options": ["rbind", "rw"] + } + + { + "type": "virtual-disk", + "destination": "", + "source": "C:\\test.vhd", + "options": ["rbind", "rw"] + } + + Signed-off-by: Justin Terry (VM) + +commit 4dbd1827b31ad606a763ecabd8c940b6d6e38d09 +Merge: de207593c d475b3d66 +Author: Justin +Date: Mon Dec 10 09:51:03 2018 -0800 + + Merge pull request #414 from kevpar/defer_operation_fix + + Fix operation-end logging + +commit d475b3d669908593c515c26e7cae1b53a02bedb7 +Author: Kevin Parsons +Date: Fri Dec 7 16:16:37 2018 -0800 + + Fix operation-end logging + +commit de207593c9a568d756b4310644db967edf1624bc +Merge: 21b9ff6ae 460f5d30a +Author: Justin +Date: Thu Dec 6 12:34:08 2018 -0800 + + Merge pull request #412 from Microsoft/remove_rootfs2vhd + + Removing rootfs2vhd use tar2ext4 + +commit 460f5d30a058da4db5503aa0f0bdc035d8444f2d +Author: Justin Terry (VM) +Date: Wed Dec 5 13:25:43 2018 -0800 + + Removing rootfs2vhd use tar2ext4 + + The command rootfs2vhd was used to create a rootfs.vhd from an OpenGCS + rootfs.tar.gz. In order to use this it was necessary to start a UVM on an + actual machine. The tool tar2ext4 creates a better optimized version of + rootfs.vhd and can do so without a UVM creation. Use this tool instead. + + 
Signed-off-by: Justin Terry (VM) + +commit 21b9ff6ae68cea4aa1326192b44f02b6925cb57a +Merge: 504c18040 0fa0ccfef +Author: Justin +Date: Tue Dec 4 22:21:42 2018 -0800 + + Merge pull request #410 from Microsoft/uvm_create_refactor + + Split UVM create into WCOW/LCOW + +commit 504c18040421a61669db4533d18f5c2d657f8c2e +Merge: a83b08327 cb3af812e +Author: Justin +Date: Tue Dec 4 10:19:14 2018 -0800 + + Merge pull request #411 from Microsoft/wclayer_logrus + + Convert wclayer to use logrus.Fields + +commit cb3af812ee57536b3f3dfe025534e914508efa70 +Author: Justin Terry (VM) +Date: Mon Dec 3 23:15:11 2018 -0800 + + Convert wclayer to use logrus.Fields + + Signed-off-by: Justin Terry (VM) + +commit 0fa0ccfef020f37ca03192677f6f8ad323a6822b +Author: Justin Terry (VM) +Date: Tue Nov 20 15:48:25 2018 -0800 + + Split UVM create into WCOW/LCOW + + Splits up the internal uvm.Create into uvm.CreateWCOW and uvm.CreateLCOW which + enables us to have options for each. This makes the code significantly easier + to read and maintain. + + Signed-off-by: Justin Terry (VM) + +commit a83b08327360d83bedf49f8d9f732596dfc13df4 (tag: v0.8.3) +Merge: ac0c7acbe f9f4940bd +Author: Justin +Date: Mon Dec 3 13:42:18 2018 -0800 + + Merge pull request #409 from Microsoft/uvm_lcow_kernel_opts + + More LCOW boot opts + +commit f9f4940bd171e06ba5d24301ba35d9e0c41b40f0 +Author: Justin Terry (VM) +Date: Mon Dec 3 13:32:51 2018 -0800 + + Add LCOW pmtmr=0 boot opt + + Signed-off-by: Justin Terry (VM) + +commit d9e7874ec132a7d8de98132d6fb8f5b13efeb7f1 +Author: Justin Terry (VM) +Date: Mon Dec 3 13:08:20 2018 -0800 + + Add LCOW brd.rd_nr=0 boot opt + + 
Signed-off-by: Justin Terry (VM) + +commit ac0c7acbee2166d95505fc582649fdc10308b226 +Merge: e9983bad2 d623cb8b8 +Author: Justin +Date: Mon Dec 3 11:35:25 2018 -0800 + + Merge pull request #408 from Microsoft/wclayer_filterrw + + Remove FilterLayerReader/Writer as it is unused + +commit d623cb8b8acd8c88ad94449bd6a4732b5a870640 +Author: Justin Terry (VM) +Date: Sat Dec 1 13:54:20 2018 -0800 + + Remove FilterLayerReader/Writer as it is unused + + Signed-off-by: Justin Terry (VM) + +commit e9983bad27edda3d48e66b28a878bb1a3c5cedea +Merge: 67ddf37f4 f64ae7f68 +Author: Justin +Date: Sat Dec 1 12:51:40 2018 -0800 + + Merge pull request #406 from jstarks/ro_root + + uvm: Mark pmem0 root fs readonly + +commit f64ae7f68f4bb4cbda1212c67e6534a482a4744d +Author: John Starks +Date: Fri Nov 30 23:25:28 2018 -0800 + + uvm: Mark pmem0 root fs readonly + + Not doing this causes spurious machine checks during boot in some cases. + +commit 67ddf37f404e05299e33b83ff8867bf1275a3b79 +Merge: 7f5118e35 6290b5839 +Author: Justin +Date: Fri Nov 30 20:49:27 2018 -0800 + + Merge pull request #387 from Microsoft/log_kvp + + Changing logging to use logrus.WithFields + +commit 6290b58393c3047b6c0198751656088b207f88f1 +Author: Justin Terry (VM) +Date: Wed Nov 21 14:06:41 2018 -0800 + + Changing logging to use logrus.WithFields + + 
Signed-off-by: Justin Terry (VM) + +commit 7f5118e353221132688b2ecc1ffbc64dd539ad16 +Merge: 25fcd6a79 99fce7d68 +Author: Justin +Date: Fri Nov 30 15:43:07 2018 -0800 + + Merge pull request #405 from kevpar/callback-hang-fix + + Don't attempt to write to callback channels that we don't support + +commit 25fcd6a794cc95e8948e38396b86a55371720286 +Merge: 132be6d33 6763b8d86 +Author: Justin +Date: Fri Nov 30 15:31:10 2018 -0800 + + Merge pull request #402 from Microsoft/oci_uvm_cpu_mem_override + + Adding CPU and Memory override OCI annotations + +commit 132be6d33406394fc0430b6bd54be73a1e5271de +Merge: 3a08484f1 63dd75c8b +Author: Justin +Date: Fri Nov 30 15:29:32 2018 -0800 + + Merge pull request #401 from Microsoft/revertdsr + + Revert breaking change to AddLoadBalancer + +commit 3a08484f11b2ea62c29d004b46a7550cbad0086b +Merge: d98a2594a be27fce3e +Author: Justin +Date: Fri Nov 30 15:28:46 2018 -0800 + + Merge pull request #404 from Microsoft/machine_generated + + Update generated file headers for mksyscall_windows + +commit d98a2594a3121d0b2e196830ece25f20a3f1e765 +Merge: 7f79371e7 b111b2465 +Author: Justin +Date: Fri Nov 30 14:58:44 2018 -0800 + + Merge pull request #400 from Microsoft/linux_kernel_direct + + Adding LinuxKernelDirect boot support + +commit 99fce7d68cfc6f3acd993cfef02d3f41dcbb7549 +Author: Kevin Parsons +Date: Fri Nov 30 12:42:06 2018 -0800 + + Don't attempt to write to callback channels that we don't support + +commit be27fce3ec340ea2db0501dfb9412c86a47cc7e1 +Author: Justin Terry (VM) +Date: Fri Nov 30 12:03:49 2018 -0800 + + Update generated file headers for mksyscall_windows + + Update to comply with the go standard for generated files found here: + https://github.com/golang/go/issues/13560#issuecomment-288457920 + + Signed-off-by: Justin Terry (VM) + +commit 63dd75c8beaf951849dcc4ac99a241e852dfc3c3 +Author: John Howard +Date: Fri Nov 30 10:27:21 2018 -0800 + + Rever isDSR breaking change to HNSAddLoadBalancer + + 
Signed-off-by: John Howard + +commit b111b24658f6ca506c4d9c47a62c3a91de6ba2b4 +Author: Justin Terry (VM) +Date: Thu Nov 29 15:34:38 2018 -0800 + + Adding LinuxKernelDirect boot support + + Signed-off-by: Justin Terry (VM) + +commit 7f79371e7bf92cb4953e9b9ca70cc3b7ef01602d +Merge: 371bbcbe2 1bbe025bc +Author: Justin +Date: Fri Nov 30 10:27:28 2018 -0800 + + Merge pull request #397 from Microsoft/scsi_uint32_uvm + + UVMOptions.SCSIControllerCount should be uint + +commit 371bbcbe229706caee37a1898e0b2317cdc39aa6 +Merge: f827be4ff d2e9ace33 +Author: Justin +Date: Fri Nov 30 10:11:42 2018 -0800 + + Merge pull request #403 from tfenster/patch-1 + + fix typo + +commit d2e9ace33c4e0ce6e1cc90e50946646557032919 +Author: Tobias Fenster +Date: Fri Nov 30 19:07:42 2018 +0100 + + fix typo + +commit 6763b8d8663690f4500d444c935564bada5f0e35 +Author: Justin Terry (VM) +Date: Thu Nov 29 22:07:30 2018 -0800 + + Adding CPU and Memory override OCI annotations + + Signed-off-by: Justin Terry (VM) + +commit f827be4ff656e1fb4956c994cb193e22a9a76942 +Merge: 3f7661148 e93d509eb +Author: Justin +Date: Thu Nov 29 15:42:33 2018 -0800 + + Merge pull request #399 from Microsoft/uvm_create_opts_test + + Cleanup uvm functional tests to use opts + +commit e93d509eb01c5c74008a7739e4bfb6e1f634f865 +Author: Justin Terry (VM) +Date: Thu Nov 29 14:45:53 2018 -0800 + + Cleanup uvm functional tests to use opts + + Signed-off-by: Justin Terry (VM) + +commit 1bbe025bc8eab69ef7c27c0cfc85e6f5787bb1a7 +Author: Justin Terry (VM) +Date: Thu Nov 29 10:39:41 2018 -0800 + + UVMOptions.SCSIControllerCount should be uint + + 
Signed-off-by: Justin Terry (VM) + +commit 3f76611480813aaa40a6401d1b0db8db5b5dd8a2 +Merge: 2da02d8fe cec2b0df5 +Author: Justin +Date: Thu Nov 29 13:33:51 2018 -0800 + + Merge pull request #398 from Microsoft/uart_enable_vmdebug + + Moving uart kernel config to ComPort creation + +commit cec2b0df57b633581ec98d17b6342e30faad590a +Author: Justin Terry (VM) +Date: Thu Nov 29 10:43:28 2018 -0800 + + Moving uart kernel config to ComPort creation + + Signed-off-by: Justin Terry (VM) + +commit 2da02d8feae6d5e622e39b196f570849aa286768 +Merge: 263722c20 f2636a732 +Author: Justin +Date: Thu Nov 29 13:21:54 2018 -0800 + + Merge pull request #396 from Microsoft/jjh/envoverride + + Annotation for preferred rootfs type + +commit f2636a732b85ba6ef82ed2c571107c9560f09f2e +Author: John Howard +Date: Thu Nov 29 09:51:22 2018 -0800 + + Annotation for preferred rootfs type + + Signed-off-by: John Howard + +commit 263722c202f3e3cbe07f1491e645acf24961f3a3 +Merge: 113ee11be c96ef8c64 +Author: Justin +Date: Wed Nov 28 17:16:26 2018 -0800 + + Merge pull request #394 from Microsoft/lcow_quiet + + Set LCOW kernel boot quiet for production + +commit c96ef8c64bb4ab422e40dd01babeabdc6a46cf2f +Author: Justin Terry (VM) +Date: Wed Nov 28 16:22:07 2018 -0800 + + Set LCOW kernel boot quiet for production + + Signed-off-by: Justin Terry (VM) + +commit 113ee11be1e5fd17ecd0a055315bf1447ca26e1d +Merge: 4b8e5951c 9720f99de +Author: Justin +Date: Wed Nov 28 15:36:09 2018 -0800 + + Merge pull request #393 from Microsoft/no_serial + + Skip uart enumeration on production boot + +commit 9720f99def3d978a4d9dbcec3854d41d070791b7 +Author: Justin Terry (VM) +Date: Wed Nov 28 15:28:18 2018 -0800 + + Skip uart enumeration on production boot + + 
Signed-off-by: Justin Terry (VM) + +commit 4b8e5951c74b714bcf02deaedfce3258e7c164bb +Merge: eb23b2c8d 49789112b +Author: Justin +Date: Wed Nov 28 14:56:46 2018 -0800 + + Merge pull request #392 from Microsoft/pci_off + + Turn pci devices off for LCOW + +commit 49789112bc73951e66600c891b2e39f0c60ea1ee +Author: Justin Terry (VM) +Date: Wed Nov 28 14:19:12 2018 -0800 + + Turn pci devices off for LCOW + + Signed-off-by: Justin Terry (VM) + +commit eb23b2c8d8548b28c989340264351ca25e82008f +Merge: cf26dff31 440ef2fc1 +Author: Justin +Date: Tue Nov 27 15:03:03 2018 -0800 + + Merge pull request #391 from Microsoft/runhcs_cmd_context_master + + Store the runhcs.exe path for faster invocation + +commit 440ef2fc185b1358e440ac49d92fec8dde6b1155 +Author: Justin Terry (VM) +Date: Tue Nov 27 12:40:36 2018 -0800 + + Store the runhcs.exe path for faster invocation + + Signed-off-by: Justin Terry (VM) + +commit cf26dff31d80f0c692725570e369ff127b7e9313 +Merge: 1e4444511 3e9e94dc2 +Author: Justin +Date: Tue Nov 20 19:33:54 2018 -0800 + + Merge pull request #385 from Microsoft/fix_owner_on_createscratch + + Forward Owner to runhcs create-scratch + +commit 1e44445110e5bae589513fc17e02ac68c5d2e0a5 +Merge: 62c7eb6ea 44fd3f569 +Author: John Starks +Date: Tue Nov 20 16:26:19 2018 -0800 + + Merge pull request #386 from jiria/jiria/fix-arm32-int-overflow + + Fix int overflow for ARM32 builds + +commit 44fd3f56932b844aad316a304020daabe6949abb +Author: Jiri Appl +Date: Tue Nov 20 16:21:59 2018 -0800 + + Fix int overflow for ARM32 builds + +commit 3e9e94dc2eb5a59808ae4c05aefa678b30b2704c +Author: Justin Terry (VM) +Date: Tue Nov 20 15:43:44 2018 -0800 + + Forward Owner to runhcs create-scratch + + 
Signed-off-by: Justin Terry (VM) + +commit 62c7eb6ea169ccab0a1b0fb7c2915de611950236 +Merge: 6040dd26d 73aa4feb1 +Author: Justin +Date: Tue Nov 20 15:31:34 2018 -0800 + + Merge pull request #384 from Microsoft/fix_schemaversion_tests + + Fix schemaversion tests on RS5+ + +commit 73aa4feb1d0c76a85d1dce1eb895d75c3528a66e +Author: Justin Terry (VM) +Date: Tue Nov 20 13:50:15 2018 -0800 + + Fix schemaversion tests on RS5+ + + Signed-off-by: Justin Terry (VM) + +commit 6040dd26d8de28ff4637b34e21929f52898ca1a0 +Merge: 6abe1bb09 5030fb027 +Author: Justin +Date: Mon Nov 19 15:13:30 2018 -0800 + + Merge pull request #383 from Microsoft/remove_unused_cmd + + Remove unused test cmd + +commit 6abe1bb098661c9b5c40f48ed28c4bf5decc1223 +Merge: 643242df9 ec43188ac +Author: Justin +Date: Mon Nov 19 14:55:17 2018 -0800 + + Merge pull request #382 from Microsoft/ext4_test_fix + + Fix ext4 compact_test leak testfs.img + +commit 5030fb0275a7fff626964670b06ea718ec7329cb +Author: Justin Terry (VM) +Date: Mon Nov 19 14:55:08 2018 -0800 + + Remove unused test cmd + + Signed-off-by: Justin Terry (VM) + +commit 643242df94f2a78262aef991e67428e69e293dcd +Merge: 1386fb103 8bd16a0bb +Author: Justin +Date: Mon Nov 19 14:45:17 2018 -0800 + + Merge pull request #381 from Microsoft/fix_vmmem_size + + Update uvm_mem tests to use 512MB by default + +commit ec43188ac2d9a7909303e48e32dfa19d91c52488 +Author: Justin Terry (VM) +Date: Mon Nov 19 14:40:29 2018 -0800 + + Fix ext4 compact_test leak testfs.img + + Signed-off-by: Justin Terry (VM) + +commit 1386fb10368146b6b76635faffcda6fcead3aba9 +Merge: 2d97ca3b8 94f0b7012 +Author: Justin +Date: Mon Nov 19 14:29:24 2018 -0800 + + Merge pull request #380 from Microsoft/runhcs_vm_layerfolders + + Stop passing appending \vm to Windows scratch LayerFolders + +commit 94f0b70126a1e3ca2802374744ab89f908b0e113 +Author: Justin Terry (VM) +Date: Mon Nov 19 14:21:29 2018 -0800 + + Add comment about why runhcs uses the sandbox layer folder \vm + + 
Signed-off-by: Justin Terry (VM) + +commit 2d97ca3b89d1126945e579e181f248994989d832 +Merge: 56dc43e39 66224090e +Author: Justin +Date: Mon Nov 19 14:08:59 2018 -0800 + + Merge pull request #379 from Microsoft/update_test_tags + + Change runhcs_test build tag to 'integration' to match other tests. + +commit 8bd16a0bb9fca7fe1226276906958929fdec6d45 +Author: Justin Terry (VM) +Date: Mon Nov 19 13:58:32 2018 -0800 + + Update uvm_mem tests to use 512MB by default + + Signed-off-by: Justin Terry (VM) + +commit 56dc43e39c4ba67ae6680ad910a5bc956bfec1d5 +Merge: 98eb7f01e f8edcce24 +Author: Justin +Date: Mon Nov 19 13:56:15 2018 -0800 + + Merge pull request #378 from Microsoft/uvm_close_tests + + Use uvm.Close() rather than uvm.Terminate() + +commit 66224090ea71aa6a3ca7109a0828907f68a60e04 +Author: Justin Terry (VM) +Date: Mon Nov 19 13:22:33 2018 -0800 + + Change runhcs_test build tag to 'integration' to match other tests. + + Signed-off-by: Justin Terry (VM) + +commit f8edcce246161cb0af989e01273bd03305146f30 +Author: Justin Terry (VM) +Date: Mon Nov 19 13:15:44 2018 -0800 + + Use uvm.Close() rather than uvm.Terminate() + + Signed-off-by: Justin Terry (VM) + +commit 98eb7f01e55c55488617a7316f18b1fae14cf3b1 +Merge: a246220a7 598dda9a6 +Author: Justin +Date: Mon Nov 19 12:32:16 2018 -0800 + + Merge pull request #375 from Microsoft/runhcs_simplify_annotations + + Simplify annotations for easier use across types + +commit a246220a704d3a3e0c44ba391e90dc53e7856b5b +Merge: 38d162f40 ae0393202 +Author: John Howard +Date: Mon Nov 19 10:01:33 2018 -0800 + + Merge pull request #376 from Microsoft/persisted_state_json + + Add JSON tagging and comments to persistedState fields + +commit 598dda9a6d21153c897953a253c080daaa0abc01 +Author: Justin Terry (VM) +Date: Mon Nov 19 09:24:26 2018 -0800 + + Convert annotation parse failure to Warning + + 
Signed-off-by: Justin Terry (VM) + +commit ae039320286b78474bc46522733c2f8d761bf675 +Author: Justin Terry (VM) +Date: Mon Nov 19 09:08:59 2018 -0800 + + Add JSON tagging and comments to persistedState fields + + Signed-off-by: Justin Terry (VM) + +commit c8b3ad04832a078f9bb5003b379a79042f6009fd +Author: Justin Terry (VM) +Date: Mon Nov 19 08:47:00 2018 -0800 + + Fix issue not forwarding UVM resources for LCOW activations + + Signed-off-by: Justin Terry (VM) + +commit 093c0cea288f637de6ecfab4c59dfa44f4318661 +Author: Justin Terry (VM) +Date: Mon Nov 19 08:45:10 2018 -0800 + + Simplify annotations parsing and assignment for custom opts + + Signed-off-by: Justin Terry (VM) + +commit 38d162f40e8cf02413292c30c5d337b49911d62d +Merge: ea14d179e d0edf8f46 +Author: Justin +Date: Mon Nov 19 08:47:19 2018 -0800 + + Merge pull request #374 from Microsoft/runhcs_fix_owner + + Forward --owner from runhcs command to UVM/container creation + +commit d0edf8f46614643ce997ada46b6ad8d399ff75d1 +Author: Justin Terry (VM) +Date: Mon Nov 19 08:30:48 2018 -0800 + + Forward --owner from runhcs command to UVM/container creation + + Signed-off-by: Justin Terry (VM) + +commit ea14d179ee5442cd8af532787aa4afda68f81d8b +Merge: 4f64a5980 7de83b9c7 +Author: Justin +Date: Fri Nov 16 14:46:24 2018 -0800 + + Merge pull request #373 from Microsoft/fix_assign_pmem + + Assign uvm.vpmemMaxSizeBytes on create to avoid SCSI fallback + +commit 7de83b9c7feb886bb53c1f99f55faf82f698a2df +Author: Justin Terry (VM) +Date: Fri Nov 16 14:37:34 2018 -0800 + + Assign uvm.vpmemMaxSizeBytes on create to avoid SCSI fallback + + Signed-off-by: Justin Terry (VM) + +commit 4f64a598035b09da04155f7dfd76b63edf04fca1 (tag: v0.8.1) +Merge: 02bd6848d 102a6f0be +Author: Justin +Date: Fri Nov 9 15:38:14 2018 -0800 + + Merge pull request #370 from Microsoft/jjh/annotations2 + + Fix panic + +commit 102a6f0bed0c012f3484a44a6a0f5098fca1dab1 +Author: John Howard +Date: Fri Nov 9 14:38:53 2018 -0800 + + Fix panic + + 
Signed-off-by: John Howard + +commit 02bd6848d53d2e82b2adc5ffacf556f16e4c1f9c (tag: v0.8.0) +Merge: af4e2cd5b 1c613a083 +Author: Justin +Date: Fri Nov 9 11:38:20 2018 -0800 + + Merge pull request #369 from Microsoft/jjh/annotations + + Update annotation fields + +commit 1c613a083ed94c0923f8c0829beedcdbce44417e +Author: John Howard +Date: Fri Nov 9 10:42:12 2018 -0800 + + Review comments + + Signed-off-by: John Howard + +commit 6224e34b7893600ede17b4edf9c285cd6e5eec46 +Author: John Howard +Date: Thu Nov 8 15:55:15 2018 -0800 + + Compile functional tests + + Signed-off-by: John Howard + +commit dd319b3505dd80377edf9b29c0c5fcc667804c08 +Author: John Howard +Date: Thu Nov 8 15:06:37 2018 -0800 + + Fix functional tests + + Signed-off-by: John Howard + +commit ea1ae19186da497eeac2db35c06f99007abf6003 +Author: John Howard +Date: Thu Nov 8 08:55:11 2018 -0800 + + Update annotation fields + + Signed-off-by: John Howard + +commit af4e2cd5ba2e53235f6fbaed93786793e219f5b3 +Merge: 3f8501726 a8d67a7d9 +Author: Justin +Date: Wed Nov 7 10:27:49 2018 -0800 + + Merge pull request #366 from Microsoft/runhcs_test_matrix + + Add runhcs E2E matrix tests for Windows + +commit a8d67a7d9b7a3ce799261450ea6b9416133b4900 +Author: Justin Terry (VM) +Date: Tue Nov 6 14:40:53 2018 -0800 + + Publish go-runhcs functional tests as part of build + + 
Signed-off-by: Justin Terry (VM) + +commit 3f850172656f5158580526774b4a76186f0a1dfb (tag: v0.7.14) +Merge: 3270136cc 82bb745e7 +Author: Justin +Date: Tue Nov 6 15:22:58 2018 -0800 + + Merge pull request #364 from Microsoft/jjh/movegrantvmaccess + + Move GrantVmAccess calls + +commit 3270136cc589ce6d7ba35a3e9bb19735535f99bb +Merge: 1d3e1d927 1a9ef3397 +Author: Justin +Date: Tue Nov 6 15:22:38 2018 -0800 + + Merge pull request #367 from Microsoft/uvm_mem_backing + + AllowOvercommit has replaced Backing and should be used instead. + +commit 1a9ef33975b77415e71cd9cd62445cd2d671abc5 +Author: Justin Terry (VM) +Date: Tue Nov 6 15:06:06 2018 -0800 + + AllowOvercommit has replaced Backing and should be used instead. + + Signed-off-by: Justin Terry (VM) + +commit 1d3e1d927be33a51b8d9cc1f25df4d3b26640bd2 +Merge: 1cb5e2cf2 31d279894 +Author: Justin +Date: Tue Nov 6 14:43:56 2018 -0800 + + Merge pull request #365 from Microsoft/jjh/runmemstartwcowtest + + Use Scratch in TestMemBackingTypeWCOW + +commit aa1ff4dcded088edbe159ff4c43968798833a97e +Author: Justin Terry (VM) +Date: Tue Nov 6 14:38:10 2018 -0800 + + Add runhcs E2E matrix tests for Windows + + Signed-off-by: Justin Terry (VM) + +commit 31d279894d360203c33e3144157a78f765323f6e +Author: John Howard +Date: Tue Nov 6 10:48:54 2018 -0800 + + Use Scratch in TestMemBackingTypeWCOW + + Signed-off-by: John Howard + +commit 82bb745e76eeb99aa23757d2799ea873ff5cb0bd +Author: John Howard +Date: Tue Nov 6 10:46:01 2018 -0800 + + Move GrantVmAccess calls + + 
Signed-off-by: John Howard + +commit 1cb5e2cf2b55d25154919d86acd2706c374d3e9f +Merge: 1565ec37a 46ddede47 +Author: Justin +Date: Mon Nov 5 08:51:37 2018 -0800 + + Merge pull request #363 from Microsoft/v0.7.9-dev + + V0.7.9 dev + +commit 46ddede4768e56935b0739edbb81e796304a25e2 (tag: v0.7.9-1, upstream-hcshsim/v0.7.9-dev, origin/v0.7.9-dev, hcsshim/v0.7.9-dev) +Merge: 521d0b77d d35ef6950 +Author: Justin +Date: Mon Nov 5 08:29:42 2018 -0800 + + Merge pull request #362 from Microsoft/export_assigned_device + + Export AssignedDevice in V1 + +commit d35ef6950e397b74b1d0fe106732c148fc358181 +Author: Justin Terry (VM) +Date: Mon Nov 5 08:21:51 2018 -0800 + + Export AssignedDevice in V1 + + Signed-off-by: Justin Terry (VM) + +commit 1565ec37a5a5bf580e349139d8c9bd0e2b32571b (tag: v0.7.13) +Merge: c5c7c5c42 f1772354a +Author: Justin +Date: Fri Nov 2 10:02:55 2018 -0700 + + Merge pull request #360 from Microsoft/memory_opt + + Adding MemoryBackingType support via OCI annotations + +commit c5c7c5c423f271a26bfea9e504d4d2f2d281583b +Merge: 04fd3112a bdb1952d6 +Author: Justin +Date: Wed Oct 31 11:46:20 2018 -0700 + + Merge pull request #359 from Microsoft/jjh/lcowlargelayeronscsi + + LCOW: Use SCSI for layers over 512MB rather than PMEM + +commit f1772354adff103f9b4b7a9c00c4f68eaf767ec4 +Author: Justin Terry (VM) +Date: Wed Oct 31 10:44:16 2018 -0700 + + Adding MemoryBackingType support via OCI annotations + + Signed-off-by: Justin Terry (VM) + +commit bdb1952d6a717ee4736b19ed6b1f9953d4793914 +Author: John Howard +Date: Wed Oct 24 14:59:01 2018 -0700 + + LCOW: Use SCSI for layers over 512MB + + 
Signed-off-by: John Howard + +commit 04fd3112a484505898a175773ae751928efa67a8 +Merge: 94038f203 fa0fcc423 +Author: Justin +Date: Fri Oct 19 13:18:07 2018 -0700 + + Merge pull request #358 from pradipd/remotesubnet + + Adding functions to modify network settings and policies. Adding RemoteSubnetRoutePolicy. + +commit fa0fcc423e891a506ae5fed8bc0b9b4272cbfaba +Author: Pradip Dhara +Date: Fri Oct 19 12:20:26 2018 -0700 + + Fixing tests. + +commit f18977c9bc3bb78f606fd8f54f7b263e3ab9f22b +Author: Pradip Dhara +Date: Fri Oct 19 11:18:24 2018 -0700 + + More PR changes. + +commit b19dd74b6caee626b89b8c6a07185a9a770d4379 +Author: Pradip Dhara +Date: Fri Oct 19 11:06:24 2018 -0700 + + fixing test. + +commit 119a079670884c832666d52f61c99ee4174deb30 +Author: Pradip Dhara +Date: Fri Oct 19 11:03:17 2018 -0700 + + PR changes. + +commit c2d44082e8793cd5e7d045375ed35293b2898efc +Author: Pradip Dhara +Date: Fri Oct 19 10:42:09 2018 -0700 + + gofmt -s -w hcnutils_test.go + +commit 3a3001e0d71a593cd9dbe2ea41d8f24a133946d4 +Author: Pradip Dhara +Date: Wed Oct 10 10:35:26 2018 -0700 + + Adding functions to modify network settings and policies. Adding RemoteSubnetRoutePolicy. 
+ +commit 94038f203f488410f56c2efb61c0ef30e3d940bd +Merge: 4c3e966e0 f670ba5ae +Author: Justin +Date: Fri Oct 19 10:54:09 2018 -0700 + + Merge pull request #356 from madhanrm/elbdsr + + Expose DSR Settings in Load Balancer + +commit 4c3e966e0114c45dca094eebba6323342385a4fd +Merge: fb82daad4 4898b4ef9 +Author: Justin +Date: Fri Oct 19 10:51:55 2018 -0700 + + Merge pull request #355 from Microsoft/argon_signal_support + + Adding Signal support for RS5 Argon + +commit fb82daad433bcca016238d13d13a3a3f47f6bd12 +Merge: 6cca3cb41 5ed37087c +Author: Justin +Date: Fri Oct 19 10:49:06 2018 -0700 + + Merge pull request #357 from Microsoft/enable_hot_hint + + Enable HotHint for Windows + +commit 5ed37087cb6dc37171d0b3cac7637584d9b5014f +Author: Justin Terry (VM) +Date: Fri Oct 19 10:25:32 2018 -0700 + + Enable HotHint for Windows + + Signed-off-by: Justin Terry (VM) + +commit f670ba5ae4e2f8921d3cd1c6eb651abf7a1ed222 +Author: Madhan Raj Mookkandy +Date: Thu Oct 11 22:30:56 2018 -0700 + + Fix tests to fail and continue + + Expose ELB DSR flag + +commit 4898b4ef9773740f0e990f246fc253c4c63e3e6b +Author: Justin Terry (VM) +Date: Thu Oct 18 10:29:42 2018 -0700 + + Adding Signal support for RS5 Argon + + 
Signed-off-by: Justin Terry (VM) + +commit 6cca3cb411c22d34aa97c81c98532500cff4860c +Merge: 5b3eff572 8a23738a9 +Author: Justin +Date: Thu Oct 18 07:50:41 2018 -0700 + + Merge pull request #354 from erfrimod/erfrimod/adding-debugprint + + Debug prints out the json provided to HNS on CreateX calls. + +commit 8a23738a92666bbebb5f7f88766ad1eee3af76c2 +Author: Erik Frimodig +Date: Wed Oct 17 16:51:05 2018 -0700 + + Debug prints out the json provided to HNS. + +commit 5b3eff572681588b6ce3df295d3d23b72f053f32 (tag: v0.7.12) +Merge: 2ef465979 234770f9b +Author: Justin +Date: Mon Oct 15 13:22:33 2018 -0700 + + Merge pull request #353 from Microsoft/fix_close + + Fix issue failing to close handle in some cases + +commit 234770f9bb86130becd2d489a0bbb7f4b9e52d82 +Author: Justin Terry (VM) +Date: Mon Oct 15 13:22:08 2018 -0700 + + Fix issue failing to close handle in some cases + + Signed-off-by: Justin Terry (VM) + +commit 2ef465979b68863164ec5babcccd8a6ed4b7881e +Merge: 97ac67c39 1b90ca682 +Author: Justin +Date: Mon Oct 15 13:08:38 2018 -0700 + + Merge pull request #352 from Microsoft/mv_to_pkg + + go-runhcs should not be in cmd/ + +commit 1b90ca68286272b8055d1fe76a7166ec93ec2715 +Author: Justin Terry (VM) +Date: Mon Oct 15 12:58:20 2018 -0700 + + go-runhcs should not be in cmd/ + + Signed-off-by: Justin Terry (VM) + +commit 97ac67c39fcc2c5b576f0e403057d6695403e6d3 +Merge: 21c9d90b5 cc9aad746 +Author: Justin +Date: Mon Oct 15 12:52:48 2018 -0700 + + Merge pull request #349 from Microsoft/fix_signal + + Implement signal support + +commit cc9aad74674a51b9b9fa1b9dd476d925e3a2160a +Author: Justin Terry (VM) +Date: Mon Oct 15 12:38:09 2018 -0700 + + Fix issue failing to close handle in some cases + + Signed-off-by: Justin Terry (VM) + +commit 35bf3db14489d1ba27e09d6dd29d9a0d19bfaa96 +Author: Justin Terry (VM) +Date: Fri Oct 12 15:37:06 2018 -0700 + + Implement signal support + + 
Signed-off-by: Justin Terry (VM) + +commit 3b26b4d506948473ad90b504a1c563ea792a5b32 +Merge: 94030be22 b291a0068 +Author: John Howard +Date: Mon Oct 15 10:07:40 2018 -0700 + + Merge pull request #262 from Microsoft/signal_support + + Return GuestDefinedCapabilities with SignalProcess support + +commit 94030be225b7d6398c92ac37cbf438dd5b0d91be +Merge: 6ca2495a8 12c75e34e +Author: Justin +Date: Mon Oct 15 10:07:32 2018 -0700 + + Merge pull request #261 from franksinankaya/sinankaya/unittests + + Sinankaya/unittests + +commit b291a00688efa4f6e403270feebe1adc5542252a +Author: Justin Terry (VM) +Date: Mon Oct 15 09:33:29 2018 -0700 + + Return GuestDefinedCapabilities with SignalProcess support + + Signed-off-by: Justin Terry (VM) + +commit 12c75e34e4a3b399eb262186567f227da8506885 +Author: Sinan Kaya +Date: Fri Oct 12 05:57:43 2018 +0000 + + runc: look for whoami string instead of match + + Search for whoami rather than looking for an exact match. + Command prompt is different between OS flavors. + +commit 44bfe35c5a9e39ae3cc7bc8b24619122f68fef2b +Author: Sinan Kaya +Date: Fri Oct 12 04:02:53 2018 +0000 + + Support OS with sysvinit in PathIsMounted + + tmpfs is mounted at /var/volatile on some sysvinit based operating + systems. + + Search mount point in PathIsMounted with /var/volatile prefixed as + an alternative. + +commit 21c9d90b535b6009e17bae665ce1334006ee7820 (tag: v0.7.11) +Merge: 0e76f28bd c8634ebcf +Author: Justin +Date: Thu Oct 11 14:11:58 2018 -0700 + + Merge pull request #343 from Microsoft/runhcs_argon_volumematch + + Runhcs argon/xenon fixes + +commit c8634ebcfea55077dd0718f6a9886dd2bac7ba32 +Author: Justin Terry (VM) +Date: Wed Oct 10 15:48:14 2018 -0700 + + Fix runhcs create issue for Windows Xenon + + 
Signed-off-by: Justin Terry (VM) + +commit 0e76f28bdb8ed162ab07a53d17048ecb3fcc8a1e +Merge: 022ce5861 2e0fd1229 +Author: Justin +Date: Thu Oct 11 13:13:55 2018 -0700 + + Merge pull request #345 from madhanrm/winNsRs4 + + Fix runhcs to setup networking for RS4 WCOW images + +commit 2e0fd1229103c345bee4b24a1129dc38c122bafb +Author: Madhan Raj Mookkandy +Date: Thu Oct 11 13:08:16 2018 -0700 + + Fix runhcs to setup networking for RS4 WCOW images + +commit 022ce5861e3ccd2396688c77993765d526eb179e (tag: v0.7.10) +Merge: ec67d8ada e59750fd9 +Author: John Howard +Date: Thu Oct 11 12:06:42 2018 -0700 + + Merge pull request #344 from Microsoft/jjh/namespace + + Add GuestConnection query + +commit e59750fd9693351117b48290b8e358a240ea6078 +Author: John Howard +Date: Thu Oct 11 11:49:39 2018 -0700 + + Add GuestConnection query + + Signed-off-by: John Howard + +commit e6bc263fc0948b63a3fad41be228a133f55ae6dc +Author: Justin Terry (VM) +Date: Wed Oct 10 15:23:44 2018 -0700 + + Properly check Root.Path regexp + + Signed-off-by: Justin Terry (VM) + +commit ec67d8adabb094c359828e3048c6eccc5c4a83ac +Merge: 521d0b77d 829ca83b0 +Author: Justin +Date: Wed Oct 10 11:31:27 2018 -0700 + + Merge pull request #340 from Microsoft/linter + + Add gofmt linter on all PR's + +commit 829ca83b0d591c18363e4b0a274fa44870a34c89 +Author: Justin Terry (VM) +Date: Wed Oct 10 11:09:00 2018 -0700 + + Add gofmt linting + + Signed-off-by: Justin Terry (VM) + +commit 1825d4a6244821a4a87e528ac466ebf3eeb3a8b1 +Author: Justin Terry (VM) +Date: Wed Oct 10 11:08:38 2018 -0700 + + Fix gofmt -s -w on all files + + Signed-off-by: Justin Terry (VM) + +commit 521d0b77d0302dd078f23c5b0d50c25b11de1849 (tag: v0.7.9) +Merge: 61e11b9f7 0940539b8 +Author: John Howard +Date: Tue Oct 9 16:19:20 2018 -0700 + + Merge pull request #339 from Microsoft/jjh/dos2unix + + Line endings again! + +commit 0940539b88302ff18e11d3ba83dd3177f3405dc6 +Author: John Howard +Date: Tue Oct 9 16:13:01 2018 -0700 + + Line endings again! + + 
Signed-off-by: John Howard + +commit 61e11b9f70596fc851c47fd04cc1066ae0bc4983 (tag: v0.7.8) +Merge: b92933868 a044a4d28 +Author: Justin +Date: Tue Oct 9 11:47:14 2018 -0700 + + Merge pull request #338 from Microsoft/tar2ext + + Add tar2ext4 to artifacts + +commit a044a4d289abd0e7f4874d5f7217e5a0fdcf0b10 +Author: John Howard +Date: Tue Oct 9 10:14:02 2018 -0700 + + Add tar2ext4 to artifacts + + Signed-off-by: John Howard + +commit b929338687bb4a06318ed63f20d7f3731d3574e7 +Merge: 9fa70dd6d ccedcbad8 +Author: John Howard +Date: Tue Oct 9 10:10:18 2018 -0700 + + Merge pull request #337 from jstarks/ext4_limit + + tar2ext4: Make disk size limit configurable + +commit ccedcbad83af7549c7bf771e2e18edfd8394f549 +Author: John Starks +Date: Thu Oct 4 11:46:29 2018 -0700 + + tar2ext4: Make disk size limit configurable + + The limit is necessary to reduce the group descriptor block size + overhead. It may be unnecessary in the future if metabg support is + implemented. + +commit 9fa70dd6de77ea6d6298d4b939a3fda324c00684 (tag: v0.7.7) +Merge: a92717667 0e65f42cc +Author: John Howard +Date: Mon Oct 8 14:59:04 2018 -0700 + + Merge pull request #336 from Microsoft/initxattrs + + ext4:Init Xattrs in Stat() + +commit 0e65f42ccc7063803b8bd900cbbb4f93dd4f27c8 +Author: John Howard +Date: Mon Oct 8 14:35:49 2018 -0700 + + ext4:Init Xattrs in Stat() + + 
Signed-off-by: John Howard + +commit a9271766729f3397fb446085a2c42cdb816a199d +Merge: baac74f0e 55f47474c +Author: John Howard +Date: Mon Oct 8 11:30:38 2018 -0700 + + Merge pull request #335 from Microsoft/runhcs_fix_namespace_config + + Only store namespace in registry for sandbox/uvm + +commit baac74f0e273933d7a50ecbefa2fa0e322ceeaef +Merge: c99722adf 776445ec4 +Author: John Howard +Date: Mon Oct 8 11:30:01 2018 -0700 + + Merge pull request #334 from jstarks/ext4_link_overflow + + tar2ext4: Enforce maximum link count + +commit c99722adf8edfffcb196344cafb0e87baa2ce0d1 +Merge: c9c35b22e d9ae28c05 +Author: John Howard +Date: Mon Oct 8 11:29:31 2018 -0700 + + Merge pull request #333 from jstarks/ext4_dir_determine + + tar2ext4: Eliminate non-determinism in directory entries + +commit c9c35b22e1ff87db3ba5290b7e1b29b462ccef8e +Merge: 548046cb2 acf618d08 +Author: John Howard +Date: Mon Oct 8 11:28:59 2018 -0700 + + Merge pull request #331 from jstarks/ext4_whiteout + + tar2ext4: Add opaque whiteout support + +commit 55f47474c23e295e0a52636f98110b0b5a6138d9 +Author: Justin Terry (VM) +Date: Thu Oct 4 14:11:19 2018 -0700 + + Only store namespace in registry for sandbox/uvm + + 
Signed-off-by: Justin Terry (VM) + +commit 548046cb2f0495eb2acd7682a0035d465bf05ea9 +Merge: 11a4334f3 99957fd4e +Author: Justin +Date: Thu Oct 4 13:13:50 2018 -0700 + + Merge pull request #332 from Microsoft/nit_networking_fixes + + A few network fixes + +commit 776445ec4efad99af0d7e7491c64ed6d85d8087e +Author: John Starks +Date: Thu Oct 4 12:21:36 2018 -0700 + + tar2ext4: Enforce maximum link count + +commit d9ae28c05cce49eb64c1e8ee76337acf42e599f1 +Author: John Starks +Date: Thu Oct 4 11:58:22 2018 -0700 + + tar2ext4: Eliminate non-determinism in directory entries + +commit acf618d08fa1453f74c92c3255c84333cbfbaa96 +Author: John Starks +Date: Thu Oct 4 11:17:59 2018 -0700 + + tar2ext4: Support opaque directories even with large xattrs + +commit 99957fd4e5860d07022dd1fc5ed51b5194cddcb4 +Author: Justin Terry (VM) +Date: Thu Oct 4 10:59:55 2018 -0700 + + A few network fixes + + 
Signed-off-by: Justin Terry (VM) + +commit 11a4334f3a724c44bfee9c3e02cf5ec82ed3c69c +Merge: ff1452791 8497e0360 +Author: Justin +Date: Thu Oct 4 10:49:42 2018 -0700 + + Merge pull request #320 from madhanrm/winNamespace + + Implement namespace support + +commit c7709814919e789021a733bad4dd3c196c9bc7de +Author: John Starks +Date: Thu Oct 4 08:31:30 2018 -0700 + + tar2ext4: Add opaque whiteout support + + There may still be some rare cases where opaque whiteouts are not + supported (specifically if there are large xattrs already on the + directory that is being removed). + +commit 8497e036063e0f8a9aa0ab034fa46e9eb06a85a5 +Author: Madhan Raj Mookkandy +Date: Wed Oct 3 16:33:37 2018 -0700 + + Comment out GuestNetworkSettings for LCOW + +commit ff14527911561feca991ff4264eab076de238811 +Merge: 4d90387f0 4241699d6 +Author: Justin +Date: Wed Oct 3 14:25:32 2018 -0700 + + Merge pull request #330 from jstarks/ext4_lostfound + + tar2ext4: Allow limited duplication of files + +commit 4241699d60d5730f0c05cf6d12930657347f282e +Author: John Starks +Date: Wed Oct 3 14:06:11 2018 -0700 + + tar2ext4: Allow limited duplication of files + + In some cases, tar files will have root directories, lost+found + directories, or duplicate file or directory entries. Support this when + possible. + +commit 4d90387f0d0830cba45e691ad9d5ed990d757a20 +Merge: d88aa6c58 6caa64a5b +Author: Justin +Date: Wed Oct 3 13:01:18 2018 -0700 + + Merge pull request #329 from Microsoft/remove_runhcs_tar2vhd + + Remove runhcs.exe tar2vhd command + +commit 6caa64a5bfe41aee514700e26779f7c9408494d8 +Author: Justin Terry (VM) +Date: Wed Oct 3 12:54:05 2018 -0700 + + Remove runhcs.exe tar2vhd command + + 
Signed-off-by: Justin Terry (VM) + +commit d88aa6c58eea88fbe92cd2c25c6f2e9761f68fd3 +Merge: 5291dc935 0c73b83e4 +Author: John Howard +Date: Wed Oct 3 11:52:15 2018 -0700 + + Merge pull request #328 from jstarks/ext4_dax + + tar2ext4: Make inline data optional for DAX support + +commit 187b8a19745f662880f80c0b6f729a8f312ebdb3 +Author: Madhan Raj Mookkandy +Date: Wed Oct 3 11:37:16 2018 -0700 + + Address review comments + +commit 0c73b83e4b996a762d437a99244aeb7dddc01e1f +Author: John Starks +Date: Wed Oct 3 11:13:38 2018 -0700 + + tar2ext4: Make inline data optional for DAX support + +commit 9bb66796a9328ef4198c275c1bfb48f0aadd5a2b +Author: Madhan Raj Mookkandy +Date: Tue Oct 2 19:13:18 2018 -0700 + + Fix NetworkModifyRequest to use rs5 schema AdapterInstanceId=>AdapterId + +commit 4d46ba31948105e6bfd1aa51bdf866025c396e02 +Author: Madhan Raj Mookkandy +Date: Fri Sep 14 23:11:57 2018 -0700 + + Fix Namespace from oci spec + + Implement Guest Namespace creation & removal + + Change default schema version for RS5 + +commit 5291dc935b8c3065c4266ece9ef1e210ac2e9e79 +Merge: e7c6aca27 176e1670a +Author: Justin +Date: Tue Oct 2 15:50:28 2018 -0700 + + Merge pull request #327 from Microsoft/user/jostarks/fix_overlayfs_wo + + tar2ext4: Use correct overlayfs whiteout format + +commit 176e1670a1e0fd2cee5cd019d07bf73b7b9008cc +Author: John Starks +Date: Tue Oct 2 15:35:21 2018 -0700 + + tar2ext4: Use correct overlayfs whiteout format + +commit e7c6aca2745c210f528d3a15fe7948edc10c2ed5 +Merge: d6582adb2 c9559c40f +Author: John Howard +Date: Tue Oct 2 15:20:18 2018 -0700 + + Merge pull request #326 from jstarks/tar2ext4 + + tar2ext4: Converter from tar to compact ext4 + +commit c9559c40fff1a7cb4b113d4eacad57c51b26a776 +Author: John Starks +Date: Tue Oct 2 13:37:33 2018 -0700 + + tar2ext4: Converter from tar to compact ext4 + +commit 6ca2495a82e0a58118a1265bf8a6fc1f6f4739be +Merge: f9d9074b6 825fa0ced +Author: Justin +Date: Tue Oct 2 14:56:05 2018 -0700 + + Merge pull request #260 
from Quasilyte/quasilyte/unslice + + service/gcsutil/gcstools: simplify s[:] to s + +commit 825fa0ced8b5026f3bb3d3dd50a53a247fca2500 +Author: Iskander Sharipov +Date: Tue Oct 2 23:55:39 2018 +0300 + + service/gcsutil/gcstools: simplify s[:] to s + + For s which is slice `s[:]` is identical to just `s`. + + https://open.microsoft.com/2018/09/30/join-hacktoberfest-2018-celebration-microsoft + +commit d6582adb25036766085eddc70fec73526aa4b186 +Merge: dab4aa72a 7932b7601 +Author: Justin +Date: Tue Oct 2 11:14:34 2018 -0700 + + Merge pull request #325 from erfrimod/erfrimod/adding-error-logging + + Erfrimod/adding error logging + +commit 7932b760180d29425580d18b06d11d84d5f36a7d +Author: Erik Frimodig +Date: Mon Oct 1 17:04:56 2018 -0700 + + Namespace Guest test + +commit ac9ccdec7224ee7f7bbd2700a33357baaef6a4c0 +Author: Erik Frimodig +Date: Mon Oct 1 15:55:21 2018 -0700 + + All HNS errors are debug logged. + +commit dab4aa72aed3e95180464bed8039025cce1d1a8c +Merge: bd3a676ef 6672b6296 +Author: Justin +Date: Mon Oct 1 11:42:21 2018 -0700 + + Merge pull request #323 from Microsoft/removeIsTP4 + + Remove redundant no-op IsTP4() + +commit bd3a676ef98d1039e1f7e93138e68bd16084eda2 +Merge: 45b89a72e bb6b18cdb +Author: Justin +Date: Mon Oct 1 11:41:51 2018 -0700 + + Merge pull request #324 from Microsoft/jjh/rs5andpromote + + Bump RS5; Promote osversion + +commit bb6b18cdb527145747b43a770efdea50491dd1d5 +Author: John Howard +Date: Mon Oct 1 09:41:02 2018 -0700 + + Bump RS5; Promote osversion + + Signed-off-by: John Howard + +commit 6672b6296999f4ff1c8db1d6f7aeeacbae5b42d4 +Author: John Howard +Date: Mon Oct 1 09:32:31 2018 -0700 + + Remove redundant no-op IsTP4() + + 
Signed-off-by: John Howard + +commit 45b89a72ee34e75f68da9073f5b71ba06a8e55cf +Merge: 28a1d8996 fb694104f +Author: John Howard +Date: Mon Oct 1 09:10:10 2018 -0700 + + Merge pull request #322 from Microsoft/runhcs_support_runas + + V2 support process User + +commit fb694104f3ed1c4c62de1f37b95a6ea2e8339382 +Author: Justin Terry (VM) +Date: Fri Sep 28 12:27:43 2018 -0700 + + V2 support process User + + Signed-off-by: Justin Terry (VM) + +commit 28a1d899607f76c1354eebd8ea9be874db71ee7d +Merge: a2dfd2894 c30f6fe43 +Author: Justin +Date: Fri Sep 28 11:50:25 2018 -0700 + + Merge pull request #321 from erfrimod/erfrimod/namespace-sync-tests + + Erfrimod/namespace sync tests + +commit c30f6fe438d516d566f6f46ead04aabf24b97d0a +Author: Erik Frimodig +Date: Thu Sep 27 15:27:37 2018 -0700 + + Adding tests for Namespace Sync. + +commit cc34845b3b0ff8a4c6c96f87e1b666827a57f851 +Author: Justin Terry (VM) +Date: Thu Sep 27 10:40:31 2018 -0700 + + Add SyncNamespace support to the CNI package. + + Implements the logic for the CNI package to look up the VMPipe to the VM shim + started via runhcs.exe and issue a Sync Namespace query to it. + + Signed-off-by: Justin Terry (VM) + +commit a2dfd28944fb2ac50e97b016c05e61ecd3321c7d (tag: v0.7.6) +Merge: 9db405e96 fbb921aa2 +Author: Justin +Date: Wed Sep 26 13:17:43 2018 -0700 + + Merge pull request #319 from Microsoft/fix_exec + + Reorder shim cmd args + +commit fbb921aa2fb10965c9d54635a06cadc302c19acc +Author: Justin Terry (VM) +Date: Wed Sep 26 12:57:55 2018 -0700 + + Reorder shim cmd args + + Signed-off-by: Justin Terry (VM) + +commit 9db405e9624c89f9666cfd87a3c27b548c4d9a70 (tag: v0.7.5) +Merge: 37e922b44 79973cc72 +Author: Justin +Date: Wed Sep 26 10:39:20 2018 -0700 + + Merge pull request #317 from Microsoft/jjh/nilcheck + + Nil check in allocateWindowsResources + +commit 79973cc72650220556e9ce2d31b9c4c0f2473b24 +Author: John Howard +Date: Tue Sep 25 14:20:36 2018 -0700 + + Nil check in allocateWindowsResources + + 
Signed-off-by: John Howard + +commit 37e922b44ed135ea2cd05d9855f61e9bbf51a335 +Merge: d79ba17d2 96762ff13 +Author: John Howard +Date: Wed Sep 26 10:30:47 2018 -0700 + + Merge pull request #318 from Microsoft/runhcs_upstream_logging + + Adds named pipe logging for debug/shim/vmshim logs + +commit 96762ff134196ce4fbeeb91dd8eab084f4ef2664 +Author: Justin Terry (VM) +Date: Tue Sep 25 10:38:54 2018 -0700 + + Adds named pipe logging for debug/shim/vmshim logs + + Signed-off-by: Justin Terry (VM) + +commit d79ba17d248084116e0ea526205c3d08518729f2 +Merge: 5c4225d59 2a2a68c3a +Author: Justin +Date: Tue Sep 25 11:07:49 2018 -0700 + + Merge pull request #316 from Microsoft/runhcs_resize_tty_pid + + Adding map between host pid and guest pid + +commit 2a2a68c3acef805be18f45a829c3853a29c2404c +Author: Justin Terry (VM) +Date: Tue Sep 25 10:44:28 2018 -0700 + + Adding map between host pid and guest pid + + Signed-off-by: Justin Terry (VM) + +commit 5c4225d59b00bd1a1475b5b88aef059cdc9befe2 +Merge: dc8e9cba3 8195945ef +Author: Justin +Date: Mon Sep 24 10:20:50 2018 -0700 + + Merge pull request #314 from erfrimod/erfrimod/hcn-better-errors-networktype + + Better errors, NetworkType added. + +commit 8195945eff997505c502d102b537f07378b09555 +Author: Erik Frimodig +Date: Fri Sep 21 17:30:37 2018 -0700 + + Responding to PR comments. + +commit dc8e9cba31b78bfbe1ead8416fb615699df44819 +Merge: 076e38820 1311d5610 +Author: Justin +Date: Fri Sep 21 12:44:45 2018 -0700 + + Merge pull request #315 from Microsoft/fix_exec_linux + + Fix issue with exec on linux oci spec + +commit 1311d5610b5027877ae904eaa1d69262cd495491 +Author: Justin Terry (VM) +Date: Fri Sep 21 12:18:26 2018 -0700 + + Fix issue with exec on linux oci spec + + 
Signed-off-by: Justin Terry (VM) + +commit 1aa738f3759dfbb06516f5780c5bbd35d1d56af0 +Author: Erik Frimodig +Date: Thu Sep 20 14:41:23 2018 -0700 + + Better errors, NetworkType added. + +commit 076e388208683a4ce9db9544ab507040be9c7d7c +Merge: e44e499d2 01dc11937 +Author: Justin +Date: Thu Sep 20 13:57:31 2018 -0700 + + Merge pull request #311 from erfrimod/erfrimod/hns-v1-exports-Namespace + + Adding Namespace to HNS exports. + +commit e44e499d29527b244d6858772f1b9090eeaddc4e (tag: v0.7.4) +Merge: 18b832695 9cb7bad9a +Author: Justin +Date: Wed Sep 19 14:29:14 2018 -0700 + + Merge pull request #313 from Microsoft/go_runhcs_bindings + + Go runhcs bindings + +commit 9cb7bad9a8adc8b10e06919b1d47792a000a6474 +Author: Justin Terry (VM) +Date: Wed Sep 19 12:34:12 2018 -0700 + + Adding runhcs resize-tty go bindings + + Signed-off-by: Justin Terry (VM) + +commit 84a2586da1d0de9f8f98a4e7981f683613c1cdf1 +Author: Justin Terry (VM) +Date: Wed Sep 19 12:17:36 2018 -0700 + + Adding runhcs state go bindings + + Signed-off-by: Justin Terry (VM) + +commit 856540a9052abf8cb5f9e789e6c5630a290cec72 +Author: Justin Terry (VM) +Date: Wed Sep 19 12:17:15 2018 -0700 + + Adding runhcs ps go bindings + + Signed-off-by: Justin Terry (VM) + +commit 1ccfe28bc73c33d66dccc867dbd8915d2cbde5b8 +Author: Justin Terry (VM) +Date: Wed Sep 19 12:16:53 2018 -0700 + + Adding runhcs pause/resume go bindings + + Signed-off-by: Justin Terry (VM) + +commit 4607c97ded436c88627eae1fa722d0756fee013a +Author: Justin Terry (VM) +Date: Wed Sep 19 11:47:34 2018 -0700 + + Add runhcs create-scratch and list tests + + Signed-off-by: Justin Terry (VM) + +commit aba89567c200a267dbe977203f2528611a84a0a9 +Author: Justin Terry (VM) +Date: Wed Sep 19 11:29:08 2018 -0700 + + Add runhcs list go binding + + Signed-off-by: Justin Terry (VM) + +commit 1c55295f4e39b34925521b8cbafc7324cc57ab8f +Author: Justin Terry (VM) +Date: Wed Sep 19 11:23:15 2018 -0700 + + Adding create-scratch go binding + + 
Signed-off-by: Justin Terry (VM) + +commit 18b83269570bb7954e8dc2db72c181972476304f +Merge: 943d8fec2 f25353d9f +Author: Justin +Date: Wed Sep 19 10:49:34 2018 -0700 + + Merge pull request #312 from Microsoft/unify_runhcs_stopped_error + + Unify runhcs container stopped error + +commit f25353d9ff62092a879cd6ff6480d0a002970874 +Author: Justin Terry (VM) +Date: Wed Sep 19 10:40:35 2018 -0700 + + Unify runhcs container stopped error + + Signed-off-by: Justin Terry (VM) + +commit 01dc11937f222484a544083490b7cdbc36929ee2 +Author: Erik Frimodig +Date: Mon Sep 17 17:56:21 2018 -0700 + + Adding Namespace to HNS exports. Required for CNI to provide Endpoint Namespace in HNS V1. + +commit 943d8fec26ba5ba845f6ab59ce9078db68b4e352 +Merge: 3afd75b67 51ed347ce +Author: John Howard +Date: Thu Sep 13 13:23:56 2018 -0700 + + Merge pull request #309 from Microsoft/jjh/fixlogging + + Fix logging in CreateLayer + +commit 51ed347ce8dd1219b66a011999c84412610308ea +Author: John Howard +Date: Thu Sep 13 10:41:34 2018 -0700 + + Fix logging in CreateLayer + + Signed-off-by: John Howard + +commit 3afd75b67fe9ec0c8ce72c2d2c160fcddd0fc532 +Merge: f3c754d16 c782eb992 +Author: John Howard +Date: Mon Sep 10 10:17:02 2018 -0700 + + Merge pull request #308 from Microsoft/jjh/morelineendings + + More unix line ending fixes + +commit c782eb992265b610a9ce00bb44b15ca08016b933 +Author: John Howard +Date: Mon Sep 10 09:52:01 2018 -0700 + + More unix line ending fixes + + 
Signed-off-by: John Howard + +commit f3c754d1689c1a2028ca5d96103695422f131df3 (tag: v0.7.3) +Merge: 3b3d80e14 d8163de56 +Author: Justin +Date: Fri Sep 7 14:18:39 2018 -0700 + + Merge pull request #306 from Microsoft/fix_guid + + Updates the GUID type to marshal as string. + +commit 3b3d80e14345c17de713b5c6f3e600cba652002b +Merge: 939ef9a51 67937587e +Author: Justin +Date: Fri Sep 7 14:03:34 2018 -0700 + + Merge pull request #307 from erfrimod/erfrimod/hcn-fixes-tests + + Erfrimod/hcn fixes tests + +commit 67937587e909cad662a327cc2f31599797434aa8 +Author: Erik Frimodig +Date: Fri Sep 7 13:53:33 2018 -0700 + + Adding test to verify passing v1 schema to RPC. + +commit d8163de5658ec56c7ac69fc24223363436c1bdae +Author: Justin Terry (VM) +Date: Fri Sep 7 13:40:10 2018 -0700 + + Updates the GUID type to marshal as string. + + Signed-off-by: Justin Terry (VM) + +commit cacccd2dbf84a317c0fa022cd030d38c066e048d +Author: Erik Frimodig +Date: Fri Sep 7 12:47:08 2018 -0700 + + Get functions return an error if no matches exist. + +commit 939ef9a5179232988ba79372d158b473146bf1c1 (tag: v0.7.2) +Merge: 839a2fd93 1d65daa2d +Author: John Howard +Date: Thu Sep 6 11:39:54 2018 -0700 + + Merge pull request #304 from Microsoft/jjh/lineneding + + Fix line ending in guid.go + +commit 1d65daa2d58a543c977041d57bb011e79b3d3a8e +Author: John Howard +Date: Thu Sep 6 11:36:58 2018 -0700 + + Fix line ending in guid.go + + Signed-off-by: John Howard + +commit 839a2fd931c148a08d4d264804dace156bdd5641 (tag: v0.7.1) +Merge: 42f0e04dc 7d25762d8 +Author: John Howard +Date: Thu Sep 6 10:17:57 2018 -0700 + + Merge pull request #303 from Microsoft/fix_tar2vhd_rs5 + + Adding VHD Access for tart2vhd + +commit 7d25762d86972c4b174b9e8df0832d414530edcc +Author: Justin Terry (VM) +Date: Wed Sep 5 10:08:57 2018 -0700 + + Adding VHD Access for tart2vhd + + 
Signed-off-by: Justin Terry (VM) + +commit 42f0e04dcaf638772466e252fac3703bcb13dccd +Merge: 3cbd119df 5181bb7e3 +Author: Justin +Date: Tue Sep 4 12:04:31 2018 -0700 + + Merge pull request #302 from Microsoft/jjh/syscallwatcher + + Add syscall watcher + +commit 5181bb7e3f8eacdabfc05b14853b956790f9b125 +Author: John Howard +Date: Tue Sep 4 11:07:20 2018 -0700 + + Add syscall watcher + + Signed-off-by: John Howard + +commit 3cbd119df3fcc7492430551d67e0402eaa406e42 +Merge: 11de494ff 24674a758 +Author: Justin +Date: Fri Aug 31 16:00:02 2018 -0700 + + Merge pull request #301 from Microsoft/go1_11_fixes + + Fixing issues found by go 1.11 + +commit 24674a758eed7d91c82130c3354bdc12b1b5a50f +Author: Justin Terry (VM) +Date: Fri Aug 31 15:57:51 2018 -0700 + + Fixing issues found by go 1.11 + + 
Signed-off-by: Justin Terry (VM) + +commit 11de494ff5970d45138fc02ce8c83b406634aea7 +Merge: ad5b578a1 b80200e43 +Author: Justin +Date: Fri Aug 31 15:38:23 2018 -0700 + + Merge pull request #274 from erfrimod/erfrimod/hns-v2-api + + WIP: Erfrimod/hns v2 api + +commit b80200e435a1971193fc63187851ad3e3ead69b5 +Author: Erik Frimodig +Date: Fri Aug 31 15:19:58 2018 -0700 + + Removing version checks from internal api calls. + +commit d7fab11be29ad7b3f59b7c8e9e031d022143c13e +Author: Erik Frimodig +Date: Fri Aug 31 14:57:59 2018 -0700 + + Re-use the Version in globals for SchemaVersion. + +commit 9772607a27af24a02fce4dac08c34f811b896b2c +Author: Erik Frimodig +Date: Fri Aug 31 14:29:25 2018 -0700 + + Responding to PR feedback. + +commit eb2d9ba9ef94d18b1b70a55e2b201e51a4e1dfd0 +Author: Erik Frimodig +Date: Fri Aug 31 12:49:07 2018 -0700 + + CheckError moved to lowercase to no longer publish + +commit e215cc8d81581c3c67807d536333c4a7eaf0cb1e +Author: Erik Frimodig +Date: Fri Aug 31 11:27:36 2018 -0700 + + Endpoints handle arrays of Policy objects. + +commit d653c2554bda5fbbbb5ef6d89b39a0d7be47eddf +Author: Erik Frimodig +Date: Thu Aug 30 15:42:04 2018 -0700 + + Adding multiple ACLs to endpoint tested. + +commit bf14fc22895f89b0154f93d6370c90063855f0be +Author: Erik Frimodig +Date: Thu Aug 30 14:37:38 2018 -0700 + + Update the mksyscall comment in hcn.go + +commit 40b8bbda758c307bf003544561ec33c3a4bce7f4 +Author: Erik Frimodig +Date: Thu Aug 30 14:35:19 2018 -0700 + + Moving HSN code to hcnshim::hcs. + +commit 3c64bb84489f8f5cd5bde4fdd1e8760f53cdda37 +Author: Erik Frimodig +Date: Wed Aug 29 17:20:40 2018 -0700 + + Squash before rebase. 
+ +commit ad5b578a19495423d2546545fd5134127b272f79 (tag: v0.7.0) +Merge: 9856d81fc 230cc8114 +Author: Justin +Date: Fri Aug 24 10:02:39 2018 -0700 + + Merge pull request #300 from Microsoft/jjh/lineendings + + Convert all files to UNIX line endings + +commit 230cc81140509f40bf2b468759434a46fd8a8e17 +Author: John Howard +Date: Fri Aug 24 08:06:18 2018 -0700 + + Convert all files to UNIX line endings + + Signed-off-by: John Howard + +commit 9856d81fc4258e66eeeebe906c29fa07f6e12189 +Merge: 44c060121 48a95a59c +Author: John Howard +Date: Wed Aug 22 09:04:23 2018 -0700 + + Merge pull request #295 from Microsoft/jjh/uniquetimeouts + + Add individual timeouts rather than global + +commit 44c060121b68e8bdc40b411beba551f3b4ee9e55 +Merge: 9ae610d59 8d6cd8126 +Author: Justin +Date: Wed Aug 22 08:13:09 2018 -0700 + + Merge pull request #296 from Microsoft/fix_line_endings + + Fix CRLF to LF in some files + +commit 8d6cd812604e0aef14bbd8796d8ff4691d979aa1 +Author: Justin Terry (VM) +Date: Wed Aug 22 07:56:41 2018 -0700 + + Fix CRLF to LF in some files + + Signed-off-by: Justin Terry (VM) + +commit 48a95a59c886e4be9d366f555f0f6568a1741e1e +Author: John Howard +Date: Tue Aug 21 14:51:41 2018 -0700 + + Add individual timeouts rather than global + + Signed-off-by: John Howard + +commit 9ae610d5962dbb4778987805b6173b5b0e1c4263 +Merge: 4c804da6c a343346e8 +Author: Justin +Date: Tue Aug 21 14:13:32 2018 -0700 + + Merge pull request #294 from Microsoft/exec_detach + + Adding detach support to go-runhcs exec + +commit a343346e8e37bc029a6fdd970a54d8a993a66c98 +Author: Justin Terry (VM) +Date: Tue Aug 21 14:10:45 2018 -0700 + + Adding detach support to go-runhcs exec + + 
Signed-off-by: Justin Terry (VM) + +commit 4c804da6c6e9025334b7a389e1d8f0c24c06a501 +Merge: de5af6486 35436e40d +Author: Justin +Date: Mon Aug 20 15:11:53 2018 -0700 + + Merge pull request #293 from Microsoft/jjh/john-is-an-idiot-sometimes + + Put LinuxMetadata in the right place (oops) + +commit 35436e40d86648057f1c2768cdb2a82375d26dc2 +Author: John Howard +Date: Mon Aug 20 15:10:07 2018 -0700 + + Put LinuxMetadata in the right place (oops) + + Signed-off-by: John Howard + +commit de5af648634ddc15af06e7b3a25abaae0a16af48 +Merge: fc5774bb7 5d6ef6335 +Author: Justin +Date: Mon Aug 20 14:37:40 2018 -0700 + + Merge pull request #290 from Microsoft/go_runhcs + + Introduce go-runhcs client bindings + +commit fc5774bb7e0254061c3ec407382c65a550694139 +Merge: 850502f4f b1ae280af +Author: Justin +Date: Mon Aug 20 14:37:16 2018 -0700 + + Merge pull request #291 from Microsoft/jjh/setcurrentthreadcompartmentid + + Repromote SetCurrentThreadCompartmentId + +commit 850502f4f58925203e0d6fdca0517b57afe7fe24 +Merge: 8739e80d2 708826e2a +Author: Justin +Date: Mon Aug 20 14:35:53 2018 -0700 + + Merge pull request #292 from Microsoft/jjh/linuxmetadata-back-in-master + + Adds LinuxMetadata back (omitted in master) + +commit 708826e2a7ea92e98cb0d3296bc1d9b4d3231db8 +Author: John Howard +Date: Mon Aug 20 14:33:00 2018 -0700 + + Adds LinuxMetadata back (omitted in master) + + Signed-off-by: John Howard + +commit b1ae280af6260f2d6e7b9faeadda062158306599 +Author: John Howard +Date: Mon Aug 20 14:23:02 2018 -0700 + + Repromote SetCurrentThreadCompartmentId + + Signed-off-by: John Howard + +commit 5d6ef6335066e5921fcf8334990c2a856410dc93 +Author: Justin Terry (VM) +Date: Fri Aug 17 13:14:16 2018 -0700 + + Introduce go-runhcs client bindings + + 
Signed-off-by: Justin Terry (VM) + +commit f9d9074b643b7ca03f52994f5d640b2884a352bc +Merge: 4446ff298 843def10f +Author: Justin +Date: Mon Aug 20 12:39:04 2018 -0700 + + Merge pull request #254 from Microsoft/runc_kill_err + + Fix issue with runc kill + +commit 843def10f049cbf9ee8474c5212a81e39db1f793 +Author: Justin Terry (VM) +Date: Mon Aug 20 11:33:30 2018 -0700 + + Fix issue with runc kill + + Converts a runc error calling kill on an already dead pid to a success + since it is the final state we wanted anyways. + + Signed-off-by: Justin Terry (VM) + +commit 4446ff298e35bc6c4a47f8dd535a539375c3d9af +Merge: aae7bacb5 6258ed97a +Author: Justin +Date: Fri Aug 17 12:34:56 2018 -0700 + + Merge pull request #253 from Microsoft/jjh/fixbuild + + Fix info messages in build.ps1 + +commit 6258ed97aedd611b7e350e30ee9cb65e3813ffab +Author: John Howard +Date: Fri Aug 17 12:06:32 2018 -0700 + + Fix info messages in build.ps1 + + Signed-off-by: John Howard + +commit 8739e80d282d03baee4f01d3b96542541073b714 +Merge: a3c34bb18 4cb129576 +Author: Justin +Date: Fri Aug 17 11:33:30 2018 -0700 + + Merge pull request #289 from Microsoft/jjh/bumprs5 + + Bump RS5 build number + +commit a3c34bb1899f76e9394b79a8eb31ebe82b4ebd18 +Merge: c328a0ef1 e9a1157bb +Author: John Howard +Date: Fri Aug 17 10:58:08 2018 -0700 + + Merge pull request #288 from Microsoft/jjh/attachonly + + Remove AttachOnly + +commit 4cb129576225a9d5951d65d1b136583d750133c5 +Author: John Howard +Date: Fri Aug 17 10:40:46 2018 -0700 + + Bump RS5 build number + + Signed-off-by: John Howard + +commit e9a1157bb1c82458028201a94457f82241f15140 +Author: John Howard +Date: Fri Aug 17 10:38:36 2018 -0700 + + Remove AttachOnly + + 
Signed-off-by: John Howard + +commit c328a0ef1b2752804d028e2d4b2cb593d15eebe3 +Merge: 97c80f88f 56a3adc6f +Author: John Howard +Date: Fri Aug 17 10:30:36 2018 -0700 + + Merge pull request #286 from Microsoft/jterry75/containerd-runhcs-shim_fixes + + Jterry75/containerd runhcs shim fixes + +commit aae7bacb57d459a2d304844c5fadbb3df9927311 +Merge: db6b525bf 48a963be0 +Author: John Howard +Date: Fri Aug 17 10:29:09 2018 -0700 + + Merge pull request #249 from jterry75/v2_exec_external + + Supports V2 exec external process with a V2 schema + +commit 97c80f88fbfe4b5f3fc472549eb4e201624ea6fb +Merge: 573060c15 101fb900f +Author: Justin +Date: Fri Aug 17 10:20:43 2018 -0700 + + Merge pull request #287 from Microsoft/jjh/swagger-8-17-18 + + Refresh swagger + +commit 101fb900fa43fdffa8c1cfc3f4b1c5cdb4f2c08d +Author: John Howard +Date: Fri Aug 17 10:08:15 2018 -0700 + + Refresh swagger + + Signed-off-by: John Howard + +commit 573060c15561798303e08381d34f4474023afb84 +Merge: 6f4272e5a 3a2ea8f47 +Author: John Starks +Date: Thu Aug 16 10:58:35 2018 -0700 + + Merge pull request #277 from jiria/fix-convertandfree-32bit + + Fix ConvertAndFreeCoTaskMemString for 32 bit platforms + +commit db6b525bf60d6dd7c28505cef8eefcf6ba719bfb +Merge: 6294b3cab 7ceb2508d +Author: Justin +Date: Thu Aug 16 09:13:38 2018 -0700 + + Merge pull request #251 from jterry75/time_duration + + Fixing time.Duration casts + +commit 7ceb2508dd68e0da7e4a79228a99b5c8be4eb32f +Author: Justin Terry (VM) +Date: Wed Aug 15 14:58:04 2018 -0700 + + Fixing time.Duration casts + + Signed-off-by: Justin Terry (VM) + +commit 56a3adc6f0e2f0b5e884530239b4a1bb6a4c5204 +Author: Justin Terry (VM) +Date: Mon Aug 13 13:56:58 2018 -0700 + + Adding runhcs.exe tar2vhd command + + Signed-off-by: Justin Terry (VM) + +commit 2175e3ebbde2e86efa871db8aeef873d59551554 +Author: Justin Terry (VM) +Date: Tue Aug 14 08:13:07 2018 -0700 + + Add runhcs.exe create-scratch command + + 
Signed-off-by: Justin Terry (VM) + +commit a7b6c59a3f451c582bc7013390978c19a9795081 +Author: Justin Terry (VM) +Date: Mon Aug 13 08:20:41 2018 -0700 + + Removes punctuation from start error + + Signed-off-by: Justin Terry (VM) + +commit 6bf74c7a229bf6c4b1e1562deb6f69e17981b5ad +Author: Justin Terry (VM) +Date: Fri Aug 10 09:52:02 2018 -0700 + + Fixes an issue with state + + Occasionally the product will fail the state query and return "operation + is not valid in the current sate". Rather than returning an error in + this case we want to return state "unknown" with a valid json output for + clients to be able to handle. + + Signed-off-by: Justin Terry (VM) + +commit 48a963be052ed49aa098acf6ffdf8625edac072e +Author: Justin Terry (VM) +Date: Wed Aug 15 12:57:24 2018 -0700 + + Supports V2 exec external process with a V2 schema + + Adds support for a V2 exec external process that uses an oci.Process + spec rather than the v1 schema of cmd/args. + + Resolves: #246 + + Signed-off-by: Justin Terry (VM) + +commit 6294b3cabf1f6ae3f66944d9ec4704e2c466a88c +Merge: e7d636bb7 ba6a610b8 +Author: John Howard +Date: Wed Aug 15 11:28:57 2018 -0700 + + Merge pull request #247 from Microsoft/jterry75/stdio_close_log + + Adding log support on stdio connections + +commit ba6a610b8d36e874c33d7f29f58c2b692d0fb8c1 +Author: Justin Terry (VM) +Date: Tue Aug 14 10:30:26 2018 -0700 + + Adding log support on stdio connections + + 
Signed-off-by: Justin Terry (VM) + +commit 6f4272e5a96e53e3e2719ce9d53fa2516c92914d +Merge: 6c511c0a9 c335b9c7a +Author: Justin +Date: Tue Aug 14 08:35:35 2018 -0700 + + Merge pull request #249 from Microsoft/consolepipe + + abbreviate logging; fix test + +commit e7d636bb744853237979f3d03a22391a85f52e1c +Merge: 443b91ba7 6fae160bc +Author: John Howard +Date: Mon Aug 13 09:22:26 2018 -0700 + + Merge pull request #245 from Microsoft/rootfsvhd + + Carry #227: build.ps1: Build rootfs.vhd + +commit 6fae160bc123435c9d2fe3f22e16317c57f57d80 +Author: John Howard +Date: Fri Aug 10 15:43:24 2018 -0700 + + Fix --device-cgroup-rule typo + + Signed-off-by: John Howard + +commit d782cbd5fe57e45011f29bb42ccd9a327aea2a3c +Author: John Starks +Date: Thu Jun 21 11:01:04 2018 -0700 + + build.ps1: Build rootfs.vhd + +commit 6c511c0a92bf6ec952336c6cc5bcf4884dda572c +Merge: 46e81a2ea 1867c49be +Author: John Howard +Date: Fri Aug 10 15:22:21 2018 -0700 + + Merge pull request #275 from Microsoft/jjh/todos + + Clearup some TODOs, bump RS5 build + +commit 1867c49be736707b8a7f59f8564f38ccfdd62423 +Author: John Howard +Date: Thu Jul 26 11:13:34 2018 -0700 + + Clearup some TODOs, bump RS5 build + + Signed-off-by: John Howard + +commit 46e81a2ea0d77d62336908aa8f7a7f258c240cc7 +Merge: b08edbc01 fa457166d +Author: Justin +Date: Fri Aug 10 15:05:09 2018 -0700 + + Merge pull request #282 from Microsoft/jjh/masterlimitstarts + + Limit parallel starts if HCSSHIM_MAX_PARALLEL_START is set + +commit fa457166d8040de93ff11ec24b6b80e33df58365 +Author: John Howard +Date: Fri Aug 10 14:31:27 2018 -0700 + + Limit parallel starts + + 
Signed-off-by: John Howard
+
+commit b08edbc011f8d316cfdddfc7d64a95706185edca
+Merge: 4a468a6f7 7feb8b6f5
+Author: Justin
+Date: Fri Aug 10 14:50:03 2018 -0700
+
+ Merge pull request #276 from jiria/fix_fileattributes_size
+
+ Fix FileAttributes size to work across all platforms
+
+commit 443b91ba766b14724e9470a22d5c2fea540cb84a
+Merge: 2398de591 dee64dfb2
+Author: John Howard
+Date: Thu Aug 9 11:49:16 2018 -0700
+
+ Merge pull request #244 from Microsoft/fix_reboot
+
+ Fixing Reboot system call flags
+
+commit dee64dfb2fabbb1b68e37c222d5249f98b7dd01d
+Author: Justin Terry (VM)
+Date: Thu Aug 9 11:33:32 2018 -0700
+
+ Fixing Reboot system call flags
+
+ Signed-off-by: Justin Terry (VM)
+
+commit 3a2ea8f473928ec022b208186fa35fac76f78256
+Author: Jiri Appl
+Date: Fri Aug 3 12:12:56 2018 -0700
+
+ Fix ConvertAndFreeCoTaskMemString for 32 bit platforms
+
+commit 7feb8b6f58afd9e2fba400a383dbc510ea99abcc
+Author: Jiri Appl
+Date: Fri Aug 3 12:02:49 2018 -0700
+
+ Changes based on PR
+
+commit 8ec7e9b0509470d315e8fbe75ce88ce22f95ade0
+Author: Jiri Appl
+Date: Thu Aug 2 11:12:49 2018 -0700
+
+ Fix FileAttributes size to work across all platforms
+
+commit 4a468a6f7ae547974bc32911395c51fb1862b7df
+Merge: ab21da6a3 cb18d0084
+Author: Justin
+Date: Mon Jul 23 13:05:44 2018 -0700
+
+ Merge pull request #273 from Microsoft/jjh/scsi
+
+ Fixups to latest vmcompute as of 7/23/18
+
+commit cb18d0084b70a4f8ac6ff80bfd06303370cd076e
+Author: John Howard
+Date: Mon Jul 23 12:50:24 2018 -0700
+
+ Updated for new VPMem schema
+
+ Signed-off-by: John Howard
+
+commit 4a72322a1a6cf40f44823ab5c1026b27bd6aeec9
+Author: John Howard
+Date: Mon Jul 23 11:46:45 2018 -0700
+
+ Fixups for moved fields (memory/vsmb)
+
+ Signed-off-by: John Howard
+
+commit af9e475a6a459ff8a128f0a5bebe71a5a3b7107c
+Author: John Howard
+Date: Mon Jul 23 11:39:16 2018 -0700
+
+ Refresh swagger
+
+ 
Signed-off-by: John Howard
+
+commit 172f6ab2412cb50b90d2ab29286b9e0e689cd234
+Author: John Howard
+Date: Mon Jul 23 11:36:02 2018 -0700
+
+ Fix compile error, revert SCSI hack
+
+ Signed-off-by: John Howard
+
+commit ab21da6a3b9b667c4ec37694efb7c0ea62069c80
+Merge: 437e687f3 186389daf
+Author: Justin
+Date: Thu Jul 19 15:34:41 2018 -0700
+
+ Merge pull request #268 from Microsoft/jjh/extraprintln
+
+ Remove two noisy non-required fmt.Println in test code
+
+commit 437e687f35bc751239fa46be174764b1f41f90e9
+Merge: 637f233e0 e71658bb2
+Author: Justin
+Date: Thu Jul 19 15:34:18 2018 -0700
+
+ Merge pull request #269 from Microsoft/jjh/userightimage
+
+ TestWCOWXenonOciV1 was using wrong image
+
+commit e71658bb23f59a0482939fe5778e6f7ab694d1e3
+Author: John Howard
+Date: Wed Jul 18 16:07:48 2018 -0700
+
+ TestWCOWSenonOciV1 was using wrong image
+
+ Signed-off-by: John Howard
+
+commit 186389daf78b82a336321b8f1f8f7f1aaabd9aa5
+Author: John Howard
+Date: Wed Jul 18 15:38:34 2018 -0700
+
+ Remove too noisy non-required fmt.Println in test code
+
+ Signed-off-by: John Howard
+
+commit 637f233e07c034012eed8d1afdeea6371d2387a9
+Merge: 85fbacc2b a2badbf19
+Author: John Howard
+Date: Wed Jul 18 15:26:00 2018 -0700
+
+ Merge pull request #261 from Microsoft/jjh/plan9fixup
+
+ Fix ResourcePath for Plan9
+
+commit 85fbacc2b987a29866d4871a3e3471036eb400f5
+Merge: 95f773c83 2be632347
+Author: John Howard
+Date: Wed Jul 18 15:25:38 2018 -0700
+
+ Merge pull request #267 from Microsoft/jjh/vsmbfixup
+
+ Fix VSMB, and scsi variable masking bug
+
+commit 2be632347d712cfc29f2ad9a46ff243c01a7af91
+Author: John Howard
+Date: Wed Jul 18 14:30:48 2018 -0700
+
+ Fix VSMB, and scsi variable masking bug
+
+ 
Signed-off-by: John Howard
+
+commit 95f773c83ea6558fb1d4e9dd9a3e083eede9c5dc
+Merge: a45cb86dc c90b12fda
+Author: Justin
+Date: Wed Jul 18 13:32:19 2018 -0700
+
+ Merge pull request #266 from Microsoft/jterry75/latest_v1_assigned_device_support
+
+ Add device passthrough support
+
+commit a45cb86dc60970d99dfd78bb424072281ee987dd
+Merge: 90150b002 e71b7e435
+Author: John Howard
+Date: Wed Jul 18 13:03:00 2018 -0700
+
+ Merge pull request #260 from Microsoft/jjh/scsicomment
+
+ Remove old SCSI comment
+
+commit c90b12fda4b8b80a4b8293758b0ebdf7a0e43ec9
+Author: Justin Terry (VM)
+Date: Tue Jul 17 14:42:10 2018 -0700
+
+ Add device passthrough support
+
+ Signed-off-by: Justin Terry (VM)
+
+commit a2badbf19fa824136d6733583840f009ac7872a6
+Author: John Howard
+Date: Wed Jul 18 10:32:20 2018 -0700
+
+ Fix ResourcePath for Plan9
+
+ Signed-off-by: John Howard
+
+commit 90150b002ba660f67d1d7148e20437260e8f337a
+Merge: ec8a9cc09 1cd351af8
+Author: John Howard
+Date: Wed Jul 18 11:54:50 2018 -0700
+
+ Merge pull request #264 from Microsoft/jjh/scsihack
+
+ Temporary hack to +1 SCSI LUN due to VSO 18313454
+
+commit 1cd351af8cc25c8512e2d34c5248f41831ac47c6
+Author: John Howard
+Date: Wed Jul 18 11:47:59 2018 -0700
+
+ Temporary hack to +1 SCSI due to VSO 18313454
+
+ Signed-off-by: John Howard
+
+commit ec8a9cc090fbb28791408556249eec9a295e9e2b
+Merge: 2fe5281f3 5e628b5e6
+Author: John Howard
+Date: Wed Jul 18 11:41:40 2018 -0700
+
+ Merge pull request #262 from Microsoft/jjh/vpmemfixup
+
+ Fix vpmem add/remove
+
+commit 5e628b5e6f00e362e2a491cbeb5ae32622184310
+Author: John Howard
+Date: Wed Jul 18 10:39:44 2018 -0700
+
+ Fix vpmem add/remove
+
+ Signed-off-by: John Howard
+
+commit e71b7e4354727e8ba6df851ab4a65be3534ccb52
+Author: John Howard
+Date: Wed Jul 18 09:42:04 2018 -0700
+
+ Remove old SCSI comment
+
+ 
Signed-off-by: John Howard
+
+commit 2fe5281f3d038255a0c44570b2a82d6291793b2b
+Merge: 781276ffe b8256f94a
+Author: John Howard
+Date: Tue Jul 17 13:04:08 2018 -0700
+
+ Merge pull request #257 from Microsoft/jjh/networking
+
+ Network pre-add and network add/rm updates
+
+commit b8256f94aba4a360fe4e755cec3cc2ba2842923a
+Author: John Howard
+Date: Mon Jul 16 10:24:52 2018 -0700
+
+ Network pre-add and network add/rm updates
+
+ Signed-off-by: John Howard
+
+commit 781276ffe855d5f17941a92fa4101cbd542b3ce7
+Merge: b28cba84e a1be1573e
+Author: John Howard
+Date: Tue Jul 17 11:06:31 2018 -0700
+
+ Merge pull request #258 from Microsoft/jjh/resourcepaths
+
+ Next breaking change
+
+commit a1be1573e3926a0cf130f1ecd9392689b0b88ed1
+Author: John Howard
+Date: Mon Jul 16 15:32:42 2018 -0700
+
+ Compile fixups
+
+ Signed-off-by: John Howard
+
+commit 51cf6a3357aec4ea837d159b8c58e840e3d4c41b
+Author: John Howard
+Date: Mon Jul 16 15:26:46 2018 -0700
+
+ Juggle ResourceTu[e removal
+
+ Signed-off-by: John Howard
+
+commit dbfdb6ce07312986774f175f3fe44a9564db2f61
+Author: John Howard
+Date: Mon Jul 16 14:43:11 2018 -0700
+
+ Schema to Friday 13th build
+
+ Signed-off-by: John Howard
+
+commit 2d9754062bdb191538fda19338a70551f89d9a67
+Author: John Howard
+Date: Mon Jul 16 10:46:09 2018 -0700
+
+ Fix resource path to latest breaking change
+
+ Signed-off-by: John Howard
+
+commit b28cba84e7358f8d5dbe79d51f76f629c49483b7
+Merge: 18fe5ad1f 0ad56ba20
+Author: John Howard
+Date: Fri Jul 13 13:35:09 2018 -0700
+
+ Merge pull request #256 from Microsoft/jjh/fixes
+
+ Updates for latest schema, and workaround
+
+commit 0ad56ba2004298e32c62a80d1c89e651934ac504
+Author: John Howard
+Date: Fri Jul 13 13:26:06 2018 -0700
+
+ Have GuestResourceType its own type
+
+ Signed-off-by: John Howard
+
+commit a123bba553eba9b20d8752cbdef79277af046577
+Author: John Howard
+Date: Fri Jul 13 13:05:24 2018 -0700
+
+ Remove no-longer-true comment
+
+ 
Signed-off-by: John Howard
+
+commit bc28463bcdacabdad8a5f7c396365af2df610371
+Author: John Howard
+Date: Fri Jul 13 13:03:57 2018 -0700
+
+ DOn't add Request/RequestType outside GuestRequest if no settings
+
+ Signed-off-by: John Howard
+
+commit 4c12dc14b512816e0145acd4c57b74bfae8cecdc
+Author: John Howard
+Date: Fri Jul 13 12:52:42 2018 -0700
+
+ s/hostedsettings/guestrequest
+
+ Signed-off-by: John Howard
+
+commit 5ee336fce61bfa96c5076832cfba860a5b5ae000
+Author: John Howard
+Date: Fri Jul 13 12:31:41 2018 -0700
+
+ Fix SCSI nightname
+
+ Signed-off-by: John Howard
+
+commit 20640a7b6c723aedeac213b40ae0824fbe38c52c
+Author: John Howard
+Date: Wed Jul 11 20:05:03 2018 -0700
+
+ Functional tests working
+
+ Signed-off-by: John Howard
+
+commit f08a0577113cfb15d4a4d08b262da068ec806e15
+Author: John Howard
+Date: Tue Jul 10 15:16:18 2018 -0700
+
+ Retry for test-d /sys/bus/scsi/....
+
+ Signed-off-by: John Howard
+
+commit 2398de591e9c577c112c6eeb7dd7659ecc77a46e
+Merge: f4421ed6d fdfcf6d63
+Author: John Howard
+Date: Tue Jul 10 14:41:31 2018 -0700
+
+ Merge pull request #238 from Microsoft/v2_process_version
+
+ Remove ProcessV2 Version property requirement
+
+commit fdfcf6d635450f64c590efb38c31b81378aada11
+Author: Justin Terry (VM)
+Date: Tue Jul 10 13:08:31 2018 -0700
+
+ Remove ProcessV2 Version property requirement
+
+ Removes the SchemaVersion property requirement from the ProcessV2 schema
+ and gathers the version number from the ContainerID itself that was used
+ at create time.
+
+ Signed-off-by: Justin Terry (VM)
+
+commit bea509c479e44803b66db24cd1d71549c2e63a90
+Author: John Howard
+Date: Tue Jul 10 09:24:38 2018 -0700
+
+ Use busyboxw for wcow tests - can't have both linux/windows busybox images with same tag
+
+ 
Signed-off-by: John Howard
+
+commit 01fb57ecf58c69ff03f5c44904e6b65beac1db02
+Merge: 7bb674b05 8202a2499
+Author: John Howard
+Date: Tue Jul 10 09:26:31 2018 -0700
+
+ Merge pull request #255 from Microsoft/jterry75/fixes
+
+ Jterry75/fixes
+
+commit 8202a24993de937532a44566bf80013024ddf170
+Author: Justin Terry (VM)
+Date: Tue Jul 10 09:19:28 2018 -0700
+
+ Use GuestConnection for WCOW/LCOW in all cases
+
+ Signed-off-by: Justin Terry (VM)
+
+commit b49915cf514597014b100daa81de6f5c176d84ed
+Author: Justin Terry (VM)
+Date: Tue Jul 10 09:13:42 2018 -0700
+
+ Fixing PMEM ImageFormat casing
+
+ Signed-off-by: Justin Terry (VM)
+
+commit b40415305df717c1f242a32131fd17827cce4927
+Author: Justin Terry (VM)
+Date: Tue Jul 10 09:06:46 2018 -0700
+
+ Bump Schema V2.1 version
+
+ Signed-off-by: Justin Terry (VM)
+
+commit b8130634e1cc71213923df1f02086510fbdb799f
+Author: Justin Terry (VM)
+Date: Tue Jul 10 08:57:13 2018 -0700
+
+ Remove comment with new GuestConnection settings
+
+ Signed-off-by: Justin Terry (VM)
+
+commit 63208dfcaae13d554d44ceb8f99dfbfae03ba6b9
+Author: Justin Terry (VM)
+Date: Tue Jul 10 08:50:10 2018 -0700
+
+ Renaming VPMEM and VSMB share paths
+
+ Signed-off-by: Justin Terry (VM)
+
+commit 7bb674b05c035efcb6cdeafe3db968f70dfb6f42
+Author: John Howard
+Date: Mon Jul 9 16:04:08 2018 -0700
+
+ Back to compiling
+
+ 
Signed-off-by: John Howard
+
+commit f4421ed6d06d1583e4625634a8cc4f5f864d77fe
+Merge: f5289606b 40dcf5929
+Author: John Howard
+Date: Mon Jul 9 16:02:08 2018 -0700
+
+ Merge pull request #237 from Microsoft/system_already_stopped
+
+ Fixes v1 shutdown failure code
+
+commit 18fe5ad1fcac0292f535286a89f7f8b9014a0fee
+Merge: a2572a88e 1d6fef405
+Author: Justin
+Date: Mon Jul 9 15:08:53 2018 -0700
+
+ Merge pull request #253 from scooley/runc-reference-removal
+
+ Removing runc help doc references from runhcs
+
+commit 40dcf5929406403fc51b6c60eff87b6fd17afe9f
+Author: Justin Terry (VM)
+Date: Mon Jul 9 15:06:08 2018 -0700
+
+ Fixes v1 shutdown failure code
+
+ 1. Fixes an issue where when signaling a container either via Shutdown
+ or Terminate the HCS previously would return an error that indicated the
+ Compute System was already stopped. We now have the gcs return this
+ HRESULT directly to honor the existing hcsshim behavior for determining
+ if the signal error is a real one or not.
+
+ Signed-off-by: Justin Terry (VM)
+
+commit e0423a94bd753bade73f392051de8a8edfd3c310
+Author: John Howard
+Date: Mon Jul 9 13:20:57 2018 -0700
+
+ Refresh Swagger
+
+ 
Signed-off-by: John Howard
+
+commit a2572a88e2483ab4379061a836026b57ef7e0ed2
+Merge: b71fa3891 27006252c
+Author: John Howard
+Date: Mon Jul 9 11:35:46 2018 -0700
+
+ Merge pull request #252 from Microsoft/schemaupdate
+
+ HCS v2 Schema Updates to align with breaking change notification
+
+commit 1d6fef405084bca531f82f0265fec8b1ac039e65
+Author: Sarah
+Date: Fri Jul 6 15:37:25 2018 -0700
+
+ noticed a minor grammar fail
+
+commit 9ccb8e1327af5e6d2b8ce208192f27d97697340e
+Author: Sarah
+Date: Fri Jul 6 15:31:45 2018 -0700
+
+ updating per feedback
+
+commit f5289606ba2d62e2c7d9aa73ec87353622d98a09
+Merge: 81cdc3e9f dd2cce66f
+Author: Justin
+Date: Fri Jul 6 15:11:44 2018 -0700
+
+ Merge pull request #235 from Microsoft/v2_name_changes
+
+ V2 changes to modifysettings type
+
+commit d36cae81d3b8a7827350ccac1db67df68cc1cec6
+Author: Sarah
+Date: Fri Jul 6 14:36:21 2018 -0700
+
+ name update
+
+commit da13cbe1318156299c475eb52de5394d38329747
+Author: Sarah
+Date: Fri Jul 6 14:14:46 2018 -0700
+
+ updated main to refer to Hyper-V isolated containers rather than lcow based on references to wcow
+
+commit fe4fe0acdc3c0f8667f52068ef9547308f1f456e
+Author: Sarah
+Date: Fri Jul 6 14:10:34 2018 -0700
+
+ removed runc reference from run - modified to remove reference to runc spec (unimplemented in runhcs)
+
+commit cb5ac6361823f11aeb82d32de57fac350fd9ee7c
+Author: Sarah
+Date: Fri Jul 6 14:08:05 2018 -0700
+
+ removed runc reference from pause
+
+commit b0866532595e5eb70648d943678379306ad3922d
+Author: Sarah
+Date: Fri Jul 6 14:04:52 2018 -0700
+
+ minor updates to main
+
+commit 23e0510bc09eadfd90c503b0de32512dbd1ccc54
+Author: Sarah
+Date: Fri Jul 6 14:00:31 2018 -0700
+
+ notice modification
+
+commit 387f1c5aaf747cf266ac01e29d45a5a26e4f57f8
+Author: Sarah
+Date: Fri Jul 6 13:42:09 2018 -0700
+
+ removed runc reference from main - this will need to be updated to reflect differences between runhcs and runc
+
+commit 8aa5cfbf0fe71bb3f38370bd818797e37cddbe43
+Author: Sarah 
+Date: Fri Jul 6 13:37:51 2018 -0700
+
+ removed runc reference from list
+
+commit 136b0df464484161e62eab5be05289431457e63c
+Author: Sarah
+Date: Fri Jul 6 13:36:15 2018 -0700
+
+ removed runc reference from kill
+
+commit bff809e69781c4d6553ef97ee9beffb29d1b2ad4
+Author: Sarah
+Date: Fri Jul 6 13:35:17 2018 -0700
+
+ changed notice
+
+commit b79c686437023d09eb0ab8c8fab3b21aea8c1761
+Author: Sarah
+Date: Fri Jul 6 13:26:57 2018 -0700
+
+ changed notice
+
+commit 7fa3eb426620c59b8222b3d106291505fc85a9b5
+Author: Sarah
+Date: Fri Jul 6 13:01:06 2018 -0700
+
+ removed runc refernces from delete.go
+
+commit dd2cce66fdeb5002ab22fcbdd68c8dbcb2a4ef76
+Author: Justin Terry (VM)
+Date: Wed Jul 4 14:39:26 2018 -0700
+
+ V2 changes to modifysettings type
+
+ Signed-off-by: Justin Terry (VM)
+
+commit 27006252cab143ae60cb549745bcd1eb88488d82
+Author: John Howard
+Date: Mon Jul 2 10:50:20 2018 -0700
+
+ HCS v2 Schema Updates to align with breaking change notification
+
+ This updates internal/schema2 to use (with some very minor modifications)
+ swagger generated code. The ripple effects then pass on through pretty
+ much everywhere else.
+
+ Modification particularly to ModifySettingRequest so that Settings and
+ HostedSettings are `interface{}` rather than `*interface{}`
+
+ Note there are new/updated internal packages for things which are not generated
+ by swagger:
+
+ - The LCOW hosted settings for ProcessParameters are in lcow/types.go
+ - Request Types in internal/requesttype
+ - Resource Types in internal/resourcetype
+
+ 
Signed-off-by: John Howard
+
+commit 81cdc3e9f74924f938f33ba23458c09bd39c8571
+Merge: 71721a238 bc06bb491
+Author: Justin
+Date: Tue Jun 26 13:07:58 2018 -0700
+
+ Merge pull request #233 from Microsoft/multicontainer
+
+ Merge Multicontainer into master
+
+commit bc06bb49132ae962745f344aef63d4e5f47ade63
+Merge: ce4c96aad 71721a238
+Author: Justin Terry (VM)
+Date: Tue Jun 26 11:41:12 2018 -0700
+
+ Merge remote-tracking branch 'origin/master' into multicontainer
+
+commit ce4c96aad23884212170af346148798e25eb6fed
+Merge: b0f290e3e ff739685a
+Author: Justin
+Date: Tue Jun 26 11:26:57 2018 -0700
+
+ Merge pull request #230 from Microsoft/multi_fix_unittests
+
+ Cleanup GCS ginkgo tests in multicontainer
+
+commit ff739685a25caf731d6341a4e33c3caeac6a6974
+Author: Justin Terry (VM)
+Date: Fri Jun 22 13:57:00 2018 -0700
+
+ Cleanup GCS ginkgo tests in multicontainer
+
+ Signed-off-by: Justin Terry (VM)
+
+commit b0f290e3e4c8419f7319674e3fbde82761f7cba6
+Author: Justin Terry (VM)
+Date: Tue Jun 26 10:42:37 2018 -0700
+
+ Rename OtherCapabilities->GuestDefinedCapabilities
+
+ Signed-off-by: Justin Terry (VM)
+
+commit 83f4ea5c5aef829252a022d863ffae006ca3652d
+Merge: 57c205771 8178e564e
+Author: John Howard
+Date: Mon Jun 25 09:49:18 2018 -0700
+
+ Merge pull request #232 from Microsoft/doh
+
+ Ooops. Why we need CI back working
+
+commit 8178e564e6e3ee417e977cef4e3eb5bdcaa5ea2d
+Author: John Howard
+Date: Mon Jun 25 09:41:26 2018 -0700
+
+ Ooops. Why we need CI back working
+
+ Signed-off-by: John Howard
+
+commit 57c205771fb1bb73c77192f527e437473617be6a
+Merge: 6bc958142 52c45b00a
+Author: John Howard
+Date: Mon Jun 25 09:39:19 2018 -0700
+
+ Merge pull request #231 from Microsoft/init_exec_error_order
+
+ Timeout netnscfg, logging, message to HCS on init process failure.
+
+commit 52c45b00af1532cd9c93e68d1c78886708bcfb63
+Author: John Howard
+Date: Fri Jun 22 09:33:53 2018 -0700
+
+ Timeout netnscfg
+
+ 
Signed-off-by: John Howard
+
+commit 6bc9581421b0675c1b0e7222645efd37a292164a
+Merge: 0f9264675 2810bdcee
+Author: Justin
+Date: Fri Jun 22 15:53:35 2018 -0700
+
+ Merge pull request #228 from Microsoft/remove_v2_workarounds
+
+ Remove the RS5 V2 Workarounds for multicontainer
+
+commit 2810bdceea7086b510ae76b95ea899e0a16c3771
+Author: Justin Terry (VM)
+Date: Fri Jun 22 13:24:55 2018 -0700
+
+ Remove the RS5 V2 Workarounds for multicontainer
+
+ Signed-off-by: Justin Terry (VM)
+
+commit 0f9264675a7feb051a7dbb42e646fa64bf2f1692
+Merge: a89985119 d9cd420f4
+Author: Justin
+Date: Thu Jun 21 10:20:19 2018 -0700
+
+ Merge pull request #221 from Microsoft/multi_fix_unittests
+
+ Fix bridge unit tests for V2 changes
+
+commit a899851197a0154730f30973f6c3ca8aabc04c42
+Merge: 7e1d1826c 138015ca0
+Author: Justin
+Date: Thu Jun 21 10:17:53 2018 -0700
+
+ Merge pull request #226 from Microsoft/multicontainer_ostype
+
+ Adds support for the RuntimeOsType Capability
+
+commit 138015ca047e339c23bcf544921e75995d46ed6e
+Author: Justin Terry (VM)
+Date: Wed Jun 20 13:30:12 2018 -0700
+
+ Adds support for the RuntimeOsType Capability
+
+ 
Signed-off-by: Justin Terry (VM)
+
+commit 7e1d1826c651252714ae2997a509bef336dd50df
+Merge: ba384d2f5 e7009243b
+Author: Justin
+Date: Mon Jun 18 15:05:34 2018 -0700
+
+ Merge pull request #224 from jstarks/rootfs_vhd
+
+ Add Makefile rule to build rootfs.vhd
+
+commit e7009243bb9c286e68b9d68541ae57d7755f3cdd
+Author: John Starks
+Date: Fri Jun 15 16:21:47 2018 -0700
+
+ Add Makefile rule for building rootfs.vhd
+
+commit eaf7118ac221843d4f8c1ef3047a2fdee9dd3c42
+Author: John Starks
+Date: Fri Jun 15 16:21:17 2018 -0700
+
+ tar2vhd: Print errors to stderr
+
+commit ba384d2f536b98e5eab9d8f6dd0f4d296a9f0aa1
+Merge: 93258f68d b127005bf
+Author: John Howard
+Date: Fri Jun 15 14:49:42 2018 -0700
+
+ Merge pull request #223 from jstarks/revert_makefile_change
+
+ Revert "Build rootfs2vhd and run it"
+
+commit c335b9c7a25c3915768838b1a20556304a26a519
+Author: John Howard
+Date: Fri Jun 15 09:49:06 2018 -0700
+
+ Env var for console pipe; abbreviate logging; fix test
+
+ Signed-off-by: John Howard
+
+commit b127005bf4097fc8f8d918dd8a61ce0746234895
+Author: John Starks
+Date: Fri Jun 15 14:29:22 2018 -0700
+
+ Revert "Build rootfs2vhd and run it"
+
+ This reverts commit baf0fb6da7045f9e36d8c180ee3165ee65b83f34.
+
+commit 93258f68d793fcd388f5297036b7d2a205c332e1
+Merge: 96c811225 a857a5b87
+Author: Justin
+Date: Fri Jun 15 12:02:50 2018 -0700
+
+ Merge pull request #222 from Microsoft/makelogsreadable
+
+ Make logs readable!
+
+commit a857a5b87abbe0b2428aef7a28a0f766cba5d7c9
+Author: John Howard
+Date: Fri Jun 15 11:43:10 2018 -0700
+
+ Make logs readable!
+
+ Signed-off-by: John Howard
+
+commit d9cd420f4433fbf30ab2c4cafc16f3c7866b0d45
+Author: Justin Terry (VM)
+Date: Fri Jun 15 10:09:07 2018 -0700
+
+ Fixes gcs tests in multicontainer V2
+
+ Signed-off-by: Justin Terry (VM)
+
+commit 22d1e76245492c226f4fb4bf8114c8ae20440481
+Author: Justin Terry (VM)
+Date: Mon Jun 11 11:57:24 2018 -0700
+
+ Fix bridge unit tests for V2 changes
+
+ 
Signed-off-by: Justin Terry (VM)
+
+commit 96c811225b9ad22567087aa4d0cd180192adf6a2
+Merge: ae9f8dcfe baf0fb6da
+Author: John Howard
+Date: Fri Jun 15 09:34:34 2018 -0700
+
+ Merge pull request #220 from Microsoft/jjh/rootfs2vhd
+
+ Build rootfs2vhd and run it
+
+commit baf0fb6da7045f9e36d8c180ee3165ee65b83f34
+Author: John Howard
+Date: Thu Jun 14 16:02:15 2018 -0700
+
+ Build rootfs2vhd and run it
+
+ Signed-off-by: John Howard
+
+commit ae9f8dcfea5fe993b542f76435521bf548ffcc59
+Author: Justin Terry (VM)
+Date: Thu Jun 14 13:52:54 2018 -0700
+
+ Ignore locally built folders in docker build
+
+commit 3a436228b9222c3800b50f887fe1abe30a6130a9
+Merge: 6462d7e96 18f58f34f
+Author: John Starks
+Date: Thu Jun 14 08:45:59 2018 -0700
+
+ Merge pull request #218 from Microsoft/capabilities_versions
+
+ Return suported versions is GcsCapabilities
+
+commit 18f58f34fa13f0efef6ab045ce7643eaacc82d1b
+Author: Justin Terry (VM)
+Date: Wed Jun 13 15:27:27 2018 -0700
+
+ Return suported versions in GcsCapabilities
+
+ 1. Now returns the fully supported list in GcsCapabilities
+
+ 
Signed-off-by: Justin Terry (VM)
+
+commit 6462d7e9636bb1853ca6e0afa9e5940f8bf6ad4c
+Merge: c09756a9d 3cd4a2854
+Author: John Howard
+Date: Wed Jun 13 16:29:34 2018 -0700
+
+ Merge pull request #219 from jstarks/fix_lcowv1
+
+ gcs: Fix guards on StdOut, StdErr ports
+
+commit c09756a9da14ae703ca441d5eb44978f3fba9fcb
+Merge: 0538d625c 957b3f9d8
+Author: Justin
+Date: Wed Jun 13 15:30:58 2018 -0700
+
+ Merge pull request #217 from Microsoft/makefile
+
+ Fix makefile
+
+commit 3cd4a28544d37ac2516cbc927895728d7edfe005
+Author: John Starks
+Date: Wed Jun 13 15:30:33 2018 -0700
+
+ gcs: Fix guards on StdOut, StdErr ports
+
+commit b71fa3891c479302ce143b10f2bd1eb3590112cb
+Merge: a66044fff a03de1d7e
+Author: John Howard
+Date: Wed Jun 13 11:31:06 2018 -0700
+
+ Merge pull request #248 from Microsoft/jjh/scsiremoval
+
+ Fix SCSI eject
+
+commit 957b3f9d8a5ea9d31fcb8183918a720ec573820e
+Author: Justin Terry (VM)
+Date: Wed Jun 13 11:00:30 2018 -0700
+
+ Fix makefile
+
+ Signed-off-by: Justin Terry (VM)
+
+commit a03de1d7e509b3f68694e1642083ef2433f7ce49
+Author: John Howard
+Date: Tue Jun 12 15:06:54 2018 -0700
+
+ Fix SCSI eject
+
+ Signed-off-by: John Howard
+
+commit a66044fff3ab3731ff43b4c810d1ff489746f1f8
+Merge: 5327bd1e3 9544f03fc
+Author: John Howard
+Date: Tue Jun 12 14:10:36 2018 -0700
+
+ Merge pull request #246 from Microsoft/jjh/wcowtesting
+
+ WCOW testing
+
+commit 9544f03fc15663f8939a2bab36f96c0d88622d56
+Author: John Howard
+Date: Thu Jun 7 17:09:48 2018 -0700
+
+ WCOW testing
+
+ 
Signed-off-by: John Howard
+
+commit 5327bd1e35cde367ae28bb1e00771fa0475caf67
+Merge: eca717759 060fc907b
+Author: John Starks
+Date: Mon Jun 11 08:56:45 2018 -0700
+
+ Merge pull request #245 from jstarks/vsocklog
+
+ uvm: Flow opengcs logs to host logrus
+
+commit 060fc907b397b450da032ed2d5eb51a2591ffdd4
+Author: John Starks
+Date: Fri Jun 8 16:10:10 2018 -0700
+
+ uvm: Flow opengcs logs to host logrus
+
+ This change opens a vsock port when creating a utility VM and directs
+ the init process inside the VM to launch gcs with stderr pointing to
+ that port. The host then collects the log entries from gcs and reports
+ them via logrus.
+
+commit 0538d625c328bfef0521d81b37689521172b76fc
+Merge: f6917ea0e b837a2b56
+Author: John Starks
+Date: Mon Jun 11 08:29:22 2018 -0700
+
+ Merge pull request #214 from jstarks/makefile
+
+ Use a single Makefile to build initrd and contents
+
+commit f6917ea0ea1e0d95c1e29fb78ac0d4f6bd18d3b0
+Merge: 6901d5dc3 3462633e7
+Author: John Starks
+Date: Mon Jun 11 08:25:18 2018 -0700
+
+ Merge pull request #215 from jstarks/no_recover
+
+ gcstools: Allow panic to panic
+
+commit 3462633e7f5ea5b65363c1b3f60d1e2e81fa2a71
+Author: John Starks
+Date: Fri Jun 8 16:50:37 2018 -0700
+
+ gcstools: Allow panic to panic
+
+commit b837a2b56f0b932e302b653aff78efdc2d13df62
+Author: John Starks
+Date: Fri Jun 8 11:23:10 2018 -0700
+
+ Use a single Makefile to build initrd and contents
+
+commit 6901d5dc3e9f19b5207d0f499c50177c8c02a6d4
+Merge: 2c6e64500 5721451d9
+Author: Justin
+Date: Fri Jun 8 14:18:40 2018 -0700
+
+ Merge pull request #213 from jstarks/vsockexec_glibc
+
+ vsockexec: Don't reorder getopt args
+
+commit 5721451d96116ceaeeaeafaba987300d6f40a82d
+Author: John Starks
+Date: Fri Jun 8 14:06:43 2018 -0700
+
+ vsockexec: Don't reorder getopt args
+
+ When linking against glibc, getopt will scan for arguments after the
+ first-non-flag argument, which causes problems when passing a command
+ without using -- (which does not appear to be 
possible on the Linux
+ kernel command line).
+
+commit 2c6e645003a82ba30e62fba7c8c39eb5db03c09c
+Author: Justin Terry (VM)
+Date: Fri Jun 8 13:53:00 2018 -0700
+
+ Adds support for running GCS via stdin,stdout
+
+ 1. Implements the logic to allow for running the GCS via stdin,stdout
+ for reading and writing bridge messages. By default this still uses the
+ default way of connecting to the vsock port itself but this allows the
+ flexibility for debug mode where we can forward all traffic back to the
+ host from the daemon.
+
+ 
Signed-off-by: Justin Terry (VM)
+
+commit 4d405ee983127900e34b1b42344ba23987ec40cb
+Merge: 5515b6627 02cf33137
+Author: Justin
+Date: Fri Jun 8 13:15:35 2018 -0700
+
+ Merge pull request #211 from jstarks/logformat
+
+ gcs: Add -log-format option
+
+commit 5515b6627b7fbfd55a5a5cc8779f9adbe5387c56
+Merge: 2cccee4d4 cff5fc786
+Author: Justin
+Date: Fri Jun 8 13:14:28 2018 -0700
+
+ Merge pull request #212 from jstarks/init_flex
+
+ init: Allow the host to specify what to launch
+
+commit cff5fc7865f092aac32501ba10e70ae6b8e250f6
+Author: John Starks
+Date: Fri Jun 8 11:27:30 2018 -0700
+
+ init: Allow the host to specify what to launch
+
+commit 02cf33137770f40b3051276ba729701386dc701f
+Author: John Starks
+Date: Fri Jun 8 11:28:06 2018 -0700
+
+ gcs: Add -log-format option
+
+commit 2cccee4d464eba254130b8c9f1e029c50b7e913d
+Merge: 05418dd08 f518161c6
+Author: Justin
+Date: Fri Jun 8 11:22:38 2018 -0700
+
+ Merge pull request #210 from jstarks/init
+
+ Pull init script into repository
+
+commit 05418dd088bffd6be4a74791bedf28d35191a753
+Merge: cb0965ded 37e5f529e
+Author: Justin
+Date: Fri Jun 8 10:44:44 2018 -0700
+
+ Merge pull request #209 from jstarks/vsockexec
+
+ vsockexec: Tool for execing with vsock handles
+
+commit f518161c656e8cf56e9b863a8bf4a69dd200bd12
+Author: John Starks
+Date: Fri Jun 8 10:27:12 2018 -0700
+
+ Pull init script into repository
+
+commit 37e5f529ef33aabd0ce7cdd940075b466bb2d76e
+Author: John Starks
+Date: Fri Jun 8 10:19:47 2018 -0700
+
+ vsockexec: Tool for execing with vsock handles
+
+ This tool will be used to write log files out to the host directly.
+
+commit cb0965ded9712fb91fd5fb3eadf59a1d4a83a80d
+Author: Justin Terry (VM)
+Date: Thu Jun 7 10:29:44 2018 -0700
+
+ Adds V2 GetProperties support
+
+ 1. V1 only supported the process pid's query so this adds support to
+ that for V2 as an initial checkin. Other queries can be added if
+ required.
+
+ 
Signed-off-by: Justin Terry (VM)
+
+commit eca7177590cdcbd25bbc5df27e3b693a54b53a6a
+Merge: f47e6d88e 2dfbd8e3b
+Author: John Howard
+Date: Wed Jun 6 14:28:36 2018 -0700
+
+ Merge pull request #243 from Microsoft/jjh/wcowbinds
+
+ Various tidy-up. See detailed list in comment.
+
+commit 2dfbd8e3b7152a6861b1217be57a33fed762c8f9
+Author: John Howard
+Date: Tue Jun 5 17:42:43 2018 -0700
+
+ Move vpmem count to allow zero
+
+ Signed-off-by: John Howard
+
+commit cb4902bfaf5d16f92d78e38214346012c9dca86e
+Author: John Howard
+Date: Mon Jun 4 18:01:01 2018 -0700
+
+ Various tidy-up
+
+ 
Signed-off-by: John Howard
+
+ Internalised all the properties in the Resources structure, providing methods (well one) where they are needed externally
+
+ Tidied up the bind-mounts code
+
+ Tidied up the VPMem code for utility VMs. Still some more work needed.
+
+ Fixed the LCOW scratch path to under /run/gcs/c/n/scratch (rather than /run/gcs/c/n/upper)
+
+ Renamed several variables so that it's much clearer what they actually are. Code was extremely confusing (to me...)
+
+ Finished removing the aliasing of schema2 to hcsschemav2
+
+ Split the HCS document creation code in hcsoci into hcsdoc_wcow.go and hcsdoc_lcow.go for clarity.`
+
+ Got rid of a few TODOs
+
+ Fixed SCSI to pass the hosted settings through on remove correctly when mapped. Otherwise you have inconsistent "surprise" removal
+
+ Removed CreateProcess from internal/uvm and moved to lcow/process. Extended it to cope with both in UVM and for init process
+
+ Finally got an LCOW container init process to start in test code and get stdout back to prove a simple pod scenario
+
+ Updated rootfs2vhd to use lcow.CreateProcess instead of shelling out to hcsdiag exec (another TODO removed)
+
+commit 71721a238352794418082ada9b92fde9f8414690
+Merge: 8ae7924fd dfec8a42a
+Author: John Howard
+Date: Mon Jun 4 16:07:42 2018 -0700
+
+ Merge pull request #207 from Microsoft/kernel
+
+ Stop calling kernel bootx64.efi. It confuses everybody!
+
+commit dfec8a42a5efb3ff0038b4dc3f74776244eaac60
+Author: John Howard
+Date: Mon Jun 4 10:44:50 2018 -0700
+
+ Stop calling kernel bootx64.efi. It confuses everybody!
+
+ 
Signed-off-by: John Howard
+
+commit f47e6d88e78fee4d6d76d181bc93101f52dfb635
+Merge: 81291f5de 7addedece
+Author: John Howard
+Date: Mon Jun 4 10:13:30 2018 -0700
+
+ Merge pull request #240 from Microsoft/jjh/pmemboottestnotinitrd
+
+ Add LCOW rootfs as pmem/vhd as option; Config for no scsi and number of VPMem
+
+commit 7addedece1dd3217e1a9c1abd7f060bce278da34
+Author: John Howard
+Date: Fri Jun 1 16:52:18 2018 -0700
+
+ Feedback and moving WCOW tests
+
+ Signed-off-by: John Howard
+
+commit 89303bdf70da9ddb42325b4b0f7bd4be7f424615
+Author: John Howard
+Date: Tue May 29 19:10:02 2018 -0700
+
+ Boot PMEM option
+
+ Signed-off-by: John Howard
+
+commit 81291f5debaa83d996964243670610ffc36b9191
+Merge: 7da072d02 4bad4db5a
+Author: John Howard
+Date: Mon Jun 4 09:04:57 2018 -0700
+
+ Merge pull request #242 from Microsoft/jjh/sandbox2scratchpart1
+
+ Rename sandbox to scratch, part 1.
+
+commit 7da072d0286e57e34ff1c0079ac3a37d50853002
+Merge: ca1b3625b b51a43c9b
+Author: John Howard
+Date: Fri Jun 1 10:01:21 2018 -0700
+
+ Merge pull request #241 from Microsoft/jjh/removeunusedtests
+
+ Remove unused tests
+
+commit 4bad4db5acedea2a48562610b00935dc9a61bbb1
+Author: John Howard
+Date: Thu May 31 19:49:47 2018 -0700
+
+ Rename sandbox to scratch
+
+ Signed-off-by: John Howard
+
+commit b51a43c9b404824dc4bd81188ab5fce80ee4e1fb
+Author: John Howard
+Date: Thu May 31 19:21:50 2018 -0700
+
+ Remove unused tests
+
+ Signed-off-by: John Howard
+
+commit 3eeb035c135af58101b824acf8dc59a9f6f2af38
+Author: Justin Terry (VM)
+Date: Thu May 31 10:19:01 2018 -0700
+
+ Adds V2 supprot for exec, and wait process
+
+ 1. Implements the support for create/exec where the container uses a tty or standard stdin,stdout,stderr
+ 2. Implements the proper wait logic for handling process/container exit.
+
+ 
Signed-off-by: Justin Terry (VM)
+
+commit 089574ed128b6c317e47ae0e75d3a55426beeef1
+Merge: 25c4acdbf 8ae7924fd
+Author: Justin Terry (VM)
+Date: Thu May 31 12:21:10 2018 -0700
+
+ Merge remote-tracking branch 'origin/master' into multicontainer
+
+commit 8ae7924fd915db050b071d621a26de4048e4d1af
+Merge: 1120fe80c 5a3af533f
+Author: John Howard
+Date: Wed May 30 21:33:49 2018 -0700
+
+ Merge pull request #206 from Microsoft/jjh/rootfstargz
+
+ Build rootfs.tar.gz
+
+commit 5a3af533f46fb4742a35719c3d0668d11b6050ee
+Author: John Howard
+Date: Tue May 29 14:51:19 2018 -0700
+
+ Build rootfs.tar.gz
+
+ Signed-off-by: John Howard
+
+commit ca1b3625b68509ed303b93333f658ddda0d55a5b
+Merge: b930fbbe1 cbae1fdac
+Author: John Howard
+Date: Wed May 30 11:00:30 2018 -0700
+
+ Merge pull request #239 from Microsoft/jjh/catchappvpmemfail
+
+ Mount: Catch AddVPMEM failure correctly
+
+commit 25c4acdbffccfe64fb7b805fd48b5670f5950130
+Author: Justin Terry (VM)
+Date: Wed May 30 10:54:29 2018 -0700
+
+ Add support for V2 ModifyRequest Settings/Hosted
+
+ 1. Some previous ModifyRequests in V2 were on HostedSettings
+ incorrectly. This add support for the fixes as they get moved to
+ Settings. The change perfers Settings but falls back to HostedSettings
+ if no value was passed for Settings.
+
+ Signed-off-by: Justin Terry (VM)
+
+commit cbae1fdaceca22b7d0ee227e3ebbadf59382b7a0
+Author: John Howard
+Date: Wed May 30 10:52:07 2018 -0700
+
+ Mount: Catch AddVPMEM failure correctly
+
+ Signed-off-by: John Howard
+
+commit b930fbbe1e820ecabe5666846aae3e7d03c32fc6
+Merge: a5ae8e07c 409c71b70
+Author: John Howard
+Date: Tue May 29 16:58:54 2018 -0700
+
+ Merge pull request #237 from Microsoft/jjh/test
+
+ Test framework and re-org
+
+commit 409c71b705dd63202e9765aba47ef453d2dee5d1
+Author: John Howard
+Date: Wed May 23 16:03:21 2018 -0700
+
+ Test framework and re-org
+
+ 
Signed-off-by: John Howard + +commit a5ae8e07cd4686e562b58b8a38499660eb8ba67a +Merge: 7bad006b5 44cd9c71d +Author: John Starks +Date: Tue May 29 16:30:09 2018 -0700 + + Merge pull request #238 from jstarks/fix_plan9_mounts + + runhcs: Fix plan9 mounts + +commit 3b8617fe5e2af28efbd371049c0a08bcb6d1d7db +Author: Justin Terry (VM) +Date: Tue May 29 13:18:11 2018 -0700 + + Adds support to mount 9p aname's + + Signed-off-by: Justin Terry (VM) + +commit 44cd9c71d387b4c15916e590b7723bfeaf0a9bd0 +Author: John Starks +Date: Tue May 29 12:52:11 2018 -0700 + + runhcs: Fix plan9 mounts + +commit fee8700203c03c690e21daa2327c4288f8699efb +Author: Justin Terry (VM) +Date: Tue May 29 11:34:49 2018 -0700 + + Refactor V2 Start out of ExecProcess + + 1. More clearly describes when starting the init process versus execing + the 2nd-N'th process. + + Signed-off-by: Justin Terry (VM) + +commit 9619192a054bc6dc76ea5c1fd9a0f2334a4b2115 +Author: Justin Terry (VM) +Date: Tue May 29 10:01:21 2018 -0700 + + Move ModifySettingsV2 to UVM + + 1. Moves the ModifySettingsV2 to the UVM.ModifyHostSettings call. + 2. Moves SignalContainer targeting the host UVM to the bridge and + propertly shuts down the GCS. + 3. Removes the CreateContainerV2 function from the gcs core that was not + being referenced as it has moved to the UVM. + + Signed-off-by: Justin Terry (VM) + +commit 782ccf9f53b343d3d05eb19ee8cbd72f175b64c3 +Author: Justin Terry (VM) +Date: Tue May 29 09:41:21 2018 -0700 + + Log MessageIdentifer string rather than value for debug logs + + 
Signed-off-by: Justin Terry (VM) + +commit 7bad006b5f0f654fc115c8c91b8a2a4707741d1d +Merge: f17512a42 9a7451e7e +Author: John Howard +Date: Fri May 25 11:43:09 2018 -0700 + + Merge pull request #236 from jstarks/share_name + + hcsoci: Simplify VSMB + +commit 9a7451e7e7fba076d26eea9ca6ff9821989ec6ac +Author: John Starks +Date: Fri May 25 10:59:12 2018 -0700 + + hcsoci: Simplify VSMB + + This restore's jhoward's previous change to separate the layer ID from + the VSMB share name, but fixes it to still pass the layer ID correctly + for the container and combined layers calls. + +commit f17512a42fc995cff979d7f4596c814f16fdb863 +Merge: 68f10925f 654a95d17 +Author: John Howard +Date: Fri May 25 09:33:27 2018 -0700 + + Merge pull request #235 from jstarks/cleanup_container_root + + hcsoci: Put container state in more appropriate paths + +commit 68f10925fd514cdb43d324bb934d615376622e2b +Merge: 72bba1a5b 7e5f0095c +Author: John Howard +Date: Fri May 25 09:01:24 2018 -0700 + + Merge pull request #234 from jstarks/fix_xenon_windows + + Revert "VSMB Updates to match Plan9 PR" + +commit 654a95d17ca37ec8b83efd2ac575aef273807710 +Author: John Starks +Date: Fri May 25 08:20:07 2018 -0700 + + hcsoci: Put container state in more appropriate paths + +commit 7e5f0095c4560434f2830fa6278123a67c1e8ec2 +Author: John Starks +Date: Fri May 25 07:51:37 2018 -0700 + + Revert "VSMB Updates to match Plan9 PR" + + This reverts commit 18ee82cda2a1dac7e6a34d2d6723c31823d6460e, which + broke v2 VM-isolated Windows containers. 
+ +commit 72bba1a5b6856acff7e42e0274ad8f0663370185 +Merge: 21ede7d0d 021252cf0 +Author: John Starks +Date: Fri May 25 07:52:25 2018 -0700 + + Merge pull request #233 from jstarks/random_pipe + + runhcs: Use random pipe names when communicating + +commit 21ede7d0d48ce4537d295fbe0fcdf36e362946a9 +Merge: d45550c97 30f211008 +Author: John Starks +Date: Thu May 24 17:28:03 2018 -0700 + + Merge pull request #232 from jstarks/plan9_mounts + + runhcs: Support plan9 root and mounts + +commit 021252cf0ca17f34aa63f1de1be9c877b0334e0e +Author: John Starks +Date: Thu May 24 17:25:47 2018 -0700 + + runhcs: Use random pipe names when communicating + + When a container ID is reused, it's possible to get runhcs into a state + where it will try to connect to the wrong VM (e.g. when cleaning up + resources for a container whose host has been deleted and recreated). + + Resolve this comprehensively by using a new random ID to generate the + pipe names for each container. + +commit 30f211008abab9f05b2ad4c3c6fa9655bf80832e +Author: John Starks +Date: Thu May 24 16:57:03 2018 -0700 + + runhcs: Support plan9 root and mounts + +commit d45550c97e46c2020b89064ce52a8fbb4ef7c6cf +Merge: 63fee2b7f 41b8af5ec +Author: John Howard +Date: Thu May 24 14:11:09 2018 -0700 + + Merge pull request #229 from jstarks/unmount_hosted + + runhcs: Fix unmount of hosted container + +commit 63fee2b7f7eae23090395caac515b809ecb50b52 +Merge: d05275050 dd648b607 +Author: John Howard +Date: Thu May 24 14:08:43 2018 -0700 + + Merge pull request #231 from jstarks/include_runhcs_in_artifacts + + appveyor: Include runhcs.exe in artifacts + +commit dd648b6078e9bb355c41da9867e1f7325acfdd4e +Author: John Starks +Date: Thu May 24 12:55:36 2018 -0700 + + appveyor: Include runhcs.exe in artifacts + +commit 41b8af5ecd7eeb2d084a3ed9b5a21cfb249c3297 +Author: John Starks +Date: Thu May 24 09:11:30 2018 -0700 + + runhcs: Fix unmount of hosted containers + +commit d052750506a1f517103ba3e80dd7fa9fe9dd6831 +Merge: f9f341e1e d5303919e 
+Author: John Starks +Date: Thu May 24 09:02:36 2018 -0700 + + Merge pull request #228 from jstarks/run_host + + runhcs: Add --host flag to run command too + +commit f9f341e1e1a72c75bbd5068e009f95feed14532d +Merge: 8defe5570 e63ae0820 +Author: John Howard +Date: Wed May 23 16:23:39 2018 -0700 + + Merge pull request #226 from Microsoft/jjh/unmount + + Unmount for VPMEM/Linux, VSMB/Windows + +commit d5303919ed7bee661d771609a3eba20422846566 +Author: John Starks +Date: Wed May 23 16:20:54 2018 -0700 + + runhcs: Add --host flag to run command too + +commit e63ae082048e8041a3df46fbd42d6311152ac8d0 +Author: John Howard +Date: Wed May 23 15:09:42 2018 -0700 + + Unmount for VPMEM/Linux, VSMB/Windows + + Signed-off-by: John Howard + +commit 8defe55707b4d6b12c18e5c5ec26643dbb947e48 +Merge: addbd1719 18ee82cda +Author: John Howard +Date: Wed May 23 16:17:37 2018 -0700 + + Merge pull request #225 from Microsoft/jjh/vsmbfix + + VSMB Updates to match Plan9 PR feedback + +commit 18ee82cda2a1dac7e6a34d2d6723c31823d6460e +Author: John Howard +Date: Wed May 23 14:28:53 2018 -0700 + + VSMB Updates to match Plan9 PR + + Signed-off-by: John Howard + +commit addbd17195944cdf1aaefb3a969f77d9d7b1ab7c +Merge: d7326fc35 e6038744b +Author: John Howard +Date: Wed May 23 16:08:25 2018 -0700 + + Merge pull request #224 from Microsoft/jjh/plan9 + + Add Plan9 shares for LCOW + +commit e6038744b58ad19749e983590e73c09bd7dcfe93 +Author: John Howard +Date: Wed May 23 14:00:16 2018 -0700 + + Address feedback + + Signed-off-by: John Howard + +commit b875597e3661a1508a4b4c66b732b5c60a870206 +Author: John Howard +Date: Wed May 23 08:52:21 2018 -0700 + + Add Plan9 shares for LCOW + + 
Signed-off-by: John Howard + +commit d7326fc3589bf902148b3e7927d744b06f9aff21 +Merge: 433ca4927 33c4e5670 +Author: John Starks +Date: Wed May 23 15:50:38 2018 -0700 + + Merge pull request #227 from Microsoft/jjh/lcowv2 + + Enable LCOWv2 + +commit 33c4e567018f1e5044df119d0cee01c227175391 +Author: John Starks +Date: Wed May 23 15:21:25 2018 -0700 + + Disable functional tests + +commit c0baefb6121dd4356c31aec359e2180133a16559 +Author: John Starks +Date: Wed May 23 15:19:06 2018 -0700 + + Disable functional tests + +commit 20e595b24609bcc8e0eae60c68288ea308803dc9 +Author: John Starks +Date: Wed May 23 15:12:22 2018 -0700 + + runhcs: Add --host parameter to specify the hosting VM container + +commit dba79432879c2b4bb4cd97be43e27f9327f6949a +Author: Justin Terry (VM) +Date: Wed May 23 15:10:43 2018 -0700 + + Adds V2 support for WaitContainer WaitProcess + + Signed-off-by: Justin Terry (VM) + +commit daec35e627c68118bc6accc2a788fd057dbe305e +Author: Justin Terry (VM) +Date: Wed May 23 13:21:22 2018 -0700 + + Adds V2 support for SignalContainer SignalProcess + + 
Signed-off-by: Justin Terry (VM) + +commit 0e588db1393c4475f11877b223893443e91c2e1c +Author: John Starks +Date: Wed May 23 11:11:14 2018 -0700 + + runhcs: Enable VM serial console with --vm-console flag + +commit f9db5d77f9b72860b60f86aeb0f6495a773a55a4 +Author: Justin Terry (VM) +Date: Tue May 22 16:37:42 2018 -0700 + + Adds CreateContainerV2 and CreateProcessV2 support + + Adds support for the CreateContainerV2 work based on an oci.Spec + Adds supprot for starting the container int process via the + CreateProcessV2 calls. + Fixes an issue in CombineLayers where we were not honoring the location + the client passed in on mount. + +commit 1903f6641648841a1740377b0a64a7188e4ac2ed +Author: John Starks +Date: Wed May 23 08:47:57 2018 -0700 + + Fix error detection from winio.DialPipe + +commit 2f86f95829366687ac8616d297e8ac69eb381e0e +Author: John Starks +Date: Wed May 23 08:38:34 2018 -0700 + + Handle LCOWv2 process launch + +commit 7233e4c9069111aef18ecdfb822903c7018b8bd1 +Author: Justin Terry (VM) +Date: Tue May 22 22:55:10 2018 -0700 + + Rename OciSpecificationPath to OciBundlePath + + Signed-off-by: Justin Terry (VM) + +commit db18da2aad1a6c5f4353d2be47feb64449ebfcd6 +Author: John Starks +Date: Tue May 22 16:42:36 2018 -0700 + + Try to create LCOWv2 containers + +commit 72a8d20dac6bae639bf1a16f6278520131d0467a +Author: John Howard +Date: Tue May 22 15:04:22 2018 -0700 + + Remove wrong test bits + + Signed-off-by: John Howard + +commit d70c156114a9fe86e30dcdb11f8ffe93e7d93937 +Author: John Starks +Date: Tue May 22 14:27:36 2018 -0700 + + Add LCOW spec filter function + +commit 446556d67696adb3d0ec237b9991252815a7af9f +Author: John Howard +Date: Tue May 22 14:46:13 2018 -0700 + + Unify mount error handling + + Signed-off-by: John Howard + +commit 12fd4a5b5c60dd39ec3634302c24f276ac00701c +Author: John Howard +Date: Tue May 22 14:24:40 2018 -0700 + + LCOW v2 limping + + 
Signed-off-by: John Howard + +commit 433ca492724657a2f7dcf7bdec8cfcb5fb7d9379 +Merge: bab21c47c 5ab76225f +Author: John Starks +Date: Tue May 22 11:10:41 2018 -0700 + + Merge pull request #222 from jstarks/network_xenon + + Enable v2 Xenon networking and network namespace sharing + +commit bab21c47c7fb9e167a10f517a4f26bb0c83168c2 +Merge: fcb334d75 1c0669ece +Author: John Howard +Date: Tue May 22 10:51:15 2018 -0700 + + Merge pull request #223 from Microsoft/vpmem + + Ref counting removal on vpmem + +commit 1c0669ecec7d0de88739daffa5a53cf602dcee22 +Author: John Howard +Date: Tue May 22 10:15:04 2018 -0700 + + Ref counting removal on vpmem + + Signed-off-by: John Howard + +commit 5ab76225f0f4fa5bdb64ac6082699b6bc4988775 +Author: John Starks +Date: Tue May 22 09:51:55 2018 -0700 + + Enable v2 Xenon networking and network namespace sharing + +commit fcb334d75761b4ecaea4e9a86980fdb96d8fc057 +Merge: 0041cbe6c 3f7cc180f +Author: John Starks +Date: Tue May 22 09:41:34 2018 -0700 + + Merge pull request #221 from Microsoft/fixtests + + Fix UVM tests after lock changes + +commit 3f7cc180f082caae668475d186063e98dfbffefd +Author: John Howard +Date: Tue May 22 09:34:14 2018 -0700 + + Fix UVM tests after lock changes + + Signed-off-by: John Howard + +commit 0041cbe6ce234a133e44c3c7ad37dc40e5701896 +Merge: 79e669602 8ecb50a03 +Author: John Howard +Date: Tue May 22 09:31:38 2018 -0700 + + Merge pull request #220 from jstarks/fewerlocks + + Consolidate UVM locks + +commit 8ecb50a03fdffaa9df881d31bd78df29ada0c293 +Author: John Starks +Date: Mon May 21 22:26:13 2018 -0700 + + Consolidate UVM locks + +commit 79e6696027e115b25aa9bedd36820ab6df639526 +Merge: 06b49ae51 f1dfd113b +Author: John Howard +Date: Mon May 21 22:34:35 2018 -0700 + + Merge pull request #219 from Microsoft/samplesofar + + Remove sample bits done so far + +commit f1dfd113bb05144de766d9bea95d0510088e012e +Author: John Howard +Date: Mon May 21 22:33:54 2018 -0700 + + Remove sample bits done so far + + 
Signed-off-by: John Howard + +commit 06b49ae510511f2adac1ae01b8c27ad3dd94b941 +Merge: 455ea56aa 3634e6756 +Author: John Howard +Date: Mon May 21 22:03:43 2018 -0700 + + Merge pull request #218 from Microsoft/functional2 + + Functional tests. VPMEM still failing + +commit 3634e6756c2892481a597c019e4c722d7ae0b46c +Author: John Howard +Date: Mon May 21 22:02:02 2018 -0700 + + Functional tests. VPMEM still failing + + Signed-off-by: John Howard + +commit 455ea56aa61a0264642fb46c4ff74f0a19f74180 +Merge: 9075c7b33 04cd7984b +Author: John Howard +Date: Mon May 21 21:48:30 2018 -0700 + + Merge pull request #216 from Microsoft/functional + + Functional tests UVM + +commit 04cd7984b5473f1b9f496463fc974f92e2b0fefb +Author: John Howard +Date: Mon May 21 21:45:40 2018 -0700 + + Functional tests UVM + + Signed-off-by: John Howard + +commit 9075c7b3309d23186e3066d30aaab638604eb7c6 +Merge: 185a6abe9 39869aa92 +Author: John Howard +Date: Mon May 21 21:35:41 2018 -0700 + + Merge pull request #215 from Microsoft/tidyuvm + + Lots of tidying. VPMem removal next step. Refcounting missing + +commit 39869aa92d33ef0e05cd16842d7613c9ebe72d57 +Merge: 988becada 6662e1012 +Author: John Howard +Date: Mon May 21 21:33:23 2018 -0700 + + Tidy merge conflicts + + Signed-off-by: John Howard + +commit 988becadad6752c9c8749cb9622cbd324244007a +Author: John Howard +Date: Mon May 21 20:46:48 2018 -0700 + + Lots of tidying. VPMem removal next step. Refcounting missing + + 
Signed-off-by: John Howard + +commit 185a6abe9890bd861741bb45d12a00d7fd6aa038 +Merge: 76f7e7633 373ecbcbc +Author: John Starks +Date: Mon May 21 21:28:30 2018 -0700 + + Merge pull request #210 from jstarks/shimlog + + runhcs: Open shim logs on stderr + +commit 76f7e7633f8e8b1697b0c728f5ab12c820ffab0a +Merge: 0c75dc2c6 a55056e47 +Author: John Starks +Date: Mon May 21 21:27:00 2018 -0700 + + Merge pull request #211 from jstarks/network + + Implement v2 Argon networking + +commit 6662e10124bb2813e53799c618a1755d10e03543 +Author: John Howard +Date: Mon May 21 20:46:48 2018 -0700 + + Lots of tidying. VPMem removal next step. Refcounting missing + + 
Signed-off-by: John Howard + +commit 0c75dc2c677e04571d0e4c33f18d792321e73486 +Merge: c7e541336 90196d2d3 +Author: John Howard +Date: Mon May 21 18:27:39 2018 -0700 + + Merge pull request #214 from jstarks/runtimecpu + + Remove internal/cpu package + +commit c7e5413360f44bfdfac97027d9352e5bf10e7d03 +Merge: e5c68ae12 e814f4f5d +Author: John Howard +Date: Mon May 21 18:27:05 2018 -0700 + + Merge pull request #213 from jstarks/gitignore + + Add .gitignore + +commit e5c68ae12033c52f5c72ade1cfa8e48e1ad9740e +Merge: 3e66594fd 63f26db10 +Author: John Howard +Date: Mon May 21 18:26:43 2018 -0700 + + Merge pull request #212 from jstarks/manifests + + Add Windows manifests for wclayer and runhcs + +commit 96d176950aa649ae6afec32b153848b364e645c8 +Author: Justin Terry (VM) +Date: Mon May 21 15:36:14 2018 -0700 + + Changes the Mounted* patterns for V2 + + Implements the changes to V2 in the HostedSettings for + MappedVirtualDiskV2, MappedDirectioryV2, MappedVPMemDeviceV2. This more + closely aligns with the unique requirements of LCOW over the predefined + Windows structs. 
+ +commit 90196d2d33a76cbc4fa0084b3afc2a38e9b8df50 +Author: John Starks +Date: Mon May 21 15:27:57 2018 -0700 + + Remove internal/cpu package + +commit e814f4f5d188870764a5720fc05025e1efee9293 +Author: John Starks +Date: Mon May 21 15:24:27 2018 -0700 + + Add .gitignore + +commit 63f26db107df0d0ce3333cd1a6e504f494ae349b +Author: John Starks +Date: Mon May 21 14:59:47 2018 -0700 + + Add Windows manifests for wclayer and runhcs + +commit a55056e4774eb99c0575dbe5c79b291d24f6d0d4 +Author: John Starks +Date: Mon May 21 14:33:27 2018 -0700 + + Implement v2 Argon networking + +commit 3e66594fd8949e2d2efe2499302cbdedafb6ecb6 +Merge: a9b2cbca6 ac1593041 +Author: John Howard +Date: Mon May 21 13:59:09 2018 -0700 + + Merge pull request #209 from jstarks/v2xenon + + Enable v2 Hyper-V Windows containers + +commit 373ecbcbcb5c0ee953eb7ed7cd37e538ebe963e4 +Author: John Starks +Date: Mon May 21 10:13:22 2018 -0700 + + runhcs: Open shim logs on stderr + + This change opens the shim log files onto the shim processes' standard + error so that Go panics for those processes are written to the log. 
+ +commit ac159304128e3ec05be1cf3c2e1ad4648639a994 +Author: John Starks +Date: Mon May 21 09:37:36 2018 -0700 + + Enable v2 Hyper-V Windows containers + +commit a9b2cbca6d0d36d953653a97e7ea6e729f843f0e +Merge: 39eae0af7 c39f4c2da +Author: John Howard +Date: Mon May 21 09:41:52 2018 -0700 + + Merge pull request #206 from jstarks/no_uvm_error + + uvm: Remove unnecessary error wrapper + +commit 39eae0af774ce42b4c06869d52466d937dd9c720 +Merge: 84a9e15d7 b68a9e060 +Author: John Howard +Date: Mon May 21 09:41:25 2018 -0700 + + Merge pull request #207 from jstarks/json_merge + + Restore HCSSHIM_CREATECONTAINER_ADDITIONALJSON functionality + +commit b68a9e060becd83186cab8b6e6669b2146a0b1b6 +Author: John Starks +Date: Sun May 20 14:23:39 2018 -0700 + + Restore HCSSHIM_CREATECONTAINER_ADDITIONALJSON functionality + +commit c39f4c2daf1f4a22d59f1ce2ef287d212836fc3c +Author: John Starks +Date: Sun May 20 13:52:38 2018 -0700 + + uvm: Remove unnecessary error wrapper + +commit 84a9e15d720b9984e5fbd1f0cd729826e579d00d +Merge: 327a04ecf c1af80054 +Author: John Howard +Date: Fri May 18 23:45:30 2018 -0700 + + Merge pull request #203 from Microsoft/scsitest + + Partial SCSI UVM tests + +commit c1af80054a6878fbea1c22af75a83a714a21a1df +Author: John Howard +Date: Fri May 18 23:43:43 2018 -0700 + + Partial SCSI UVM tests + + Signed-off-by: John Howard + +commit 327a04ecf3137a1cdc3ec88a3a0100ea9d515516 +Merge: 7fbac12bf b2a79d5ab +Author: John Howard +Date: Fri May 18 22:53:55 2018 -0700 + + Merge pull request #202 from Microsoft/tidying + + Tidying to uvm package + +commit b2a79d5abb2f149f5e839c25a0b94e6deff23a0f +Author: John Howard +Date: Fri May 18 22:53:11 2018 -0700 + + Tidying to uvm package + + 
Signed-off-by: John Howard + +commit 7fbac12bf2cf5d7b704847992d6bd269f6d0f51d +Merge: 134890878 984458de2 +Author: John Howard +Date: Fri May 18 22:48:07 2018 -0700 + + Merge pull request #201 from Microsoft/removev1 + + Remove v1 from UVM + +commit 984458de2abf928654ecb22b1f11df9f9e6b4249 +Author: John Howard +Date: Fri May 18 22:45:45 2018 -0700 + + Remove v1 from UVM + + Signed-off-by: John Howard + +commit 1348908789bcc3ec33cf2592539cdd0081109f7a +Merge: 1d5a9f6b7 1948d7712 +Author: John Howard +Date: Fri May 18 20:25:25 2018 -0700 + + Merge pull request #199 from Microsoft/uvmimplmentation1 + + First cut of uvm implementation (incomplete) + +commit 1948d7712c699df5fea5ed10429c1da8548071a4 +Author: John Howard +Date: Fri May 18 20:20:32 2018 -0700 + + Add CreateLCOWScratch helper + + Signed-off-by: John Howard + +commit af058f8ffe42af681986995cabcd951f199befae +Author: John Howard +Date: Fri May 18 20:02:06 2018 -0700 + + Adds implementation for create,modify,process,start,terminate,wait + + Signed-off-by: John Howard + +commit 290cd56a58c87551c34ac616f7b5cc0ea5d72292 +Author: John Howard +Date: Fri May 18 17:49:10 2018 -0700 + + Adding VPMem and VSMB too + + Signed-off-by: John Howard + +commit 1c8e76a8bb6fb73c45907107c089ad144e477098 +Author: John Howard +Date: Fri May 18 17:39:28 2018 -0700 + + Coalesce create and add SCSI + + Signed-off-by: John Howard + +commit 1d5a9f6b79cf1631c6ba75dd22e9d4eb9d09e960 +Merge: 25ffb37e1 6f55763ad +Author: John Howard +Date: Fri May 18 17:36:30 2018 -0700 + + Merge pull request #193 from jstarks/hns + + Move HNS implementation to internal package + +commit 9fead87cec00d09e9c34cd528b17325c55b51bd2 +Author: John Howard +Date: Fri May 18 16:59:17 2018 -0700 + + Before SCSI + + 
Signed-off-by: John Howard + +commit 25ffb37e1f6248e2fbb5dcb3dea2156e3449dd1d +Merge: f8ab8c20d 9e24cd65c +Author: John Howard +Date: Fri May 18 16:58:43 2018 -0700 + + Merge pull request #198 from jstarks/ex + + hcsoci: Remove Ex suffixes + +commit 9e24cd65c21cab7955d61b6fa95c358809a83d7c +Author: John Starks +Date: Fri May 18 16:31:13 2018 -0700 + + hcsoci: Remove Ex suffixes + +commit f8ab8c20dfdf1a8e8315dd8606bcc4e946c8789b +Merge: 6341e0ab0 fc5ccfe37 +Author: John Starks +Date: Fri May 18 16:20:10 2018 -0700 + + Merge pull request #197 from jstarks/runhcs + + Initial commit of runhcs, derived from runc + +commit fc5ccfe371ae653442edb26dec550d3cb76e67d3 +Author: John Starks +Date: Fri May 18 15:52:49 2018 -0700 + + Initial commit of runhcs, derived from runc + +commit bc26a48ae77f7eb208fb71248f7ce67f925843f8 +Author: John Howard +Date: Fri May 18 15:55:05 2018 -0700 + + CreateLCOW + + 
Signed-off-by: John Howard + +commit 6341e0ab0444bbd4daa99d127c6edde5a935d6e3 +Merge: 90d86467b 6fdd4653c +Author: John Starks +Date: Fri May 18 15:56:47 2018 -0700 + + Merge pull request #196 from jstarks/hcsoci + + Initial commit of OCI spec interface for HCS + +commit 6fdd4653cc77504bb4fe895f57ff5addaeda6514 +Author: John Howard +Date: Fri May 18 15:51:52 2018 -0700 + + Initial commit of OCI spec interface for HCS + +commit 90d86467bf3483bae1c708ca78e6e61a8065e631 +Merge: 5b3ff33c4 a251efb7e +Author: John Howard +Date: Fri May 18 15:39:16 2018 -0700 + + Merge pull request #194 from jstarks/state + + Add State property and remove HasPendingUpdates + +commit 5b3ff33c4150f74fd3391c0ce8808a4ce9068678 +Merge: b79b9fc2b 7f2b35c4c +Author: John Howard +Date: Fri May 18 15:37:50 2018 -0700 + + Merge pull request #195 from jstarks/guid + + Add utility packages for OCI containers + +commit 7f2b35c4c7836feee670588c8b93c1a2fd862c75 +Author: John Howard +Date: Fri May 18 15:03:19 2018 -0700 + + Add CPU package + +commit b566cae9216fc340935d04ccbb61ce111b63fe74 +Author: John Starks +Date: Fri May 18 15:03:09 2018 -0700 + + Split GUID functionality to separate package + +commit c6ed7e4aa14061f4325ddc604908a61e3e52978f +Author: Justin Terry (VM) +Date: Fri May 18 14:41:19 2018 -0700 + + Adds support for createContainer with V2 settings + + 1. Implements the bridge work to accept a createContainer that is with + the V2 schema. This overwrites the way windows does it with a OCI + specific area for the HostedSettings that allows for direct OCI + passthrough to runc. + + 
Signed-off-by: Justin Terry (VM) + +commit a251efb7e1b7c992f3e104d0d149473820f25b7b +Author: John Starks +Date: Fri May 18 14:03:45 2018 -0700 + + Add State property and remove HasPendingUpdates + + This change also adds some type safety to hcs.System.Properties. + +commit b79b9fc2bb5c2f941921c67ebad0e062fccbce8b +Merge: 1be1708b5 aa5f4faac +Author: John Starks +Date: Fri May 18 13:16:45 2018 -0700 + + Merge pull request #192 from Microsoft/uvminterface + + Adds external utility VM object and methods + +commit 6f55763adb33e840f8c66aecd523d07466cca355 +Author: John Starks +Date: Fri May 18 13:11:44 2018 -0700 + + Move HNS implementation to internal package + + This moves the HNS implementation out of the root package into an + internal package, with forwarders for existing clients. Once the + package's interface is updated and stabilized, it can be made external. + + This change also eliminates the ContainerHotAdd and ContainerHotRemove + methods, which are not used by any open source software on GitHub. These + methods are redundant with the free functions HotAttachEndpoint and + HotDetachEndpoint. + +commit 1be1708b5e85d08e00cd0c6931e83cb13b6b44e0 +Merge: d93eb2b49 e70197ad1 +Author: John Howard +Date: Fri May 18 12:50:42 2018 -0700 + + Merge pull request #191 from jstarks/error_events + + hcs: Include error events in errors + +commit aa5f4faaca4337a939c008d921050a6900017fe7 +Author: John Howard +Date: Fri May 18 12:02:24 2018 -0700 + + Adds external utility object and methods + + 
Signed-off-by: John Howard + +commit e70197ad1ccac8951651dc7c9c38e726425bcd8f +Author: John Starks +Date: Fri May 18 11:42:27 2018 -0700 + + hcs: Include error events in errors + +commit d93eb2b4906cb531dcb721be0435dca80392d0ae +Merge: 4101bbe20 635af9b38 +Author: John Starks +Date: Fri May 18 11:44:04 2018 -0700 + + Merge pull request #190 from Microsoft/computesystem + + Container to ComputeSystem + +commit 4101bbe204979ec10980c9fd2b81e2a78bccc806 +Merge: 4d5dfdf2f b18b4de05 +Author: John Starks +Date: Fri May 18 11:28:32 2018 -0700 + + Merge pull request #187 from Microsoft/remove18 + + Remove support for pre golang 1.9 + +commit 635af9b38d9d9f049f0a21466a275de5ebef4172 +Author: John Howard +Date: Fri May 18 10:57:40 2018 -0700 + + Container to ComputeSystem + + Signed-off-by: John Howard + +commit 4d5dfdf2f7e583d985af6aa8421e68a9f5576246 +Merge: d40251c30 d9f17cbd4 +Author: John Howard +Date: Fri May 18 11:00:35 2018 -0700 + + Merge pull request #189 from Microsoft/mergemap + + Move mergemaps to its own internal package + +commit d9f17cbd4e8046be500be4241a942f34e863ada5 +Author: John Howard +Date: Fri May 18 10:06:24 2018 -0700 + + Move mergemaps to its own internal package + + Signed-off-by: John Howard + +commit b18b4de05376c91af33264f757ab0382e36cd1f2 +Author: John Howard +Date: Fri May 18 09:53:21 2018 -0700 + + Remove support for pre golang 1.9 + + 
Signed-off-by: John Howard + +commit d40251c302e026cc5f7d4d1d7a3606ea98a5e2d6 +Merge: 796ee4c2b 198608399 +Author: John Starks +Date: Fri May 18 09:55:05 2018 -0700 + + Merge pull request #188 from jstarks/fix_hcs + + Fix process.Stdio() + +commit 19860839961e7f2010bf2099922309bce067e098 +Author: John Starks +Date: Fri May 18 09:54:08 2018 -0700 + + Fix process.Stdio() + +commit 90a826d6ec025d0d4e29eff3b0f3b5be8a0e032d +Author: Justin Terry (VM) +Date: Fri May 18 09:39:42 2018 -0700 + + Fixes to V2 protocol around CombinedLayers + + 1. There is a bug in the HCS that is not honoring the Capabilities sent + back via the negotiateProtcol. This is causing the first CreateContainer + call to come in in the protocol v4 which should not be. This had the + unintended consequence that the container cache had an entry for the UVM + and the baseFilesPath for /etc already existed. Both of these are + incorrect in the V2 case. This adds a work around to ignore the first + CreateContainer call and simply return a success case until the HCS is + fixed. + 2. Removes the use of the container cache in the V2 hot modify case + because the disks/folders/layers are not associated to a container in + the same way and should not be cleaned up automatically as they can + exist in the lifetime of multiple containers. + + Signed-off-by: Justin Terry (VM) + +commit 796ee4c2b1be2a84f9ef1d4c26f6835396c4c753 +Merge: 63661d945 c1d2c866a +Author: John Howard +Date: Fri May 18 09:39:32 2018 -0700 + + Merge pull request #186 from Microsoft/schemav2 + + Add schema2, schemaversion, test\assets, osversion + +commit c1d2c866ad232423a795506e9abc6755757883f8 +Author: John Howard +Date: Fri May 18 09:12:44 2018 -0700 + + Add schema2, schemaversion, test\assets, osversion + + 
Signed-off-by: John Howard + +commit 63661d945bdb514919a8e8202afecba6ada82f05 +Merge: 09cfdcca0 48596615c +Author: John Starks +Date: Fri May 18 08:53:04 2018 -0700 + + Merge pull request #185 from jstarks/hcs + + Split HCS methods into internal package + +commit 48596615c52a5f6d29a40942b0b97e5705073d3f +Author: John Starks +Date: Thu May 17 23:30:46 2018 -0700 + + Split HCS methods into internal package + + This change preserves the container interface but splits the core HCS + system and process APIs to an internal package and the v1 HCS schema + types to a second package. This allows further evolution of the core + HCS APIs without changing the existing container contract. + +commit 09cfdcca06477f4edf04f83c2e207a55c5cca116 +Merge: dabca480a 215cd8069 +Author: John Howard +Date: Thu May 17 20:25:07 2018 -0700 + + Merge pull request #184 from nwoodmsft/master + + Support for HNS global version and 1803 HNS ACL features + +commit dabca480af98d32e9fcc6ab9f79b662542ea5c39 +Merge: 770ed2688 9f63b70f9 +Author: John Howard +Date: Thu May 17 20:11:11 2018 -0700 + + Merge pull request #183 from jstarks/storage_simplify + + internal/wclayer: Remove DriverInfo arguments + +commit aee383a664447e3133c2620b7b5b1a68bce1ca19 +Author: Justin Terry (VM) +Date: Thu May 17 15:28:51 2018 -0700 + + Adds support for V2 ShutdownContainer on UVM + + Adds the supprot for calling ShutdownContainer where the target is the + UVM itself rather than a specific container. + + 
Signed-off-by: Justin Terry (VM) + +commit 215cd8069903f83192413b99faacb32de7eb7546 +Author: Nick Wood +Date: Thu May 17 15:13:23 2018 -0700 + + Fixing version number + +commit 75523eecb0494589596114eef225e1425dc2f64c +Merge: adebaa01e 770ed2688 +Author: Nick Wood +Date: Thu May 17 15:08:03 2018 -0700 + + Merge branch 'master' of https://github.com/Microsoft/hcsshim + +commit 85422854fe08e0dd2566470f4fa2a3c46bc1170c +Author: Justin Terry (VM) +Date: Thu May 17 14:59:26 2018 -0700 + + Adds support for modify CombinedLayers in V2 + + 
Signed-off-by: Justin Terry (VM) + +commit 9f63b70f9805bf8bd9bf224f0116402e5dc2fe90 +Author: John Starks +Date: Thu May 17 12:27:08 2018 -0700 + + internal/wclayer: Remove DriverInfo arguments + +commit 770ed2688c8089a15bdc8daf899536cd030a4f10 +Merge: 59a1ccbff d72910cce +Author: John Starks +Date: Thu May 17 11:15:31 2018 -0700 + + Merge pull request #178 from jstarks/new_storage + + Move layer functionality to separate package + +commit d72910ccef9ed201fa7df165010070ecb0b8c589 +Author: John Starks +Date: Wed May 16 16:54:32 2018 -0700 + + Move layer functionality to separate package + + Compatibility is preserved via aliases/forwarders for the layer-related + types and functions. + + For now this new package is internal. Once it has evolved to the + interface we want, we can make it public as a new package and deprecate + the existing interface. + +commit 59a1ccbff7ebff7f155607f92d5c531b8c58fe7f +Merge: b9ffe8b3e 80470512c +Author: John Starks +Date: Thu May 17 11:07:24 2018 -0700 + + Merge pull request #182 from jstarks/appveyor_test + + appveyor: Run non-functional tests + +commit 80470512c1efc10fa789d30b68a5585a55032a39 +Author: John Starks +Date: Thu May 17 11:01:56 2018 -0700 + + appveyor: Run non-functional tests + +commit b9ffe8b3ef23128b1c2ba847ce9ff9948e1b3806 +Merge: 3a95b8b96 e682f5dc7 +Author: John Starks +Date: Thu May 17 10:49:47 2018 -0700 + + Merge pull request #181 from Microsoft/build-badge + + Add appveyor build badge to README.md + +commit e682f5dc7c9005faaeb93e3de5dce60df12100ac +Author: John Starks +Date: Thu May 17 10:42:05 2018 -0700 + + Add appveyor build badge to README.md + +commit 3a95b8b96b9400e3c80f565ed2032013e503ba8c +Merge: 7814a4a5b d150dccde +Author: John Starks +Date: Thu May 17 10:34:40 2018 -0700 + + Merge pull request #180 from jstarks/appveyor_artifacts + + Collect wclayer.exe artifact in CI + +commit d150dccde53fa219969f12f6b998e73cc6fe3c4d +Author: John Starks +Date: Thu May 17 10:30:41 2018 -0700 + + Collect wclayer.exe 
artifact in CI + +commit 7814a4a5b21fed46e61af3d1248592bf41c4983c +Merge: 55bd6218d 5cb5354a0 +Author: John Starks +Date: Thu May 17 10:24:32 2018 -0700 + + Merge pull request #179 from jstarks/appveyor + + Add appveyor.yml + +commit 5cb5354a0aa5230aae2f47391293b28be0d1d6bb +Author: John Starks +Date: Thu May 17 09:38:19 2018 -0700 + + Add appveyor.yml + +commit 55bd6218d8dc9995fea8088e2742151053154e3f +Merge: 0a4192c60 ef7a456e3 +Author: John Starks +Date: Wed May 16 16:59:03 2018 -0700 + + Merge pull request #176 from jstarks/faster_import_2 + + Use bufio when extracting layer files + +commit 0a4192c603327c6ba07bd5dfa3fd1389ee418c56 +Merge: 370850844 836b946a3 +Author: John Starks +Date: Wed May 16 16:58:55 2018 -0700 + + Merge pull request #177 from jstarks/split_safeopen + + Move safeopen to an internal package + +commit 3708508446dd2cfe5f0df3ed0406f6ae341722e3 +Merge: b77ae037d 8a538bc7b +Author: John Starks +Date: Wed May 16 16:58:46 2018 -0700 + + Merge pull request #175 from jstarks/appargs + + internal/appargs: Improve interface + +commit 836b946a348e08ea1233cb1df3ca7a6461d969b1 +Author: John Starks +Date: Wed May 16 15:55:02 2018 -0700 + + Move safeopen to an internal package + +commit ee6f1e263f88eed3865916f8d1acba12142f211c +Author: Justin Terry (VM) +Date: Wed May 16 15:40:45 2018 -0700 + + Add support for MappedDisks and MappedDrives in V2 + + 
Signed-off-by: Justin Terry (VM) + +commit ef7a456e31ec424ac9bfed4fec3a9afcb0be791a +Author: John Starks +Date: Wed May 16 15:19:09 2018 -0700 + + Use bufio when extracting layer files + + On NTFS, on spinning hard disks, reducing the number of writes reduces + the number of disk seeks, which greatly improves image extraction + performance. + +commit 8a538bc7b52b324350ca51ac330c1df9f937744e +Author: John Starks +Date: Wed May 16 10:17:34 2018 -0700 + + internal/appargs: Improve interface + +commit 8403db01eba95f6cecaa4fb6fcc77ff9c179b405 +Author: Justin Terry (VM) +Date: Wed May 16 09:38:13 2018 -0700 + + Add VPMem Support for V2 + + Signed-off-by: Justin Terry (VM) + +commit b77ae037de7e41e21f89fd6bb1d718bb5a6ba4aa +Merge: befeb2e76 779e2797a +Author: John Howard +Date: Wed May 16 09:01:35 2018 -0700 + + Merge pull request #174 from jstarks/remove_docker_dep + + wclayer: Remove github.com/docker/docker dependency + +commit 779e2797a831f15737ae89980549e54dbeadab80 +Author: John Starks +Date: Wed May 16 08:55:24 2018 -0700 + + wclayer: Remove github.com/docker/docker dependency + +commit b14a94ee5e88640ba05f44ef081dfab21854a524 +Author: Justin Terry (VM) +Date: Wed May 16 07:26:39 2018 -0700 + + Adds support for Protocol v4 dispatch + + Implements the logic to support dispatching method types when the + protocol has been selected to be v4 for the bridge formats. + + 
Signed-off-by: Justin Terry (VM) + +commit befeb2e76da870dc3a74a9612fee45da589559a1 +Merge: cfdaa49c5 eb0cc2575 +Author: John Starks +Date: Tue May 15 16:03:40 2018 -0700 + + Merge pull request #173 from jstarks/wclayer_internal + + Move oci/wclayer to internal for now + +commit eb0cc25755569ca6fcb06f1ef54edd9c976cce82 +Author: John Starks +Date: Tue May 15 16:02:16 2018 -0700 + + Move oci/wclayer to internal for now + + We may want to iterate on this interface a bit before we support it + outside of hcsshim. + +commit cfdaa49c5b05fe09fb6984907e12429b537a04c8 +Merge: b46cbe1f6 e585ff8fc +Author: John Howard +Date: Tue May 15 15:44:31 2018 -0700 + + Merge pull request #172 from jstarks/wclayer + + wclayer: New package and utility for WCOW layer ops + +commit e585ff8fc51b19303a2ab084e8f947172c4f35fa +Author: John Starks +Date: Tue May 15 15:21:20 2018 -0700 + + wclayer: New package and utility for WCOW layer ops + + This adds new packages oci/wclayer and cmd/wclayer that can be used to + manipulate Windows container layers. The former is concerned only with + importing and exporting layers from and to their OCI tar formats. The + latter is a command line tool with myriad uses. + +commit 95b751a8c6459d5ac5d1ef28761aa67445cc0031 +Author: Ben Weedon +Date: Wed Feb 28 11:18:35 2018 -0800 + + Merge pull request #197 from Microsoft/v2_requests + + Support basic V2 ModifySettings requests + +commit 9e6c749a2c392864590a2d9439515378d097d780 +Merge: 3d91ba72a 1120fe80c +Author: Justin Terry (VM) +Date: Mon May 14 12:59:45 2018 -0700 + + Merging origin/master + +commit b46cbe1f60fed824e9d4a90d7eb94523e308a8d6 +Merge: 9c5a9ed71 b4fae2a31 +Author: John Howard +Date: Fri May 11 15:38:39 2018 -0700 + + Merge pull request #171 from darrenstahlmsft/README + + Update README to include HCS link, and formatting/spelling fixes + +commit b4fae2a312da2da18fbbaf799b01dcb772c4b756 +Author: Darren Stahl +Date: Fri May 11 13:40:21 2018 -0700 + + Remove extra underlines + + 
Signed-off-by: Darren Stahl + +commit 83162ba9749f9a2fbaa865b367a99704a49edfea +Author: Darren Stahl +Date: Fri May 11 13:37:06 2018 -0700 + + Add link to HCS, Include project dependencies + + Signed-off-by: Darren Stahl + +commit 9c5a9ed713b6d3a11c79f52e79056fd82c5a4e87 +Merge: 800683ae7 84e1fa53d +Author: John Howard +Date: Wed May 9 18:59:27 2018 -0700 + + Merge pull request #170 from darrenstahlmsft/README + + Update README.md + +commit 84e1fa53d19c07a0a8a8fd45f948756ce774ea51 +Author: Darren Stahl +Date: Wed May 9 17:58:31 2018 -0700 + + Update README.md + + Update description, add additional details on security reporting, and formatting fixes + + Signed-off-by: Darren Stahl + +commit 800683ae704ac360b2f3f47fa88f3a6c8c9091b5 (tag: v0.6.11) +Merge: ef2b994ff ba4e94420 +Author: John Howard +Date: Thu May 3 10:38:30 2018 -0700 + + Merge pull request #169 from johnstep/ignore-recycle-bin-case + + Ignore file name case when skipping $Recycle.Bin + +commit ba4e94420e46b89896f6acad894171de517f834a +Author: John Stephens +Date: Thu May 3 07:17:54 2018 -0700 + + Ignore file name case when skipping $Recycle.Bin + + 
Signed-off-by: John Stephens + +commit ef2b994ff21d5426829cdcaf164e3c9283bc25d5 +Merge: 26713568b f6218f9df +Author: John Howard +Date: Wed May 2 12:29:13 2018 -0700 + + Merge pull request #168 from Microsoft/taylorb-readme + + Update README.md + +commit f6218f9dfa054c08c4cef2896da163ba7d2d60cc +Author: Taylor Brown +Date: Wed May 2 11:27:20 2018 -0700 + + Update README.md + + Updating formatting, added security reporting information. + +commit 26713568b7c6a6686e147b5dd294dc7dd159a6f9 (tag: v0.6.10) +Merge: 8fccb44c8 79062a5b9 +Author: Darren Stahl +Date: Wed May 2 09:58:36 2018 -0700 + + Merge pull request #167 from Microsoft/rootJoin + + Root join + +commit 8fccb44c85288f54389c412b2ec466e4481fd252 (tag: v0.6.9) +Merge: 216772e34 f4eb3e75b +Author: Darren Stahl +Date: Tue Apr 24 11:46:18 2018 -0700 + + Merge pull request #165 from Microsoft/jjh/fix-oopsie + + Fix oopsie to not cause files to be skipped + +commit f4eb3e75b61062ced23c5a8b3ee7029625b98be2 +Author: John Howard (VM) +Date: Tue Apr 24 11:34:35 2018 -0700 + + Fix oopsie to not cause files to be skipped + + Signed-off-by: John Howard (VM) + +commit 79062a5b985d24ef42a4252a1b63a93ec450e407 +Merge: 85c171ce7 3b52b9e13 +Author: Darren Stahl +Date: Thu Apr 19 17:01:16 2018 -0700 + + Merge pull request #4 from Microsoft/accessDenied + + Implement removeAllRelative to not use os.RemoveAll + +commit 3b52b9e132f7ad6b29dd7938bcbde8c62cbdac43 +Author: Darren Stahl +Date: Thu Apr 19 15:40:34 2018 -0700 + + Implement removeAllRelative to not use os.RemoveAll + + Signed-off-by: Darren Stahl + +commit 85c171ce7377c47e1fa1a23597be04ae7727b707 +Merge: 9413f613b a0adf94c0 +Author: Darren Stahl +Date: Thu Apr 19 16:13:59 2018 -0700 + + Merge pull request #3 from johnstep/ignore-missing-tombstones + + Ignore missing tombstone files when closing an image + +commit a0adf94c0fc1f318b006ebf6be8720507d8f0324 +Author: John Stephens +Date: Wed Apr 18 03:38:29 2018 -0700 + + Ignore missing tombstone files when closing an image + + 
Signed-off-by: John Stephens + +commit 1120fe80c8cf5b5725ec2cc5fb73f3e3b649b785 +Merge: d249c1d35 92a4b72a9 +Author: John Howard +Date: Wed Apr 11 09:23:46 2018 -0700 + + Merge pull request #205 from rn/unplug + + Unplug mapped disks from inside the VM + +commit 92a4b72a9e7603eada4c7fb4de2946dff44a4589 +Author: Rolf Neugebauer +Date: Tue Apr 10 16:00:32 2018 +0100 + + Unplug mapped disks from inside the VM + + Currently, when removing mapped disks the disks are unmounted + before the host removes them. The removal from the host is just + a notification and the Linux kernel then performs the clean-up + asynchronously. + + If we unplug a larger number of disks this may take some time + and there is no way for the host to know when the clean-up is + finished and new/different disks can be added. + + This patch tells the Linux kernel that we are about to unplug + the disks after they were unmounted, allowing it to perform + the clean-up in advance. + + This fixes the issue in globalmode where a mkdir fails within + the Linux utility/service VM. + + Signed-off-by: Rolf Neugebauer + +commit d249c1d352f89ac65481d83a5556301f4f89b696 +Merge: 0aea33bc8 1eefe0e98 +Author: John Howard +Date: Tue Mar 27 10:32:08 2018 -0700 + + Merge pull request #204 from Microsoft/jjh/fromscratch + + Support FROM scratch + +commit 9413f613b3f5fab5364a58206ffd9d3c62564bef +Merge: 216772e34 731a68d7e +Author: Darren Stahl +Date: Tue Mar 20 16:59:20 2018 -0700 + + Merge pull request #2 from Microsoft/relOpen + + Relative open to bound paths + +commit 731a68d7efcd156d07149336aa35ec09aed75297 +Author: Darren Stahl +Date: Mon Mar 19 18:14:20 2018 -0700 + + Use the safeopen functions + + Use the safeopen functions to prevent following symlinks + and using relative paths in layer extraction. Also block tombstones + and delay reparse point directory creation to prevent platform follows. + + 
Signed-off-by: Darren Stahl + +commit 69375687f3aece3800a9b93e9c0b4b6acd4c949c +Author: Darren Stahl +Date: Mon Mar 19 18:04:30 2018 -0700 + + Add safeopen operations + + Add safeopen operations that prevent following symlinks and use NT paths + to prevent using relative path traversal operations. + + Signed-off-by: Darren Stahl + +commit 1eefe0e9834f28161f7c2387971de8a8efebe446 +Author: John Howard +Date: Wed Jan 10 15:37:29 2018 -0800 + + Support FROM scratch + + Signed-off-by: John Howard + +commit adebaa01e31820d45378e8c0e85266532b44c0e1 +Author: Nick Wood +Date: Mon Mar 12 18:55:17 2018 -0700 + + Fixing comment + +commit 9ce34b480b436d4dd4f03eb0be3aeddd7775895c +Author: Nick Wood +Date: Mon Mar 12 18:53:53 2018 -0700 + + Adding support for HNS versioning and updated ACL policy members + +commit 0aea33bc8fff7dc30577f98ddfe7757afc726138 +Merge: 1554a6bca cfab7ad6d +Author: John Howard +Date: Thu Mar 8 16:16:05 2018 -0800 + + Merge pull request #203 from Microsoft/jjh/bumpexternals + + Bump linuxkit alpine and runc + +commit cfab7ad6d9f04a9fde0162e038237f6d9d6a54cc +Author: John Howard +Date: Mon Mar 5 08:42:29 2018 -0800 + + Bump linuxkit alpine and runc + + 
Signed-off-by: John Howard + +commit 1554a6bcafeb4942a67869d21478a8c63273d6e7 +Merge: 1ae064448 bf8e1b381 +Author: John Howard +Date: Mon Mar 5 10:46:13 2018 -0800 + + Merge pull request #202 from Microsoft/revert_v2_schema + + Revert v2 schema + +commit bf8e1b381568b00b68a21f8e9c22bef3a392b73c +Author: Ben Weedon +Date: Tue Feb 27 19:51:52 2018 -0800 + + Use Errorf in remotefs_test where it should be used + +commit 6e185a65e0e3e8fc414a8628cb42feb861f84452 +Author: Justin Terry (VM) +Date: Mon Mar 5 10:25:58 2018 -0800 + + Revert "Merge pull request #197 from Microsoft/v2_requests" + + This reverts commit f9d2b725664d2a0129f68613d1f2d3cc8e1ce004, reversing + changes made to 5eaa01010b0c6ecbcaebf3b957b60fd8f792ac40. + +commit 4ce0b3e4bd2c300113aca642dc757976f285a601 +Author: Justin Terry (VM) +Date: Mon Mar 5 10:23:40 2018 -0800 + + Revert "Support basic V2 ModifySettings requests" + + This reverts commit 7317643ce0e15c219a8aed3a475f7760f47efa63. + +commit 3d91ba72a767f0033f8924d9a71e90c5daa94d26 +Merge: 4a822c968 1ae064448 +Author: Justin Terry (VM) +Date: Mon Mar 5 09:51:53 2018 -0800 + + Merge remote-tracking branch 'origin/master' into multicontainer + +commit 1ae064448429bad95ba277cb9139c97cc97f1e61 +Merge: 9d6c97a60 6e57b1f14 +Author: Justin +Date: Fri Mar 2 13:26:47 2018 -0800 + + Merge pull request #201 from Microsoft/jjh/addgitcommit + + Add /git.commit to docs + +commit 6e57b1f14289a168f9936c7e665932f5ddebf6be +Author: John Howard +Date: Fri Mar 2 11:40:29 2018 -0800 + + Add /git.commit to docs + + 
Signed-off-by: John Howard + +commit 4a822c968e860b43fca7ef919b8d3a7a8121264e +Merge: 860ed4475 9d6c97a60 +Author: Justin Terry (VM) +Date: Thu Mar 1 13:21:33 2018 -0800 + + Merge remote-tracking branch 'origin/master' into multicontainer + +commit 9d6c97a601d309738b1452172056dcc4c652de37 +Merge: 34247d82b 4415b9b9b +Author: John Howard +Date: Thu Mar 1 09:53:46 2018 -0800 + + Merge pull request #200 from jterry75/fix_bridge_unit_tests + + Fix race in WaitOnProcess tests + +commit 4415b9b9b733826dd74a364e3a0d21e8a6356972 +Author: Justin Terry (VM) +Date: Thu Mar 1 09:39:47 2018 -0800 + + Fix race in WaitOnProcess tests + +commit 34247d82b87b8936e2acf9966e2346c1d0fb0d58 +Merge: 11a442236 fea501d7a +Author: Justin +Date: Thu Mar 1 09:38:25 2018 -0800 + + Merge pull request #199 from Microsoft/jjh/remotefsdebug + + Adds logging to remotefs + +commit 11a442236f30b55328098de3cec8bcd13cf0cba0 +Merge: c98d7d2e8 8ed3cf00a +Author: Justin +Date: Thu Mar 1 09:37:23 2018 -0800 + + Merge pull request #196 from Microsoft/jjh/cutdowninitrd + + Strip debug symbols, add commit, fix alignment + +commit 8ed3cf00a2a13d898df43eee526b12ddd3c02121 +Author: John Howard +Date: Wed Feb 21 09:03:31 2018 -0800 + + Strip debug symbols, add commit, fix alignment + + Signed-off-by: John Howard + +commit c98d7d2e81192723810db31c6d854bc67b5953df +Merge: f9d2b7256 6e727ea3b +Author: Justin +Date: Thu Mar 1 09:00:59 2018 -0800 + + Merge pull request #198 from jterry75/fix_bridge_unit_tests + + Explicitly check for success/error in verify + +commit fea501d7a362ae48227bb08bdbabc962a5a19276 +Author: John Howard +Date: Thu Jan 18 07:47:08 2018 -0800 + + Adds logging to remotefs + + 
Signed-off-by: John Howard + +commit 6e727ea3b0465d07bf91229c57353f060d99f3d4 +Author: Justin Terry (VM) +Date: Thu Mar 1 08:56:30 2018 -0800 + + Explicitly check for success/error in verify + +commit 860ed44755dfba2cc8033f5a082d9b2ca35ea352 +Author: Ben Weedon +Date: Wed Feb 28 11:22:32 2018 -0800 + + Update new ModifySettings tests to use protocol V3 + +commit 39f41598b5ec0996456f6ebe8cd549feb4f671ca +Merge: bd50b3ffd f9d2b7256 +Author: Ben Weedon +Date: Wed Feb 28 11:19:46 2018 -0800 + + Merge branch 'master' into multicontainer + +commit f9d2b725664d2a0129f68613d1f2d3cc8e1ce004 +Merge: 5eaa01010 85175a093 +Author: Ben Weedon +Date: Wed Feb 28 11:18:35 2018 -0800 + + Merge pull request #197 from Microsoft/v2_requests + + Support basic V2 ModifySettings requests + +commit 85175a093bfb5c593b6c27ba37151f82a436d733 +Author: Ben Weedon +Date: Tue Feb 27 19:51:52 2018 -0800 + + Use Errorf in remotefs_test where it should be used + +commit 7317643ce0e15c219a8aed3a475f7760f47efa63 +Author: Ben Weedon +Date: Tue Feb 27 19:33:54 2018 -0800 + + Support basic V2 ModifySettings requests + + This doesn't actually add any V2 functionality. It just supports + receiving messages with the v2Request field filled in. + +commit 5eaa01010b0c6ecbcaebf3b957b60fd8f792ac40 +Merge: 18f6fec59 620af17b5 +Author: John Howard +Date: Wed Feb 21 09:01:40 2018 -0800 + + Merge pull request #195 from Microsoft/jjh/dockerfile + + Dockerfile to build initrd.img under LCOW + +commit 620af17b5ba4a6ba8c55bcb5315533ccb9adbca0 +Author: John Howard +Date: Fri Feb 16 15:23:00 2018 -0800 + + Dockerfile to build initrd.img under LCOW + + 
Signed-off-by: John Howard + +commit bd50b3ffd5036d3d3a8e7e8b20b2e05446abaf03 +Merge: 7663d3d65 f9835635f +Author: Justin +Date: Thu Feb 8 12:03:20 2018 -0800 + + Merge pull request #194 from Microsoft/multi_symver + + Changing bridge to major numbers only + +commit f9835635f0080d2cad5e8bfe889b3228808e1e16 +Author: Justin Terry (VM) +Date: Wed Feb 7 12:15:19 2018 -0800 + + Changing bridge to major numbers only + +commit 7663d3d6593834979e4ce141fb764178d327fa8a +Merge: 711141443 bc1ddd53a +Author: Ben Weedon +Date: Wed Feb 7 14:50:35 2018 -0800 + + Merge pull request #193 from Microsoft/add_capabilities + + Add and rename capabilities + +commit bc1ddd53aa885057eaa814102152cbb3d337a04e +Author: Ben Weedon +Date: Mon Feb 5 12:23:53 2018 -0800 + + Add and rename capabilities + + This change includes renaming SendInitialCreateMessage to + SendHostCreateMessage, and adding the capabilities SendHostStartMessage + and HVSocketConfigOnStartup. + +commit 18f6fec59ee021ac351f7e7b8d8e02bd06f929cd +Merge: a52fa6eeb 2e636698e +Author: Justin +Date: Mon Feb 5 12:26:11 2018 -0800 + + Merge pull request #192 from rbalint/master + + Fix int overflow on 32 bit architectures + +commit 2e636698ee818378c4bc4e3377c166d310beb753 +Author: Balint Reczey +Date: Sat Feb 3 03:10:32 2018 +0100 + + Fix int overflow on 32 bit architectures + +commit a52fa6eeb618e1ad2fa920ebd35883789bf8d143 +Merge: 19b160439 944350ddb +Author: Justin +Date: Thu Feb 1 14:56:42 2018 -0800 + + Merge pull request #191 from Microsoft/users/jterry75/171 + + Fixes an issue with resolv.conf on Ubuntu + +commit 944350ddbebd5f97e7d8634173ec6ce3ec25f68b +Author: Justin Terry (VM) +Date: Thu Feb 1 12:11:55 2018 -0800 + + Fixes an issue with resolv.conf on Ubuntu + + Resolves: #171 + +commit 71114144362bf4533b6e8e034a47758c9ba602ef +Merge: 814f5f02c 19b160439 +Author: Ben Weedon +Date: Wed Jan 31 18:17:29 2018 -0800 + + Merge branch 'master' into multicontainer + +commit 19b160439931d978b9871cf4e3dc0d8dbc14093b +Merge: 
28bf6b4f7 1ebea8c7b +Author: Ben Weedon +Date: Wed Jan 31 18:14:29 2018 -0800 + + Merge pull request #189 from Microsoft/handle_nil_getproperties + + Properly handle case where GetProperties returns nil on non error + +commit 814f5f02c453b01f3c9ddbe09950d4dcc96a1931 +Merge: 06726eb33 c19ab0ac7 +Author: Justin +Date: Wed Jan 31 13:43:06 2018 -0800 + + Merge pull request #178 from Microsoft/unknown_message_error + + Unknown messages should return E_VMCOMPUTE_UNKNOWN_MESSAGE + +commit 06726eb33c6aa8fef288a3ff0d34ca19a4a62df6 +Merge: 90a753c70 fc269e452 +Author: Justin +Date: Wed Jan 31 13:42:43 2018 -0800 + + Merge pull request #176 from Microsoft/start_noop + + Handle start message as noop in bridge + +commit 28bf6b4f79f6f1be7a7650ea0e9007f13e8ac945 +Merge: 343fafbd8 35b8630cd +Author: Justin +Date: Wed Jan 31 13:41:35 2018 -0800 + + Merge pull request #190 from Microsoft/workdir_2 + + Creates the workdir on start + +commit 35b8630cd9be710f2cd108a83f928707833014b5 +Author: Justin Terry (VM) +Date: Tue Jan 30 16:13:50 2018 -0800 + + Creates the workdir on start + + Propertly creates the workdir in the container bundle previous to a start if + that workdir is not '/' + + Ref: #188 + +commit 1ebea8c7b737fb96333ee04b9364e1078b2321de +Author: Ben Weedon +Date: Mon Jan 29 18:58:15 2018 -0800 + + Properly handle case where GetProperties returns nil on non error + +commit 343fafbd8ebc3cb460f96836759b65bcc9ac8d45 +Merge: 823109b0c fda4658ca +Author: John Howard +Date: Wed Jan 24 16:04:36 2018 -0800 + + Merge pull request #186 from Microsoft/jjh/handleclosestdincorrectly + + Handle valid errors on process CloseStdin() + +commit fda4658ca65806e37f382a002d5c854744c8e8e4 +Author: John Howard +Date: Wed Jan 24 15:42:18 2018 -0800 + + Handle valid errors on process CloseStdin() + + 
Signed-off-by: John Howard + +commit 90a753c70f3611ba1f511d48a8186107035d71ed +Author: Ben Weedon +Date: Mon Jan 22 13:17:35 2018 -0800 + + Fix build error from merge + +commit e49f291a10690d830bdc115a6c2498725c715ed7 +Merge: 7321f329d 823109b0c +Author: Ben Weedon +Date: Mon Jan 22 13:00:52 2018 -0800 + + Merge branch 'master' into multicontainer + +commit 823109b0c47f66a87d48777a88cdac3b327e1dbb +Merge: a01f62aeb bb1471d74 +Author: Cheng-mean Liu +Date: Mon Jan 22 12:56:31 2018 -0800 + + Merge pull request #185 from Microsoft/getproperties + + Return the correct structure from GetProperties + +commit 216772e344403bb9fa8b04be64e6f64fa934b492 +Merge: 45ef15484 ac2867418 +Author: Darren Stahl +Date: Mon Jan 22 10:57:48 2018 -0800 + + Merge pull request #157 from thaJeztah/fix-line-endings + + Fix CRLF line-endings on some files + +commit ac28674180d8c7feee4b87c535307ac4f8ed3e8c +Author: Sebastiaan van Stijn +Date: Sat Jan 20 17:51:33 2018 +0100 + + Fix CRLF line-endings on some files + + Signed-off-by: Sebastiaan van Stijn + +commit bb1471d746337380c5cb42b69170aecca7ad16dc +Author: Ben Weedon +Date: Fri Jan 19 18:47:36 2018 -0800 + + Return the correct structure from GetProperties + + Nothing in the HCS was ever sending a GetProperties message, so this + issue didn't really ever come up. We should fix it now, though. + +commit a01f62aeb567053fdee0bf7b376083ae7b511ca4 +Merge: 7010b68f4 045ab4fe9 +Author: Cheng-mean Liu +Date: Thu Jan 18 14:23:37 2018 -0800 + + Merge pull request #184 from Microsoft/jjh/debugcopywithtimeout + + Adds advanced debugging to dump data to/from UVM + +commit 7010b68f4b161cb6daccfd7923848314af867687 +Merge: 6d24169ca 8cfbb6d8a +Author: Cheng-mean Liu +Date: Thu Jan 18 14:22:48 2018 -0800 + + Merge pull request #183 from Microsoft/jjh/translate-io-eof + + Translate io.EOF + +commit 045ab4fe9a9f163261277fd0c2b249366ba2ec68 +Author: John Howard +Date: Thu Jan 18 11:37:25 2018 -0800 + + Adds advanced debugging to dump data to/from UVM + + 
Signed-off-by: John Howard + +commit 6d24169ca82f47fdf5cc0adfa66c730788626e15 +Merge: 0eb964cce ead60c7c5 +Author: Cheng-mean Liu +Date: Thu Jan 18 11:08:11 2018 -0800 + + Merge pull request #182 from Microsoft/jjh/remotefs-loglevel + + Add logging flags for remotefs + +commit 8cfbb6d8ae8203a80464ca6e2bd39102d6fd9deb +Author: John Howard +Date: Thu Jan 18 07:47:59 2018 -0800 + + Translate io.EOF + + Signed-off-by: John Howard + +commit ead60c7c57a20b282ce97c15de5dddb795cb01c8 +Author: John Howard +Date: Wed Jan 17 14:23:53 2018 -0800 + + Add logging flags for remotefs + + Signed-off-by: John Howard + +commit 0eb964cce52adda7be54d661fa812d6cc6124fb5 +Merge: 3f708a091 05f3aa535 +Author: Cheng-mean Liu +Date: Wed Jan 17 11:37:59 2018 -0800 + + Merge pull request #181 from Microsoft/jjh/paniclog + + Basic panic logger for gcstools + +commit 05f3aa535d7d9d34f85c19e5074d590a0116a01e +Author: John Howard +Date: Tue Jan 16 15:59:48 2018 -0800 + + Basic panic logger for gcstools + + 
Signed-off-by: John Howard + +commit c19ab0ac713159ec4b96b45ba64723f4b7dbf30b +Author: Ben Weedon +Date: Tue Jan 9 17:08:14 2018 -0800 + + Unknown messages should return E_VMCOMPUTE_UNKNOWN_MESSAGE + + They used to return E_NOTIMPL, which is different from what the Windows + GCS would return. + +commit fc269e452aaf3e35e8075018c9bfae1617f54aab +Author: Ben Weedon +Date: Tue Dec 19 13:02:41 2017 -0800 + + Handle start message as noop in bridge + + The HCS will send this message to Linux VMs in the future, so we should + handle it rather than returning an error. + +commit 7321f329d3df91f8a68b4696492db67961626782 +Merge: 3f708a091 9c6d5d193 +Author: Ben Weedon +Date: Mon Jan 8 15:19:28 2018 -0800 + + Merge pull request #180 from Microsoft/protocol_negotiation + + Implements version based multiplexer dispatch and protocol negotiation + +commit 9c6d5d193267bc07677817dbc590aebf61ba7fdf +Author: Justin Terry (VM) +Date: Fri Jan 5 14:40:13 2018 -0800 + + Remove inaccessible code checks + +commit 40cbd7bf7708e766b4079622bf0efa54d156fb34 +Author: Justin Terry (VM) +Date: Fri Jan 5 10:46:58 2018 -0800 + + Review feedback + + 1. Implements a few unit tests around the negotiate protcol workflows. + 2. Updates based on early review feedback. + 3. Makes negotiate protcol dynamic rather than hard coded to the current version. 
+ +commit 5ae3e4ce51905f28de44d95b139ccc191e5008ad +Author: Ben Weedon +Date: Tue Dec 19 17:51:30 2017 -0800 + + Implements version based multiplexer dispatch + + Resolves: #161 + +commit 3f708a091b4afc28c918ac6063e706c48a5f67de +Merge: 3b797f5ee 96cda51b4 +Author: Cheng-mean Liu +Date: Thu Jan 4 15:26:03 2018 -0800 + + Merge pull request #179 from jterry75/instructions + + Minor fix to doc markdown + +commit 96cda51b45223738185a4859775fabd214c29c0a +Author: Justin Terry (VM) +Date: Thu Jan 4 14:53:16 2018 -0800 + + Minor fix to doc markdown + +commit 45ef15484298b76abeb9513ea0ea0abd2b5b84b3 (tag: v0.6.8) +Merge: 34a629f78 0d5bb78dc +Author: Darren Stahl +Date: Wed Jan 3 11:29:33 2018 -0800 + + Merge pull request #154 from Microsoft/moby-partfix-32838 + + Skip recycle bin and part fix for moby/moby 32838 + +commit 0d5bb78dcdfedf19b523b432ec5dfbe5394d1ede +Author: John Howard +Date: Wed Jan 3 09:56:41 2018 -0800 + + Skip recycle bin + + 
Signed-off-by: John Howard + +commit 3b797f5ee8e8d4249d385f230a676ba307eec8e5 +Merge: 363ff12d4 eca96a27b +Author: Cheng-mean Liu +Date: Tue Jan 2 15:01:39 2018 -0800 + + Merge pull request #177 from kant/patch-1 + + Minor fixes (proposal) + +commit eca96a27b73c10620b1e0720ec8cb2bd49150cde +Author: Darío Hereñú +Date: Tue Dec 19 18:27:34 2017 -0300 + + Minor fixes (proposal) + +commit 363ff12d45a732e73e71ee92b9f916ac3b37cb4d +Merge: 564a38c30 60ae3e388 +Author: Cheng-mean Liu +Date: Thu Dec 7 14:53:07 2017 -0800 + + Merge pull request #170 from Microsoft/fix_layer_depth + + Fixing layer path size to long + +commit 564a38c30416403e537a2fbd9dccd687a4482e59 +Merge: 444a94724 d9d251334 +Author: Akash Gupta +Date: Fri Dec 1 11:58:41 2017 -0800 + + Merge pull request #160 from Microsoft/gateway + + Added support for setting a gateway that's outside of subnet it's setting for. + +commit 60ae3e3888ef515545b8258325e03b1fb3624c21 +Author: Justin Terry (VM) +Date: Thu Nov 30 15:03:41 2017 -0800 + + Review Feedback + +commit 1d109d8f26582c661e93d35a96ca27437c35ceb2 +Author: Justin Terry (VM) +Date: Wed Nov 29 14:42:39 2017 -0800 + + Fixing layer path size to long + +commit 444a94724c21b32c2ae56c9bf1fa6e0c3d077267 +Merge: b3146d0cc 0d797383b +Author: Cheng-mean Liu +Date: Wed Nov 29 17:22:26 2017 -0800 + + Merge pull request #150 from dvrkps/patch-1 + + travis: update go version + +commit b3146d0ccf327dcb0235bd8627043ca069b45690 +Merge: ec7c21720 861173575 +Author: Cheng-mean Liu +Date: Tue Nov 28 13:02:57 2017 -0800 + + Merge pull request #154 from jhowardmsft/jjh/sigusr1-debugging + + Add sigusr1 debugging to client + +commit d9d25133468c925e16925c4895ca6fdcba9ef09c +Merge: b4609cd98 0a80ebfc7 +Author: Cheng-mean Liu +Date: Tue Nov 21 16:45:11 2017 -0800 + + Merge branch 'gateway' of github.com:Microsoft/opengcs into gateway + +commit b4609cd98d12c7689989406e1c772a5369f962e0 +Author: Cheng-mean Liu +Date: Sun Nov 19 17:50:37 2017 -0800 + + added support for setting a gateway 
ip that's outside a subnet + +commit 34a629f78a5d50f7de07727e41a948685c45e026 (tag: v0.6.7) +Merge: 97daa08b8 0c09862b8 +Author: Darren Stahl +Date: Mon Nov 20 16:25:33 2017 -0800 + + Merge pull request #144 from greenhouse-org/go1.9 + + patch hcsshim to work with go1.9 + +commit 0c09862b86725a460e5aa043ce98fac1919e03ff +Author: Sunjay Bhatia +Date: Mon Nov 20 19:13:55 2017 -0500 + + patch hcsshim to work with go1.9 + + In go1.9, fi.IsDir() returns false if the directory is also a symlink. + + See: https://github.com/golang/go/commit/1989921aef60c83e6f9127a8448fb5ede10e9acc + + This breaks copyFileWithMetadata as it will not pre-create the + destination dir, causing the SetFileBasicInfo call to fail + + This fixes the problem by checking syscall.FILE_ATTRIBUTE_DIRECTORY + directly. + + 
Signed-off-by: Sam Smith + +commit 0a80ebfc7e97d59fb42b6b662d5363cec4a64fff +Author: Cheng-mean Liu +Date: Sun Nov 19 17:50:37 2017 -0800 + + added support for setting a gateway ip that's outside a subnet + +commit ec7c21720ed6d773a98dfa29a8f2f292b879c05f +Author: Cheng-mean Liu +Date: Sun Nov 19 17:38:34 2017 -0800 + + Removed previous accidental direct commit to the master + +commit 735335ed21b9defbf888a1a87460cd51804b994a +Author: Cheng-mean Liu +Date: Sun Nov 19 17:29:48 2017 -0800 + + added support for setting a gateway ip that's outside a subnet + +commit 2a3a94cca366171f159399ffbd1333058e1cef53 +Merge: de0346953 fad07561e +Author: Cheng-mean Liu +Date: Fri Nov 10 11:08:30 2017 -0800 + + Merge pull request #159 from jterry75/cleanup_logrus + + Fixes some logrus messages with newline + +commit fad07561ef7a80d632a469a6ab0c0120e76d136c +Merge: 05e847ab3 de0346953 +Author: Cheng-mean Liu +Date: Fri Nov 10 10:26:28 2017 -0800 + + Merge branch 'master' into cleanup_logrus + +commit 05e847ab324445744c35712d0ea784326dc614b2 +Merge: 0c0ccefac de0346953 +Author: Cheng-mean Liu +Date: Fri Nov 10 10:15:11 2017 -0800 + + Merge branch 'master' into cleanup_logrus + +commit de034695317c432e66bd59ea5aeb6718bec8980d +Merge: c1b7fb074 82ae51599 +Author: Cheng-mean Liu +Date: Fri Nov 10 10:13:25 2017 -0800 + + Merge pull request #157 from Microsoft/fix_race_on_exit + + Fixing issues with process exit + +commit 0c0ccefacb48f0c5f3539c06f53b6af90ee7ee7c +Author: Justin Terry (VM) +Date: Fri Nov 10 09:48:50 2017 -0800 + + Fixes some logrus messages with newline + + Resolves: #158 + +commit 82ae51599c5635f02a351ecb6a2ba821f1dc2033 +Author: Justin Terry (VM) +Date: Thu Nov 9 12:30:54 2017 -0800 + + Fixing a few bridge unit tests + +commit 97daa08b865a25dbdbd5b0e5ece889a982dd62f5 +Merge: e7bcb8a64 0e27f8f47 +Author: Darren Stahl +Date: Wed Nov 8 13:16:23 2017 -0800 + + Merge pull request #146 from mdelillo/typed-errors + + Return typed errors when getting endpoints and networks + 
+commit 21cfb8995312fb0fc7e9ad745fbf118e7d5f1864 +Author: Justin Terry (VM) +Date: Wed Nov 8 10:10:35 2017 -0800 + + Adding ack to WaitProcess + +commit 974b40e458bd5292c25e996ccb3467102b189cc9 +Author: Justin Terry (VM) +Date: Mon Nov 6 16:23:23 2017 -0800 + + Fixing issues with process exit + + Resolves: #153 - Init process exit codes are not always returning because the container exited notification returns before the WaitProcess call comes in causing the HCS to teardown the container. + Resolves: #126 - WaitProcess should honor the timeout associated with the call and return the proper error response on timeout. + +commit e7bcb8a6450b14c441e23a8a54126471ce69d962 +Merge: 337934926 cf75dcfd1 +Author: Darren Stahl +Date: Mon Nov 6 13:52:46 2017 -0800 + + Merge pull request #147 from darrenstahlmsft/skipDirReparse + + Stop skipping directory reparse points in Go1.9 + +commit c1b7fb074a6e4b612c81a941182f9f423ed99e50 +Merge: ab628ecbc e6f8d8974 +Author: Cheng-mean Liu +Date: Mon Nov 6 13:28:09 2017 -0800 + + Merge pull request #152 from Microsoft/add_stack_dump + + Adds stack dump support + +commit cf75dcfd1b43bc428181b3f7100f5073601da9ea +Author: Darren Stahl +Date: Mon Nov 6 13:16:42 2017 -0800 + + Stop skipping directory reparse points in Go1.9 + + Signed-off-by: Darren Stahl + +commit 0e27f8f473aed2ba2ac68a5e9df34e43a0aa79a8 +Author: Mark DeLillo +Date: Fri Nov 3 17:47:56 2017 -0400 + + Return typed errors when getting endpoints and networks + + * Makes it easier to determine if a resource does not exist or something else went wrong + +commit 8611735754847ea2d644ac9c2bed6002eea9fda9 +Author: John Howard +Date: Tue Oct 31 10:02:48 2017 -0700 + + Add sigusr1 debugging to client + + 
Signed-off-by: John Howard + +commit e6f8d897477584dad7eff49ce4aeabe4ca26cae8 +Author: Justin Terry (VM) +Date: Fri Oct 20 11:51:49 2017 -0700 + + Adds stack dump support + +commit ab628ecbcd900ac19d8b6b0c6aeb78f836904d99 +Merge: 48ae4e3ba 86c2214eb +Author: Cheng-mean Liu +Date: Wed Oct 18 09:39:51 2017 -0700 + + Merge pull request #151 from StefanScherer/fix-typo + + Fix typos + +commit 86c2214eb68f0ce9b5951dee6a14238507ad4e97 +Author: Stefan Scherer +Date: Wed Oct 18 12:48:15 2017 +0200 + + Fix typos + +commit 0d797383b3966d9a7e05945519ca6ebaa320de07 +Author: Davor Kapsa +Date: Thu Oct 12 18:33:09 2017 +0200 + + travis: update go version + +commit 33793492662087369cf96403be23a1ec8360f7dd +Merge: 7db05c0f1 d1097dbfc +Author: Darren Stahl +Date: Tue Oct 3 15:16:22 2017 -0700 + + Merge pull request #145 from nwoodmsft/master + + Correcting ACLPolicy field names to LocalAddresses and RemoteAddresses + +commit d1097dbfc8c2ae24d089938004bac2d61a41b727 +Author: Nick Wood +Date: Thu Sep 28 18:12:03 2017 -0700 + + Correcting ACLPolicy field names to LocalAddresses and RemoteAddresses + +commit 7db05c0f1e17f2d6a1fc2b3bddb2e39ed30804e8 (tag: v0.6.6) +Merge: 4486bc29c 08379cc24 +Author: Darren Stahl +Date: Thu Sep 28 16:27:35 2017 -0700 + + Merge pull request #143 from nwoodmsft/master + + ApplyACLPolicy needs to allow multiple policies to be provided + +commit 08379cc24ce52038f5d18817e7c5b621f1120efe +Author: Nick Wood +Date: Thu Sep 28 15:16:09 2017 -0700 + + Fixing typo in ApplyACLPolicy func comment + +commit ef84ccead846463309533631d12a206ce4d89d42 +Author: Nick Wood +Date: Wed Sep 27 16:37:09 2017 -0700 + + PR code review feedback + +commit 9303effa036dc69dc84afc79dba3a6b9f647efed +Author: Nick Wood +Date: Tue Sep 26 16:46:18 2017 -0700 + + ApplyACLPolicy needs to allow a collection of policies to be applied to the endpoint + +commit 48ae4e3ba3d2fea746fb4dc20a72832a46f45466 +Merge: e9838ced1 0ffc2a04d +Author: Akash Gupta +Date: Fri Sep 22 14:01:15 2017 -0700 + + 
Merge pull request #147 from Microsoft/patches + + Added new hyperv vsock patches for addressing connection close racing… + +commit 0ffc2a04d24d4dacca7095d2481aaa518cbd4c28 +Author: Cheng-mean Liu +Date: Fri Sep 22 11:19:47 2017 -0700 + + Added new hyperv vsock patches for addressing connection close racing condition issue + +commit e9838ced183be08b51502e7b915c46d60e932718 +Merge: af8bcbce5 6a947600c +Author: Cheng-mean Liu +Date: Thu Sep 21 15:43:27 2017 -0700 + + Merge pull request #139 from jterry75/130 + + Moves runc logs to per container id + +commit 6a947600c15eaf97a908e450cb867a2e398a7bfc +Author: Justin Terry (VM) +Date: Fri Sep 15 15:20:38 2017 -0700 + + Moves runc logs to per container id + + Resolves: #130 + +commit af8bcbce53af7d202fe18b4361dbd0f7e7c8561e +Merge: 353a47aea caacb87be +Author: Akash Gupta +Date: Mon Sep 18 13:50:33 2017 -0700 + + Merge pull request #143 from jterry75/26 + + Renames gcs/errors to gcs/gcserr + +commit caacb87beaca95faf2be856caa6ca7ca195d374b +Author: Justin Terry (VM) +Date: Mon Sep 18 13:33:38 2017 -0700 + + Renames gcs/errors to gcs/gcserr + + Resolves: #26 + +commit 353a47aea9ec51f755c5d529479269fac57ad989 +Merge: a7cca0dd4 ca946d59d +Author: Akash Gupta +Date: Mon Sep 18 13:41:38 2017 -0700 + + Merge pull request #142 from jterry75/12 + + Fixes a golint issue + +commit ca946d59db0d979a1a4f4dc332aa4c8cedbd5a72 +Author: Justin Terry (VM) +Date: Mon Sep 18 13:26:10 2017 -0700 + + Fixes a golint issue + + Resolves: #12 + +commit a7cca0dd463d1d0b7854d1767a6fa567f2069312 +Author: Cheng-mean Liu +Date: Fri Sep 15 11:21:34 2017 -0700 + + Updated LCOW custom kernel builds instructions with 4.12 support (#138) + + * Updated LCOW custom kernel builds instructions with 4.12 support + +commit de29646b8dfadfc443e1467bd4b493e9068fb582 +Merge: d8dcf800d ca4f9a8e6 +Author: Akash Gupta +Date: Thu Sep 14 16:22:41 2017 -0700 + + Merge pull request #137 from jterry75/131 + + Fixes potential delete on unmounts failure + +commit 
ca4f9a8e6ce596047c8b6452daf6125cd2e7e203 +Author: Justin Terry (VM) +Date: Thu Sep 14 12:53:24 2017 -0700 + + Fixes potential delete on unmounts failure + + Will only destroy the container storage in the UVM if all mounts are successfully unmounted. Without this we have no way of knowing if it safe to delete the files or if this could have an affect on the host files. + + Resolves: #131 + +commit d8dcf800d2b115abeebd12f3c16d22c5cd836b76 +Merge: b26665705 5d8f573d2 +Author: Akash Gupta +Date: Thu Sep 14 09:48:34 2017 -0700 + + Merge pull request #136 from rn/vsock-timeout + + Improve the vsock timeout handling + +commit 5d8f573d27b31d06fbdf69fcf4c0784e8bbe838d +Author: Rolf Neugebauer +Date: Thu Sep 14 11:53:24 2017 +0100 + + Improve error handling and retry of vsock.Dial() + + The update vsock package returns th underlying error. Use it + to determine if the error was ETIMEDOUT and only retry if it was. + + Other errors are treated as real errors and the Dial attempt is + aborted. Also, improve the logging to see the real error. + + Signed-off-by: Rolf Neugebauer + +commit 0a108afb032bd32ad966011ae9af02389e8da7c0 +Author: Rolf Neugebauer +Date: Thu Sep 14 11:26:06 2017 +0100 + + Update vsock package to latest + + 
Signed-off-by: Rolf Neugebauer + +commit b26665705d946626f6c9a2255a6d17f06e93f0cf +Merge: abfed798b 33d89b69e +Author: Cheng-mean Liu +Date: Wed Sep 13 15:10:39 2017 -0700 + + Merge pull request #133 from Microsoft/retry-connect + + Add a retry when connecting stdin/stdout/stderr + +commit abfed798b278301a9d3df64c955d27cab8f9eeae +Merge: 203a54283 ad9d9e50e +Author: Cheng-mean Liu +Date: Wed Sep 13 10:13:47 2017 -0700 + + Merge pull request #134 from jhowardmsft/jjh/getlogs + + Enable GCS debugging from docker + +commit 33d89b69e4babb73c3025eb15a34d3bc49f6ca68 +Author: Akash Gupta +Date: Wed Sep 6 14:35:28 2017 -0700 + + Add a retry when connecting stdin/stdout/stderr + +commit ad9d9e50e0656ac3c5228730989505bae0244f09 +Author: John Howard +Date: Fri Sep 8 14:26:03 2017 -0700 + + Enable GCS debugging from docker + + Signed-off-by: John Howard + +commit 4486bc29c643509eac9de46f1d77ecb96b5b364f (tag: v0.6.5) +Merge: b144c6050 12f6b54e1 +Author: Darren Stahl +Date: Thu Sep 7 18:19:22 2017 -0700 + + Merge pull request #142 from darrenstahlmsft/CreateTimeout + + Cleanup on failed container create due to timeout + +commit 12f6b54e1eb3816b625c77b98768c1b5f3be3074 +Author: Darren Stahl +Date: Wed Sep 6 12:57:16 2017 -0700 + + Cleanup on failed container create due to timeout + + 
Signed-off-by: Darren Stahl + +commit 203a54283e0b0d58c1bc9d8d0f0b4bea8503fe37 +Merge: 726a1d9fd e4a274473 +Author: Akash Gupta +Date: Thu Sep 7 16:54:25 2017 -0700 + + Merge pull request #125 from jterry75/async_bridge_tests + + Implements the bridge handler tests + +commit 726a1d9fdd9a017a24cb5fdcf2468d8cc58b1728 +Merge: a358b5838 2403c72ae +Author: Akash Gupta +Date: Thu Sep 7 16:52:20 2017 -0700 + + Merge pull request #132 from jterry75/131 + + Fixes an issue on cleanup with mapped directories + +commit 2403c72ae0ac803f4e3f7c6905a7da6bd10d3c5e +Author: Justin Terry (VM) +Date: Thu Sep 7 15:11:50 2017 -0700 + + Fixes an issue on cleanup with mapped directories + + Resolves: #131 + +commit b144c605002d4086146ca1c15c79e56bfaadc2a7 (tag: v0.6.4) +Merge: 6ea7fe54f da9e7b79f +Author: John Howard +Date: Thu Sep 7 10:57:15 2017 -0700 + + Merge pull request #141 from Microsoft/jjh/mappeddir + + Add CreateInUtilityVM to MappedDir + +commit da9e7b79fe11175fc510036539efb89381ca859a +Author: John Howard +Date: Thu Sep 7 09:16:11 2017 -0700 + + Add CreateInUtilityVM to MappedDir + + Signed-off-by: John Howard + +commit e4a2744739de07a9287f4f21c65a7f6e178f5489 +Author: Justin Terry (VM) +Date: Wed Aug 16 10:48:22 2017 -0700 + + Implements the bridge handler tests + + 1. Updates the bridge_test suite to test just the handler code and all error/success cases. + 2. Cleans up a little bit of the bridge handler code. + 3. Fixes the way that the 'Settings' field of a ContainerModifyRequestResponse is sent so that + we dont have an additional level of inderiction. + +commit a358b5838a87a83ce68a65c26604f905939cbe80 +Merge: ab442e9a0 d63e5f20c +Author: Akash Gupta +Date: Wed Sep 6 12:37:08 2017 -0700 + + Merge pull request #129 from jhowardmsft/jjh/readonly + + LCOW: VHDX boot to read-only + +commit d63e5f20c5385a7c49c75c0d1f4043391873a390 +Author: John Howard +Date: Wed Sep 6 11:04:37 2017 -0700 + + LCOW: VHDX boot to read-only + + 
Signed-off-by: John Howard + +commit ab442e9a042246e5e6c87102ed56faa6d3925458 +Merge: bba126e0a ba270d2f2 +Author: Cheng-mean Liu +Date: Tue Sep 5 21:49:03 2017 -0700 + + Merge pull request #128 from jstarks/mount_plan9_without_vsock_kernel_patch + + gcs: Mount plan9 shares with fd transport + +commit ba270d2f2f3982863cbcbe8b17897e1bdde38de0 +Author: John Starks +Date: Fri Sep 1 14:52:53 2017 -0700 + + gcs: Mount plan9 shares with fd transport + + This change eliminates the need for the plan9 vsock transport by + connecting to the plan9 server in GCS and using the plan9 fd + transport. + +commit bba126e0ae5fb4d720f0d76be64ed83506928947 +Merge: 34a64c360 1ef737534 +Author: Cheng-mean Liu +Date: Thu Aug 31 18:01:55 2017 -0700 + + Merge pull request #127 from Microsoft/docs + + Updated patch doc for the pickup of the latest Hyper-V vsock fix + +commit 1ef7375343f7b9fe1fc108df9db15c8ccadc556c +Author: Cheng-mean Liu +Date: Thu Aug 31 17:48:18 2017 -0700 + + Updated patch doc for the pickup of the latest Hyper-V vsock fix + +commit 34a64c3608036509e36bf9a211579a411f4d10da +Merge: a8a66ed78 af640c590 +Author: Cheng-mean Liu +Date: Tue Aug 29 13:50:47 2017 -0700 + + Merge pull request #116 from Microsoft/async_bridge_loop + + Implements the async bridge loop + +commit a8a66ed78fbdc6274ee9a6bdc89a61843481b462 +Merge: d98b0b1e5 6df781fd3 +Author: Cheng-mean Liu +Date: Fri Aug 25 16:54:24 2017 -0700 + + Merge pull request #123 from jterry75/golint + + Fixes the majority of golint issues + +commit 6df781fd3791f1ddb351f51130799554b14d1ded +Author: Justin Terry (VM) +Date: Fri Aug 25 14:16:33 2017 -0700 + + Updating comments to be under 80 chars + +commit af640c590aa0de1965174b8c74c5c35f527a2e0d +Author: Justin Terry (VM) +Date: Fri Aug 25 14:53:11 2017 -0700 + + Fixing nil map checks + +commit 97a7e8bed8f529885cb079904c152883166ddf3a +Author: Justin Terry (VM) +Date: Mon Aug 14 11:55:48 2017 -0700 + + Implements the async bridge loop + + Implements the async bridge + 
Implements the bridge multiplexer + Removes any waiting between commands in favor of a channel writer per request + Fixes the "RegisterExitHook" pattern in favor of a single channel writer on an async goroutine + Temporarily disables the bridge_test suite put puts in place bridge unit tests. These will be moved when the handler funcs are pulled off of the bridge in the second change. + +commit d98b0b1e51fe392ac67566c01a04fc73f1e9347f +Merge: aee5da25f 189a3fa86 +Author: Cheng-mean Liu +Date: Fri Aug 25 14:00:04 2017 -0700 + + Merge pull request #118 from Microsoft/vsock_relay + + Implement stdio pipe relay for container processes + +commit a618cc5cf50f4042f48e7a9d2f5ee98ba75ed90a +Author: Justin Terry (VM) +Date: Fri Aug 25 12:53:22 2017 -0700 + + Fixes the majority of golint issues + + Partial: #12 + +commit aee5da25f354b8b660a20a50b68479b17de7f8d4 +Merge: f05981df1 a08081743 +Author: Cheng-mean Liu +Date: Fri Aug 25 12:26:13 2017 -0700 + + Merge pull request #121 from Microsoft/update_runc_version + + Update runc version to version used by docker + +commit a08081743d8fa8cdf799c994b0cf8ca07983ac3c +Author: Ben Weedon +Date: Fri Aug 25 11:01:04 2017 -0700 + + Update runc version to version used by docker + + The docker update to use this version of runc can be found in the PR + https://github.com/moby/moby/pull/34356. 
+ +commit f05981df1ee30380217c64886dc636409a3830e2 +Merge: aa648d4a9 ea1abdb54 +Author: Akash Gupta +Date: Fri Aug 25 10:12:11 2017 -0700 + + Merge pull request #120 from Microsoft/OCI_V_1.0.0 + + updated gcs to oci v1.0.0 + +commit ea1abdb54786e2d8d37a5ab24c13f97ef93835a0 +Author: Cheng-mean Liu +Date: Fri Aug 25 01:51:36 2017 -0700 + + updated gcs to oci v1.0.0 + +commit 189a3fa8605406ef6f168763ca1277aff9cb47ae +Author: Justin Terry (VM) +Date: Thu Aug 24 21:16:44 2017 -0700 + + Fixing a runc_test issue + + The cleanup code runs a goroutine that leaks the capture state of the stdioset which causes go to detect a race only when running tests and not production code. + +commit 34d74a65dcc813e07c97313d16e45bb88c538b6f +Author: Justin Terry (VM) +Date: Tue Aug 22 14:42:23 2017 -0700 + + Implement stdio pipe relay for container processes + + Resolves: #114 + +commit aa648d4a9eb4140223093d01933c06a51a33ea26 +Merge: f87b25d86 2f319d643 +Author: Cheng-mean Liu +Date: Thu Aug 24 15:36:52 2017 -0700 + + Merge pull request #94 from Microsoft/remotefs-sync + + remotefs: Added sync to writes and OpenFile + +commit f87b25d862c8f18b503444c1e23c8e25f2844ed9 +Merge: a3116797c cd355b57b +Author: Cheng-mean Liu +Date: Thu Aug 24 15:19:03 2017 -0700 + + Merge pull request #117 from Microsoft/mtu + + Sets the MTU when a non-default value is specified + +commit a3116797cceda8f8b477c36b0d4fe47a0103b5cd +Merge: b73ea61a2 924880f09 +Author: Cheng-mean Liu +Date: Thu Aug 24 11:12:49 2017 -0700 + + Merge pull request #119 from Microsoft/mount + + Tar2vhd should use -t ext4 when calling mount. + +commit 924880f09cf314b1691dc11283d4cf524012df3d +Author: Justin Terry (VM) +Date: Thu Aug 24 10:21:43 2017 -0700 + + Tar2vhd should use -t ext4 when calling mount. 
+ +commit b73ea61a2a98f620e906b1484b268d1d4c1224f7 +Merge: 3193f23a4 38abb8633 +Author: Justin +Date: Wed Aug 23 13:22:54 2017 -0700 + + Merge pull request #107 from Microsoft/error_recovery + + Proper error recovery in the bridge + +commit 2f319d6439b4f60fcbd49f076cf635344a923198 +Author: Akash Gupta +Date: Fri Aug 18 17:30:55 2017 -0700 + + Add build tag to remotefs implementation + +commit abd271d6013eea2bc8e1a370b93573afad481917 +Author: Akash Gupta +Date: Wed Aug 9 15:57:50 2017 -0700 + + Added Seek to remotefs.OpenFile + +commit 3dd8a4b2c7f402b25b62dd390f25c47f3be1b19b +Author: Akash Gupta +Date: Wed Aug 9 15:22:51 2017 -0700 + + Changed remotefs organization + +commit 4c5bd9a32710e6e1bf802e0cc39acfcf71e08725 +Author: Akash Gupta +Date: Tue Aug 8 13:24:21 2017 -0700 + + Reworked OpenFile to have protocol + +commit f956d6c6fe27e4db0e419e2591ad3c8c492cddd3 +Author: Akash Gupta +Date: Thu Aug 3 18:01:13 2017 -0700 + + Added sync on write operations + +commit 8b8c7d4f163f5198f00b36cb3ea6e3095624078a +Author: Akash Gupta +Date: Thu Aug 3 15:59:50 2017 -0700 + + Added openfile to remotefs + +commit cd355b57b77aa4a3ee8a25ac52f28c0e1f4bcf77 +Author: Justin Terry (VM) +Date: Thu Aug 17 15:01:51 2017 -0700 + + Sets the MTU when a non-default value is specified + + Resolves: #115 + +commit 3193f23a47db3dc77162a0b99f431203d374664c +Merge: 2dad06f03 c66398b24 +Author: Cheng-mean Liu +Date: Wed Aug 16 15:17:49 2017 -0700 + + Merge pull request #111 from miguelinux/kernelconfig-refactoring + + Kernelconfig refactoring and add missing patches + +commit c66398b245111dc188d83a43e169a7e37b8c5d58 +Author: Miguel Bernal Marin +Date: Wed Aug 9 15:05:17 2017 -0500 + + kernel: consolidate documentation to one file + + consolidate the information to README.md, so in + the GitHub page it will be showed at a directory level. + + 
Signed-off-by: Miguel Bernal Marin + +commit b997de397663e77aede372e17bae19e698962081 +Author: Miguel Bernal Marin +Date: Wed Aug 9 14:14:13 2017 -0500 + + kernelconfig: organize kernel directory as linuxkit + + As the files are properly named with the kernel version, is time to + move the directory to be similar as linuxkit. + + This commit moves the content from kernelconfig/4.11 to kernel + directory, and updates customosbuildinstructions document. + + Signed-off-by: Miguel Bernal Marin + +commit da6797e3a750ca6ccb721a40278566b953532062 +Author: Miguel Bernal Marin +Date: Mon Aug 7 19:02:59 2017 -0500 + + kernelconfig: organize kernel patches as linuxkit + + This commit creates a directory where the Linux kernel patches live, + the directory is called patches-4.11.x (similar as linuxkit) + + The following patches were renamed: + + * patch_9pfs_vsock-transport.patch -> patches-4.11.x/0001-Added-vsock-transport-support-to-9pfs.patch + * patch_lower-the-minimum-PMEM-size.patch -> patches-4.11.x/0002-NVDIMM-reducded-ND_MIN_NAMESPACE_SIZE-from-4MB-to-4K.patch + + And the kernel config file was renamed + + * kconfig_for_4_11 -> kernel_config-4.11.x + + 
Signed-off-by: Miguel Bernal Marin + +commit 2dad06f038530dc305fb139a281507f1002e7e51 +Merge: 0410aabd5 05b0e586e +Author: Cheng-mean Liu +Date: Tue Aug 15 13:55:39 2017 -0700 + + Merge pull request #106 from Microsoft/more_runc_tests + + Expanded runC tests + +commit 38abb86337ce3570685fbe77f3acfa15bae0f1bf +Author: Ben Weedon +Date: Wed Aug 9 20:36:22 2017 -0700 + + Add bridge tests for core error responses + +commit 05b0e586ef2bff95da1a0913782577111080ed39 +Author: Ben Weedon +Date: Tue Aug 15 11:46:42 2017 -0700 + + Only use empty connection sets for sleep processes in runc tests + + This prevents potential process exits for processes like sh or cat which + require non-empty connection sets. + +commit e3b81fc4ed4c673fe92e4adb0e930bc4de3eb3ec +Author: Ben Weedon +Date: Wed Aug 9 17:05:11 2017 -0700 + + Add stderr tests to runC tests + +commit 34cfe2b9235e655515937775e7ef7d6a6cc1b24c +Author: Ben Weedon +Date: Wed Aug 9 15:07:06 2017 -0700 + + Add stdio validation to runC tests + + Some tests will now send input to processes and expect the correct + output to be returned. + +commit 587e4a424a14e51063eccd813b427759d848af7f +Author: Ben Weedon +Date: Wed Aug 9 12:11:36 2017 -0700 + + Support non-initial cat processes in runC tests + +commit b57fc6d82d15107415e8a841212126176737d92f +Author: Ben Weedon +Date: Wed Aug 9 11:54:35 2017 -0700 + + Support a cat init process in the runC tests + +commit ec4ecc5330b569d34141ffdbc0b61874bb344fda +Author: Ben Weedon +Date: Wed Aug 9 11:44:31 2017 -0700 + + Support non-empty ConnectionSets in runC tests + +commit 1a6499aa601416a4ff9781e6e5b8e7c67ede2202 +Author: Ben Weedon +Date: Tue Aug 8 18:28:49 2017 -0700 + + Reimplement MockConnection to use unix sockets + + This more closely mirrors vsocks, especially in allowing for + implementation of the File() method. 
+ +commit 0410aabd5ba42fc3375f0a906f683c6d26efc95b +Merge: 6587989a9 590f34149 +Author: Akash Gupta +Date: Tue Aug 15 11:21:04 2017 -0700 + + Merge pull request #113 from Microsoft/close_nil_connset + + Fix nil deref when closing ConnectionSet on error + +commit 590f3414977436a5a49bcf356c14f3c72df34024 +Author: Ben Weedon +Date: Mon Aug 14 18:13:42 2017 -0700 + + Fix nil deref when closing ConnectionSet on error + + This bug caused the GCS to crash with a panic when connecting to stdio + sockets failed in any way. + +commit 6587989a95a2f64705ccd569abe68d0a2ffc20b1 +Merge: b8aae4a62 4604cf060 +Author: Akash Gupta +Date: Fri Aug 11 16:02:19 2017 -0700 + + Merge pull request #112 from Microsoft/etc_perms + + Change permissions of etc directory from 0700 to 0755 + +commit 4604cf0602686b2985e0d74daf13c76df4faccb3 +Author: Ben Weedon +Date: Fri Aug 11 15:45:22 2017 -0700 + + Change permissions of etc directory from 0700 to 0755 + + This fixes an issue experienced in the ubuntu image where apt-get needs + the /etc directory to be executable to perform an nslookup. When we + switch to using bind mounts specified by docker to get resolv.conf into + the container namespace, we might be able to avoid specifying the + permission bits altogether. + +commit 73c352e686db410ab49c319f3a9c9460ab2099c9 +Author: Miguel Bernal Marin +Date: Fri Aug 4 18:03:16 2017 -0500 + + kernelconfig: modify file mode bits + + The following files had the execution bit enabled + + * kconfig_for_4_11 + * patch_9pfs_vsock-transport.patch + * patch_hyperv_vsock_patch_instruction.txt + * patch_lower-the-minimum-PMEM-size.patch + * readme.txt + + This commit removes the execution bit. + + Also set the execution bit to the init_sript + + * scripts/init_script + + 
Signed-off-by: Miguel Bernal Marin + +commit 922a826a8138a585737894482ada2d503faab81f +Author: Ben Weedon +Date: Tue Aug 8 15:47:17 2017 -0700 + + Support multiple test config.json files + + The current one was renamed to sh_config.json. The runc tests will now + symlink the specified file into testbundle. + + Also makes sure to make parent directories in setup_test_env, since the + testbundle directory is now empty and so won't be included in the git + repo. + +commit b54345f91dedd9498347967eb2287805cf6a401a +Author: Ben Weedon +Date: Tue Aug 8 15:15:01 2017 -0700 + + runc test init process is now sh rather than sleep + + Also replace the long sleep processes in the tests with sh as well. + +commit 502efaa4ae979d49e943fced9a0fd69c92be361b +Author: Ben Weedon +Date: Tue Aug 8 15:07:24 2017 -0700 + + Only wait for runc master pt after runc finishes + + This prevents the socket read from hanging when runc encounters an + error. + +commit b8aae4a623d61c9862aead6d560ad13dc04a5f87 +Merge: d5e297f59 cf92d91f6 +Author: Akash Gupta +Date: Thu Aug 10 11:52:07 2017 -0700 + + Merge pull request #108 from jhowardmsft/fixmessage + + client: fix error message + +commit d5e297f5933edfa6781a3e133f80f62f4dcb21f2 +Merge: 874b6714c cf327b5e8 +Author: Akash Gupta +Date: Thu Aug 10 11:51:42 2017 -0700 + + Merge pull request #109 from jhowardmsft/golint + + Fixes some golint errors + +commit cf327b5e80a453420eeacf05747e087af804d90d +Author: John Howard +Date: Thu Aug 10 10:50:49 2017 -0700 + + Fixes some golint errors + + Signed-off-by: John Howard + +commit cf92d91f6037e19fc2e4533ef228b3bb756d3b64 +Author: John Howard +Date: Thu Aug 10 10:29:42 2017 -0700 + + client: fix error message + + 
Signed-off-by: John Howard + +commit 7762cf8143c49c181b54f9fdd94d0fc39544cc61 +Author: Ben Weedon +Date: Wed Aug 9 18:21:51 2017 -0700 + + Remove the unnecessary "the message is normal ASCII" test Contexts + +commit 6ea7fe54f719d95721e7d9b26ac0add224c9b923 (tag: v0.6.3, tag: V0.6.3) +Merge: 43f972530 821c68e41 +Author: John Howard +Date: Tue Aug 8 00:05:43 2017 -0700 + + Merge pull request #140 from pradipd/LB_fix + + Adding SourceVIP and fixing VIPs in AddLoadBalancer. + +commit 874b6714c9d15f9f346f7f6c080069b399285f06 +Merge: c0a6db952 32fdcada3 +Author: Cheng-mean Liu +Date: Mon Aug 7 17:44:35 2017 -0700 + + Merge pull request #84 from Microsoft/console_resize + + Adds console resize support. + +commit c0a6db9523d43063ad1057af7e2d5151be91778f +Merge: 7f54f585a 891e7f7ef +Author: Cheng-mean Liu +Date: Mon Aug 7 17:43:48 2017 -0700 + + Merge pull request #97 from Microsoft/stack_trace_in_response + + Support responses with both error messages and stack traces + +commit 891e7f7efed9053f44dc6504eca00e9d5ad313bb +Author: Ben Weedon +Date: Mon Jul 31 12:08:41 2017 -0700 + + Support responses with both error messages and stack traces + + The HCS now can accept stack trace information in the ErrorRecord + struct. As a result, the GCS should provide that information back on + error. + +commit 821c68e419f15ab764315ec5cb6ae1743eae3500 +Author: Pradip Dhara +Date: Mon Aug 7 09:26:03 2017 -0700 + + Adding SourceVIP and fixing VIPs in AddLoadBalancer. + + 
Signed-off-by: Pradip Dhara + +commit 7f54f585a5bd3d5bfc4f0e1aa2fd98f77a7f8bab +Merge: 285d650c8 1decdad52 +Author: Cheng-mean Liu +Date: Fri Aug 4 15:34:07 2017 -0700 + + Merge pull request #95 from Microsoft/dns_resolv_conf + + Changing base layer order + +commit 1decdad523a716677b2bddc5650ec6307fae9a7d +Author: Justin Terry (VM) +Date: Wed Aug 2 13:33:18 2017 -0700 + + Changing base layer order + + Partially Resolves: #78 + +commit 32fdcada34a17dc7172ae708bc5826d38dc79e8e +Author: Justin Terry (VM) +Date: Fri Aug 4 09:11:09 2017 -0700 + + Updating comment + +commit b5e25bab13b9b613de9262f8d3beaf385d0e00bb +Author: Justin Terry (VM) +Date: Tue Aug 1 14:02:49 2017 -0700 + + Change to use mutex for sync + + Removes the per container cache for processes as they are all external pid's + Changes to use a mutex instead of the wait group for ResizeConsole so we are confident of order. + Puts back some of the containerID overloads because HCS always sends this even for external processes. + +commit ab71b3f2c7a694d520be64d2f7262c8b8df6e91d +Author: Justin Terry (VM) +Date: Tue Aug 1 11:10:35 2017 -0700 + + Synchronizing ResizeConsole + +commit 5691c4e2f6c98a5e14aa732f334aa7a798c39e05 +Author: Justin Terry (VM) +Date: Tue Aug 1 10:15:58 2017 -0700 + + Adding console resize bridge tests. + +commit 7556251ab64e43d93f81283c8e7ce0e4ba7d7ddc +Author: Justin Terry (VM) +Date: Mon Jul 31 12:31:11 2017 -0700 + + Adds console resize support. 
+ + Resolves: #76 + +commit 285d650c8f3aa754af537871cddc273b6c5c6d58 +Merge: 67f64632c 538c30635 +Author: Akash Gupta +Date: Thu Aug 3 18:10:09 2017 -0700 + + Merge pull request #93 from Microsoft/build_instructions + + Updated user mode preparation instructions in response to the removal + +commit 538c3063559438648fba76c0ce2b87f734bfcd0b +Merge: de973bf9b 67f64632c +Author: Cheng-mean Liu (SOCCER) +Date: Thu Aug 3 17:55:26 2017 -0700 + + Updated user mode preparation instructions in response to the removal of prebuiltsandbox.vhdx from the requirement + +commit de973bf9b4f1278fea6ed42efb7b3b4cae7c2c97 +Author: Cheng-mean Liu (SOCCER) +Date: Thu Aug 3 17:13:32 2017 -0700 + + Updated user mode preparation instructions in response to the removal of prebuiltsandbox.vhdx from the requirement + +commit 67f64632c1011a8fe1622116d063ba986a9949bc +Merge: 4aee5fc4f 601dd2748 +Author: Akash Gupta +Date: Thu Aug 3 17:05:24 2017 -0700 + + Merge pull request #91 from jhowardmsft/jjh/doccorrection + + docs: remotefs and netnscfg + +commit 601dd27482444f8c6e673a637e6d5301e973781c +Author: John Howard +Date: Thu Aug 3 16:59:36 2017 -0700 + + docs: remotefs and netnscfg + + Signed-off-by: John Howard + +commit 4aee5fc4f3116b13cb4ab097ed399c18a712e396 +Merge: edd79db19 03fb78a50 +Author: Cheng-mean Liu +Date: Thu Aug 3 16:54:57 2017 -0700 + + Merge pull request #41 from jhowardmsft/jjh/removecreatesandbx + + Remove createSandbox utility + +commit 03fb78a50f43288d1aab75c58e4bc36f19b875f8 +Author: John Howard +Date: Thu Jul 13 12:01:55 2017 -0700 + + Remove createSandbox + + 
Signed-off-by: John Howard + +commit edd79db19adcd7387ef7f10ef4657f4bfab39546 +Merge: 675f68677 492716ef5 +Author: Akash Gupta +Date: Thu Aug 3 16:23:39 2017 -0700 + + Merge pull request #90 from Microsoft/newkconfig + + Removed a few more unnecessary kconfig for reduing the kernel size + +commit 675f68677074e581f87f2b2c1101ebf1cc83cd42 +Merge: 0a7cc451f 5e8c4c3f4 +Author: Cheng-mean Liu +Date: Thu Aug 3 16:13:44 2017 -0700 + + Merge pull request #89 from Microsoft/tmp-gcsutils + + changed temp directory for gcstools + +commit 0a7cc451fba2344118030bb1d67faf7a993be1db +Merge: d0bae48f0 00d75e41c +Author: Cheng-mean Liu +Date: Thu Aug 3 16:13:03 2017 -0700 + + Merge pull request #88 from jhowardmsft/bootvhd + + Add boot from VHD + +commit 43f9725307998e09f2e3816c2c0c36dc98f0c982 (tag: v0.6.2) +Merge: 807cab50f 4107f5b56 +Author: John Starks +Date: Thu Aug 3 16:10:26 2017 -0700 + + Merge pull request #139 from Microsoft/jjh/bootfromvhd + + Add Boot from VHD settings + +commit 492716ef53444c87b22b18d5012c52a96182621f +Author: Cheng-mean Liu (SOCCER) +Date: Thu Aug 3 16:07:56 2017 -0700 + + Removed a few more unnecessary kconfig for reduing the kernel size + +commit 5e8c4c3f46af500179fab76b4869178276c10483 +Author: Akash Gupta +Date: Thu Aug 3 16:01:50 2017 -0700 + + changed temp directory for gcstools + +commit 00d75e41c424091dbbe08e79e03944a662f7ff7e +Author: John Howard +Date: Thu Aug 3 16:01:55 2017 -0700 + + Add boot from VHD + + Signed-off-by: John Howard + +commit 4107f5b564a250977778c4779c91fc74b34d0e8c +Author: John Howard +Date: Thu Aug 3 15:56:51 2017 -0700 + + Add Boot from VHD settings + + 
Signed-off-by: John Howard + +commit d0bae48f0a956d2320a0dd863f58e8a49839bdc6 +Merge: b3f837990 4b48998dd +Author: Cheng-mean Liu +Date: Wed Aug 2 17:00:33 2017 -0700 + + Merge pull request #87 from jterry75/sirupsen + + Update to lowercase sirupsen/logrus + +commit 4b48998ddb6e6f2208c168de5c9a2212ea52f2df +Author: Justin Terry (VM) +Date: Wed Aug 2 16:32:05 2017 -0700 + + Adding golang.org/x/crypto to vendor + +commit 807cab50f9377d5a29aa59d45fa8fd559496199b +Merge: a8d9cc56c 37b447b34 +Author: John Starks +Date: Wed Aug 2 11:42:53 2017 -0700 + + Merge pull request #138 from jstarks/seekable_layer_reader + + Add Seek to layer reader + +commit 0f64acf13c60c7a08500b2c46779ba9ad018eb72 +Author: Justin Terry (VM) +Date: Wed Aug 2 11:34:21 2017 -0700 + + Updating service files with Sirupsen + +commit e363cbb1c6a825d1b18289962b904d4fdf0f04b3 +Author: Justin Terry (VM) +Date: Wed Aug 2 11:34:03 2017 -0700 + + Updating dependent vendor's with Sirupsen casing + +commit 3909b2179e7c380748742a5279b392bd30b5ffa7 +Author: Justin Terry (VM) +Date: Wed Aug 2 10:59:45 2017 -0700 + + Adding back lowercase sirupsen package + +commit 8a672aff39fa09ccb7fc2fe75f551dd7207a3999 +Author: Justin Terry (VM) +Date: Wed Aug 2 10:58:35 2017 -0700 + + Remove capital Sirupsen vendor package + +commit b3f83799000b0cfcddcd34021cfccd2cc8fa49d5 +Merge: 29241d303 0d7438b07 +Author: Cheng-mean Liu +Date: Wed Aug 2 10:26:35 2017 -0700 + + Merge pull request #85 from Microsoft/remotefs-dir + + Added readdir and fixed typo in omitempty + +commit 29241d30397cee46d627a61f6a9c7aef41933f2e +Merge: e248b10d8 b8f581e25 +Author: Cheng-mean Liu +Date: Wed Aug 2 10:25:06 2017 -0700 + + Merge pull request #86 from Microsoft/jjh/opengcs.12 + + (Final!) 
refresh of client + +commit 37b447b34728eb60903866ab8f9b3131ac911da0 +Author: John Starks +Date: Tue Aug 1 16:35:30 2017 -0700 + + Add Seek to layer reader + +commit b8f581e25727e246b4819ee9ff68aeffcb4762e3 +Author: John Howard +Date: Tue Aug 1 16:04:23 2017 -0700 + + (Final!) refresh of client + + 
Signed-off-by: John Howard + +commit 0d7438b074bb9d110a0e6db323d7be3d8b8f5cbf +Author: Akash Gupta +Date: Tue Aug 1 12:50:11 2017 -0700 + + Added readdir and fixed json omitempty + +commit e248b10d8dae94ffaa59fae15245b4e7b6c56fbb +Merge: 48af930c9 239a4b993 +Author: Cheng-mean Liu +Date: Mon Jul 31 17:03:20 2017 -0700 + + Merge pull request #81 from Microsoft/remotefs-bak + + Added remotefs binary + +commit 239a4b993de41ee9b9125b1b82f3393a6e6dd3ce +Author: Akash Gupta +Date: Mon Jul 31 15:28:24 2017 -0700 + + Implemented rest of remote file system + +commit 48af930c9e9b0a150aab8160678e40e3e406a32b +Merge: 8f5d50fa9 6825d2bcd +Author: Cheng-mean Liu +Date: Mon Jul 31 11:41:39 2017 -0700 + + Merge pull request #82 from Microsoft/signal_process_2 + + Change TerminateProcess to SignalProcess + +commit 8f5d50fa9b4af1341713f06d19fe2e22fd85524c +Merge: c36e11860 00c1fcf5e +Author: Cheng-mean Liu +Date: Sat Jul 29 11:00:28 2017 -0700 + + Merge pull request #83 from Microsoft/mapped_dir_full_path + + Mount MappedDirectories under full path ContainerPath + +commit 00c1fcf5edd46a35561a35002a0aeaf74e1d6627 +Author: Ben Weedon +Date: Fri Jul 28 16:35:02 2017 -0700 + + Remove unnecessary variable for dir/disk.ContainerPath + +commit 6825d2bcd4ca38a984755a137f24fc381508e4be +Author: Ben Weedon +Date: Wed Jul 26 14:03:41 2017 -0700 + + Change TerminateProcess to SignalProcess + + Now the GCS will receive a SignalProcessOptions field in the + ContainerSignalProcess message (which was renamed from + ContainerTerminateProcess). Rather than sending a SIGTERM to the process + followed by a SIGKILL after a timeout, the GCS will simply send the + specified signal to the process. Renaming has also been done throughout + the code to match this semantic change. 
+ +commit 39bf49820df656faea5572a12d2903cc728a33ef +Author: Akash Gupta +Date: Thu Jul 27 18:50:27 2017 -0700 + + Changed time to nanoseconds + +commit 4a470e0fa938a8ec8836f0e95d4cd9fc961ec2fb +Author: Akash Gupta +Date: Thu Jul 27 16:52:35 2017 -0700 + + Fixed serialization and added tests for remotefs + +commit c36e118608493a7ab5c624bfb836f16fddbe5e10 +Merge: c89eef133 730dff1a1 +Author: Akash Gupta +Date: Thu Jul 27 18:02:27 2017 -0700 + + Merge pull request #80 from Microsoft/docs + + Updated kconfig with the latest clean .config + persistent memory sup… + +commit 730dff1a177aeda8dc84f9ab64ba437e5f45ddeb +Author: Cheng-mean Liu (SOCCER) +Date: Thu Jul 27 16:22:37 2017 -0700 + + Updated kconfig with the latest clean .config + persistent memory support + +commit e820c97db608f036e13dcaf0a1a0137beef0a8fd +Author: Akash Gupta +Date: Wed Jul 26 17:37:08 2017 -0700 + + Added docker symlink pkg to vendor + +commit f38dfdd92b027b297c55d479397632cbcc87e327 +Author: Akash Gupta +Date: Wed Jul 26 17:36:35 2017 -0700 + + ran gofmt and fixed error serialization + +commit 4c4406b3f209476ea1768612c42d80352ad8e0fe +Author: Akash Gupta +Date: Wed Jul 26 16:37:17 2017 -0700 + + forgot to fix merge conflict on makefile + +commit 36ee04434ce12536e16f8aefe3e6f8f9758738f4 +Author: Akash Gupta +Date: Thu Jul 13 17:07:57 2017 -0700 + + Cleaned up remotefs + +commit f8e4eb7406168fb6285fe3e30bff320a13c9f00e +Author: Akash Gupta +Date: Mon Jul 10 18:05:45 2017 -0700 + + added mkdirall + +commit d9469a30d7894c0209ced57744df2b1b466d51f2 +Author: Akash Gupta +Date: Thu Jul 6 11:39:00 2017 -0700 + + Added logging for debugging + +commit b438d9b4e6b5a2235a5b28d4858c98866ef26f1b +Author: Akash Gupta +Date: Thu Jul 6 10:38:49 2017 -0700 + + Implemented remotefs + +commit 6f5074407db25752272f46317b6bcf0620b3a895 +Author: Ben Weedon +Date: Wed Jul 26 16:41:09 2017 -0700 + + Mount MappedDirectories under full path ContainerPath + + Previously, ContainerPath specified a single path element and was 
always + mounted under /tmp. Now, it is a full path just like + MappedVirtualDisks. + +commit c89eef1339d9bea5106c865f5830798bfa7ad5c0 +Merge: dec72ab7c 351131260 +Author: Cheng-mean Liu +Date: Wed Jul 26 17:14:23 2017 -0700 + + Merge pull request #77 from jterry75/disk_attach_only + + Disk attach only + +commit 3511312608f65376b98bc57c52f1190d0a44aecf +Author: Justin Terry (VM) +Date: Tue Jul 25 14:53:17 2017 -0700 + + Review feedback. + + 1. Fixes the protocol to allow a default request type. + 2. Adds a comment about why we early deserialize. + +commit a8d9cc56cbce765a7eebdf4792e6ceceeff3edb8 +Merge: b35bbcffd dc76e2ed3 +Author: Darren Stahl +Date: Tue Jul 25 13:47:27 2017 -0700 + + Merge pull request #134 from madhanrm/AttachDetach + + (1) Expose Attach/Detach (2) Add hns unit testing + +commit de4ec2648880ce8c27f7c9589e8cf2c362aa81e1 +Author: Justin Terry (VM) +Date: Tue Jul 25 10:13:13 2017 -0700 + + Assigns the bridge activityid as early as possible. + + Fixes an issue where when we fail for validation reasons in + the bridge unmarshal we actually fail to return an error with the correct + activity id's. + +commit b9080368a39f90cc2606dc217b50fad66fee6ef6 +Author: Justin Terry (VM) +Date: Tue Jul 25 09:56:58 2017 -0700 + + Adds the AttachOnly bridge tests. + +commit a82606f2f1cfd341d5bc4f740f1492c3806203b4 +Author: Justin Terry (VM) +Date: Tue Jul 25 09:55:38 2017 -0700 + + Fixes an unmarshal bug in the unit tests. + + 1. When using a global type passed by reference a previous unit tests can unmarshal the results onto properties affecting a later test. + +commit 1d74d2b59d6d5e7c1ccd71fbf77a02c3660c3a8e +Author: Justin Terry (VM) +Date: Tue Jul 25 09:52:33 2017 -0700 + + Fixes a few bridge tests. + + 1. Properly checks for the channel being closed in test teardown. + 2. Removes the default assignment for resource type, request type. These should always be required. + 3. Fixes up the unit tests to match. 
+ +commit b35bbcffd92dd4d51c0963a5ebefa41bac612d4d (tag: v0.6.1) +Merge: c14cfef07 007f13997 +Author: Darren Stahl +Date: Mon Jul 24 15:12:04 2017 -0700 + + Merge pull request #136 from dmcgowan/update-logrus + + Fix casing on logrus + +commit 007f139973e2d02396f37b7f0a87bedec7716dce +Author: Derek McGowan +Date: Fri Jul 21 16:08:12 2017 -0700 + + Fix casing on logrus + + Add files missed with the merge + +commit c14cfef0724512698bbc6833031020e03970c93c (tag: v0.6.0) +Merge: 08397650a 461d6cb54 +Author: John Starks +Date: Fri Jul 21 13:08:59 2017 -0700 + + Merge pull request #123 from XenoPhex/master + + downcase github.com/sirupsen/logrus imports + +commit dc76e2ed396ac8097934c72fe5863aa06fc4711f +Author: Madhan Raj Mookkandy +Date: Tue Jul 18 11:12:20 2017 -0700 + + Unit test for HNS + +commit 44f5291985b06363f8c9a7a594b7f7dccd7d2954 +Author: Madhan Raj Mookkandy +Date: Tue Jul 18 11:11:58 2017 -0700 + + Attach/Detach Apis + + Fix Policy List Apis + +commit 3b5d7dfe92d53911c3300551c1b177cc2ac0794a +Author: Ben Weedon +Date: Thu Jul 13 16:57:15 2017 -0700 + + Don't mount MappedVirtualDisk if specified AttachOnly + +commit dec72ab7c137eb9aa5b3464a86b063359b8284bd +Merge: e04d22255 8c0bb6830 +Author: Cheng-mean Liu +Date: Wed Jul 19 18:36:44 2017 -0700 + + Merge pull request #75 from Microsoft/ci_tests + + CI Tests + +commit 8c0bb68303f1ac8093da034b5c4e2bcda0b7b048 +Author: Ben Weedon +Date: Tue Jul 18 09:29:04 2017 -0700 + + Configure Travis to run tests + +commit 7d1c289e1e8803928d1a149661884998f10eefd5 +Author: Ben Weedon +Date: Wed Jul 19 17:20:28 2017 -0700 + + Add runc test setup to setup_test_env + +commit e04d22255c959ca14a3a41b32b391dcd7edc2625 +Merge: b58d6b723 35ee0c39c +Author: Cheng-mean Liu +Date: Wed Jul 19 18:06:06 2017 -0700 + + Merge pull request #74 from Microsoft/test_fixes + + Test fixes + +commit b58d6b72313e14f8d53aa97c9396d43d263e002e +Merge: bdb44fcc6 428bd4618 +Author: Cheng-mean Liu +Date: Wed Jul 19 15:25:06 2017 -0700 + + Merge pull 
request #67 from jhowardmsft/jjh/refreshclientagain + + Refreshes the client code again + +commit 35ee0c39cccb27676aa8361040165571818e269c +Author: Ben Weedon +Date: Tue Jul 18 14:26:49 2017 -0700 + + Reimplement PathIsMounted to remove mountpoint dependency + + The mountpoint executable on some systems (such as the Travis CI system) + doesn't work for bindmounts. Reading from /proc/self/mountinfo like + other mountpoint implementations doesn't have this limitation. + +commit 5d2cf10deef16be68467528f93546150a2076972 +Author: Ben Weedon +Date: Tue Jul 18 11:24:13 2017 -0700 + + mockruntime container now only exits when killed + + Previously, a call to Wait on a mockruntime container would exit + immediately. Now, it doesn't exit until the Kill call (with any signal) + has been made on the container. + +commit ae087e6c0d8765e8d6444d7fb68973b560c9c8e1 +Author: Ben Weedon +Date: Tue Jul 18 10:25:01 2017 -0700 + + Pass -F parameter to mkfs.ext4 in storage_test.go + + This parameter is required to ignore the "___ is not a block special + device" warning. + +commit 67d9cc641ebb128dd743aff205934c4f89ad7231 +Author: Ben Weedon +Date: Wed Jul 19 14:34:20 2017 -0700 + + Mark bridge tests as unit tests + + This allows them to be run with "ginkgo -focus unittests". 
+ +commit bdb44fcc6d6fc6204316778b9af9d3bb0dc2bf32 +Merge: 606febe91 dd93d23a9 +Author: Cheng-mean Liu +Date: Wed Jul 19 15:18:22 2017 -0700 + + Merge pull request #57 from jstarks/vpmem + + gcs: Add per-layer vPMEM support + +commit 606febe912790cfa38fc44b812e81c620b8aa2c2 +Merge: 708abf284 c93c98f52 +Author: Akash Gupta +Date: Wed Jul 19 14:58:18 2017 -0700 + + Merge pull request #73 from Microsoft/netdoc + + Updated build instructions for the addition of the new netnscfg tool + +commit 708abf284c45aacc61f84395d4afd4221853071a +Merge: 30e5d9367 690951360 +Author: Cheng-mean Liu +Date: Wed Jul 19 14:15:02 2017 -0700 + + Merge pull request #59 from Microsoft/mapped_directories + + Implement mapped directories + +commit c93c98f527f8b6c52dcc7d012b34ff92f906a5f3 +Author: Cheng-mean Liu +Date: Wed Jul 19 14:09:08 2017 -0700 + + Updated build instructions for the addition of the new netnscfg tool + +commit 08397650a089e836bcac4c946175ee0fe49fed69 +Merge: 283d35b22 3d1ca7289 +Author: Darren Stahl +Date: Wed Jul 19 14:01:23 2017 -0700 + + Merge pull request #113 from darrenstahlmsft/CPUComments + + Update ProcessorMaximum and ProcessorWeight comments + +commit 3d1ca728979d3f513b10e6de32027a92c3a5a0a8 +Author: Darren Stahl +Date: Wed Apr 26 12:09:07 2017 -0700 + + Update ProcessorMaximum and ProcessorWeight comments + + 
Signed-off-by: Darren Stahl + +commit 30e5d93672b11f6588bb909783f5f18ac89a27e8 +Merge: f2f4d2d48 d55a91737 +Author: Cheng-mean Liu +Date: Wed Jul 19 11:40:25 2017 -0700 + + Merge pull request #70 from rn/rootfs + + Fix permissions on the container root filesystem + +commit f2f4d2d482be0581577e3b4a1c50b494a433b3aa +Merge: c17911904 86faef152 +Author: Cheng-mean Liu +Date: Wed Jul 19 11:39:56 2017 -0700 + + Merge pull request #63 from rn/net + + Various fixes to the networking setup + +commit d55a917379686980ef3d68e5ed9b53dd4ea1bcd5 +Author: Rolf Neugebauer +Date: Wed Jul 19 11:08:18 2017 +0100 + + Fix permissions on the container root filesystem + + Make sure the scratch and workdir are accessible + by all users. + + fixes #69 + + Signed-off-by: Rolf Neugebauer + +commit c17911904e39e965a5d8f60643c6dc8418b86a34 +Merge: ad7a0bb54 4adb4ea1e +Author: Cheng-mean Liu +Date: Tue Jul 18 18:37:12 2017 -0700 + + Merge pull request #60 from Microsoft/setup_tests + + Add script to service/gcs for setting up GCS tests + +commit 428bd461888c68253a6f4430fa0a7eae59bd393d +Author: John Howard +Date: Tue Jul 18 14:55:20 2017 -0700 + + Refreshes the client code again + + Signed-off-by: John Howard + +commit 283d35b2271ae4dc5ebb43fdd356c8f873e41568 (tag: v0.5.28) +Merge: abde106ed ffd0daf83 +Author: John Howard +Date: Tue Jul 18 14:41:55 2017 -0700 + + Merge pull request #135 from Microsoft/jjh/dynamicsandboxmanagement + + Dynamic Sandbox Management for LCOW + +commit ffd0daf833588dafa05cd466773229609add2ea5 +Author: John Howard +Date: Tue Jul 18 11:45:40 2017 -0700 + + Dynamic Sandbox Management for LCOW + + Signed-off-by: John Howard + +commit 86faef1527a120555319d7eea4d658d47e0ab08c +Author: Rolf Neugebauer +Date: Tue Jul 18 14:45:57 2017 +0100 + + Remove unused networking and namespace functions from oslayer + + All network and namespace config has been moved to the netnscfg + utility, so there is no need for these functions in the oslayer + anymore. + + 
Signed-off-by: Rolf Neugebauer + +commit d46eec79e0347e128fbeda1757f8026625554976 +Author: Rolf Neugebauer +Date: Tue Jul 18 13:58:42 2017 +0100 + + Fix resolv.conf + + The list of DNS servers is comma separated, not space separated: + '\"HostDnsServerList\":\"172.24.16.1,10.14.32.10\"' + + Also fix permissions on /etc/resolv.conf. It should not be executable + and should be world readable. + + Signed-off-by: Rolf Neugebauer + +commit 81b67b19f6f325e247d508b365897b0e62955938 +Author: Rolf Neugebauer +Date: Mon Jul 17 17:42:30 2017 +0100 + + Use netnscfg to configure the network interface + + As pointed out in the previous commit, dealing with network namespaces + in Go is iffy, at best. This commit moves the network configuration + over to use the new utility introduced by the previous commit. + + Note, this changes the timing of when the network is configured. + Previously, 'eth0' would be configured in the root network + namespace during 'CreateContainer()' and then later moved to + the runc container network namespace in 'ExecProcess()'. With the + new approach, the network interface is configured directly inside + 'ExecProcess()' and 'eth0' remains down until then. + + This not only makes the code simpler, but also removes the rather + brittle code, which tried to gather the network configuration in the + root network namespace and then replay it inside the new container + namespace. + + /etc/resolv.conf also needed special attention as it is added to + baselayer and with the change of ordering of network config the /etc + must exist before creating the overlay rootfs. + + 
Signed-off-by: Rolf Neugebauer + +commit 1127136d69c9785b9da908fa46a9a09f880f2d6d +Author: Rolf Neugebauer +Date: Mon Jul 17 15:22:07 2017 +0100 + + Add a utility to configure a network interface in a namespace + + Currently, the network namespaces are configured in the root namespace + and then later moved into the new container network namespace. Dealing + with network namespaces in Go is really tricky as one has very little + control over which go routine is run on which kernel thread/process + and the network namespace ('netns.SetNs()') is tied to the kernel + thread/process. Moving the code to a seperate utility allows us to + lock the kernel threads early on and allows us to use the 'netns' + package in a safer way. + + 
Signed-off-by: Rolf Neugebauer + +commit 89bf22d249a9b97097f5ca5e0045d6cbb9b34591 +Author: Justin Terry (VM) +Date: Mon Jul 17 10:48:58 2017 -0700 + + Removes the fixed paths to runc. + + exec.Command will use a LookPath so we dont want to hard code paths to commands we are running. + + Resolves: #52 + +commit dd93d23a99c63b8237374e4197ce6609f6c05b24 +Author: John Starks +Date: Mon Jul 17 17:43:28 2017 -0700 + + Fix broken storage tests + +commit 4adb4ea1e1e7c16c3d21022a933a651dee0192d3 +Author: Ben Weedon +Date: Mon Jul 17 11:57:37 2017 -0700 + + Add script to service/gcs for setting up GCS tests + +commit ad7a0bb54a305983640e093b19a44391b56ccce4 +Merge: a208e8c10 f10359fa8 +Author: Cheng-mean Liu +Date: Mon Jul 17 16:03:59 2017 -0700 + + Merge pull request #58 from jterry75/master + + Removes the fixed paths to runc. + +commit 1f8bebc2aa7bb59397ea9c90241f079d2e21e441 +Merge: 1801e612f c30d96bad +Author: John Starks +Date: Mon Jul 17 15:07:53 2017 -0700 + + Merge branch 'master' into vpmem + +commit a208e8c10e1827d53930bcb288435622d59592d0 +Merge: c30d96bad 33a7b06e7 +Author: Akash Gupta +Date: Mon Jul 17 15:07:04 2017 -0700 + + Merge pull request #62 from Microsoft/ci + + Added initial Trais CI for the opengcs + +commit 33a7b06e79582fd3cead1349de66db028be96c5b +Author: Cheng-mean Liu (SOCCER) +Date: Mon Jul 17 14:51:45 2017 -0700 + + Added initial CI setup + +commit 07158af7d6668de31b0e6c58ce5c597e3c8bc9c4 +Author: Cheng-mean Liu (SOCCER) +Date: Mon Jul 17 14:43:09 2017 -0700 + + Added initial CI setup + +commit 40ae86f068c3836ec2a8051cb4d1ee3b12d66587 +Author: Cheng-mean Liu (SOCCER) +Date: Mon Jul 17 14:37:59 2017 -0700 + + Added initial CI setup + +commit 0ed2d03dd587c18fe458a8766b6c90d33519f3a5 +Author: Cheng-mean Liu (SOCCER) +Date: Mon Jul 17 14:34:47 2017 -0700 + + Added initial CI setup + +commit 1801e612fb68a416b7aae005f0845cd3da4a4e78 +Author: John Starks +Date: Mon Jul 17 14:12:57 2017 -0700 + + Adjustments from PR feedback + +commit 
69095136092c205a7fa8ccda524defc874903148 +Author: Ben Weedon +Date: Mon Jul 17 12:27:15 2017 -0700 + + Don't produce error when removing mapped disk or directory + +commit 4193a8575703dd7f8cc699a4de15b395b1c5fa96 +Author: Ben Weedon +Date: Wed Jul 5 13:56:09 2017 -0700 + + Implement mapped directories + + These directories are implemented using the Plan9 filesystem. Given a + mount location and a port, the GCS can mount a directory as a Plan9 + share to the host. + +commit f10359fa8229fa730a51b8a35af43d031268ed6b +Author: Justin Terry (VM) +Date: Mon Jul 17 10:48:58 2017 -0700 + + Removes the fixed paths to runc. + + exec.Command will use a LookPath so we dont want to hard code paths to commands we are running. + + Resolves: #52 + +commit c30d96bad25e9d7eea281879c2afc6765706b0a1 +Merge: 820861ce9 407b0488b +Author: Cheng-mean Liu +Date: Mon Jul 17 10:44:07 2017 -0700 + + Merge pull request #51 from Microsoft/cleanup + + General Cleanup + +commit 820861ce926342cb536516d0d74bdf62f0180a35 +Merge: 47c88e858 80946f01e +Author: Cheng-mean Liu +Date: Mon Jul 17 10:31:48 2017 -0700 + + Merge pull request #55 from shaggygi/patch-1 + + Update README.md + +commit ea6148b7547ba806232a35a1e4805633fd2a2863 +Author: John Starks +Date: Sun Jul 16 15:37:32 2017 -0700 + + gcs: Add per-layer vPMEM support + +commit 80946f01e490af57e1afd3a06ad750d526f705cc +Author: Greg Ingram +Date: Sat Jul 15 09:13:23 2017 -0400 + + Update README.md + + Wording + +commit 47c88e858a733cc468f4316a3635a255a478f664 +Merge: c46a09287 af88832f9 +Author: Cheng-mean Liu +Date: Fri Jul 14 18:40:47 2017 -0700 + + Merge pull request #54 from Microsoft/loggingfix + + Fixed a gcs failure due to a logging switching to logrus package + +commit af88832f9eba43c4930e9d66b2c2fd069f413b3f +Author: Cheng-mean Liu +Date: Fri Jul 14 18:29:15 2017 -0700 + + Fixed gcs failure from the typo in logFile + +commit 6ce633931928df07215d45c3ce701a598864600b +Author: Cheng-mean Liu +Date: Fri Jul 14 18:25:00 2017 -0700 + + Fixed 
gcs failure from the typo in logFile + +commit 407b0488b4522691968ef0814a9b587370964e82 +Author: Ben Weedon +Date: Fri Jul 14 15:28:12 2017 -0700 + + Turn off logging for all test suites + +commit f5eaeb6e2387e9177408908aa5ae62427ec28603 +Author: Ben Weedon +Date: Wed Jul 12 17:49:21 2017 -0700 + + Remove printErrors from bridge + +commit 354da03ae9b43ae8acceff0c7d720121353c7d1f +Author: Ben Weedon +Date: Wed Jul 12 17:32:48 2017 -0700 + + Fix GCS imports to use goimports format + +commit c46a092871d3a4ef043a535be6ed5829e7de62a5 +Merge: 4e4e6f28a c733155fb +Author: Cheng-mean Liu +Date: Fri Jul 14 15:12:59 2017 -0700 + + Merge pull request #37 from jterry75/master + + Merges all logging to use logrus + +commit c733155fb09d7effc5eb9f4fbbf1a8ff3c3e21c9 +Author: Justin Terry (VM) +Date: Wed Jul 12 14:31:27 2017 -0700 + + Merges all loging to use logrus + + Resolves #33 + +commit 4e4e6f28a03e974e6c32f00a91d51f9605821fdd +Merge: fbf06df5a cb82ebf90 +Author: Cheng-mean Liu +Date: Thu Jul 13 19:06:49 2017 -0700 + + Merge pull request #49 from Microsoft/mkfs-fix + + Fix mkfs.ext4 ordering + +commit fbf06df5a25ec8cbc426d48ae652377f51af9fb2 +Merge: c9970b0ba 771770c3f +Author: Cheng-mean Liu +Date: Thu Jul 13 19:03:06 2017 -0700 + + Merge pull request #50 from Microsoft/fix_tests + + Fix tests and other minor changes + +commit 771770c3f89e45a767fca7e3deaf46459c86354a +Author: Ben Weedon +Date: Thu Jul 13 18:23:15 2017 -0700 + + Move gcsrunc state from /var/lib to /var/run + +commit bd36060c52e419bb16e549111bd1d78ec57065e5 +Author: Ben Weedon +Date: Thu Jul 13 18:11:32 2017 -0700 + + Only set runc command's stdio handles if fileSet field not nil + + There's apparently a difference in Go between setting something to nil, + and setting it to a nil interface. Setting cmd.Std* to a nil interface + from fileSet was causing something to get messed up in the runc command + itself, and the create call would hang. 
+ +commit 043d568f2a509adb89eada1166e96842680a5592 +Author: Ben Weedon +Date: Thu Jul 13 18:07:58 2017 -0700 + + Fix some storage and runC tests + + Need to make sure tests expect dirs created by GCS to be under /tmp. + Also, make sure /var/run/runc even exists before cleaning it up. + +commit cb82ebf90005303a755638bb9a1a993f4e967f42 +Author: Akash Gupta +Date: Thu Jul 13 17:25:37 2017 -0700 + + Fix mkfs.ext4 ordering + +commit c9970b0bac8cd9f9f5a864dab46c660d9ce190e0 +Merge: b81761efe 742a2a81e +Author: Akash Gupta +Date: Thu Jul 13 17:05:24 2017 -0700 + + Merge pull request #40 from Microsoft/docs + + Added additional details on the build instructions + +commit 742a2a81eee9146c05fca9b7b0251814b73a02b9 +Author: Cheng-mean Liu (SOCCER) +Date: Thu Jul 13 16:59:15 2017 -0700 + + Added additional details on the build instructions + +commit b81761efe308933037e42b8a0aa26db56567d642 +Merge: d6b438938 3add33422 +Author: Cheng-mean Liu +Date: Thu Jul 13 16:51:28 2017 -0700 + + Merge pull request #44 from jhowardmsft/jjh/gcs.log + + GCS log to gcs.log + +commit d6b438938e0a2ece60e347c82f2dde21617f29dc +Merge: df1c627c6 5b33f9bbc +Author: Cheng-mean Liu +Date: Thu Jul 13 16:41:27 2017 -0700 + + Merge pull request #35 from jstarks/vsock_passthrough_containers + + gcs: Pass vsock handles to container processes + +commit df1c627c6bacb8b84fc36bbfa7a2ab0f80932a35 +Merge: 1c65d61c0 914e25fad +Author: John Starks +Date: Thu Jul 13 16:39:12 2017 -0700 + + Merge pull request #47 from Microsoft/readonly + + Moved storage root and base file path away from potetial real-only directory + +commit 914e25fad87c4474ab61e20062872a1341f644d0 +Author: Cheng-mean Liu +Date: Thu Jul 13 16:07:33 2017 -0700 + + Moved storage root and base file path away from potetial real-only directory + +commit 3add334221ef59cb0758eecf5ed88e3e42269200 +Author: John Howard +Date: Thu Jul 13 14:48:49 2017 -0700 + + GCS log to gcs.log + + 
Signed-off-by: John Howard + +commit 097c9baf663462a881fed1065b0eee1ef500f0ed +Author: Cheng-mean Liu (SOCCER) +Date: Thu Jul 13 10:18:11 2017 -0700 + + Added additional details the build instrutions + +commit 1c65d61c0ed1d0891108c8e9b5c7359408dd1e1e +Merge: 7ddc2f62d 204eda2ad +Author: Cheng-mean Liu +Date: Thu Jul 13 10:08:48 2017 -0700 + + Merge pull request #39 from jhowardmsft/jjh/additionalbinaries + + Add binaries used by docker + +commit 204eda2adc86dad287efbc887ab587603ae2dd1b +Author: John Howard +Date: Thu Jul 13 09:32:16 2017 -0700 + + Add binaries used by docker + + 
Signed-off-by: John Howard + +commit 7ddc2f62d93fa1e75c74a3fafa2f75a761989a99 +Author: Cheng-mean Liu +Date: Wed Jul 12 16:28:19 2017 -0700 + + Added docs for how to produce a custom Linux OS image (#38) + + Added LCOW custom kernel build instructions + +commit 5b33f9bbc4df74487538b5485fc60a4330713601 +Author: John Starks +Date: Wed Jul 12 14:59:27 2017 -0700 + + Update with PR feedback + +commit e115671db7a8bb56b8fa6e5d91e06a90ac621aff +Author: John Starks +Date: Wed Jul 12 12:12:18 2017 -0700 + + gcs: Pass vsock handles to container processes + + This also unifies the TTY relay code for external and container + processes and fixes several possible file descriptor leaks. + +commit 2e5c2fac44f4f618017db8a89f9d415aa60ad5b3 +Merge: 422813e48 79138b2e3 +Author: Cheng-mean Liu +Date: Tue Jul 11 18:07:29 2017 -0700 + + Merge pull request #34 from Microsoft/patch + + Updated patches with previsouly missing Signed-off-by line + +commit 79138b2e366b886d81308e7561bcfa998cb555fe +Author: Cheng-mean Liu (SOCCER) +Date: Tue Jul 11 17:04:56 2017 -0700 + + Updated patches with previsouly missing Signed-off-by line + +commit 422813e483ed752322a24b837950514d4c61bd39 +Merge: 4a268ffb0 ffe98a9ed +Author: Cheng-mean Liu +Date: Tue Jul 11 16:13:40 2017 -0700 + + Merge pull request #24 from Microsoft/hresult + + Support embedding HRESULT codes in errors + +commit 4a268ffb04f5f86b5332ad7998187b879df2da54 +Merge: 12a034c67 53f4eb8d9 +Author: Cheng-mean Liu +Date: Tue Jul 11 16:13:23 2017 -0700 + + Merge pull request #23 from jstarks/vsock_passthrough + + gcs: Pass vsock handles through to external processes + +commit 53f4eb8d9056fa57fca53c9657d70b2e6806b7d8 +Merge: 9cb63675d 12a034c67 +Author: John Starks +Date: Tue Jul 11 15:59:07 2017 -0700 + + Merge branch 'master' into vsock_passthrough + +commit 12a034c67b5e7827969237d00b9e7b1b85bec58c +Merge: 1b76cf09f 5fcbbbfad +Author: Akash Gupta +Date: Tue Jul 11 15:45:42 2017 -0700 + + Merge pull request #25 from Microsoft/kconfig + + Added a 
vhdx file with prebuilt empty ext4 for configuing ServiceVM + +commit 1b76cf09f3ad8a97e8e265f121dafe61639259f2 +Merge: b987a683d 02640a311 +Author: Cheng-mean Liu +Date: Tue Jul 11 15:35:39 2017 -0700 + + Merge pull request #32 from Microsoft/dcui-patch-add-Signed-off-by + + Update the commits after I added my Signed-off-by + +commit b987a683dd0537576e8cb3ec77738ff705986d7d +Merge: ffb9d0957 c8ee352ed +Author: Akash Gupta +Date: Tue Jul 11 15:34:26 2017 -0700 + + Merge pull request #29 from Microsoft/fix_runc_tests + + Fix issue in runC tests where container list not initialized + +commit 02640a311ab1e913ef523c5f3a707834ac1ae71d +Author: Dexuan Cui +Date: Tue Jul 11 15:26:15 2017 -0700 + + Update the commits after I added my Signed-off-by + + The 17 commits are on https://github.com/dcui/linux/commits/decui/hv_sock/v4.11/20170511-debug-0628-with-signed-off-by-of-dexuan-fixed. + +commit ffb9d0957dc234036920ffa43fcfec47d3ed6f60 +Merge: 101346455 4d0b5c7bd +Author: Cheng-mean Liu +Date: Tue Jul 11 14:55:27 2017 -0700 + + Merge pull request #27 from jstarks/unvendor + + Remove unused vendored packages + +commit 9cb63675dfbb273eea64b842c31330416b66d30e +Author: John Starks +Date: Tue Jul 11 13:17:38 2017 -0700 + + Update string for mock + +commit c8ee352ed63ce5958c21269159fa98f4763a23af +Author: Ben Weedon +Date: Tue Jul 11 11:31:03 2017 -0700 + + Fix issue in runC tests where container list not initialized + + This caused the list to leak between tests, resulting in data races and + test failures. + +commit ffe98a9ed85868cc025af3dd20874f6e99d101c3 +Author: Ben Weedon +Date: Mon Jul 10 12:38:31 2017 -0700 + + Support embedding HRESULT codes in errors + + This allows the GCS to return HRESULTs to the HCS for certain errors. + HRESULTs are a common way for the HCS to represent errors. + + This change only adds HRESULTs to JSON parsing errors at the moment. It + is mostly focused on building the necessary infrastructure. Additional + HRESULTs can be added now as needed. 
+ +commit 1013464555eba0deae682653bf18af354ff38ce6 +Merge: b53a32cbc b0ca67659 +Author: Cheng-mean Liu +Date: Tue Jul 11 11:16:33 2017 -0700 + + Merge pull request #20 from jstarks/abstract + + gcs: Improve runtime abstraction + +commit 4d0b5c7bd0d5450f0325cb2980e7d13edbbb3951 +Author: John Starks +Date: Mon Jul 10 18:39:24 2017 -0700 + + Remove unused vendored packages + +commit b44279598fc570924e3a95bd7b9ac17b499554b4 +Author: John Starks +Date: Mon Jul 10 14:27:50 2017 -0700 + + gcs: Pass vsock handles through to external processes + + There's no need to use a relay for non-terminal cases; just pass the + vsock handles through. This change only does this for external + processes. A subsequent change will add support in container processes. + +commit b0ca67659a8dcb8d510aaf06d3016bde8ae68405 +Author: John Starks +Date: Fri Jul 7 17:14:52 2017 -0700 + + gcs: Improve runtime abstraction + + This adds Container and Process interfaces that abstract operations on + container and processes, respectively. + +commit 5fcbbbfad94cd41b69ee9135b0d4c5e85a9b614f +Author: Cheng-mean Liu (SOCCER) +Date: Mon Jul 10 15:52:16 2017 -0700 + + Added a vhdx file with prebuilt empty ext4 for configuing ServiceVM + +commit b53a32cbc2fff5be85b03fb78be5b57b845db85b +Merge: da5b2c868 b7d99ec77 +Author: Akash Gupta +Date: Mon Jul 10 14:41:29 2017 -0700 + + Merge pull request #22 from jstarks/make_pkg + + Make go binaries using a private pkg directory + +commit da5b2c8686a7a853c1f471f2d4f07808658f1edf +Merge: 1ff403115 795281de4 +Author: Akash Gupta +Date: Mon Jul 10 14:28:34 2017 -0700 + + Merge pull request #21 from jstarks/close_config + + runc: Close config.json after reading it + +commit 04a5329a68b3188c3c37093ffcadf45c187920e2 +Author: John Starks +Date: Mon Jul 10 14:27:03 2017 -0700 + + Revendor github.com/linuxkit/virtsock/pkg/vsock + + This adds support for vsock.Conn.File(). 
+ +commit 795281de478757ae8b717a2539575cce5cea3df3 +Author: John Starks +Date: Mon Jul 10 13:51:04 2017 -0700 + + runc: Close config.json after reading it + +commit b7d99ec776a98303f21d89b4ab7b3987a0817079 +Author: John Starks +Date: Fri Jul 7 19:01:00 2017 -0700 + + Make go binaries using a private pkg directory + + When CGO_ENABLED is set to 0, go needs to rebuild its runtime without + cgo support. This requires write access to GOROOT, which the user often + does not have. + + Since this is the non-default configuration, the best thing to do is to + store the pkg cache locally so that Go does not try to overwrite any + existing packages built with CGO_ENABLED=1. + + This also requires removing the -N -l flags from go, since building the + go runtime with these flags set often fails. + +commit 1ff4031159dc53daa0ddabbf418f3bfbea599aff +Merge: 6b3361780 a8e579f5d +Author: Akash Gupta +Date: Mon Jul 10 10:33:00 2017 -0700 + + Merge pull request #19 from Microsoft/kconfig + + updated kconfig with the real kconfig contents + +commit a8e579f5d2cc969e5b881f670f0367a1f240188e +Author: Cheng-mean Liu (SOCCER) +Date: Sun Jul 9 12:38:41 2017 -0700 + + updated kconfig + +commit 6b3361780e5cf17463c2eae68b957fa1fa96eba1 +Merge: 5ddfff20a 6d5bbbdbd +Author: Akash Gupta +Date: Fri Jul 7 14:45:46 2017 -0700 + + Merge pull request #16 from Microsoft/readme + + update hyperv vsock commit list + +commit 5ddfff20af6244c60671f9f05c25d508c73ea1e2 +Merge: b9bd5a73f c9017c37f +Author: Cheng-mean Liu +Date: Fri Jul 7 14:42:19 2017 -0700 + + Merge pull request #18 from Microsoft/golint-gcsutils + + Fixed golint warnings on gcsutils + +commit b9bd5a73f5f409d7baf5f599a6c1da1751f1bf20 +Merge: 32eadd938 ad8e94d30 +Author: Cheng-mean Liu +Date: Fri Jul 7 14:40:39 2017 -0700 + + Merge pull request #17 from Microsoft/revendor-vsock + + Revendor vsock + +commit 6d5bbbdbd7d8eaebc599752755271a8e8fbe42be +Author: Cheng-mean Liu +Date: Fri Jul 7 14:37:06 2017 -0700 + + update hyperv vsock commit list + 
+commit c9017c37fcf5db732d35722ab06eeac056115d11 +Author: Akash Gupta +Date: Fri Jul 7 14:20:02 2017 -0700 + + Fixed golint warnings on gcsutils + +commit ad8e94d3081c9c771914d85dbcacc80fa1734293 +Author: Akash Gupta +Date: Fri Jul 7 12:49:36 2017 -0700 + + Revendor linuxkit/virtsock/pkg/vsock@298d0178dbea9b267e90112c02bad8835ecf5d63 + +commit 32eadd9387723bf25add759c5e7c358c048145af +Merge: aab751f86 b69f427ff +Author: Akash Gupta +Date: Fri Jul 7 12:31:23 2017 -0700 + + Merge pull request #15 from Microsoft/gen_test_layers + + Generate layer files during storage tests + +commit 39dabcd8ebfacdbea0e6e5561a92f89b9971d6ba +Author: Cheng-mean Liu +Date: Fri Jul 7 11:54:23 2017 -0700 + + update hyperv vsock commit list + +commit abde106edd39e67c6e89ec3c44763fa41411b2ad (tag: v0.5.27) +Merge: 5401bead4 84301e30c +Author: John Howard +Date: Fri Jul 7 11:34:42 2017 -0700 + + Merge pull request #126 from madhanrm/policylist + + Expose HNS Related APIs for Endpoints/Networks/PolicyLists/Policies + +commit b69f427ffe17767905c30cadd16516d0ca5aa525 +Author: Ben Weedon +Date: Fri Jul 7 10:52:09 2017 -0700 + + Generate layer files during storage tests + + Previously, four layer files (scratch, layer1, layer2, and layer3) were + included in the repo. The storage tests would then test mounting against + these layers. Now, these layer files are generated on the fly by the + test, so that binary files don't need to be included in the repo. 
+ +commit 84301e30cf62c8dbdf413dedcc9f59b832c93ce1 +Author: Madhan Raj Mookkandy +Date: Tue Jun 20 11:45:40 2017 -0700 + + Export HNS Related APIs for Endpoints/Networks/PolicyLists/Policies + Add ROUTE policy and methods to create it + Add a new Property for network (AutomaticDNS) + Fixing some Log Typos + Incorportated review comments + +commit aab751f8661e8accb5a729425bed88466b5aa2a2 +Merge: e9f191ad8 10943402f +Author: Cheng-mean Liu +Date: Thu Jul 6 18:14:46 2017 -0700 + + Merge pull request #14 from jstarks/vsock_cloexec + + gcs: Vendor jstarks/virtsock to fix vsock fd leak + +commit 10943402f6c01fd08087b20eecae0f87e26d804d +Author: John Starks +Date: Thu Jul 6 17:54:56 2017 -0700 + + gcs: Vendor jstarks/virtsock to fix vsock fd leak + + This vendors a virtsock fix in so that child processes do not + inherit all vsock fds when they are launched. + +commit 3049d65d10b479cd1c011eafae01a0fba4a73b01 +Author: Ben Weedon +Date: Thu Jul 6 17:40:14 2017 -0700 + + Simplify loopback code in storage_test.go + + The code no longer has special casing for scratch devices vs layers, and + always mounts to the loop devices with the lowest numbers. + +commit e9f191ad80402d9cdfc52ed6206cfae9fb66ffd3 +Merge: d12d6dcbd c4549cc4d +Author: Akash Gupta +Date: Thu Jul 6 16:38:27 2017 -0700 + + Merge pull request #10 from jhowardmsft/refreshclient + + Refresh client to latest + +commit c4549cc4d8bea91c049975a6b5a1a020ecbda50e +Author: John Howard +Date: Thu Jul 6 16:07:56 2017 -0700 + + Refresh client to latest + + 
Signed-off-by: John Howard + +commit d12d6dcbd5c64931d218954dac4208e1d3ef9a7f +Merge: 3d645d8a6 e16565f17 +Author: Cheng-mean Liu +Date: Thu Jul 6 12:31:35 2017 -0700 + + Merge pull request #9 from Microsoft/linting + + Linting + +commit 3d645d8a625628cd2de6bb255bab1a20631afe81 +Merge: d0011f60b 80a64dbc3 +Author: Cheng-mean Liu +Date: Thu Jul 6 12:30:10 2017 -0700 + + Merge pull request #8 from Microsoft/ignore-bins + + ignore bin directory + +commit e16565f17171fffde4099fd5b55cfe20e2d08f96 +Author: Ben Weedon +Date: Mon Jul 3 17:37:33 2017 -0700 + + Lots of changes all around fixing golint warnings + + This commit does not fix all golint warnings. It only fixes the ones it + seemed reasonable to fix without reducing code clarity or adding + unnecessary comments. It also does not fix any warnings in serviceVM + code, just GCS code. + +commit aad6ab8bc6d24a6c9aa037c4389ad8e4c339be7b +Author: Ben Weedon +Date: Mon Jul 3 14:56:36 2017 -0700 + + Remove newline at end of error string + +commit 80a64dbc31e5febe59266935d6b874b0083cf03f +Author: Akash Gupta +Date: Thu Jul 6 10:44:27 2017 -0700 + + ignore bin directory + +commit d0011f60b7170dd119b1a2f4e4eb96a2311f9aef +Merge: ac9468aa1 bed71d218 +Author: Akash Gupta +Date: Wed Jul 5 18:00:03 2017 -0700 + + Merge pull request #7 from Microsoft/readme + + Fixed broken gcsbuildinstrutions link + +commit bed71d218e00e545781b35d00211657f632b6be1 +Author: Cheng-mean Liu +Date: Wed Jul 5 17:50:51 2017 -0700 + + Fixed broken gcsbuildinstrutions link + +commit ac9468aa192ce9e8646f04e91a338121bf7418b6 +Author: Cheng-mean Liu +Date: Wed Jul 5 16:39:13 2017 -0700 + + Added gcs building instructions (#5) + + * Added opengcs repo clone and build instructions + + * Added opengcs repo clone and build instructions + + * Added opengcs repo clone and build instructions + + * Added opengcs repo clone and build instructions + + * Added opengcs repo clone and build instructions + +commit c2ef1ee9ba68c6d83966f19b26a2258c7fcbb4c9 +Merge: 
8ff7ccfbf a0a16bb02 +Author: Cheng-mean Liu +Date: Mon Jul 3 16:03:06 2017 -0700 + + Merge pull request #4 from Microsoft/init_dirs + + Populated opengcs with initial GCS soruce files + +commit a0a16bb02d1df306aca0574d43d875e8f30a0d80 +Author: Cheng-mean Liu +Date: Mon Jul 3 15:58:48 2017 -0700 + + Populated opengcs with initial GCS soruce files + +commit 8ff7ccfbf9c2d7713364b32a4d4c686ddc305483 +Merge: d2bd0f812 d1ff48192 +Author: Akash Gupta +Date: Wed Jun 28 14:21:22 2017 -0700 + + Merge pull request #1 from Microsoft/soccerGB-patch-1 + + Update README.md + +commit d1ff48192e0a2dc7f3878f3413e5cb12885dbf1a +Author: Cheng-mean Liu +Date: Wed Jun 28 14:16:28 2017 -0700 + + Update README.md + + Added initial README.md + +commit d2bd0f8122899e1261e5b68cacad6a9cbc23d373 +Author: Microsoft Open Source +Date: Tue Jun 27 14:29:15 2017 -0700 + + Initial commit + +commit db733a7534b7269ed087fc65a6c8a139bf741f01 +Author: Microsoft Open Source +Date: Tue Jun 27 14:29:13 2017 -0700 + + Initial commit + +commit e96ee58a3f31ed147d75e3ef9ed6e0a73f48bc30 +Author: Microsoft GitHub User +Date: Tue Jun 27 14:28:56 2017 -0700 + + Initial commit + +commit 5401bead4feac753f42a6b72f9d8c2c30647d61e (tag: v0.5.26) +Merge: 78039139c f0390624f +Author: John Starks +Date: Tue Jun 27 12:02:28 2017 -0700 + + Merge pull request #129 from Microsoft/user/jostarks/mappedpipes + + Add HCS interface for mapped named pipes + +commit f0390624f58858bd5881c86d0636a24a4045a1b1 +Author: John Starks +Date: Mon Jun 26 19:12:15 2017 -0700 + + Add HCS interface for mapped named pipes + +commit 78039139c5008979e0de976962c6b4321dae02b0 (tag: v0.5.25) +Merge: 391074557 352678954 +Author: John Starks +Date: Thu Jun 22 17:02:16 2017 -0700 + + Merge pull request #128 from jstarks/commandargs + + Add CommandArgs for passing Linux arguments correctly + +commit 352678954657d2a8a512035aa6ed2bb39707b2a4 +Author: John Starks +Date: Thu Jun 22 17:00:00 2017 -0700 + + Add CommandArgs for passing Linux arguments correctly + 
+commit 391074557be6835013e03314ed43a0a7d3e67958 (tag: v0.5.24) +Merge: a6281990d d797473d5 +Author: John Howard +Date: Thu Jun 22 14:12:18 2017 -0700 + + Merge pull request #127 from Microsoft/jjh/schema + + HCS schema updates for 6/21 on builds + +commit d797473d5383f65b1afd1c0cb6633f5e9e2f723d +Author: John Howard +Date: Thu Jun 22 14:11:17 2017 -0700 + + HCS schema updates for 6/21 on builds + + Signed-off-by: John Howard + +commit a6281990dd880fc5a285c788f65508917e390e3c (tag: v0.5.23) +Merge: 0ec2249ab 30c2d28a2 +Author: John Howard +Date: Thu Jun 15 11:42:10 2017 -0700 + + Merge pull request #125 from Microsoft/jjh/fixbadlogging + + Fix bad debug log + +commit 30c2d28a2f157e419cc6ff022ad6a24bba80fed8 +Author: John Howard +Date: Thu Jun 15 11:41:09 2017 -0700 + + Fix bad debug log + + Signed-off-by: John Howard + +commit 0ec2249abdf84d600b6a04c0fd9a48a80e989275 +Merge: 918b03ed5 619f41d84 +Author: John Howard +Date: Thu Jun 15 11:39:18 2017 -0700 + + Merge pull request #124 from Microsoft/jjh/modifytointerface + + Change Data to interface in ResourceModificationRequestResponse + +commit 619f41d8447b29a1e9cff24671538704f9cb84ca +Author: John Howard +Date: Wed Jun 14 17:56:12 2017 -0700 + + Change Data to interface in ResourceModificationRequestResponse + + Signed-off-by: John Howard + +commit 461d6cb5453df54ec1b746a43dd2bb320f0f18f8 +Author: Anand Gaitonde +Date: Tue Jun 13 09:20:28 2017 -0700 + + downcase github.com/sirupsen/logrus imports + + According to the sirupsen/logrus README, this package should be imported + entirely lowercased. + +commit 918b03ed5b5dcbbc34e89064f4e5bfdd17be5bb6 (tag: v0.5.22) +Merge: fd95ed0cb 17e710d8a +Author: John Howard +Date: Wed Jun 7 12:52:18 2017 -0700 + + Merge pull request #122 from Microsoft/jjh/linuximage + + Add initrd/kernel path to HvRuntime + +commit 17e710d8a33b5ffdee339f84e400a1f959b8b880 +Author: John Howard +Date: Wed Jun 7 12:46:29 2017 -0700 + + Add initrd/kernel path to HvRuntime + + 
Signed-off-by: John Howard + +commit fd95ed0cbd97f207707146ca058f57f9bc23687f (tag: v0.5.21) +Merge: 106da6777 513a999d8 +Author: John Howard +Date: Wed Jun 7 12:30:23 2017 -0700 + + Merge pull request #121 from Microsoft/jjh/mappedvirtualdisk + + Add MappedVirtualDisks to ContainerConfig + +commit 513a999d894ecbb74465d3d9c2c258005e6953ee +Author: John Howard +Date: Wed Jun 7 12:21:01 2017 -0700 + + Add MappedVirtualDisks to ContainerConfig + + Signed-off-by: John Howard + +commit 106da67770a4b3388d3e872a99ac80e756a28d13 (tag: v0.5.20) +Merge: ad62b0caf 7edb791bf +Author: John Howard +Date: Tue Jun 6 11:51:34 2017 -0700 + + Merge pull request #120 from Microsoft/jjh/omitempty + + OmitEmpty on ProcessConfig fields + +commit 7edb791bfbd2fed6dea8a07fb6853a323455b565 +Author: John Howard +Date: Tue Jun 6 10:32:36 2017 -0700 + + OmitEmpty on ProcessConfig fields + + Signed-off-by: John Howard + +commit ad62b0cafa1e41ad10961fe1bc20d28edcbba9e5 +Author: John Howard +Date: Fri Jun 2 11:48:56 2017 -0700 + + Remove IsDummy + + Signed-off-by: John Howard + +commit 3146c55e7c57ac6bc20e457ea1a38bd77c081ca9 (tag: v0.5.19) +Merge: 84ea0d366 38e5a9f47 +Author: Cheng-mean Liu +Date: Thu Jun 1 16:13:36 2017 -0700 + + Merge pull request #119 from Microsoft/jjh/lcowinterface + + LCOW: Add fields + +commit 38e5a9f470c8fe25dc1362145841cbddea591f4f +Author: John Howard +Date: Thu Jun 1 09:31:35 2017 -0700 + + LCOW: Add fields + + Signed-off-by: John Howard + +commit 84ea0d3666475c550167921c45a8df68552aa478 (tag: v0.5.18) +Merge: 49582cc50 43879e46e +Author: John Howard +Date: Wed May 24 14:01:14 2017 -0700 + + Merge pull request #117 from Microsoft/jjh/removesandboxpath + + Remove SandboxPath + +commit 43879e46ec89fe5fbfdb0502510b4c310bf6e6b1 +Author: John Howard +Date: Wed May 24 13:51:20 2017 -0700 + + Remove SandboxPath + + 
Signed-off-by: John Howard + +commit 49582cc501b7b6ade520e91e61e8d77c8a6e162e (tag: v0.5.17) +Merge: d673e9771 ec86ea14c +Author: John Starks +Date: Mon May 8 10:49:17 2017 -0700 + + Merge pull request #114 from darrenstahlmsft/RemoveFinalizers + + Remove finalizers due to go1.8 liveness + +commit d673e9771d2d9f70900c47d533e2cb28d05cf9ef (tag: v0.5.16) +Merge: 75e4c004b dbc4b0ccb +Author: John Howard +Date: Mon May 8 10:26:54 2017 -0700 + + Merge pull request #115 from jstarks/generous_linking + + Allow hard links between utility VM and base layer + +commit dbc4b0ccb6f783988438c543fbea640c45245c22 +Author: John Starks +Date: Fri May 5 17:19:46 2017 -0700 + + Allow hard links between utility VM and base layer + + To save space, new Windows container images will have hard links between + the utility VM image and the container base layer. This change relaxes + hcsshim's requirements to allow this behavior. + +commit ec86ea14ca77bef1a6656327e918de83e07f65d0 +Author: Darren Stahl +Date: Thu May 4 11:40:50 2017 -0700 + + Remove finalizers due to go1.8 liveness + + Signed-off-by: Darren Stahl + +commit 75e4c004b5824be6dd2bee4c47451f9fc33ebf4d (tag: v0.5.15) +Merge: 7fb72df30 26ffe5a5d +Author: John Howard +Date: Thu Apr 6 12:05:46 2017 -0700 + + Merge pull request #112 from Microsoft/jjh/removewhitespace + + Remove whitespace from LICENSE + +commit 26ffe5a5ddb6caa707d97ceb9ee6450df04601b9 +Author: John Howard +Date: Thu Apr 6 12:04:37 2017 -0700 + + Remove whitespace from LICENSE + + 
Signed-off-by: John Howard + +commit 7fb72df30c604381a1bd0e82fa3660d4e3584307 (tag: v.0.5.14) +Merge: eb3470df7 73084cdf2 +Author: John Howard +Date: Wed Mar 29 23:05:29 2017 -0700 + + Merge pull request #110 from madhanrm/hotadd + + Expose ModifySettings Support in HcsShim. + +commit 73084cdf2decd9e31ebffb5ae247be420429da36 +Author: Madhan Raj Mookkandy +Date: Wed Mar 29 17:33:34 2017 -0700 + + Expose ModifySettings Support in HcsShim. This is required for Hot Add/Remove of Network Endpoints + + Signed-off-by: Madhan Raj Mookkandy + +commit eb3470df7849886d6d40be84e2788d9d08fd40d2 (tag: v0.5.13) +Merge: 69507a3cc 1c8d1042e +Author: John Howard +Date: Thu Mar 23 11:37:37 2017 -0700 + + Merge pull request #111 from Microsoft/jjh/additionaljson + + Allow additional JSON for create container + +commit 1c8d1042ef8f3c101e3bb6bc4882d5d281b2c160 +Author: John Howard (VM) +Date: Wed Mar 22 13:56:09 2017 -0700 + + Allow additional JSON for create container + + Signed-off-by: John Howard (VM) + +commit 69507a3ccf423a86b1995f07b96b7541d093c000 (tag: v0.5.12) +Merge: 0f615c198 18e06133f +Author: Darren Stahl +Date: Wed Feb 15 10:14:18 2017 -0800 + + Merge pull request #109 from Microsoft/jjh/addaccessisdenied + + Add 'Access is denied' error + +commit 18e06133f8e48f5f3ed6c6cb0bb5270e8e3425e4 +Author: John Howard +Date: Wed Feb 15 09:45:03 2017 -0800 + + Add 'Access is denied' error + + Signed-off-by: John Howard + +commit 0f615c198a84e0344b4ed49c464d8833d4648dfc (tag: v0.5.11) +Merge: 71115b827 07f8c0bea +Author: John Howard +Date: Thu Jan 26 10:44:08 2017 -0800 + + Merge pull request #103 from madhanrm/ns + + Interface changes to support --net:container: for Windows + +commit 07f8c0beaab61a15a05525c11ef8c25054b2e862 +Author: Madhan Raj Mookkandy +Date: Fri Jan 13 16:56:31 2017 -0800 + + Interface changes to support --net:container: for Windows + + 
Signed-off-by: Madhan Raj Mookkandy + +commit 71115b82780d4248ef32f80519490b179d5da350 (tag: v0.5.10) +Merge: 2c872d137 010b942a6 +Author: John Howard +Date: Fri Jan 13 11:00:55 2017 -0800 + + Merge pull request #101 from msabansal/dnssearch + + Adding omitempty tag to DnsSearchList + +commit 010b942a6d082fc81e46ab474e8ddf9eb761cedc +Author: msabansal +Date: Fri Jan 13 10:25:53 2017 -0800 + + Adding omitempty tag to DnsSearchList + + Signed-off-by: msabansal + +commit 2c872d137f3a1064686710ec072141b741924fb3 +Merge: d327ca738 498b3a781 +Author: John Howard +Date: Mon Jan 9 16:05:14 2017 -0800 + + Merge pull request #98 from msabansal/dnssearch + + Added option to allow setting DNS search list for containers + +commit 498b3a781236972f8bd362fa461c2bce4eac433c +Author: msabansal +Date: Tue Dec 27 11:49:25 2016 -0800 + + Added option to allow setting DNS search list for containers + + Signed-off-by: msabansal + +commit d327ca738085de7d617aa1df16d98fe7a64c2455 (tag: v0.5.9) +Merge: ba7f9b77b e9f85e30b +Author: Darren Stahl +Date: Mon Nov 21 11:31:14 2016 -0800 + + Merge pull request #93 from darrenstahlmsft/UpdateMkSyscall + + Update mksyscall_windows.go to match upstream updates + +commit e9f85e30bf2dceced80b91683b82b01a6c7b7d88 +Author: Darren Stahl +Date: Fri Nov 18 18:20:11 2016 -0800 + + Update mksyscall_windows.go to match upstream updates + + Signed-off-by: Darren Stahl + +commit ba7f9b77b0a18ffd7cf697da401256c14a83f494 (tag: v0.5.8) +Merge: e439b7d2b 8a9596f9e +Author: John Howard +Date: Thu Nov 10 11:33:58 2016 -0800 + + Merge pull request #92 from darrenstahlmsft/GetContainerError + + bug fix: return errors from hcsEnumerateComputeSystem + +commit 8a9596f9ed4a689e90ef1f21eca4a02b84552a0f +Author: Darren Stahl +Date: Wed Nov 9 17:55:12 2016 -0800 + + bug fix: return errors from hcsEnumerateComputeSystem + + 
Signed-off-by: Darren Stahl + +commit e439b7d2b63f036d3a50c93a9e0b154a0d50e788 (tag: v0.5.7) +Merge: 6553f7caf f755000dc +Author: John Starks +Date: Tue Nov 8 12:05:42 2016 -0800 + + Merge pull request #82 from darrenstahlmsft/NilFinalizer + + Nil the finalizers on Close + +commit 6553f7cafaf3e2b7d993e8bc88bfb15e130bd4ab +Merge: 03051f0b5 3873740af +Author: John Howard +Date: Tue Nov 8 12:04:29 2016 -0800 + + Merge pull request #91 from darrenstahlmsft/properties + + Add comment for exported ContainerProperties + +commit 3873740af99f01470eeb54e461f91e6ceb1efa20 +Author: Darren Stahl +Date: Tue Nov 8 12:03:19 2016 -0800 + + Add comment for exported ContainerProperties + + Signed-off-by: Darren Stahl + +commit 03051f0b51fed0b880d03383910e76c72e4ef8ee +Merge: 9e91fe08c b5b46351e +Author: John Howard +Date: Tue Nov 8 12:02:12 2016 -0800 + + Merge pull request #90 from msabansal/DisableICC + + Fixing the field name to DisableICC + +commit b5b46351e45441b5993ecaab90812ee53a1c4f01 +Author: msabansal +Date: Tue Nov 8 12:00:29 2016 -0800 + + Fixing the field name to DisableICC + + Signed-off-by: msabansal + +commit 9e91fe08c6dc4e95fad6e9d1f6c5f650b946d513 (tag: v0.5.6, tag: v0.5.5) +Merge: 392add835 9f18f0048 +Author: John Howard +Date: Tue Nov 8 11:30:07 2016 -0800 + + Merge pull request #89 from msabansal/DisableICC + + Control path support to disable ICC + +commit 9f18f004899a9529e6e925d9b74b86049075f0f8 +Author: msabansal +Date: Mon Nov 7 17:37:11 2016 -0800 + + Control path support to disable ICC + + Signed-off-by: msabansal + +commit 392add8355ccd1d46111bd5144d631400c818f0e (tag: v0.5.5.5) +Merge: cf8b6fb40 09c11445e +Author: John Howard +Date: Tue Nov 8 11:16:05 2016 -0800 + + Merge pull request #88 from darrenstahlmsft/containerProperties + + Fix compile error due to containerProperties rename + +commit 09c11445e13187e80cbd880feef66d38d35a17e3 +Author: Darren Stahl +Date: Tue Nov 8 11:12:51 2016 -0800 + + Fix compile error due to containerProperties rename + + 
Signed-off-by: Darren Stahl + +commit cf8b6fb4074c5c6b86f74a6a1611b61859670ed4 (tag: v.0.5.4) +Merge: 44aa6ad64 1d14bc2b1 +Author: John Howard +Date: Tue Nov 8 11:04:35 2016 -0800 + + Merge pull request #84 from darrenstahlmsft/CombineTimeoutWait + + Combine timeout switches + +commit 44aa6ad64f186a74eee6613d6901900357a0da1f (tag: v0.5.3) +Merge: 4ca4b19e4 dd1bd8f3b +Author: John Howard +Date: Tue Nov 8 11:02:02 2016 -0800 + + Merge pull request #85 from darrenstahlmsft/RegisterCallbackOpen + + Add a callback registration when opening a container + +commit 4ca4b19e45abb33b2fdaf53d2b4df531078ef90f +Merge: c2c946457 8d4ff2e15 +Author: John Howard +Date: Tue Nov 8 10:59:26 2016 -0800 + + Merge pull request #86 from darrenstahlmsft/GetContainers + + Add GetContainers function + +commit c2c946457a3a614df2d3d569befd35a82fc5aa63 +Merge: ccae35550 2c0716647 +Author: John Howard +Date: Tue Nov 8 10:58:48 2016 -0800 + + Merge pull request #87 from Microsoft/jjh/user + + Add user to ProcessConfig interface + +commit 2c071664764b1a258c4bbb8b2716356176e8449d +Author: John Howard +Date: Tue Nov 8 10:44:36 2016 -0800 + + Add user to ProcessConfig interface + + Signed-off-by: John Howard + +commit dd1bd8f3bcf3ae86cb95b8548678aed1638f3311 +Author: Darren Stahl +Date: Mon Nov 7 17:24:37 2016 -0800 + + Add a callback registration when opening a container + + Signed-off-by: Darren Stahl + +commit 8d4ff2e15f1737661ee7c68c0fb827b8eb2c0c1b +Author: Darren Stahl +Date: Mon Nov 7 17:23:31 2016 -0800 + + Add GetContainers function + + Signed-off-by: Darren Stahl + +commit ccae3555085fbec1e146658768bd9e3dfea40092 +Merge: a2c7176d7 fd5191ac5 +Author: Darren Stahl +Date: Mon Oct 31 12:28:30 2016 -0700 + + Merge pull request #83 from darrenstahlmsft/AlreadyClosed + + Change ErrInvalidHandle to ErrAlreadyClosed + +commit 1d14bc2b16e20c3193670c05ead89276179cbed4 +Author: Darren Stahl +Date: Thu Oct 27 15:10:47 2016 -0700 + + Combine timeout switches + + 
Signed-off-by: Darren Stahl + +commit fd5191ac58e2ecfdc39468cf5cd59ade4692251e +Author: Darren Stahl +Date: Thu Oct 27 13:02:50 2016 -0700 + + Change ErrInvalidHandle to ErrAlreadyClosed + + Signed-off-by: Darren Stahl + +commit f755000dcd9caaf1304af87025fca9ea11176719 +Author: Darren Stahl +Date: Thu Oct 27 12:39:54 2016 -0700 + + Nil the finalizers on Close + + Signed-off-by: Darren Stahl + +commit a2c7176d71f579623ba55005e505905b44bf0baf (tag: v0.5.2) +Merge: b9ddf81bb 0eb786cbc +Author: John Starks +Date: Wed Oct 26 14:48:01 2016 -0700 + + Merge pull request #81 from darrenstahlmsft/PrepareLayerHack + + Serialize calls to PrepareLayer due to Windows bug + +commit 0eb786cbc7842b668cfed5cc448cf5ba9f2893c2 +Author: Darren Stahl +Date: Tue Oct 25 20:06:37 2016 -0700 + + Serialize calls to PrepareLayer due to Windows bug + + Signed-off-by: Darren Stahl + +commit b9ddf81bba1cfdccf64ce2e79f3d7a6865c1e278 +Merge: df9c56465 258284091 +Author: John Starks +Date: Fri Oct 21 18:31:26 2016 -0700 + + Merge pull request #79 from allencloud/allencloud-patch-1 + + Update hcsshim.go + +commit df9c564659bf5c8ca27213d328d127055703e16b +Merge: 00e294208 523023ef1 +Author: John Starks +Date: Fri Oct 21 18:30:47 2016 -0700 + + Merge pull request #80 from msabansal/overlay + + Overlay networking support + +commit 523023ef1ef8ec08b23bbff88ab68552c5f1a6d7 +Author: msabansal +Date: Fri Oct 21 16:59:22 2016 -0700 + + Overlay networking support + + 
Signed-off-by: msabansal + +commit 2582840915b13736236f52cd012927b5f77922e4 +Author: Allen Sun +Date: Wed Oct 5 11:17:35 2016 +0800 + + Update hcsshim.go + + correct HSC to HCS + +commit 00e2942088e65cec1754ae4096d1bae739efcc1f (tag: v0.5.1) +Merge: 0a4175a49 f63798c03 +Author: Stefan J. Wernli +Date: Mon Oct 3 17:12:23 2016 -0700 + + Merge pull request #77 from darrenstahlmsft/RemoveTP5 + + Remove TP5 support + +commit 0a4175a49a826b812be248e23deb0b7f13064b88 +Merge: 7fc39210b c38818f4e +Author: Stefan J. Wernli +Date: Mon Oct 3 10:50:18 2016 -0700 + + Merge pull request #78 from jstarks/use_lstat + + Use Lstat to avoid following reparse points + +commit c38818f4ebf563081923c0af6752d2e34a73ca05 +Author: John Starks +Date: Fri Sep 30 18:50:15 2016 -0700 + + Use Lstat to avoid following reparse points + + Signed-off-by: John Starks + +commit 7fc39210ba159ce923c7a22461c0b4efc53a8a9d +Merge: f6ba880e9 0fae7c9fc +Author: Stefan J. Wernli +Date: Fri Sep 30 13:41:01 2016 -0700 + + Merge pull request #76 from jstarks/uvm_dir + + Fix non-base utility VM directory additions + +commit f63798c03d5206b9d7b486776eebedfa237baf19 +Author: Darren Stahl +Date: Fri Sep 30 13:05:04 2016 -0700 + + Remove TP5 support + + 
Signed-off-by: Darren Stahl + +commit 0fae7c9fc77ffc84ce5945d58a5baea07de59979 +Author: John Starks +Date: Fri Sep 30 12:33:13 2016 -0700 + + Fix non-base utility VM directory additions + +commit f6ba880e91aad9d8a386f84be7b318fbef4d233a +Merge: 2c8189a12 2bfd23c89 +Author: John Starks +Date: Wed Sep 28 19:09:46 2016 -0700 + + Merge pull request #75 from jstarks/no_reparse_walk + + Don't follow reparse points when cloning the utility VM + +commit 2bfd23c890712fbd979c142d8f55f1d3c27cfdb2 +Author: John Starks +Date: Wed Sep 28 13:40:20 2016 -0700 + + Don't follow reparse points when cloning the utility VM + + This works around a Go issue where on Windows filepath.Walk follows + reparse points. + +commit 2c8189a12c3f291a72a037a3ff4f51c573bb7b46 +Merge: 26aaa85d8 68381525b +Author: Stefan J. Wernli +Date: Wed Sep 28 13:18:48 2016 -0700 + + Merge pull request #74 from jstarks/layer_hardlink_support + + Support importing layers with hard links + +commit 68381525b99eeb90e74ff75fd97232d8d1056cc9 +Author: John Starks +Date: Wed Sep 28 12:14:18 2016 -0700 + + Support importing layers with hard links + + This is necessary to support servicing layers distributed by Microsoft, + since these layers will contain hard links to save space. + + 
Signed-off-by: John Starks + +commit 26aaa85d88cf171a3d96d92664f47b9722ffec37 +Merge: ab64fb88b 4f245d12e +Author: Stefan J. Wernli +Date: Tue Sep 27 11:53:14 2016 -0700 + + Merge pull request #73 from jstarks/layered_utilityvm + + Support utility VM changes in non-base layers + +commit 4f245d12ece5f7a48cf62c89daf83f46b554a394 +Author: John Starks +Date: Mon Sep 26 18:42:05 2016 -0700 + + Support utility VM changes in non-base layers + + With this change, non-base layers can have utility VM changes. Since + Server 2016 does not support layered utility VMs, this works by cloning + the parent layer's utility VM and applying the changes directly. Layers + are assumed to be immutable, so hard links are used to make this cloning + operation fast. + + Signed-off-by: John Starks + +commit ab64fb88b54c722d68336a354193ea0c0db3f065 (tag: v0.5.0) +Merge: 2f5428934 89caa8858 +Author: Darren Stahl +Date: Fri Sep 23 14:07:29 2016 -0700 + + Merge pull request #72 from darrenstahlmsft/ContainerError + + Stop saying all container errors occured in win32 + +commit 89caa8858210cc08d6e03c65ec3ed99abd974d7e +Author: Darren Stahl +Date: Fri Sep 23 11:05:02 2016 -0700 + + Stop saying all container errors occured in win32 + + Signed-off-by: Darren Stahl + +commit 2f542893463b1da515679c889b36528051311127 +Merge: 64101c714 928337438 +Author: Darren Stahl +Date: Thu Sep 22 18:42:36 2016 -0700 + + Merge pull request #71 from darrenstahlmsft/Locks + + Add RW Lock to protect the hcs handles + +commit 9283374380929c2946276be4024d064ec29b28f0 +Author: Darren Stahl +Date: Wed Sep 21 16:14:32 2016 -0700 + + Add RW Lock to protect the hcs handles + + 
Signed-off-by: Darren Stahl + +commit 64101c714707e0083512445e3157a7fc17e54b5f +Merge: 4899f73bb 70f33c801 +Author: Darren Stahl +Date: Tue Sep 20 17:12:20 2016 -0700 + + Merge pull request #70 from darrenstahlmsft/ExitCodeError + + Check errors in LastWaitResult + +commit 4899f73bbd06252284712605fbeaf69cd74894a6 +Merge: d8e08e7d3 e22d55c41 +Author: John Howard +Date: Tue Sep 20 14:59:20 2016 -0700 + + Merge pull request #69 from Microsoft/jjh/omitempty + + Add omitempty and annotations + +commit 70f33c801766f381fbc1c9cf38a2202a0f42701e +Author: Darren Stahl +Date: Tue Sep 20 14:29:15 2016 -0700 + + Check errors in LastWaitResult + + Signed-off-by: Darren Stahl + +commit e22d55c4199128d5d7a61bd3131fb2d82b6cb1ce +Author: John Howard +Date: Tue Sep 20 08:45:44 2016 -0700 + + Add omitempty and annotations + + Signed-off-by: John Howard + +commit d8e08e7d31d4f441646638b35f423a760d6dfbcd +Merge: ee12be31f d3554df8c +Author: John Howard +Date: Fri Sep 16 10:29:03 2016 -0700 + + Merge pull request #67 from Microsoft/jjh/consolesize + + ConsoleSize --> uint + +commit d3554df8c4e158244b93c3f9b6d470712f91ee43 +Author: John Howard +Date: Thu Sep 15 12:26:18 2016 -0700 + + ConsoleSize --> uint + + Signed-off-by: John Howard + +commit ee12be31f1d7df1dbb81b9bb00ff3e151a0fcd1d +Merge: 6611816fb ef97acc3c +Author: Darren Stahl +Date: Thu Sep 8 14:44:32 2016 -0700 + + Merge pull request #66 from darrenstahlmsft/VolumeQoS + + Added volume QoS settings to MappedDir + +commit ef97acc3ce8bae16842d1e945bc56793e2be5d58 +Author: Darren Stahl +Date: Tue Sep 6 16:09:53 2016 -0700 + + Added volume QoS settings to MappedDir + + 
Signed-off-by: Darren Stahl + +commit 6611816fb4c1693b429ada0f358102119a0b1466 (tag: v0.4.3) +Merge: e5e415eb5 407de2853 +Author: John Starks +Date: Thu Aug 18 14:15:15 2016 -0700 + + Merge pull request #62 from msabansal/dns + + Added dns support + +commit e5e415eb501f8226c671b71e966839fa76c6d6ed (tag: v0.4.2) +Merge: 600757db2 4a0988d65 +Author: Darren Stahl +Date: Wed Aug 17 17:39:22 2016 -0700 + + Merge pull request #65 from Microsoft/jjh/processlist + + Add support for ProcessList + +commit 4a0988d6549162141f8ec9980f37d253c075eef8 +Author: John Howard +Date: Wed Aug 17 16:57:09 2016 -0700 + + Add support for ProcessList + + Signed-off-by: John Howard + +commit 600757db21d4b3d9974f7394a90ab17933748efd +Merge: 4b220a174 6635818ce +Author: John Starks +Date: Wed Aug 17 17:00:30 2016 -0700 + + Merge pull request #64 from darrenstahlmsft/OpenProcessCallbacks + + Stop calling post TP5 API in OpenProcess + +commit 6635818cebe2dd6c896bbdd170d5eca9c9adfdc4 +Author: Darren Stahl +Date: Wed Aug 17 15:36:45 2016 -0700 + + Stop calling post TP5 API in OpenProcess + + Signed-off-by: Darren Stahl + +commit 4b220a174dd16fe1d2e679ac61e15739f21ee721 (tag: v0.4.1) +Merge: 6a6862bd8 f43b71b58 +Author: John Starks +Date: Tue Aug 16 16:31:35 2016 -0700 + + Merge pull request #63 from darrenstahlmsft/ReparseModifiedTime + + Only update directory modified times if not a reparse point + +commit f43b71b58785865e0b99f6027bbe68a36577ea49 +Author: Darren Stahl +Date: Tue Aug 16 15:27:09 2016 -0700 + + Only update directory modified times if not a reparse point + + Signed-off-by: Darren Stahl + +commit 407de28530b937db3954d8205392d5a5f0ef8009 +Author: msabansal +Date: Thu Jul 14 16:13:32 2016 -0700 + + Added dns support + + 
Signed-off-by: msabansal + +commit 6a6862bd8669eeae0ee0e75b8d3455c29fb56fe0 (tag: v0.4.0) +Merge: 7b7051ecc 4f10c13aa +Author: Stefan J. Wernli +Date: Wed Aug 10 11:37:48 2016 -0700 + + Merge pull request #61 from darrenstahlmsft/RemoveOldAPI + + Deleting old API in preparation for v0.4.0 + +commit 7b7051ecc1585ade9134b3ac5500884210b0d742 +Merge: a79940068 0ae7e7ece +Author: Stefan J. Wernli +Date: Tue Aug 9 15:54:18 2016 -0700 + + Merge pull request #60 from darrenstahlmsft/ProcNotFound + + Added proc not found error + +commit 4f10c13aa7d12ad727779d9469a92431f94d880b +Author: Darren Stahl +Date: Tue Aug 9 14:30:19 2016 -0700 + + Deleting old API in preparation for v0.4.0 + + Signed-off-by: Darren Stahl + +commit 0ae7e7ecebd7b5609582153ed680c35ba666a264 +Author: Darren Stahl +Date: Tue Aug 9 13:45:30 2016 -0700 + + Added proc not found error + + Signed-off-by: Darren Stahl + +commit a79940068e291a3535c896e9d769d16c962b99a8 +Merge: f22313726 0303637d3 +Author: Darren Stahl +Date: Tue Aug 9 13:23:42 2016 -0700 + + Merge pull request #59 from Microsoft/jjh/statistics + + Add statistics query + +commit 0303637d3bc1e43ab52d7b4c8868d23de69dfde2 +Author: John Howard +Date: Mon Aug 8 15:04:37 2016 -0700 + + Add statistics query + + Signed-off-by: John Howard + +commit f22313726f850ecd6e78a9018f3c32bff53fc60a +Merge: 92bbeef4e 34bcde9a0 +Author: John Starks +Date: Mon Aug 8 15:09:53 2016 -0700 + + Merge pull request #58 from darrenstahlmsft/RemoveKnownErrors + + Removed knownErrors in favour of helper methods to check error types + +commit 34bcde9a0270972ef65990d054a47d672cb829aa +Author: Darren Stahl +Date: Wed Aug 3 16:34:36 2016 -0700 + + Removed knownErrors in favour of helper methods to check error types + + 
Signed-off-by: Darren Stahl + +commit 92bbeef4ebd268dff4dd993ad58de7360a7a6058 +Merge: e6abe39ac 135df7275 +Author: Stefan J. Wernli +Date: Thu Jul 28 10:52:20 2016 -0700 + + Merge pull request #57 from jstarks/preserve_directory_times + + Preserve directory times when writing base layer + +commit 135df7275fee70b0bd82bfcdceba8c00730c6b0a +Author: John Starks +Date: Wed Jul 27 18:44:57 2016 -0700 + + Preserve directory times when writing base layer + +commit e6abe39ac5cc46ae095f72f445108873d7e255aa +Merge: a8b686dbe 604d38e62 +Author: John Starks +Date: Tue Jul 19 16:35:43 2016 -0700 + + Merge pull request #55 from darrenstahlmsft/cgo + + Added import C to force hcsshim to compile as CGO + +commit 604d38e6200e8d89c46fabd029e0b50abbc4f7eb +Author: Darren Stahl +Date: Tue Jul 19 16:14:12 2016 -0700 + + Added import C to force hcsshim to compile as CGO + + 
Signed-off-by: Darren Stahl + +commit a8b686dbee0d309c09deb679ed135481637f0efd (tag: v0.3.6) +Merge: 9bcfb85fc 0386414f0 +Author: Darren Stahl +Date: Fri Jun 24 15:55:06 2016 -0700 + + Merge pull request #53 from jstarks/skip_template + + Add SkipTemplate flag for disabling clone + +commit 0386414f0b59ede3c88828e268690417d8ec394f +Author: John Starks +Date: Fri Jun 24 13:33:09 2016 -0700 + + Add some missing fields to container config + + Adds HvRuntime.SkipTemplate and ProcessorCount. + +commit 9bcfb85fc94a019f106133e9b8c3f54040ccc676 +Merge: 5357233d2 46cdef4ce +Author: John Howard +Date: Thu Jun 23 13:17:16 2016 -0700 + + Merge pull request #52 from jstarks/conduct + + Add reference to code of conduct + +commit 46cdef4ce09a5570429477dc572ad4fc75b59280 +Author: John Starks +Date: Tue Jun 21 14:14:13 2016 -0700 + + Add reference to code of conduct + +commit 5357233d2489512ee045478d3ce1d282cd445aa2 (tag: v0.3.5) +Merge: 3aeaaddbb 5065f1a57 +Author: Darren Stahl +Date: Wed Jun 15 16:41:13 2016 -0700 + + Merge pull request #51 from Microsoft/ContainerAlreadyStoppedError + + Added known error code when shutdown is already complete + +commit 5065f1a577bef8ff0cb94abe075c17a0694b6fb2 +Author: Darren Stahl +Date: Tue Jun 14 11:05:57 2016 -0700 + + Added known error code when shutdown is already complete + + Signed-off-by: Darren Stahl + +commit 3aeaaddbb11bcbf777d1696c51a9bc4561c2433a (tag: v0.3.4) +Merge: 59dba3910 ef88ee861 +Author: Stefan J. Wernli +Date: Fri Jun 10 15:02:39 2016 -0700 + + Merge pull request #49 from Microsoft/CallbackLock + + Prevent deadlock when unregistering notification handler + +commit ef88ee8615c6539347f406fd6adfaff251051c7b +Author: Darren Stahl +Date: Thu Jun 9 12:57:17 2016 -0700 + + Prevent deadlock when unregistering notification handler + + 
Signed-off-by: Darren Stahl + +commit 59dba3910e81e634b380f9872349d1d359d2b497 (tag: v0.3.3) +Merge: 5f88b2ebf c4d043d5b +Author: Darren Stahl +Date: Wed Jun 8 18:23:11 2016 -0700 + + Merge pull request #48 from Microsoft/PendingUpdates + + Fixed PendingUpdates call with correct query + +commit c4d043d5bf8e2579616c937728148b81ed77c21a +Author: Darren Stahl +Date: Wed Jun 8 18:16:22 2016 -0700 + + Fixed PendingUpdates call with correct query + + Signed-off-by: Darren Stahl + +commit 5f88b2ebf0f2fe8fae6eb41177673691c55b339d (tag: v0.3.2) +Merge: 6131038ed 42d8e6156 +Author: John Howard +Date: Wed Jun 8 15:32:48 2016 -0700 + + Merge pull request #47 from Microsoft/credentials + + Added credentials to ContainerConfig + +commit 42d8e6156a63a25989f7245575888c608cddc5b8 +Author: Darren Stahl +Date: Wed Jun 8 14:25:43 2016 -0700 + + Added credentials to ContainerConfig + + Signed-off-by: Darren Stahl + +commit 6131038ed6d018ca64449fd0006533e689d540d0 +Merge: 1358a21ed fb1347a51 +Author: Stefan J. Wernli +Date: Tue Jun 7 18:09:12 2016 -0700 + + Merge pull request #44 from msabansal/vlan + + Vlan and VSID policy + +commit 1358a21ed38b43602c1d74cb00dc512d49d7477c +Merge: efcbf2f19 92cde45e3 +Author: Stefan J. Wernli +Date: Tue Jun 7 17:35:26 2016 -0700 + + Merge pull request #45 from Microsoft/Errors + + Correctly propogate timeouts and other errors + +commit efcbf2f19212ffe70be7c9894e42cb0a7bd662c7 +Merge: 2c6c607df 9ded7c764 +Author: Stefan J. Wernli +Date: Tue Jun 7 17:34:17 2016 -0700 + + Merge pull request #46 from Microsoft/ExpandSandbox + + Added ExpandSandboxSize + +commit 92cde45e346e749a07831111adb95e404b00536b +Author: Darren Stahl +Date: Tue Jun 7 16:05:05 2016 -0700 + + Correctly propogate timeouts and other errors + + Signed-off-by: Darren Stahl + +commit 9ded7c7643790cd474d025e888ae8a0e933c314e +Author: Darren Stahl +Date: Tue Jun 7 15:25:29 2016 -0700 + + Added ExpandSandboxSize + + 
Signed-off-by: Darren Stahl + +commit 2c6c607df30d905bd5dd5c99e77b4339d5837451 (tag: v0.3.1) +Merge: c247079e3 d7dbe6bef +Author: Darren Stahl +Date: Fri May 27 18:19:32 2016 -0700 + + Merge pull request #42 from Microsoft/NotificationWaiter + + New notification design allows for multiple waiters + +commit d7dbe6bef8548b48ad42e4d6968b83fa354203d0 +Author: Darren Stahl +Date: Thu May 26 15:36:42 2016 -0700 + + New notification design allows for multiple waiters + + Signed-off-by: Darren Stahl + +commit c247079e3c9b8c2e4589fd3255170e7d4bc362e8 +Merge: 4d37d7d31 178fd5193 +Author: John Starks +Date: Fri May 27 16:29:58 2016 -0700 + + Merge pull request #43 from jstarks/fix_tombstones + + legacyLayerReader: handle tombstones correctly + +commit 178fd519344ecfbc20d53296aa158ff424470547 +Author: John Starks +Date: Fri May 27 15:27:05 2016 -0700 + + legacyLayerReader: handle tombstones correctly + +commit fb1347a5173dda809f4e7bb1539f10d9be86bfc5 +Author: msabansal +Date: Thu May 26 16:24:23 2016 -0700 + + Vlan and VSID policy + + Signed-off-by: msabansal + +commit 4d37d7d314a8a6755b49a46db9f2caf9fa81a5fa +Merge: 045aa709e 9c19c72a5 +Author: Darren Stahl +Date: Thu May 26 13:57:04 2016 -0700 + + Merge pull request #41 from Microsoft/LoggingConfigs + + Added logging of JSON config in success case + +commit 9c19c72a50d5eae904bd0742097531f16a4af1c6 +Author: Darren Stahl +Date: Thu May 26 13:51:03 2016 -0700 + + Added logging of JSON config in success case + + Signed-off-by: Darren Stahl + +commit 045aa709eaee99187864b55c720f3fad6535e35d (tag: v0.3.0) +Merge: 9c2382d9d fe77c7c3b +Author: John Starks +Date: Tue May 24 14:25:57 2016 -0700 + + Merge pull request #39 from Microsoft/postTP5 + + Implement the new hcsshim API using the new HCS RPC API + +commit fe77c7c3b4e00213c29949cc176bf94b65d2dbf6 +Author: Darren Stahl +Date: Mon Apr 25 13:22:01 2016 -0700 + + Implement the new hcsshim API using the new HCS RPC API + + 
Signed-off-by: Darren Stahl + +commit 9c2382d9d7839b66f3ab497fd67ab6c1414b9b4e +Merge: 4f09401a1 d339e0f54 +Author: John Howard +Date: Mon May 16 12:40:38 2016 -0700 + + Merge pull request #38 from Microsoft/nopriv + + Rely on caller to take privileges when manipulating base layers + +commit 4f09401a16a8e8e8b86b5c6ea2d8c4e9773cac11 +Merge: 67e008e55 7fa1cb54f +Author: John Howard +Date: Mon May 16 12:40:04 2016 -0700 + + Merge pull request #37 from Microsoft/nodeps + + Remove Godeps and vendor + +commit d339e0f54bb2f1e29dc722d3c4f494061e9d00dd +Author: John Starks +Date: Thu May 12 21:37:11 2016 -0700 + + Rely on caller to take privileges when manipulating base layers + +commit 7fa1cb54f0384f1269e85ed76ac65560c6c17dc1 +Author: John Starks +Date: Thu May 12 21:38:00 2016 -0700 + + Remove Godeps and vendor + + Vendoring works well for commands, but for libraries such as this one it just + causes problems. Eliminate it. + +commit 67e008e55de5b15567d908d9fc8f7c5767d527db (tag: v0.2.2) +Merge: 70bdea0be c9490a0c1 +Author: John Starks +Date: Wed Apr 13 14:59:27 2016 -0700 + + Merge pull request #35 from Microsoft/sjw/servicing + + Adding GetComputeSystemProperties for use in servicing scenario. + +commit c9490a0c171cf9410cd715ca9fd84935ca015839 +Author: Stefan J. Wernli +Date: Wed Apr 13 14:38:33 2016 -0700 + + Adding GetComputeSystemProperties for use in servicing scenario. + + 
Signed-off-by: Stefan J. Wernli + +commit 70bdea0be35d83b45d73b40b7e73bf7a15dc4fde (tag: v0.2.1) +Merge: 44ffe2501 05ed910ab +Author: John Starks +Date: Fri Apr 8 11:01:06 2016 -0700 + + Merge pull request #34 from Microsoft/jstarks/uvm + + Support utility VM paired with base image + +commit 05ed910ab49722034de73ebe74e1c2a3dd5773e7 +Author: John Starks +Date: Wed Apr 6 17:03:55 2016 -0700 + + Support utility VM paired with base image + + For TP5, the utility VM is shipped with the base image. Process it if it + is present. + +commit 44ffe2501c0e5f7a2e5bdbe118ad5ccb65cb8d11 (tag: v0.2.0) +Merge: e44ecf4bd 0ed05a9e5 +Author: John Starks +Date: Tue Apr 5 12:49:33 2016 -0700 + + Merge pull request #33 from Microsoft/jstarks/support_base_import + + Support base layer import + +commit 0ed05a9e5a8552ed471b0c9d0a4f375af1ef9fb0 +Author: John Starks +Date: Wed Mar 30 12:34:13 2016 -0700 + + Don't expose internal types + +commit 0bcb8b78d5be22604f379a49da42e1b2d6896408 +Author: John Starks +Date: Wed Mar 30 12:20:19 2016 -0700 + + Support base layer import + +commit 65bcc758abf7955df691a03cb5c12ef4f420d43a +Author: John Starks +Date: Tue Mar 29 10:03:22 2016 -0700 + + Don't swallow ImportLayer errors + +commit e47cb020d909cfa523dc368543c933cac657099f +Author: John Starks +Date: Wed Mar 30 12:48:43 2016 -0700 + + Revendor go-winio and logrus + +commit e44ecf4bd8450a2eeb2b4affd281ad50ec169154 (tag: v0.1.0) +Merge: 116e0e9f5 357aec7e5 +Author: John Starks +Date: Thu Mar 17 13:41:28 2016 -0700 + + Merge pull request #32 from Microsoft/fix_long_paths + + Fix import and export of layers containing long paths + +commit 357aec7e5ba61f8b4332741a68be000ea8a6cb88 +Author: John Starks +Date: Thu Mar 17 13:08:38 2016 -0700 + + Fix import and export of layers containing long paths + + This only affects the legacy import/export code path. 
+ +commit 116e0e9f5ced0cec94ae46d0aa1b3002a325f532 +Merge: f185a162a b018767be +Author: John Starks +Date: Sat Mar 5 18:57:56 2016 -0800 + + Merge pull request #31 from Microsoft/fix_legacy_export + + Fix legacy export + +commit b018767be88a45c062fb593d8617a252ac58e2d3 +Author: John Starks +Date: Sat Mar 5 18:54:53 2016 -0800 + + Fix legacy export + + Post-TP4, $wcidirs$ files are required for Hives and Files directories. + +commit f185a162a9d6ec58116d108648b51f1e92ea140a +Author: John Starks +Date: Fri Mar 4 22:34:21 2016 -0800 + + Fix build break + +commit 08c978dd7e7a40c41e0fc9e4b1f13d1430cd7ba9 +Merge: 9947a4e01 9b424d04a +Author: John Starks +Date: Fri Mar 4 22:31:15 2016 -0800 + + Merge pull request #30 from Microsoft/prepare_base + + Add APIs for processing base layers and utility VM images + +commit 9b424d04a2170693254aa7dfa0bef90c4d982f0b +Author: John Starks +Date: Fri Mar 4 17:30:36 2016 -0800 + + Add APIs for processing base layers and utility VM images + +commit 9947a4e01c2c7b1ef1404c430185fdb286e7be2c +Merge: 9488dda5a 52af10f17 +Author: John Starks +Date: Fri Mar 4 13:29:56 2016 -0800 + + Merge pull request #29 from msabansal/hnsupdate + + Updating HNS structures to their latest implementation + +commit 52af10f17d7b20be829cd514b8a94636625e74cf +Author: msabansal +Date: Fri Mar 4 13:17:30 2016 -0800 + + Updating HNS structures to their latest implementation + + 
Signed-off-by: msabansal + +commit 9488dda5ab5d3c1af26e17d3d9fc2e9f29009a7b +Merge: 2a8d47c11 7231c5053 +Author: John Starks +Date: Tue Mar 1 12:43:17 2016 -0800 + + Merge pull request #28 from Microsoft/tp4 + + Simplify TP4 version test + +commit 7231c50531b1ef8a582f9f69365fc69ff5a0d780 +Author: John Starks +Date: Tue Mar 1 12:42:29 2016 -0800 + + Simplify TP4 version test + +commit 2a8d47c11b3016473c6824907186d4c0983db0f5 +Merge: 5f354ce07 5f0741866 +Author: John Starks +Date: Tue Feb 23 18:41:29 2016 -0800 + + Merge pull request #27 from Microsoft/jstarks/layers + + Add new import/export APIs + +commit 5f0741866b24007ad7ccb1cbf1a9f032973ed570 +Author: John Starks +Date: Tue Feb 23 12:50:59 2016 -0800 + + Expose stream-oriented export/import APIs + +commit 5f354ce07fe39c7b8323a43301d220851e37377f +Merge: c7fcc23ae 94c1d0c60 +Author: John Starks +Date: Thu Feb 18 20:25:14 2016 -0800 + + Merge pull request #26 from Microsoft/auto_hr_conversion + + Ensure HRESULTs are converted to Win32 code early + +commit 94c1d0c60597ad8710de2ffac7f9cf31eace6bd0 +Author: John Starks +Date: Tue Feb 16 16:55:02 2016 -0800 + + Ensure HRESULTs are converted to Win32 code early + +commit c7fcc23ae0a198db2015449df41a28fdb5e29487 +Merge: 43858ef3c 9cbf6f544 +Author: John Starks +Date: Tue Feb 16 16:45:20 2016 -0800 + + Merge pull request #25 from Microsoft/jstarks/remove_deprecated_call + + Remove deprecated CopyLayer function, which won't be available in TP5 + +commit 9cbf6f5449d2c8ec052b4c8beb90e79b682763aa +Author: John Starks +Date: Mon Feb 8 18:05:59 2016 -0800 + + Remove deprecated CopyLayer function, which won't be available in TP5 + +commit 43858ef3c5c944dfaaabfbe8b6ea093da7f28dba +Merge: 35ad4d808 fd9d5fb11 +Author: John Howard (Microsoft) +Date: Wed Feb 3 12:06:23 2016 -0800 + + Merge pull request #24 from Microsoft/jstarks/go_style_error_handling + + Make Win32 errors visible to callers + +commit fd9d5fb1197b4d1f2d68eab9907af2a695106ae4 +Author: John Starks +Date: Tue Feb 2 
18:37:26 2016 -0800 + + Make Win32 errors visible to callers + + This makes hcsError public so that callers can inspect the internal + error and check it against certain known Win32 error codes. + +commit 35ad4d808a97203cb1748d7c43167e91f51e7f86 +Merge: 4f08e9239 acea72d04 +Author: John Starks +Date: Mon Feb 1 14:47:43 2016 -0800 + + Merge pull request #23 from Microsoft/jostarks/pipe + + Perform std handle pipe IO without blocking system threads + +commit acea72d04cb8bf2f9b8e1218c58f828df1019080 +Author: John Starks +Date: Fri Jan 29 15:39:11 2016 -0800 + + Perform std handle pipe IO without blocking system threads + + This should reduce the thread pressure on the docker daemon, which + may help reduce crashes when there are many containers running. + +commit 4f08e9239ccff98e8a5b2f81294bc0cf37434373 +Merge: fc8f843b4 c532ef07e +Author: John Starks +Date: Fri Jan 29 14:30:21 2016 -0800 + + Merge pull request #21 from Microsoft/jostarks/autogen + + Rewrite hcsshim methods to use generated code + +commit c532ef07eec6c0c2f8e809807197dd14bdaf6c3d +Author: John Starks +Date: Thu Jan 28 19:15:48 2016 -0800 + + Rewrite hcsshim methods to use generated code + + Also simplify how errors are returned so that the Win32 HRESULT can be + extracted. This is an improvement over the current situation, but it + is still problematic in that errors cannot be compared for equality. + We should address this in a future change (it will require removing + the debug info from the errors, which means we may want to move it + to the callers first). + +commit bf3883a8e797bfdd4b9efa6aff5b2d0e07bb2cf1 +Author: John Starks +Date: Thu Jan 28 19:14:47 2016 -0800 + + Update mksyscall_windows.go to for hcsshim + + Always use UTF-16 strings, and don't panic if the procedure is missing + from the DLL. 
+ +commit 34ae220d68918f6a7083e0df5fea5b94a3e0eb93 +Author: John Starks +Date: Thu Jan 28 19:14:06 2016 -0800 + + Add mksyscall_windows.go from go 1.5.3 + +commit fc8f843b468326d898f2ef2257440c792d2fa283 +Merge: de43b42b5 5a4bca127 +Author: John Howard (Microsoft) +Date: Fri Jan 29 12:46:01 2016 -0800 + + Merge pull request #20 from msabansal/master + + Adding support for HNS in HCSShim + +commit 5a4bca12703a073b5ab861e4364b09fe29e247b7 +Author: Sandeep Bansal +Date: Tue Dec 15 19:25:00 2015 -0800 + + Added HNS support + +commit de43b42b5ce14dfdcbeedb0628b0032174d89caa +Merge: 325e531f8 c8985474a +Author: John Howard (Microsoft) +Date: Thu Oct 22 13:59:07 2015 -0700 + + Merge pull request #18 from Microsoft/jjh/xenon-exec-workaround + + TP4: CreateProcess: Return RC + +commit c8985474afff2895524c86a0eb13523773ac2188 +Author: John Howard +Date: Thu Oct 22 13:55:36 2015 -0700 + + TP4: CreateProcess: Return RC + + Signed-off-by: John Howard + +commit 325e531f8c49dd78580d5fd197ddb972fa4610e7 +Merge: 7f646aa6b 08107cda0 +Author: John Howard (Microsoft) +Date: Tue Oct 13 15:29:11 2015 -0700 + + Merge pull request #17 from Microsoft/errorcode + + Various bits of tidy up + +commit 08107cda0aee385a993800d96e838e7c766346ab +Author: John Howard +Date: Tue Oct 13 15:27:01 2015 -0700 + + Various bits of tidy up + + Signed-off-by: John Howard + +commit 7f646aa6b26bcf90caee91e93cde4a80d0d8a83e +Merge: da093dac5 c7f529b05 +Author: Stefan J. Wernli +Date: Thu Aug 27 15:39:53 2015 -0700 + + Merge pull request #15 from Microsoft/sjw/comments + + Adding comments for remaining HCSSHIM public functions. + +commit c7f529b052ee3dfa5632bf648ce29c32345bcb32 +Author: Stefan J. Wernli +Date: Thu Aug 27 14:49:14 2015 -0700 + + Adding comments for remaining HCSSHIM public functions. + + 
Signed-off-by: Stefan J. Wernli + +commit da093dac579302d7b413696b96dec0b5e1bce8d4 +Merge: 2a9898ec1 be4bf9a2c +Author: John Howard (Microsoft) +Date: Mon Aug 10 12:04:06 2015 -0700 + + Merge pull request #14 from Microsoft/gofmt + + Gofmt on all files + +commit be4bf9a2cf3a2536c293a07bb687a072e0db824e +Author: John Howard +Date: Mon Aug 10 12:03:17 2015 -0700 + + Gofmt on all files + + Signed-off-by: John Howard + +commit 2a9898ec11f7c693b91a020b330116730738cc0f +Merge: 236c43404 6e3a41c8d +Author: Stefan J. Wernli +Date: Thu Aug 6 10:55:04 2015 -0700 + + Merge pull request #13 from Microsoft/sjw/guid_fix + + Fix for GUID ToString. + +commit 6e3a41c8d4bd9026900032f226822c327bf239ee +Author: Stefan J. Wernli +Date: Thu Aug 6 10:14:37 2015 -0700 + + Fix for GUID ToString. + + Signed-off-by: Stefan J. Wernli + +commit 236c4340489309791f2509409c3d8abf67102f1a +Merge: 153092cbb 64b66f5b4 +Author: Stefan J. Wernli +Date: Tue Jul 21 17:01:24 2015 -0700 + + Merge pull request #12 from Microsoft/sjw/guid_fix + + Sjw/guid fix + +commit 64b66f5b46e1e91bd4793b45d1ee0147476c6c44 +Author: Stefan J. Wernli +Date: Tue Jul 21 16:39:29 2015 -0700 + + Fixing GUID.ToString to use correct endian-ness. + + Signed-off-by: Stefan J. Wernli + +commit 7d7fbd20760891b6fa6c37472d030fa58539b10c +Author: Stefan J. Wernli +Date: Tue Jul 21 13:15:11 2015 -0700 + + Changing layerutils to use new hcsshim guid hashing function. + + Signed-off-by: Stefan J. Wernli + +commit 153092cbbd77361091eae5236d0e09c8b3d08f1d +Merge: 4afa14d4f a8f1e11ed +Author: John Howard (Microsoft) +Date: Tue Jul 21 12:54:52 2015 -0700 + + Merge pull request #11 from Microsoft/sjw/guid_fix + + Adding methods for calling into hcsshim to do string to guid hashing. + +commit a8f1e11ed24329ab0c30da71e37d00b75cc60fe6 +Author: Stefan J. Wernli +Date: Tue Jul 21 12:46:42 2015 -0700 + + Adding methods for calling into hcsshim to do string to guid hashing. + + 
Signed-off-by: Stefan J. Wernli + +commit 4afa14d4ff91397d69e7beb3998018da98944f67 +Merge: f674a70f1 e3ddc6f4c +Author: John Howard (Microsoft) +Date: Mon Jul 20 08:44:30 2015 -0700 + + Merge pull request #10 from Microsoft/js/handles + + Improve stdin/out/err handling for container processes + +commit e3ddc6f4cb1bade154fcdec74e28129ff32539ea +Author: John Starks +Date: Sat Jul 18 16:37:35 2015 -0700 + + Improve stdin/out/err handling for container processes + + Use CreateProcessWithStdHandlesInComputeSystem to provide stdin/out/err. + This allows vmcompute.dll to handle creating the named pipes with the + correct paths, security attributes, etc. and provides flexibility for + changing the pipe creation protocol in future builds of Windows. + + Signed-off-by: John Starks + +commit f674a70f1306dbe20b3a516bedd3285d85db60d9 +Merge: 889b3b6e8 31695d474 +Author: John Howard (Microsoft) +Date: Thu Jul 16 11:56:43 2015 -0700 + + Merge pull request #9 from Microsoft/centralstore + + Support for central store + +commit 31695d4746956a0261aae0b301ccfc7d8ccca719 +Author: John Howard +Date: Thu Jul 16 11:45:03 2015 -0700 + + Support for central store + + Signed-off-by: John Howard + +commit 889b3b6e8f6c6c193ca068209edccb5bc0909276 +Merge: 2f540b26b 70d0861a2 +Author: John Howard (Microsoft) +Date: Thu Jul 16 10:32:54 2015 -0700 + + Merge pull request #8 from Microsoft/logging + + Fix logging + +commit 70d0861a2ab4bd5df20dce535159915472964d1a +Author: John Howard +Date: Thu Jul 16 10:31:31 2015 -0700 + + Fix logging + + Signed-off-by: John Howard + +commit 2f540b26beafc3d4aded4fc9799af261a1a91352 +Merge: 43a6d3f19 7e14d3e2a +Author: John Howard (Microsoft) +Date: Thu Jul 2 13:01:44 2015 -0700 + + Merge pull request #7 from Microsoft/fiximportexport + + Fix import/export proc calls + +commit 7e14d3e2aed25a7152a143dc4b495dfbf2887569 +Author: John Howard +Date: Thu Jul 2 13:01:06 2015 -0700 + + Fix import/export proc calls + + 
Signed-off-by: John Howard + +commit 43a6d3f190395c9b8af2f45c49ad8791e2a901c2 +Merge: 6d06be3e9 0a2675c8f +Author: John Howard (Microsoft) +Date: Thu Jul 2 11:24:31 2015 -0700 + + Merge pull request #6 from Microsoft/guid + + Make guid external + +commit 0a2675c8f278a462b154d61a74e29b0634d750d8 +Author: John Howard +Date: Thu Jul 2 11:23:52 2015 -0700 + + Make guid external + + Signed-off-by: John Howard + +commit 6d06be3e9d4ead787a58c0484079585d13aa2328 +Merge: c99df026c 96a17a471 +Author: John Howard (Microsoft) +Date: Wed Jul 1 16:29:54 2015 -0700 + + Merge pull request #5 from Microsoft/importexport + + Added Import/Export Layer + +commit 96a17a47192602c9a68e37d9a6cec4c770a193ff +Author: John Howard +Date: Wed Jul 1 16:28:33 2015 -0700 + + Added Import/Export Layer + + Signed-off-by: John Howard + +commit c99df026cb2488caad4535694d08da21e23b9bd7 +Merge: 406926754 715fbdbc9 +Author: John Howard (Microsoft) +Date: Wed Jul 1 15:13:52 2015 -0700 + + Merge pull request #4 from Microsoft/consolesizeplumbing + + Plumbing through ConsoleSize + +commit 715fbdbc9d42c768bd26114c0a7725278cfee682 +Author: John Howard +Date: Wed Jul 1 15:12:58 2015 -0700 + + Plumbing through ConsoleSize + + Signed-off-by: John Howard + +commit 406926754572cbb22ee286a75593d1ebb8b72a07 +Merge: 1efe3d09c 8148ab6c9 +Author: John Howard (Microsoft) +Date: Wed Jul 1 10:51:46 2015 -0700 + + Merge pull request #3 from Microsoft/terminatecomputesystem + + Added terminatecomputesystem + +commit 8148ab6c9050f654948db6c75736b0c2f8fdd2a1 +Author: John Howard +Date: Wed Jul 1 10:50:33 2015 -0700 + + Added terminatecomputesystem + + 
Signed-off-by: John Howard + +commit 1efe3d09c6979aebb0b2d1f39dcd731a0e102886 +Merge: 6d2d19951 09b19fbf2 +Author: John Howard (Microsoft) +Date: Tue Jun 30 18:27:24 2015 -0700 + + Merge pull request #2 from Microsoft/glmp-use + + Move use to avoid GC problem in GLMP + +commit 09b19fbf2218bccbb46245f17f6111179d796fa8 +Author: John Howard +Date: Tue Jun 30 18:25:40 2015 -0700 + + Move use to avoid GC problem in GLMP + + Signed-off-by: John Howard + +commit 6d2d19951953075a7b8ce486be6191b29ba4520a +Merge: bd2bb73fc ae87f320b +Author: John Howard (Microsoft) +Date: Tue Jun 30 12:07:02 2015 -0700 + + Merge pull request #1 from Microsoft/initial + + Initial implementation + +commit ae87f320b9e8cd9308f95f58576c306961105142 +Author: John Howard +Date: Tue Jun 30 11:49:00 2015 -0700 + + Initial implementation + + Signed-off-by: John Howard + +commit bd2bb73fc273fe06ba105a78cc8f097a5c0f3484 +Author: Candice Pfeister +Date: Mon Jun 29 09:44:26 2015 -0700 + + Initial commit diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go index b848017c13..60cce3e453 100644 --- a/internal/protocol/guestresource/resources.go +++ b/internal/protocol/guestresource/resources.go @@ -27,6 +27,10 @@ const ( // ResourceTypeMappedVirtualDisk is the modify resource type for mapped // virtual disks ResourceTypeMappedVirtualDisk guestrequest.ResourceType = "MappedVirtualDisk" + // ResourceTypeMappedVirtualDiskForContainerScratch is the modify resource type + // specifically for refs formatting and mounting scratch vhds for c-wcow cases only. + ResourceTypeMappedVirtualDiskForContainerScratch guestrequest.ResourceType = "MappedVirtualDiskForContainerScratch" + ResourceTypeWCOWBlockCims guestrequest.ResourceType = "WCOWBlockCims" // ResourceTypeNetwork is the modify resource type for the `NetworkAdapterV2` // device. ResourceTypeNetwork guestrequest.ResourceType = "Network" 
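Review bot: `ResourceTypeWCOWBlockCims` is moved into this hunk without its doc comment; the `@@ -51,12 +55,6 @@` hunk below deletes `// ResourceTypeWCOWBlockCims is the modify resource type for mounting block cims for hyperv wcow containers.` and nothing replaces it at the new location, so unlike its neighbours the constant is now undocumented. Carry the two comment lines along with the move. The const block continues outside the hunk.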
@@ -51,12 +55,6 @@ const ( ResourceTypeSecurityPolicy guestrequest.ResourceType = "SecurityPolicy" // ResourceTypePolicyFragment is the modify resource type for injecting policy fragments. ResourceTypePolicyFragment guestrequest.ResourceType = "SecurityPolicyFragment" - // ResourceTypeWCOWBlockCims is the modify resource type for mounting block cims for hyperv - // wcow containers. - ResourceTypeWCOWBlockCims guestrequest.ResourceType = "WCOWBlockCims" - // ResourceTypeMappedVirtualDiskForContainerScratch is the modify resource type - // specifically for refs formatting and mounting scratch vhds for c-wcow cases only. - ResourceTypeMappedVirtualDiskForContainerScratch guestrequest.ResourceType = "MappedVirtualDiskForContainerScratch" ) // This class is used by a modify request to add or remove a combined layers diff --git a/internal/uvm/scsi/backend.go b/internal/uvm/scsi/backend.go index 6219a15172..130ee66df6 100644 --- a/internal/uvm/scsi/backend.go +++ b/internal/uvm/scsi/backend.go @@ -170,6 +170,13 @@ func mountRequest(controller, lun uint, path string, config *mountConfig, osType ResourceType: guestresource.ResourceTypeMappedVirtualDisk, RequestType: guestrequest.RequestTypeAdd, } + // This option is set only for cwcow scratch disk mount requests + // where we need to format the disk with refs. + // For refs the scratch disk size should > 30 GB. + if config.formatWithRefs { + req.ResourceType = guestresource.ResourceTypeMappedVirtualDiskForContainerScratch + } + switch osType { case "windows": // We don't check config.readOnly here, as that will still result in the overall attachment being read-only. @@ -185,6 +192,7 @@ func mountRequest(controller, lun uint, path string, config *mountConfig, osType ContainerPath: path, Lun: int32(lun), } + case "linux": req.Settings = guestresource.LCOWMappedVirtualDisk{ MountPath: path, diff --git a/internal/uvm/scsi/manager.go b/internal/uvm/scsi/manager.go index ff8374038e..272ea9c992 100644 
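Review bot: The new comment in mountRequest states a precondition (`// For refs the scratch disk size should > 30 GB.`) that nothing in this function checks, and the handlers.go hunk later in this series phrases the same requirement as `>= 30 GB`; the two should agree, and if the size is validated only by the guest-side formatter the comment here should say so, e.g. `// The guest ReFS formatter requires a scratch disk of at least 30 GB; the size is not validated here.`. As written `should > 30 GB` is also missing a verb. mountRequest starts and ends outside the hunk.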
--- a/internal/uvm/scsi/manager.go +++ b/internal/uvm/scsi/manager.go @@ -86,6 +86,9 @@ type MountConfig struct { // BlockDev indicates if the device should be mounted as a block device. // This is only supported for LCOW. BlockDev bool + // FormatWithRefs indicates to refs format the disk. + // This is only supported for CWCOW scratch disks. + FormatWithRefs bool } // Mount represents a SCSI device that has been attached to a VM, and potentially @@ -162,6 +165,7 @@ func (m *Manager) AddVirtualDisk( ensureFilesystem: mc.EnsureFilesystem, filesystem: mc.Filesystem, blockDev: mc.BlockDev, + formatWithRefs: mc.FormatWithRefs, } } return m.add(ctx, diff --git a/internal/uvm/scsi/mount.go b/internal/uvm/scsi/mount.go index 68e36f1c9c..4696ac15a5 100644 --- a/internal/uvm/scsi/mount.go +++ b/internal/uvm/scsi/mount.go @@ -45,6 +45,7 @@ type mountConfig struct { options []string ensureFilesystem bool filesystem string + formatWithRefs bool } func (mm *mountManager) mount(ctx context.Context, controller, lun uint, path string, c *mountConfig) (_ string, err error) { diff --git a/internal/wclayer/cim/mount.go b/internal/wclayer/cim/mount.go index 56d0d0ac7d..89fa13ccdc 100644 --- a/internal/wclayer/cim/mount.go +++ b/internal/wclayer/cim/mount.go @@ -108,6 +108,7 @@ func MergeMountBlockCIMLayer(ctx context.Context, mergedLayer *cimfs.BlockCIM, p if err != nil { return "", fmt.Errorf("generated cim mount GUID: %w", err) } + return cimfs.MountMergedBlockCIMs(mergedLayer, parentLayers, mountFlags, volumeGUID) } diff --git a/pkg/cimfs/mount_cim.go b/pkg/cimfs/mount_cim.go index 8588d63b34..424857de52 100644 --- a/pkg/cimfs/mount_cim.go +++ b/pkg/cimfs/mount_cim.go @@ -15,6 +15,10 @@ import ( "golang.org/x/sys/windows" ) +const ( + VolumePathFormat = "\\\\?\\Volume{%s}\\" +) + type MountError struct { Cim string Op string 
@@ -116,5 +120,5 @@ func MountMergedBlockCIMs(mergedCIM *BlockCIM, sourceCIMs []*BlockCIM, mountFlag if err := winapi.CimMergeMountImage(uint32(len(cimsToMerge)), &cimsToMerge[0], mountFlags, &volumeGUID); err != nil { return "", &MountError{Cim: filepath.Join(mergedCIM.BlockPath, mergedCIM.CimName), Op: "MountMerged", Err: err} } - return fmt.Sprintf("\\\\?\\Volume{%s}\\", volumeGUID.String()), nil + return fmt.Sprintf(VolumePathFormat, volumeGUID.String()), nil } diff --git "a/\357\200\222-f" "b/\357\200\222-f" new file mode 100644 index 0000000000..20ad6942d1 --- /dev/null +++ "b/\357\200\222-f" @@ -0,0 +1 @@ +erskiashokgosrcgithub.comMicrosofthcsshim qq From dac494ef6546722f295c7c1fb135a2d38365b032 Mon Sep 17 00:00:00 2001 From: Mahati Chamarthy Date: Tue, 7 Jan 2025 11:18:34 +0000 Subject: [PATCH 04/20] C-WCOW: Policy enforcement squashed commits Commit squashes the following individual commits: C-WCOW: Add security policy plumbing on hcsshim side C-WCOW: Add security policy framework C-WCOW:Securitypolicy: Rename securitypolicy framework files C-WCOW: Add device mount policy enforcement with a fake hash C-WCOW: Enforce mounting at the layers level C-WCOW: Add enforcement points and clean up existing ones C-WCOW: Merge securitypolicy package for linux and windows C-WCOW: Remove securitypolicy package copy from gcs-sidecar C-WCOW: Workaround mount_device and mount_overlay enforcements Signed-off-by: Mahati Chamarthy (cherry picked from commit 5d2bca13df87ccc5430846748922d9f79d1f5d1f) Signed-off-by: Kirtana Ashok --- internal/gcs-sidecar/handlers.go | 60 ++++++++++++++++++- internal/uvm/security_policy.go | 48 ++++++++++++++- internal/uvm/start.go | 10 ++++ internal/uvm/types.go | 3 + pkg/annotations/annotations.go | 10 ++++ pkg/securitypolicy/securitypolicy_test.go | 3 - .../securitypolicyenforcer_rego.go | 13 ++-- 7 files changed, 137 insertions(+), 10 deletions(-) 
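Review bot: The new file `"\357\200\222-f"` with the single line `erskiashokgosrcgithub.comMicrosofthcsshim qq` looks like an accidental shell artefact (a mangled local path) rather than source, and patch 05/20 later in this series deletes it again according to its diffstat; squashing the add and the delete keeps the stray file out of history entirely. The 37974-line git-log dump added under a similarly garbled name earlier in this series, and likewise deleted in 05/20, is the same kind of artefact.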
diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
index 7d9aeafad4..3943eb5bcd 100644
--- a/internal/gcs-sidecar/handlers.go
+++ b/internal/gcs-sidecar/handlers.go
@@ -4,6 +4,7 @@ package bridge
import (
+ "context"
"encoding/json"
"fmt"
"os"
@@ -21,6 +22,7 @@ import (
"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
"github.com/Microsoft/hcsshim/internal/windevice"
"github.com/Microsoft/hcsshim/pkg/cimfs"
+ "github.com/Microsoft/hcsshim/pkg/securitypolicy"
"github.com/pkg/errors"
)
@@ -99,6 +101,10 @@ func (b *Bridge) shutdownGraceful(req *request) (err error) {
// TODO (kiashok/Mahati): Since gcs-sidecar can be used for all types of windows
// containers, it is important to check if we want to
// enforce policy or not.
+ b.hostState.securityPolicyEnforcer.EnforceShutdownContainerPolicy(req.ctx, r.ContainerID)
+ if err != nil {
+ return fmt.Errorf("rpcShudownGraceful operation not allowed: %v", err)
+ }
b.forwardRequestToGcs(req)
return nil
@@ -392,6 +398,14 @@ func (b *Bridge) modifySettings(req *request) (err error) {
log.G(ctx).Tracef("CWCOWCombinedLayers:: ContainerID: %v, ContainerRootPath: %v, Layers: %v, ScratchPath: %v", containerID, settings.CombinedLayers.ContainerRootPath, settings.CombinedLayers.Layers, settings.CombinedLayers.ScratchPath)
+ // check that this is not denied by policy
+ // TODO: modify gcs-sidecar code to pass context across all calls
+ // TODO: Update modifyCombinedLayers with verified CimFS API
+ policy_err := modifyCombinedLayers(ctx, containerID, guestRequestType, settings.CombinedLayers, b.hostState.securityPolicyEnforcer)
+ if policy_err != nil {
+ return errors.Wrapf(policy_err, "CimFS layer mount is denied by policy: %v", settings)
+ }
+
// TODO: Update modifyCombinedLayers with verified CimFS API
// The following two folders are expected to be present in the scratch.
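Review bot: The result of `EnforceShutdownContainerPolicy` in shutdownGraceful is discarded, so the `if err != nil` that follows tests the named return `err`, which is nil unless something above the hunk assigned it; either way the policy decision never blocks the shutdown and the enforcement is a no-op as written. Assign the call's result and wrap with `%w` so callers can unwrap it: `if err := b.hostState.securityPolicyEnforcer.EnforceShutdownContainerPolicy(req.ctx, r.ContainerID); err != nil {` / `return fmt.Errorf("rpcShutdownGraceful operation not allowed: %w", err)` (this also fixes the "Shudown" typo in the message). If `securityPolicyEnforcer` can be nil when no policy is configured, which the TODO above the added lines hints at, the call also needs a nil guard or an open-door enforcer installed by default; I can't tell from the hunk which applies. shutdownGraceful's body starts outside the hunk.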
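Review bot: The comment block added in the `@@ -392,6 +398,14 @@` hunk repeats `// TODO: Update modifyCombinedLayers with verified CimFS API`, which is also the next line after the block, so the new code carries the same TODO twice; drop the copy inside the added lines. `policy_err` is not Go style (MixedCaps, `policyErr`) and the same name appears in the `@@ -429,7 +443,12 @@` hunk; since the value is only returned, `if err := modifyCombinedLayers(ctx, containerID, guestRequestType, settings.CombinedLayers, b.hostState.securityPolicyEnforcer); err != nil {` avoids the extra variable in both places. The error text formats the whole `settings` value with `%v`, which for a request with many layers produces a very long line; the container ID and `settings.CombinedLayers.ContainerRootPath` would identify the denied request just as well. modifySettings continues on both sides of the hunk.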
@@ -429,7 +443,12 @@ func (b *Bridge) modifySettings(req *request) (err error) {
wcowMappedVirtualDisk := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWMappedVirtualDisk)
log.G(ctx).Tracef("ResourceTypeMappedVirtualDiskForContainerScratch: { %v }", wcowMappedVirtualDisk)
- // 1. TODO (Mahati): Need to enforce policy before calling into fsFormatter
+ policy_err := modifyMappedVirtualDisk(ctx, guestRequestType, wcowMappedVirtualDisk, b.hostState.securityPolicyEnforcer)
+ if policy_err != nil {
+ return errors.Wrapf(policy_err, "Mount device denied by policy %v", wcowMappedVirtualDisk)
+ }
+
+ // 1. TODO (kiashok/Mahati): Need to enforce policy before calling into fsFormatter
// 2. Call fsFormatter to format the scratch disk.
// This will return the volume path of the mounted scratch.
// Scratch disk should be >= 30 GB for refs formatter to work.
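Review bot: The re-added comment `// 1. TODO (kiashok/Mahati): Need to enforce policy before calling into fsFormatter` is stale the moment it lands, because the four lines added just above it do exactly that; either delete it or renumber the remaining steps so the comment matches the code. The `%v` in `"Mount device denied by policy %v"` prints the whole `WCOWMappedVirtualDisk` struct without field names; `%+v`, or just `wcowMappedVirtualDisk.ContainerPath`, gives a message a reader can act on. modifySettings continues outside the hunk.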
@@ -490,3 +509,42 @@ func (b *Bridge) modifySettings(req *request) (err error) {
b.forwardRequestToGcs(req)
return nil
}
+
+func modifyMappedVirtualDisk(
+ ctx context.Context,
+ rt guestrequest.RequestType,
+ mvd *guestresource.WCOWMappedVirtualDisk,
+ securityPolicy securitypolicy.SecurityPolicyEnforcer,
+) (err error) {
+ switch rt {
+ case guestrequest.RequestTypeAdd:
+ // TODO: Modify and update this with verified Cims API
+ return securityPolicy.EnforceDeviceMountPolicy(ctx, mvd.ContainerPath, "hash")
+ case guestrequest.RequestTypeRemove:
+ // TODO: Modify and update this with verified Cims API
+ return securityPolicy.EnforceDeviceUnmountPolicy(ctx, mvd.ContainerPath)
+ default:
+ return newInvalidRequestTypeError(rt)
+ }
+}
+
+func modifyCombinedLayers(
+ ctx context.Context,
+ containerID string,
+ rt guestrequest.RequestType,
+ cl guestresource.WCOWCombinedLayers,
+ securityPolicy securitypolicy.SecurityPolicyEnforcer,
+) (err error) {
+ switch rt {
+ case guestrequest.RequestTypeAdd:
+ layerPaths := make([]string, len(cl.Layers))
+ for i, layer := range cl.Layers {
+ layerPaths[i] = layer.Path
+ }
+ return securityPolicy.EnforceOverlayMountPolicy(ctx, containerID, layerPaths, cl.ContainerRootPath)
+ case guestrequest.RequestTypeRemove:
+ return securityPolicy.EnforceOverlayUnmountPolicy(ctx, cl.ContainerRootPath)
+ default:
+ return newInvalidRequestTypeError(rt)
+ }
+}
diff --git a/internal/uvm/security_policy.go b/internal/uvm/security_policy.go
index 195b93d3ce..c232f5f491 100644
--- a/internal/uvm/security_policy.go
+++ b/internal/uvm/security_policy.go
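Review bot: `modifyMappedVirtualDisk` passes the literal `"hash"` as the device hash to `EnforceDeviceMountPolicy`, so the policy can only ever compare against a placeholder and never against the actual scratch disk; the TODO acknowledges this, but as written a policy either admits every disk (if the placeholder is allowlisted) or none, and a constant like this is easy to ship by accident. Until a verified hash is available, prefer failing closed, or at least hoist it to a named constant so the gap is greppable: `const placeholderDeviceHash = "hash" // TODO: replace with the verified CIM/VHD hash before enabling enforcement`. Both helpers declare a named result `(err error)` that is never assigned; a plain `error` return is enough. Neither helper has a doc comment; a one-liner such as `// modifyMappedVirtualDisk asks the enforcer whether a scratch-disk mount or unmount at mvd.ContainerPath is allowed.` would help the next reader.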
@@ -34,6 +34,52 @@ func WithSecurityPolicyEnforcer(enforcer string) ConfidentialUVMOpt {
}
}
+// TODO (Mahati): Move this block out later
+type WCOWConfidentialUVMOpt func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error
+
+// WithSecurityPolicy sets the desired security policy for the resource.
+func WithWCOWSecurityPolicy(policy string) WCOWConfidentialUVMOpt {
+ return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
+ r.EncodedSecurityPolicy = policy
+ return nil
+ }
+}
+
+// WithSecurityPolicyEnforcer sets the desired enforcer type for the resource.
+func WithWCOWSecurityPolicyEnforcer(enforcer string) WCOWConfidentialUVMOpt {
+ return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
+ r.EnforcerType = enforcer
+ return nil
+ }
+}
+
+// TODO: Separate this out later
+func (uvm *UtilityVM) SetWCOWConfidentialUVMOptions(ctx context.Context, opts ...WCOWConfidentialUVMOpt) error {
+ if uvm.operatingSystem != "windows" {
+ return errNotSupported
+ }
+ uvm.m.Lock()
+ defer uvm.m.Unlock()
+ confOpts := &guestresource.WCOWConfidentialOptions{}
+ for _, o := range opts {
+ if err := o(ctx, confOpts); err != nil {
+ return err
+ }
+ }
+ modification := &hcsschema.ModifySettingRequest{
+ RequestType: guestrequest.RequestTypeAdd,
+ GuestRequest: guestrequest.ModificationRequest{
+ ResourceType: guestresource.ResourceTypeSecurityPolicy,
+ RequestType: guestrequest.RequestTypeAdd,
+ Settings: *confOpts,
+ },
+ }
+ if err := uvm.modify(ctx, modification); err != nil {
+ return fmt.Errorf("uvm::Policy: failed to modify utility VM configuration: %w", err)
+ }
+ return nil
+}
+
func base64EncodeFileContents(filePath string) (string, error) {
if filePath == "" {
return "", nil
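Review bot: The doc comments on the new option constructors name the wrong identifiers: `// WithSecurityPolicy sets ...` sits above `WithWCOWSecurityPolicy` and `// WithSecurityPolicyEnforcer sets ...` above `WithWCOWSecurityPolicyEnforcer`; Go doc comments start with the declared name, e.g. `// WithWCOWSecurityPolicy sets the encoded security policy for a WCOW confidential UVM.` and `// WithWCOWSecurityPolicyEnforcer sets the enforcer type for a WCOW confidential UVM.`. `SetWCOWConfidentialUVMOptions` is a near line-for-line copy of `SetConfidentialUVMOptions` (outside this hunk), differing only in the options type and the OS check; a shared helper that sends an already-built `ModificationRequest` would keep the two policy-injection paths from drifting, which matters because this is the call that installs the enforcer in the guest. The method itself has no doc comment beyond `// TODO: Separate this out later`; something like `// SetWCOWConfidentialUVMOptions applies the given options and sends the resulting security-policy settings to a running WCOW UVM.` is the minimum for an exported method.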
@@ -88,7 +134,7 @@ func (uvm *UtilityVM) SetConfidentialUVMOptions(ctx context.Context, opts ...Con
}
}
modification := &hcsschema.ModifySettingRequest{
- RequestType: guestrequest.RequestTypeAdd,
+ //RequestType: guestrequest.RequestTypeAdd,
GuestRequest: guestrequest.ModificationRequest{
ResourceType: guestresource.ResourceTypeSecurityPolicy,
RequestType: guestrequest.RequestTypeAdd,
diff --git a/internal/uvm/start.go b/internal/uvm/start.go
index 9ab8a9bdd5..90b97b314d 100644
--- a/internal/uvm/start.go
+++ b/internal/uvm/start.go
@@ -334,6 +334,16 @@ func (uvm *UtilityVM) Start(ctx context.Context) (err error) {
}
}
+ if uvm.WCOWconfidentialUVMOptions != nil && uvm.OS() == "windows" {
+ copts := []WCOWConfidentialUVMOpt{
+ WithWCOWSecurityPolicy(uvm.WCOWconfidentialUVMOptions.WCOWSecurityPolicy),
+ WithWCOWSecurityPolicyEnforcer(uvm.WCOWconfidentialUVMOptions.WCOWSecurityPolicyEnforcer),
+ }
+ if err := uvm.SetWCOWConfidentialUVMOptions(ctx, copts...); err != nil {
+ return err
+ }
+ }
+
return nil
}
diff --git a/internal/uvm/types.go b/internal/uvm/types.go
index 150b204999..a301e396ac 100644
--- a/internal/uvm/types.go
+++ b/internal/uvm/types.go
@@ -14,6 +14,7 @@ import (
"github.com/Microsoft/hcsshim/hcn"
"github.com/Microsoft/hcsshim/internal/gcs"
"github.com/Microsoft/hcsshim/internal/hcs"
+ "github.com/Microsoft/hcsshim/internal/protocol/guestresource"
"github.com/Microsoft/hcsshim/internal/uvm/scsi"
)
@@ -142,6 +143,8 @@ type UtilityVM struct {
// LCOW only. Indicates whether to use policy based routing when configuring net interfaces in the guest.
policyBasedRouting bool
+ // WCOWconfidentialUVMOptions hold confidential UVM specific options
+ WCOWconfidentialUVMOptions *guestresource.WCOWConfidentialOptions
}
func (uvm *UtilityVM) ScratchEncryptionEnabled() bool {
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
index 62eac7e80d..f1470591bf 100644
--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
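Review bot: Commenting out `RequestType: guestrequest.RequestTypeAdd,` on the outer `ModifySettingRequest` in `SetConfidentialUVMOptions` changes the existing LCOW policy-injection request (the field now goes out with its zero value) and is not mentioned in the commit message, so it reads as a debugging leftover; the WCOW variant added earlier in this file keeps the field set. Restore `RequestType: guestrequest.RequestTypeAdd,`, or add a comment explaining why the LCOW path must omit it. SetConfidentialUVMOptions starts and ends outside the hunk.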
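Review bot: The new exported field `WCOWconfidentialUVMOptions` in the types.go hunk mixes cases inside one word; `WCOWConfidentialUVMOptions` matches the `WCOWConfidentialUVMOpt` type introduced in this series and the initialism style of the surrounding fields, and the `start.go` hunk above would need the same rename. The field comment also says `hold` for `holds`; `// WCOWConfidentialUVMOptions holds the security policy and enforcer settings that Start pushes to a WCOW confidential UVM.` states what the code visibly does with it. The UtilityVM struct continues outside the hunk.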
@@ -228,6 +228,13 @@ const (
// This allows for better fallback mechanics.
SecurityPolicyEnforcer = "io.microsoft.virtualmachine.lcow.enforcer"
+ // WCOW SecurityPolicy is used to specify a security policy for opengcs to enforce.
+ WCOWSecurityPolicy = "io.microsoft.virtualmachine.wcow.securitypolicy"
+
+ // WCOW SecurityPolicyEnforcer is used to specify which enforcer to initialize (open-door, standard or rego).
+ // This allows for better fallback mechanics.
+ WCOWSecurityPolicyEnforcer = "io.microsoft.virtualmachine.wcow.enforcer"
+
// HclEnabled specifies whether to enable the host compatibility layer.
HclEnabled = "io.microsoft.virtualmachine.lcow.hcl-enabled"
@@ -290,6 +297,9 @@ const (
// UVMReferenceInfoFile specifies the filename of a signed UVM reference file to be passed to UVM.
UVMReferenceInfoFile = "io.microsoft.virtualmachine.lcow.uvm-reference-info-file"
+ // UVMReferenceInfoFile specifies the filename of a signed UVM reference file to be passed to UVM.
+ WCOWUVMReferenceInfoFile = "io.microsoft.virtualmachine.wcow.uvm-reference-info-file"
+
// HostAMDCertificate specifies the filename of the AMD certificates to be passed to UVM.
// The certificate is expected to be located in the same directory as the shim executable.
HostAMDCertificate = "io.microsoft.virtualmachine.lcow.amd-certificate"
diff --git a/pkg/securitypolicy/securitypolicy_test.go b/pkg/securitypolicy/securitypolicy_test.go
index cf5046b878..378629d706 100644
--- a/pkg/securitypolicy/securitypolicy_test.go
+++ b/pkg/securitypolicy/securitypolicy_test.go
@@ -1,6 +1,3 @@
-//go:build linux
-// +build linux
-
package securitypolicy
import (
diff --git a/pkg/securitypolicy/securitypolicyenforcer_rego.go b/pkg/securitypolicy/securitypolicyenforcer_rego.go
index 52a0cbf571..850f7ec133 100644
--- a/pkg/securitypolicy/securitypolicyenforcer_rego.go
+++ b/pkg/securitypolicy/securitypolicyenforcer_rego.go
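Review bot: The doc comment added for `WCOWUVMReferenceInfoFile` is a verbatim copy of the LCOW one and names the wrong identifier; use `// WCOWUVMReferenceInfoFile specifies the filename of a signed UVM reference file to be passed to a WCOW UVM.`. In the first hunk, `// WCOW SecurityPolicy is used ...` and `// WCOW SecurityPolicyEnforcer is used ...` should likewise begin with the actual names (`// WCOWSecurityPolicy ...`, `// WCOWSecurityPolicyEnforcer ...`), and the first says the policy is for "opengcs", which is the LCOW guest; if the WCOW policy is consumed by the gcs-sidecar, as the handlers.go hunks in this series suggest, the comment should say that. The const blocks continue outside both hunks.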
@@ -1,5 +1,5 @@
-//go:build linux && rego
-// +build linux,rego
+//go:build rego
+// +build rego
package securitypolicy
@@ -15,7 +15,10 @@ import (
"strings"
"syscall"
- "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/Microsoft/hcsshim/internal/guestpath"
+ "github.com/Microsoft/hcsshim/internal/log"
+ rpi "github.com/Microsoft/hcsshim/internal/regopolicyinterpreter"
+ "github.com/moby/sys/user"
oci "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
@@ -720,8 +723,8 @@ func (policy *regoEnforcer) EnforceCreateContainerPolicy(
"argList": argList,
"envList": envList,
"workingDir": workingDir,
- "sandboxDir": specGuest.SandboxMountsDir(sandboxID),
- "hugePagesDir": specGuest.HugePagesMountsDir(sandboxID),
+ "sandboxDir": SandboxMountsDir(sandboxID),
+ "hugePagesDir": HugePagesMountsDir(sandboxID),
"mounts": appendMountData([]interface{}{}, mounts),
"privileged": privileged,
"noNewPrivileges": noNewPrivileges,
From d58b8a2623394c05327384734228577b61a84c69 Mon Sep 17 00:00:00 2001
From: Kirtana Ashok <99994218+kiashok@users.noreply.github.com>
Date: Thu, 10 Apr 2025 15:13:21 -0700
Subject: [PATCH 05/20] gcs-sidecar: Squahsed following commits Amit's changes for cimfs (#35) Allow different types of boot configurations for WCOW UVM Add support for running confidential WCOW UVMs Initial changes to start a cwcow container working CWCOW container with ReFS formatting in UVM Some sidecar updates by Kirtana
Signed-off-by: Kirtana Ashok
Co-authored-by: Amit Barve
(cherry picked from commit 477dea5be5075cd304b9b21ff38541d417030b9c)
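Review bot: Relaxing the build constraint from `linux && rego` to `rego` makes the rego enforcer compile on Windows, but the import block still pulls in `syscall` and a user-lookup package (`github.com/moby/sys/user`) whose Linux-oriented APIs are the reason the file was Linux-only before; I can't see from the hunk how the remaining uses of those packages behave on Windows, so a `GOOS=windows` build and test run with the `rego` tag is worth confirming before this lands. The `securitypolicy_test.go` hunk in the previous file section drops its `linux` constraint the same way, so those tests now run on Windows too. EnforceCreateContainerPolicy starts and ends outside the last hunk.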
Signed-off-by: Kirtana Ashok --- cmd/containerd-shim-runhcs-v1/pod.go | 12 +- ...osofthcsshim\357\200\276\357\200\222-f qq" | 37974 ---------------- internal/gcs-sidecar/bridge.go | 1 - internal/gcs-sidecar/handlers.go | 72 +- internal/gcs-sidecar/uvm.go | 45 + internal/hcs/schema2/cimfs.go | 9 + internal/layers/wcow_mount.go | 87 +- internal/layers/wcow_parse.go | 57 +- internal/oci/uvm.go | 27 +- internal/protocol/guestresource/resources.go | 7 +- internal/uvm/cimfs.go | 90 + internal/uvm/combine_layers.go | 24 +- internal/uvm/create_wcow.go | 63 +- internal/uvm/start.go | 2 +- internal/wclayer/cim/block_cim_writer.go | 49 + internal/wclayer/cim/common.go | 5 +- internal/wclayer/cim/forked_cim_writer.go | 6 + internal/wclayer/cim/process.go | 6 + internal/wclayer/cim/registry.go | 50 + pkg/annotations/annotations.go | 8 +- .../libcontainer/user/lookup_deprecated.go | 81 - .../runc/libcontainer/user/user_deprecated.go | 146 - vendor/modules.txt | 1 - "\357\200\222-f" | 1 - 24 files changed, 504 insertions(+), 38319 deletions(-) delete mode 100644 "erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq" create mode 100644 internal/uvm/cimfs.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/user/lookup_deprecated.go delete mode 100644 vendor/github.com/opencontainers/runc/libcontainer/user/user_deprecated.go delete mode 100644 "\357\200\222-f" diff --git a/cmd/containerd-shim-runhcs-v1/pod.go b/cmd/containerd-shim-runhcs-v1/pod.go index 1d2551ee4d..6684529690 100644 --- a/cmd/containerd-shim-runhcs-v1/pod.go +++ b/cmd/containerd-shim-runhcs-v1/pod.go 
@@ -128,11 +128,15 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 layerFolders = s.Windows.LayerFolders
 }
 wopts := (opts).(*uvm.OptionsWCOW)
- wopts.BootFiles, err = layers.GetWCOWUVMBootFilesFromLayers(ctx, req.Rootfs, layerFolders)
- if err != nil {
- return nil, err
+ if !wopts.SecurityPolicyEnabled {
+ // When security policy is enabled SpecToUVMCreateOpts
+ // above sets up the BootFiles, otherwise we get boot
+ // files from the rootfs/layerfolders passed to us.
+ wopts.BootFiles, err = layers.GetWCOWUVMBootFilesFromLayers(ctx, req.Rootfs, layerFolders)
+ if err != nil {
+ return nil, err
+ }
 }
-
 parent, err = uvm.CreateWCOW(ctx, wopts)
 if err != nil {
 return nil, err
diff --git "a/erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq" "b/erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq"
deleted file mode 100644
index 4582acf83e..0000000000
--- "a/erskiashokgosrcgithub.comMicrosofthcsshim\357\200\276\357\200\222-f qq"
+++ /dev/null
@@ -1,37974 +0,0 @@
-commit 81dd14bd8d2d1596220d2558bd057402734d62a9 (HEAD -> gcs-sidecar-framework) -Author: Kirtana Ashok <99994218+kiashok@users.noreply.github.com> -Date: Thu Apr 3 09:27:33 2025 -0700 - - Add ResourceTypeMappedDirectory request (#32) - - Signed-off-by: Kirtana Ashok - (cherry picked from commit 2dc7c56ae9bd4d30f6abd96ba8c20bde9d846b3c) - Signed-off-by: Kirtana Ashok - (cherry picked from commit e4f5d4739858a3d3684a4f0acb9f0d6ac6f17adf) - Signed-off-by: Kirtana Ashok - -commit 918a60089edf8ef2c207d2156f3bf8691c9a1e89 -Author: Kirtana Ashok -Date: Mon Mar 24 09:59:29 2025 -0700 - - Add Block CIM mount and refs format support - - - Add new resource type and code needed - to support block cim mounts for hyperv wcow - - Add support to invoke refs formatter - - Signed-off-by: Kirtana Ashok - (cherry picked from commit 5e48feece5ad357ca8decae49698054e75f867d9) - 
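Review bot: When `wopts.SecurityPolicyEnabled` is true, nothing on this path checks that `wopts.BootFiles` was actually populated before `uvm.CreateWCOW(ctx, wopts)`; the new comment defers to `SpecToUVMCreateOpts` above, which is outside the hunk, so a missing or misconfigured boot-file set would surface only inside UVM creation, if at all. A guard ahead of the call, along the lines of `if wopts.SecurityPolicyEnabled && wopts.BootFiles == nil { return nil, fmt.Errorf("security policy enabled but no UVM boot files configured") }` (adjusted to how BootFiles is typed and to the file's error helper), fails early with a message that names the cause. The blank line removed before the `CreateWCOW` call now leaves the guard and the call visually joined; restoring it is a matter of style. `createPod` continues outside the hunk.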
Signed-off-by: Kirtana Ashok - -commit 9843bfba982c0d421a44e866a3ab1f37fa565447 -Author: Kirtana Ashok -Date: Thu Apr 24 14:06:30 2025 -0700 - - Build break - - Signed-off-by: Kirtana Ashok - -commit 88f598f76ad15ff397a47baba478ff4f4c9c7b97 -Author: Kirtana Ashok -Date: Wed Apr 23 08:15:46 2025 -0700 - - WIP: cleanup fsformatter invoker - - Signed-off-by: Kirtana Ashok - -commit df342a3cea1899b42ae591592aa728580d212281 -Author: Kirtana Ashok -Date: Mon Apr 21 09:48:24 2025 -0700 - - gcs-sidecar framework - - Signed-off-by: Kirtana Ashok - -commit 92b788140f629159b6f29afdec25b4e0fcd59323 -Author: Kirtana Ashok -Date: Mon Apr 21 12:41:37 2025 -0700 - - Refactor common bridge protocol code for reuse - - - Move common bridge protocol definitions to subpackage - under internal/gcs - - Move helper functions to internal/bridgeutils pkg - so that they can be used by gcs-sidecar as well - - 
Signed-off-by: Kirtana Ashok - -commit 7084bd2fa445d83629a67a91ff4e072517a11f04 (origin/main, origin/HEAD, main) -Author: Maksim An -Date: Mon Apr 21 10:49:13 2025 -0700 - - rego policy enforcer should use the same user parsing logic as GCS (#2405) - - This PR fixes a discrepancy between user info handling between - GCS and rego policy enforcer. For example, GCS doesn't require the - user/group to exist in container's /etc/passwd and /etc/group - and has a fallback to UID and GID 0, when the user is absent. - Rego enforcer's `GetUserInfo`, however, always tries to - lookup user/group in /etc/passwd and /etc/group and returns - an error when the UID doesn't exist. This behavior is inconsistent - with non confidential LCOW workloads and fixed in this PR. - - To avoid circular imports, the spec.go and spec_devices.go under - `internal/guest/runtime/hcsv2` have been moved under - `internal/guest/spec` and the dependent code updated accordingly. - As a result a bunch of methods are now exported, but still under - `internal`, so this shouldn't cause problems. - - User parsing has been updated and split into `ParseUserStr`, which - returns UID and GID for a given `username` string and `SetUserStr`, - which just sets the UID and GID for the OCI process. - - Rego enforcer's `GetUserInfo` now prioritizes the result of - `ParseUserStr` and fallbacks to the previous behavior of UID/GID - lookup in container's filesystem. - - 
Signed-off-by: Maksim An - -commit a5c5b4c46f51ec5481421b2ebf824cea2bc66ba0 -Author: Hamza El-Saawy -Date: Mon Apr 21 11:31:42 2025 -0400 - - Deps/crypto vulnFix golang.org/x/crypto vulnerability (#2416) - - * Fix `golang.org/x/crypto` & `/net` vulnerabilities - - Update `golang.org/x/crypto` and`golang.org/x/net` to fix reported - vulnerabilies. - (This update requires `go1.23`, so updated that in `go.mod`). - - Also update other `golang.org/x/` modules. - - PRs: - - 2418 - - 2417 - - 2415 - - 2414 - - 2411 - - 2409 - - 2408 - - 2396 - - 2395 - - NOTE: **This commit only has updates to `go.mod`.** - - Signed-off-by: Hamza El-Saawy - - * `go.sum` and vendor updates - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit a00144a51864f1068148efbe9bb89516ea4934b6 (mahati/main, mahati/HEAD) -Author: Amit Barve -Date: Wed Apr 9 13:13:13 2025 -0400 - - Add support for running confidential WCOW UVMs - - Initial changes to allow creating confidential WCOW UVMs. uvmboot tool is also updated for - easier command line testing of confidential UVMs. - - Signed-off-by: Amit Barve - -commit 5def1d7e26fee3525c1842221e265a40efabded2 -Author: Amit Barve -Date: Wed Apr 9 13:13:13 2025 -0400 - - Allow different types of boot configurations for WCOW UVM - - Currently WCOW UVM only support booting with VmbFS and legacy layers. However, we are - adding support for booting the UVM with BlockCIM layers. This commit updates the - WCOWBootFiles struct to support different boot configurations. - - Signed-off-by: Amit Barve - -commit b4e07445e062c54f4c0a08682cec322135a92613 -Merge: d7e384230 e5f8fd835 -Author: Maksim An -Date: Wed Apr 9 14:24:53 2025 -0700 - - Merge pull request #2406 from anmaxvl/privileged-pause - - tooling: allow pause container to be run in privileged mode - -commit e5f8fd83592962bf2a089cc5ca949224eaf88480 -Author: Maksim An -Date: Tue Apr 1 11:20:37 2025 -0700 - - tooling: allow pause container to be run in privileged mode - - 
Signed-off-by: Maksim An - -commit d7e384230944f153215473fa6c715b8723d1ba47 (hcsshim/master, hcsshim/kirtana/wcow-block-cim, hcsshim/HEAD) -Author: Maksim An -Date: Mon Mar 17 09:42:02 2025 -0700 - - feature: cross-container named pipes (#2358) - - * feature: cross-container named pipes - - Add new "uvm://" mount prefix to support cross-container - pipes for Xenon WCOW containers. For now, it's a WCOW-only - feature, while the Linux work is being prototyped. - - Additionally, extend the logic of `GetContainerPipeMapping` to - also handle cross-container pipes within the UVM. The syntax - similar to sandbox mounts: - - ``` - { - "host_path": "uvm://\\\\.\\pipe\\uvmPipe", - "container_path": "\\\\.\\pipe\\containerPipe" - } - ``` - - Containers sharing the pipe need to have the same "host_path". - - refactor how named pipes are parsed and added for WCOW. - - `setupMounts` will now try to parse mount source as a named pipe - for both process isolated and hyper-v isolated containers. - The mapped pipes will be tracked under `namedPipeMounts` and - later added to HCS container doc. - - go mod tidy in test directory - --------- - - 
Signed-off-by: Maksim An - -commit 62ddb129f044a01c4938e64c741ba243fea89fc6 (upstream-hcshsim/ms/release/0.1, upstream-hcshsim/main, upstream-hcshsim/HEAD, hcsshim/ms/release/0.1, adoshim/dev/kiashok/update-ms-rel-0.1, adoshim/dev/kiashok/ms/release/0.1, dev/kiashok/pipeline-ms-rel-0.1) -Author: Maksim An -Date: Mon Mar 3 10:50:44 2025 -0800 - - HvSocket support for containers (#2353) - - * HvSocket support for containers - - Applications connecting from the host into the container should use - container-specific VMID. This ID will need to be the same as the - container's VMID inside the guest, which is calculated by HCS/GCS - like it's done in this PR by `HCSIDToGUID`. - - To allow the container ID to work with HvSocket on the host, we - need to set up an AddressInfo mapping to tell HvSocket to redirect - the call into the UVM, which is done in this PR by default for - all WCOW containers. - - Add internal `hvsocketaddr.exe` tool that clients can use to generate - VM ID for container. - - Add a generic function for creating HvSocket address info mapping. - - export a function that creates a mapping for containers only. - - --------- - - Signed-off-by: Maksim An - Co-authored-by: Kevin Parsons - -commit fa9d402bce734aa3031fd7db1c9c997c3448cb78 -Author: Maksim An -Date: Thu Feb 27 19:36:02 2025 -0800 - - ci: fix golangci-lint config (#2387) - -commit a3c0edf1b6bea7b95f96680c88108a56e41f11b6 -Author: Maksim An -Date: Thu Feb 13 13:44:38 2025 -0800 - - github-actions: update lint action (#2379) - - * github-actions: update lint action - - seems like something broke with newer golang versions. - - Update golangci-lint version and set `only-new-issues` to `true`. - - Signed-off-by: Maksim An - - * lint: fix lint errors - - Signed-off-by: Maksim An - - --------- - - 
Signed-off-by: Maksim An - -commit b9fc67d6189cc2c0921eb67e4b61401eb96832e2 -Author: Jie Chen -Date: Tue Feb 11 09:49:23 2025 -0800 - - Revert "Enabled Linux UVM tests to run on 1ES github runner pool" - - This reverts commit e5c83a121b980b1b85f4df0813cfba2d83572bac. - - The OIDC authentication is failing for PRs from external contributors because the id-token write permission is not granted to forked repos. Disabling the Linux UVM tests for now until it is fixed. - - Signed-off-by: Jie Chen - -commit e5c83a121b980b1b85f4df0813cfba2d83572bac -Author: Jie Chen -Date: Tue Jan 21 09:54:57 2025 -0800 - - Enabled Linux UVM tests to run on 1ES github runner pool - - Skipped uvm plan9 test until azurelinux rootfs is fixed - - Signed-off-by: Jie Chen - -commit 56e7aa82c4da7a2241756c2ca56f824a8bfa15e6 -Author: Kathryn Baldauf -Date: Thu Jan 30 10:15:54 2025 -0800 - - Fix TestLCOW_IPv6_Assignment functional test (#2359) - - * Previously we were just using the IPAM routes configured earlier in the test, - * but this causes an error since the IPAM route will append the scope identifier - * at the end of IPv6 routes' NextHop. - - Signed-off-by: Kathryn Baldauf - -commit 9e50c9b5c3999ed2db783059ff3c4711e43b8096 -Author: Jie Chen -Date: Tue Jan 28 16:40:27 2025 -0800 - - Fix duplicate artifact name in github CI - - Signed-off-by: Jie Chen - -commit 24ef284ce6c57c5cdf915c8a86d592ce41083cd9 -Merge: 8d81359dc 367ccd5ed -Author: Jie Chen -Date: Tue Jan 28 13:10:30 2025 -0800 - - Merge pull request #2365 from jiechen0826/skip_hvsock_functional_tests - - Skip HVSock_* flaky tests until they are fixed - -commit 367ccd5ed6560d3b09b5463131235cf2a4e1697e -Author: Jie Chen -Date: Tue Jan 28 09:18:02 2025 -0800 - - Skip HVSock_* flaky tests until they are fixed - - 
Signed-off-by: Jie Chen - -commit 8d81359dc374e39d9edd63639a0402fbbea694f9 -Author: Kathryn Baldauf -Date: Wed Jan 15 12:55:51 2025 -0800 - - Add support for HCN v2 endpoint and add unit tests (#2343) - - * Add support for HCN v2 endpoint and add unit tests - * switch to HCN v2 endpoint API instead of HNS v1 endpoint API - * Support parsing routes in GCS when we setup the network interfaces - * [breaking] update gcs bridge LCOW network adapter type with new fields that better - align with v2 endpoint - * Add unit tests for new GCS side changes - * Add legacy policy based routing for lcow and an annotation to toggle use - - Signed-off-by: Kathryn Baldauf - - --------- - - Signed-off-by: Kathryn Baldauf - -commit bac751f6dc7337d8cfc37528b3ce5acc4b5987b6 -Merge: 20e8795e2 c38d4366a -Author: Jie Chen -Date: Tue Jan 14 10:31:58 2025 -0800 - - Merge pull request #2338 from microsoft/jiechen3/github_runner - - Enable Windows UVM functional tests - -commit c38d4366a501294c0be7d1157f87d643c01f0783 -Author: Jie Chen -Date: Thu Jan 9 15:45:18 2025 -0800 - - Enabled Windows UVM tests to run on 1ES Github Runner Pool - - Co-authored-by: Hamza El-Saawy - Signed-off-by: Jie Chen - -commit 20e8795e2765d37014ebe5d3048c186b5ddd38fa (tag: v0.13.0-rc.3) -Author: Hamza El-Saawy -Date: Fri Jan 10 15:24:56 2025 -0500 - - Omnibus dependabot update (#2347) - - * Omnibus dependabot update - - Consolidate and resolve the dependabot PRs (mostly handle nested - module): - - - 2267 - - 2296 - - 2307 - - 2315 - - 2323 - - 2324 - - 2333 - - 2334 - - 2335 - - 2336 - - 2339 - - 2340 - - 2341 - - 2345 (https://github.com/microsoft/hcsshim/security/dependabot/113) - - 2346 (https://github.com/microsoft/hcsshim/security/dependabot/115) - - Two commits: first is core updates, second is module tidy and vendor, - along with (protobuf) file regen. - - 
Signed-off-by: Hamza El-Saawy - - * go mod tidy and vendor, protobuf update - - Replace deprecated `github.com/opencontainers/runc/libcontainer/user` - with `github.com/moby/sys/user` (which it is an alias for). - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit 36c11610a8c78b7176062c012cf5bc30f5c774d3 -Author: Hamza El-Saawy -Date: Thu Jan 9 17:51:24 2025 -0500 - - Use abs path to testing binary (#2344) - - * Use abs path to testing binary - - Use the full path to the `functional.test.exe` binary when sharing into - the uVM or container for the `TestHVSock_*` test cases in - `test\functional\hvsock_test.go` to prevent vSMB share issues. - - Otherwise, `os.Args[0]` will return the path that the tests were run - with (e.g., `.\functional.test.exe`), which can cause vSMB to fail with - `The parameter is incorrect.` (likely because it cannot find the current - file). - - Signed-off-by: Hamza El-Saawy - - * PR: bug fix - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit d9a4231b9d7a03dffdabb6019318fc43eb6ba996 -Merge: f234e83a3 bacda3961 -Author: Kevin Parsons -Date: Tue Dec 17 11:31:09 2024 -0800 - - Merge pull request #2327 from kevpar/compat-ws2025 - - osversion: Add new versions, fix compat bug, improve tests - -commit f234e83a39219dadb30902bd4c6880639b3b3538 -Author: Amit Barve -Date: Tue Dec 17 10:41:43 2024 -0500 - - Use Block CIM layers for container RootFS - - This commit adds the ability to parse block CIM layer mounts and to mount the merged block - CIMs to be used as a rootfs for a container. - - 
Signed-off-by: Amit Barve - -commit dd7420482d99f61884eb9d550594599b980b2c91 -Author: Amit Barve -Date: Tue Dec 17 10:41:38 2024 -0500 - - Add LayerWriter for block CIMs - - This commit adds a layer writer that can be used for extracting an image layer tar into a - Block CIM format. - - Existing forked CIM layer writer was renamed to a common base type `cimLayerWriter`. - Forked CIM layer writer & Block CIM layer writer both now extend this common base type to - write layers in that specific format. - - This commit also removes some code that used `time.Now()` as the default timestamps for - some files that it creates within the layer CIM. These timestamps cause differences in the - layer CIMs generated from the same layer tar. This change fixes that. - - Signed-off-by: Amit Barve - -commit ccb51aa79b2eb946274395a20e9319b6ea8f3cfe -Author: Amit Barve -Date: Tue Dec 17 10:41:31 2024 -0500 - - Block CIM types and new CimFS API wrappers - - CimFS now supports a new format for storing CIMs, named BlockCIM. A block CIM format can - store the entire CIM on a block device (like a VHD) or a file formatted like a block - device. - - This commit adds Go wrappers for the new CimFS APIs that allow creation, merging and - mounting of such Block CIMs. Some new flags required when creating and mounting these CIMs - are added and some deprecated flags have been removed. New type has been introduced to - represent a block CIM. Unit tests have been added to test the newly added CimFS - functionality. Lastly, CimFS flags aren't a part of the hcs schema (only the CimMount - request is), those flags are moved from the hcs/schema2 package to the cimfs package. - - 
Signed-off-by: Amit Barve - -commit 0d6d57252a69cd5ffb7a46b8b4a1201e875b3b93 -Author: Amit Barve -Date: Tue Dec 17 10:41:31 2024 -0500 - - Remove unnecessary cim mount cache - - Currently we have a map which maintains a mapping of CIM & containerd ID to the volume at - which a CIM is mounted for the given container. This was required before the layer - refactoring work when we needed to get the volume path from the layer cim path. However, - this isn't needed anymore. As of now, this map doesn't provide much value and makes the code a - bit complicated. Moreover, we will need to rewrite some of this code anyway when we do the work - required for handling `shim delete` cleanups properly (https://github.com/containerd/containerd/issues/9727). - - Signed-off-by: Amit Barve - -commit 1a8c2e3ba7d5fc1ecdb708e1ef623597574432c9 -Merge: ca5ca6e7e e0e242309 -Author: Kevin Parsons -Date: Wed Dec 11 09:56:57 2024 -0800 - - Merge pull request #2330 from kevpar/spanfix - - octtrpc: Fix span status defer, add tests - -commit ca5ca6e7ed80f8e8c7ae9f083c9c5db0b3921498 -Author: Mahati Chamarthy -Date: Thu Dec 5 19:16:42 2024 +0000 - - Fix path in security policyenginesimulator sample (#2329) - - 
Signed-off-by: Mahati Chamarthy - -commit 66a6fc14923487cb8d8656abd2af1ea53225e45b -Merge: b0b5a0c68 db9d4e44b -Author: Kevin Parsons -Date: Tue Nov 26 14:19:26 2024 -0600 - - Merge pull request #2326 from kevpar/fix-gomod - - Fix go.mod to have the correct Go version - -commit e0e2423096779446ad46fc1022124c3ec5c6197d -Author: Kevin Parsons -Date: Mon Nov 25 15:20:34 2024 -0800 - - octtrpc: Fix span status defer, add tests - - It turns out for years that the autogenerated TTRPC spans have not been - marked correctly if the call failed. This is because defers evaluate - their arguments immediately, rather than at the deferred execution time. - Fix this by changing err from an argument to the defer, to a variable - evaluated inside the defer. - - Also adds tests for octtrpc client and server interceptors. - - Signed-off-by: Kevin Parsons - -commit bacda3961da2630b0b7fecafe801905c9dcca93b -Author: Kevin Parsons -Date: Mon Nov 25 15:05:58 2024 -0800 - - osversion: Add new versions, fix compat bug, improve tests - - - Add V23H2 (annual channel) and LTSC2025 to the version list - - Use the LTSC build naming in the compat checks and tests, to make - intent clearer - - Fix a bug in the compat check. A given LTSC release should be able to - run everything from the previous LTSC up to itself - - Add new test cases, including for the fixed compat check bug - - Change the tests to use t.Run for each test case - - Signed-off-by: Kevin Parsons - -commit db9d4e44bcde8e0b0b4d4d54845bfe4bdc092caf -Author: Kevin Parsons -Date: Mon Nov 25 10:45:52 2024 -0800 - - Fix go.mod to have the correct Go version - - As of recent Go versions, specifying the go directive without a patch - (e.g. 1.22) is no longer supported. Because go tries to download a - matching toolchain if you're not already using one, it will try to - download go toolchain version 1.22, which doesn't exist (1.22.0 does). - - Fix the go.mod version to specify the full version with patch, 1.22.0. - - 
Signed-off-by: Kevin Parsons - -commit b0b5a0c6843178b3ee8c9655621fcf05c4087d4e -Author: Kathryn Baldauf -Date: Mon Nov 25 10:55:25 2024 -0800 - - Add build version block for pod CPU limits updating (#2321) - - Signed-off-by: Kathryn Baldauf - -commit 9cf7c1c7e7cd1d9f241709f97a76cb72a6830b22 -Author: Maksim An -Date: Mon Nov 18 17:03:55 2024 -0800 - - remove dmverity-vhd code and release pipeline (#2318) - - dmverity-vhd code was moved to a separate repo, - this PR removes the binary and release pipeline - associated with it. - - Signed-off-by: Maksim An - -commit c65b7892d7994291dd99c298931ecb624704b36b -Author: Kathryn Baldauf -Date: Mon Nov 4 14:47:24 2024 -0800 - - Fix issue with mask length of gatway addresses that are out of the (#2305) - - interface's subnet - * See documentation at https://pkg.go.dev/net#ParseIP - - Signed-off-by: Kathryn Baldauf - -commit 1c29e9d8cc4c7a01060caf8ab5c337c11df34292 -Author: Maksim An -Date: Thu Oct 31 16:47:01 2024 -0700 - - add `longPathAware` to shim manifest (#2303) - - Depending on the version of Go used to build the shim binaries - the process may or may not be long path aware, for example MS Go - removed it https://github.com/microsoft/go/commit/af3d04ecaf07be0e0f37ccfda756a2279047aab3. - - Microsoft recommends adding long path support through manifest - https://learn.microsoft.com/en-us/windows/win32/fileio/maximum-file-path-limitation?tabs=registry#enable-long-paths-in-windows-10-version-1607-and-later - - Signed-off-by: Maksim An - -commit 1b095260edf2f8396896e96df504261176d30e19 (upstream-hcshsim/kevpar/hcsshim, origin/kevpar/hcsshim) -Author: Kirtana Ashok -Date: Mon Oct 28 10:50:11 2024 -0700 - - Switch to using containerd/errdefs/pkg/errgrpc for grpc translation - - Signed-off-by: Kirtana Ashok - -commit 0269ad38a0fbfe6188458153b4af42465fd16ae8 -Author: Kirtana Ashok -Date: Mon Oct 28 10:32:59 2024 -0700 - - Update go version to 1.22 - - 
Signed-off-by: Kirtana Ashok - -commit 11e1033a45b19e2fae15981275696e2e8f84d5e2 (tag: v0.13.0-rc.2) -Merge: 677a76a59 4cd6fef63 -Author: Kathryn Baldauf -Date: Fri Oct 18 15:12:17 2024 -0700 - - Merge pull request #2293 from dmcgowan/update-containerd-1.7.23 - - Update containerd to v1.7.23 - -commit 4cd6fef63241324078e1431be3e0fe8168f247e5 -Author: Derek McGowan -Date: Mon Oct 14 14:37:13 2024 -0700 - - Update containerd to v1.7.23 - - Signed-off-by: Derek McGowan - -commit 677a76a59a9be164621448efdf3e30d0d0aa6cc2 -Merge: e78ef44f6 ffe8282eb -Author: Kathryn Baldauf -Date: Mon Oct 14 08:44:04 2024 -0700 - - Merge pull request #2279 from katiewasnothere/user/kabaldau/fix_parse_devices - - Fix parse pod devices to not include invalid devices - -commit e78ef44f61098d395a4dbea1ca84c87455fa8cd9 -Author: Heather Garvison -Date: Tue Oct 8 19:25:57 2024 -0400 - - Update dmverity tool to take a directory as input to create a VHD (#2274) - - update dmverity tool to take data tar as input to create a verity VHD - - Signed-off-by: Heather Garvison - -commit 514a8b7637b64aed0108409ab2722c042caa552d -Author: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> -Date: Tue Oct 8 09:13:22 2024 -0700 - - Fixing typo (#2287) - - 
Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - -commit 1d69a9c658655b77dd4e5275bff99caad6b38416 -Author: Maksim An -Date: Tue Oct 1 14:04:53 2024 -0700 - - scsi: relax mount re-use constraint (#2280) - - This is to fix a case with shared scratch enabled where the pause - container scratch and workload container scratch should be the same - mountpoint. This effectively changes the SCSI mount logic to have - the same semantics as before the SCSI refactor, which mainly affected: - * where the `runc` config.json for a container is written - * scratch encryption - The old semantics ensured that the scratch (in a shared scratch case) - is encrypted only once and also ensured that runc config.json for a - given container is written to a unique location: either container's - scratch (when scratch isn't shared) or tmpfs (when scratch is shared). - - As before, the eventual hope is to remove guestPath support, and - always generate a path, but that requires more extensive work to pass - this path to the GCS. - - Signed-off-by: Kevin Parsons - Signed-off-by: Maksim An - Co-authored-by: Kevin Parsons - -commit c6e7159431112fe8949824eef4e7e884fe648266 -Merge: e1b4506e2 3b7c087db -Author: Kevin Parsons -Date: Fri Sep 27 16:57:47 2024 -0500 - - Merge pull request #2278 from kevpar/scsi-mount-fix-2 - - scsi: Support optional guest path for mount, add tests, refcount fix - -commit 3b7c087db13be3514524d6a736fc6f84ffc1259c -Author: Kevin Parsons -Date: Fri Sep 27 11:50:24 2024 -0700 - - scsi: Add tests and fix refcount bug - - Adds various tests to the SCSI manager code. As part of this testing, - a bug tracking attachment refcounts was also found. The attachment - refcount is increased every time a new top-level request comes in, even - if an existing mount is re-used. This means that the attachment refcount - should also be decremented every time one is released, even if the mount - refcount is not at 0. - - 
Signed-off-by: Kevin Parsons - -commit ffe8282ebe4441c51813f9130059d9e2efd6bbe3 -Author: Kathryn Baldauf -Date: Fri Sep 27 14:03:54 2024 -0700 - - Fix parse devices to not include invalid device - - Signed-off-by: Kathryn Baldauf - -commit c1d649299c57828e494dc743c99e32a53d22a0b1 -Author: Kevin Parsons -Date: Fri Sep 27 11:23:53 2024 -0700 - - scsi: Take optional guest path for mount - - Currently the SCSI mount manager will generate a new path for each new - mount, based on a format string that it is instantiated with. However, - it turns out some code in the GCS (e.g. sandbox mounts) assumes that the - container scratch is mounted at a certain path. The long-term best - solution here is probably to pass what paths to use explicitly to the - GCS, but that would be more impactful. We need a more contained fix. - - This commit addresses the issue by allowing an optional guest path to be - given for a SCSI mount. The mount manager has been changed as follows: - - If a guest path is not supplied: The mount can re-use (refcount++) any - existing mount with the same controller/lun/options. If a new mount is - created, the mount manager will generate a path for it. - - If a guest path is supplied: The mount can re-use (refcount++) any - existing mount with the same controller/lun/guestpath/options. If a - new mount is created, the mount manager will use the supplied path for - it. - - Accordingly, code calling into the mount manager has been updated to - pass an empty string for the guest path. The exception to this is the - LCOW layer mounting code, which will pass an explicit guest path for the - scratch disk. As far as I know, WCOW does not depend on a specific path - for its scratch disk. - - 
Signed-off-by: Kevin Parsons - -commit e1b4506e26dd587d3e27682560c5a1d68a70c96d -Author: Maksim An -Date: Thu Sep 26 09:46:02 2024 -0700 - - fix: verity boot overrides SCSI config (#2262) - - When creating HCS doc for SNP UVM with verity boot, the SCSI - controllers are overriden to always have only a single SCSI - controller. This limits the max number of container layers to - 64. - - Signed-off-by: Maksim An - -commit 16dc8eba1e3036be4109725203b649ab777dcdaf -Author: Takuro Sato -Date: Wed Sep 25 18:31:49 2024 +0100 - - Make tar2ext4 deterministic with files without parent dir in tar (#2270) - - Make tar2ext4 deterministic with files without parent dir in tar - - Signed-off-by: Takuro Sato - -commit 0b833ccebb7ec414cc33d3ac0fe3424d459abd14 -Merge: e55a82b1c 89620dc26 -Author: Kathryn Baldauf -Date: Wed Sep 11 15:28:34 2024 -0700 - - Merge pull request #2220 from katiewasnothere/kabaldau/guest_caps - - Refactor guest defined capabilities - -commit e55a82b1c962d666c68df8acb76bb311cd0a69db -Merge: 31569925b 512aaa21c -Author: Kathryn Baldauf -Date: Wed Sep 11 11:16:14 2024 -0700 - - Merge pull request #2249 from katiewasnothere/kabaldau/fabric_manager_config - - Support passing in fabric manager config - -commit 89620dc2614857f45ae16aea29d79ab8270c51f1 -Author: Kathryn Baldauf -Date: Mon Jul 29 17:35:16 2024 -0700 - - Refactor guest defined capabilities - - Signed-off-by: Kathryn Baldauf - -commit 31569925b06a13530a7b6f2b6cc7bdefd6f3bbca -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Sep 10 10:13:18 2024 -0400 - - Omnibus dependabot update: (#2260) - - - hcsshim/2259 - - hcsshim/2258 - - hcsshim/2257 - - hcsshim/2256 - - hcsshim/2255 - - hcsshim/2254 - - hcsshim/2253 - - hcsshim/2247 - - hcsshim/2227 - - Also, update `github.com/Microsoft/cosesign1go` to retract the - `github.com/veraison/go-cose@v1.2.0` implicit import. - - 
Signed-off-by: Hamza El-Saawy - -commit ca3f8b3b51fdae0114f6a5879289edac76d8153c -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Sep 9 16:43:00 2024 +0000 - - Bump google.golang.org/grpc from 1.65.0 to 1.66.0 in /test (#2252) - -commit a4215dc7b31e6e1c3bed4a134e7a9a0109c7b7bb -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Sep 9 16:03:34 2024 +0000 - - Bump golang.org/x/sync from 0.7.0 to 0.8.0 in /test (#2230) - -commit ddf0556bc7b3daab940b8d1aa8a88371a637b09d -Merge: d2836fb99 291d13e7a -Author: Kathryn Baldauf -Date: Thu Sep 5 14:31:34 2024 -0700 - - Merge pull request #2248 from katiewasnothere/kabaldau/fix_device_wait - - Fix no such device error when getting device filesystem - -commit 291d13e7af01f5f6d6c86001ee961cd91804eba1 -Author: Kathryn Baldauf -Date: Fri Aug 23 15:42:21 2024 -0700 - - Fix no such device error when getting device filesystem - * os.Stat does not open the file. We're seeing issues where after stat'ing the device path in /dev, we get the error from _getDeviceFsType "No such device or address", aka ENXIO, when trying to open the device to read the superblock. - * Change os.Stat call to os.Open when waiting for the /dev device to show up to ensure we can successfully open the device later. - - Signed-off-by: Kathryn Baldauf - -commit d2836fb99ff0ad3c25343b3c1163f6542fec4c1a -Merge: f80cf917a bf239f668 -Author: Kathryn Baldauf -Date: Wed Aug 28 10:09:51 2024 -0700 - - Merge pull request #2234 from hgarvison/main - - Update dmverity tool to fix bug where hdv creation fails - -commit 512aaa21c168604b70bb3ac8c4743ebe98fa871d -Author: Kathryn Baldauf -Date: Tue Aug 27 13:50:51 2024 -0700 - - Support passing in fabric manager config - * Allows the ability to customize log file path, log rotation, and more - - 
Signed-off-by: Kathryn Baldauf - -commit f80cf917a3963e05f86327149fb2abe36fcde6c0 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Aug 27 14:58:09 2024 -0400 - - Add `.clang-format` and format C files (#2246) - - Add `.clang-format` file that can be used directly by the clang - formatter or by the Microsoft C/C++ VSCode extension. - Style based on Microsoft default style guide, but update brace and case - indentation settings to match current files better (as well as Go code). - - Run formatter on `init\init.c` and `vsockexec\vsockexec.c`. - Changes mostly with brace position, spacing, indentation, and pointer - alignment. - - Signed-off-by: Hamza El-Saawy - -commit 59e8375cfad4883ea18bc75b765bc4cb64cb7b6b -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Aug 27 11:39:30 2024 -0400 - - Add and updateCodeQL suppression (#2245) - - Microsoft CodeQL analyzer's suppression format is slightly different - than GitHub's, and expects the suppression comment to be one line. - Update suppression comments in `pkg\ociwclayer\import.go` to conform. - - Suppress warnings for "uncontrolled process operation" in `init\init.c` - and `vsockexec\vsockexec.c`. - Suppress "incorrect conversion between integer types" in - `internal\jobobject\limits.go`, and add fix to - `internal\guest\runtime\hcsv2\uvm.go`. - - 
Signed-off-by: Hamza El-Saawy - -commit 1e97fa626c65df43f7619083b68d32b9717b6e59 -Merge: 925fb1e04 41c6cb0b2 -Author: Kathryn Baldauf -Date: Fri Aug 23 15:24:13 2024 -0700 - - Merge pull request #2240 from katiewasnothere/kabaldau/support_ko_xz_ext - - Add support for kernel modules files ending in .ko.xz - -commit 41c6cb0b2866991c2a5b1af8b343aca9f74f89bc -Author: Kathryn Baldauf -Date: Tue Aug 20 17:07:56 2024 -0700 - - Add support for kernel modules files ending in .ko.xz - * Azure linux provides compressed kernel modules in files by default for some modules. - This PR adds support for both compressed and uncompressed module files. - - Signed-off-by: Kathryn Baldauf - -commit 925fb1e0442cd5f1a74d1fc5d9417247f48a7d2f -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Aug 23 15:54:57 2024 -0400 - - Consolidate Go installation step (#2244) - - Create composite action to call `actions/setup-go` with common values - and logic across different jobs and workflows to reduce duplication and - make sure workflows all use the same Go version. - - Specifically, the action defaults to `oldstable` for the Go version, - uses both `go.sum` and `test/go.sum` for the cache dependency, and - allows pre-filling the Go module cache after installing Go. - - It exposes the same outputs as `actions/setup-go` as well. - - 
Signed-off-by: Hamza El-Saawy - -commit e7a1be7061b457cea9b70f8b3a917e3cc8a33796 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Aug 23 10:15:11 2024 -0400 - - Filter vendor and test CodeQL results (#2243) - - Skip scanning for files under the `test/` or `vendor/` directories, or - for `_test.go` files. - - Neither the Go or C/C++ CodeQL scanning support the `path-ignore` config - options, raising the warning: - ``` - Path filters have no effect for Go - Go does not support path-based filtering. The paths and paths-ignore configuration properties will have no effect for this language. - ``` - - Use the recommended `advanced-security/filter-sarif` action to instead - filter results, based on [provided - example](https://github.com/advanced-security/filter-sarif?tab=readme-ov-file#example). - - Remove the config file since there is nothing to configure. - - Additionally, build the `securitypolicy.exe` and `dmverity-vhd` binaries - during CodeQL, and `securitypolicy` during the normal build CI. - - Signed-off-by: Hamza El-Saawy - -commit 00640ef8d7dff66019c2b06278a0581c933e0515 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Aug 22 14:42:04 2024 -0400 - - Use `atomic` types instead of raw values (#2241) - - Per Go documentation recommendation (e.g. - [link](https://pkg.go.dev/sync/atomic#AddUint64)), use the `atomic` - types and their associated methods instead of the - `atomic.Add*`/`.Store*` functions. - - This makes the intent for atomic access clearer, prevents (accidental) - non-atomic access, and (for boolean variables) simplifies code. - - 
Signed-off-by: Hamza El-Saawy - -commit e2a2b5f4e2a70d0b41f5f0f70b49587cf15917ec -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Aug 22 12:54:39 2024 -0400 - - Configure advanced codeql.yml scanning (#2242) - - It appears GH doesn't recognize our CodeQL pipeline and attempts to run - its own default version. - Rename the workflow to conform to what GH expects of the standard - "advanced setup" for CodeQL, with some minor updates: - - run on `release/*` branches - - use the recommended job permissions - - explicit `manual` build mode - - use `c-cpp` instead of `cpp` - - add a `codeql-config` file to ignore the test and vendor directories - - Based on recommendations here, which simple create the appropriate - workflow: - https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning-with-codeql-at-scale - - Signed-off-by: Hamza El-Saawy - -commit 4f3da95b5b48f6c340cbed6f5fcca107216125b4 -Merge: 008474976 327e53588 -Author: Kathryn Baldauf -Date: Tue Aug 20 12:00:44 2024 -0700 - - Merge pull request #2239 from katiewasnothere/kabaldau/check_exist_modules_dir - - Remove kernel panic when kmod load fails - -commit 327e53588be2d777630234e0da5d4836fceca577 -Author: Kathryn Baldauf -Date: Mon Aug 19 20:25:38 2024 -0700 - - Remove kernel panic if ftw returns an error - - Signed-off-by: Kathryn Baldauf - -commit 008474976972163ac32a39fc12111a95c66ae428 -Author: Davanum Srinivas -Date: Wed Aug 14 18:24:14 2024 -0400 - - drop usage of deprecated package/methods - - Signed-off-by: Davanum Srinivas - -commit 56e8cf904ce1b0e4391ce7ca8d1ea8b80aa80d34 -Author: Davanum Srinivas -Date: Wed Aug 14 18:12:10 2024 -0400 - - drop usage of deprecated package/methods - - 
Signed-off-by: Davanum Srinivas - -commit 9b0599b0bb93f6f5b546b09bfb4cab6221ff16b4 -Author: Davanum Srinivas -Date: Wed Aug 14 17:47:13 2024 -0400 - - Bump opa/containerd to latest versions - - Signed-off-by: Davanum Srinivas - -commit ba6e8eaf1851250a44ec179727760b15cee48899 -Merge: a8ef0c488 07fea0dc9 -Author: Kathryn Baldauf -Date: Wed Aug 14 14:31:44 2024 -0700 - - Merge pull request #2231 from katiewasnothere/kabaldau/sort_endpoints - - Sort the endpoints such that eth0 is first - -commit 07fea0dc90880a4543f1f83e60784cacf055874f -Author: Kathryn Baldauf -Date: Mon Aug 12 14:19:41 2024 -0700 - - Sort the endpoints such that eth0 is first - - Signed-off-by: Kathryn Baldauf - -commit bf239f668b713fbf1d976835695d310689f620a1 -Author: Heather Garvison -Date: Wed Aug 14 14:05:42 2024 -0400 - - update dmverity tool to fix bug where hdv creation fails to move all VHDs from the temp dir - - Signed-off-by: Heather Garvison - -commit a8ef0c488fd3919ba9af8fc2599e803a1bf39b2a -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Aug 5 16:31:56 2024 -0400 - - Upgrade deps to resolve CVEs (#2225) - - CVE alerts: - - - https://github.com/microsoft/hcsshim/security/dependabot/108 - - https://github.com/microsoft/hcsshim/security/dependabot/107 - - Dependabot PRs: - - - 2224 - - 2223 - - 2219 - - 2218 - - 2213 - - 
Signed-off-by: Hamza El-Saawy - -commit a1586171de44edfbc3609fd769f21987f7d5685f -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Aug 5 18:09:26 2024 +0000 - - Bump google.golang.org/grpc from 1.64.0 to 1.65.0 in /test (#2195) - -commit 0952ff694227a4123ee4ad5092df243008fcf8f5 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Aug 5 18:09:04 2024 +0000 - - Bump softprops/action-gh-release from 2.0.7 to 2.0.8 (#2212) - -commit 415030aefbf56caccf1c44414fee18069857425d -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Aug 5 14:06:42 2024 -0400 - - Bump github.com/docker/docker in /test (#2221) - - Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.0.0+incompatible to 27.1.0+incompatible. - - [Release notes](https://github.com/docker/docker/releases) - - [Commits](https://github.com/docker/docker/commits/v27.1.0) - - --- - updated-dependencies: - - dependency-name: github.com/docker/docker - dependency-type: indirect - ... - - Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit 7edc1f5203c22e21124d8d0f739ce0ada7f5cf61 -Author: Seth Hollandsworth -Date: Wed Jul 31 13:09:10 2024 -0400 - - updating a link in the readme to its new location (#2214) - - Signed-off-by: sethho - -commit a658eee405cb0dc85121e7edb41fd26086013595 -Author: Kirtana Ashok -Date: Thu Jul 18 16:00:44 2024 -0700 - - Fix HPC tests - - 
Signed-off-by: Kirtana Ashok - -commit 5c81656ca4bd1c51295f7c18d3c562aa880253a1 -Author: Maksim An -Date: Wed Jul 24 15:17:12 2024 -0700 - - fix: use block device mount to format scratch (#2215) - - By default create LCOW will set the number of SCSI controllers to 4, when - VPMem isn't used, which is the case when formatting scratch. This makes the - device path lookup non-determenistic, since the SCSI controllers in the guest - may have different indices. - - To workaround that, use a block device mount and use the mount-path to format - the scratch VHDX without needing to lookup the actual dev node path. - - Signed-off-by: Maksim An - -commit eb8c5c67775b348f2a8c2a8fe5905a8f559e5d11 -Merge: eedd1fece 0c061a1ee -Author: Kathryn Baldauf -Date: Tue Jul 23 10:53:16 2024 -0700 - - Merge pull request #2201 from katiewasnothere/kabaldau/boot_nvidia_services - - Start nvidia-persistenced and nv-fabricmanager daemons in init script - -commit 0c061a1eeefff209adb65f98de4f40f506e3fc62 -Author: Kathryn Baldauf -Date: Mon Jun 24 15:56:26 2024 -0700 - - Start nvidia_persistenced and nv-fabricmanager daemons in init script - - Signed-off-by: Kathryn Baldauf - -commit eedd1fece70183480075409c54fc307e5d045fc2 -Merge: c1e403cfe 848523221 -Author: Kathryn Baldauf -Date: Mon Jul 22 10:15:13 2024 -0700 - - Merge pull request #2206 from katiewasnothere/kabaldau/remove_graceful_dda_cleanup - - Remove graceful removal of DDA devices added on pod boot - -commit c1e403cfe1e4991c78fcd3535308a88403e42477 -Merge: c28c0b237 408381769 -Author: Kathryn Baldauf -Date: Thu Jul 18 17:24:23 2024 -0700 - - Merge pull request #2207 from katiewasnothere/kabaldau/runhcs_higher_memory - - Add higher memory size for create scratch UVM - -commit 40838176901554ca9b2147683a5be1d4fd4f34ca -Author: Kathryn Baldauf -Date: Mon Jun 17 17:00:48 2024 -0700 - - Increasing the memory size as Azure Linux requires more memory to run - - 
Signed-off-by: Kathryn Baldauf - -commit c28c0b2376f275735dbd4f9ebc716111a241df9c -Author: Maksim An -Date: Thu Jul 18 09:40:18 2024 -0700 - - fix: error shadowing removing read-write mount tracking (#2208) - - When filesystem mount fails, we attempt to cleanup - read-write mount tracking. However, the return error is - being shadowed and `RemoveRWDevice` is never called. - - Signed-off-by: Maksim An - -commit ffe0492588fe581a24573a94223df96a0a6601a9 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Jul 18 15:10:58 2024 +0000 - - Bump softprops/action-gh-release from 2.0.5 to 2.0.7 (#2209) - -commit 8ad5a9794372865ff0cc6b64ec4a2df713017387 -Author: apurv15 <69455689+apurv15@users.noreply.github.com> -Date: Wed Jul 17 11:05:20 2024 +0530 - - Create UVM honoring NUMA configuration parameters (#2198) - - * Expose NUMA config to containers. Use HCS device affinity so that UVM is configured on same NUMA node as the device. Expose SLIT configuration to UVM to gather NUMA node distances. - - Signed-off-by: Apurv Barve - - * Fixing lint errors - - Signed-off-by: Apurv Barve - - * Fix linter errors - - Signed-off-by: Apurv Barve - - * Addressing review comments - - Signed-off-by: Apurv Barve - - * Addressing review comments - - Signed-off-by: Apurv Barve - - * Schema changes - - Signed-off-by: Apurv Barve - - * OS build version check - - Signed-off-by: Apurv Barve - - * Removing some checks not required for container platform - - Signed-off-by: Apurv Barve - - * Removing a TODO comment - - Signed-off-by: Apurv Barve - - * Conditionalize setting PropagateNumaAffinity for newer OS build only - - Signed-off-by: Apurv Barve - - * Changing variable name from propagationEnabled to propagateAffinity for better readability - - Signed-off-by: Apurv Barve - - * Modifying comment and not initializing pointer as it happens implicitly. - - Signed-off-by: Apurv Barve - - --------- - - 
Signed-off-by: Apurv Barve - -commit 848523221903d628002cd8b6953b149f63b689b8 -Author: Kathryn Baldauf -Date: Tue Jul 16 14:41:16 2024 -0700 - - Remove graceful removal of vpci devices - - Signed-off-by: Kathryn Baldauf - -commit d69c26d67ca8ec4b13a220a344bb93237459515b -Author: Prince Pereira -Date: Tue Jul 16 00:16:14 2024 +0530 - - Modifying network flag EnableIov. - - Signed-off-by: Prince Pereira - -commit 7af6804e753190024abb9d89b777572814153276 -Author: PRINCE PEREIRA -Date: Thu Jul 11 01:39:07 2024 +0530 - - Introducing new network flag EnableIov. (#2192) - - Signed-off-by: Prince Pereira - -commit 376b320b332e24c4a8830407139522abe5fdb2d5 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Jul 8 14:47:48 2024 -0400 - - [test] Add Hyper-V socket functional tests (#1979) - - * [test] Add hvsock connection tests - - Add tests for binding to and listening on hyper-v sockets from within a - uVM (as well as a hyper-v isolated containers). - Tests verify default SDDL and wildcard bind settings, as well updating - the settings for a particular service ID. - - In order to test HVSocket communication, an agent is needed to run from - within the uVM (or container within that). - To accomplish that, the ability to re-exec the (functional) testing - binary is added, so that it can be shared into the uVM (or container) - and then run a separate code path that is defined within the same test - case that is running on the host. - - For example, while running the test case - `TestHVSock_Container_GuestBind/default`, the functional testing binary - that is being run (i.e. `functional.test.exe`) is shared within the - running container and then run with the flag - `-run=^TestHVSock_Container_GuestBind$/^default$`. This causes the guest - to bind to the agreed-upon Service GUID, and then (after the host - connects to the same Service GUID), the guest verifies the expected VM - and service GUIDs, and then ensures communication is possible. - - 
Signed-off-by: Hamza El-Saawy - - * PR: remove hvsock feature - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit 7bcf0ceac7b2a78364f1e75f02798b443091019f -Author: Maksim An -Date: Mon Jul 8 10:35:46 2024 -0700 - - fix: uvmboot gcs exec (#2193) - - Rely on default `sh` to be in `PATH` rather than hardcoding - to `/bin/sh` when using uvmboot with GCS and exec. - - Signed-off-by: Maksim An - -commit 200feabd854da69f615a598ed6a1263ce9531676 (tag: v0.13.0-rc.1) -Author: Prince Pereira -Date: Fri Jun 21 14:41:53 2024 +0530 - - Hcsshim wrapper over HNS API needed for exclusion of management mac addresses for VF reassignment. - - 
Signed-off-by: Prince Pereira - -commit 53f2486325624a81d2797b26294021c8647a6811 -Author: Maksim An -Date: Wed Jun 26 09:14:33 2024 -0700 - - feature: block-device mounts (#2168) - - This PR adds capability to mount virtual and passthrough disks - as block devices inside containers. - - We add a new "blockdev://" prefix to OCI `Mount.ContainerPath`, - which indicates that the source should be mounted as a blcok - device. - - A new `BlockDev` field has been added to `mountConfig` used by - `mountManager`, which indicates that the SCSI attachment should - be mounted as a block device. - - The GCS has also been updated to handle `BlockDev`. Instead of - mounting the filesystem, GCS creates a symlink to the block device - corresponding to the SCSI attachment. The symlink path is set - by shim as a source of bind mount in OCI container spec. GCS - resolves the symlink and adds the corresponding device cgroup. - Without the cgroup, the container won't be able to work with the - block device. - - We chose a symlink approach instead of bind mounting the device - directly, because the shim doesn't know the path at which the - device will appear inside UVM. For this to work, we either need - to encode the SCSI controller/LUN in the OCI mount's HostPath or - update the communication protocol between the shim and GCS, where - GCS would either return the device path, or add capability for - the shim to query for it. - - Below are some CRI container config examples for physical and - virtual disks: - - Passthrough physical disk: - ```json - { - ... - "mounts": [ - { - "host_path": "\\\\.\\PHYSICALDRIVE1", - "container_path": "blockdev:///my/block/mount", - "readonly": false - } - ] - ... - } - ``` - - Virtual VHD disk: - ```json - { - ... - "mounts": [ - { - "host_path": "C:\\path\\to\\my\\disk.vhdx", - "container_path": "blockdev:///my/block/mount", - "readonly": false - } - ] - ... - } - ``` - - Mount manager will differentiate between a block device and a - filesystem mount. 
Two containers can use the same managed disk - inside UVM as a block device or filesystem at the same time. - For block device mount a symlink will be created, for filesystem - mount the block device will be mounted in the UVM. - ``` - bash-5.0# ls -l /run/mounts/scsi/ - total 16 - drwxr-xr-x 3 root root 4096 Jan 1 1970 m0 - drwxr-xr-x 4 root root 4096 Jun 20 23:20 m1 - drwxr-xr-x 18 root root 4096 Jan 1 1970 m2 - drwxr-xr-x 3 root root 4096 Jun 20 23:20 m3 - lrwxrwxrwx 1 root root 8 Jun 20 23:22 m4 -> /dev/sde - bash-5.0# mount | grep sde - /dev/sde on /run/mounts/scsi/m3 type ext4 (rw,relatime) - ``` - - Signed-off-by: Maksim An - -commit e96bfcd186703633a600134d100a61ae4f173077 -Author: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> -Date: Tue Jun 18 12:40:06 2024 -0700 - - Adding state attribute to the HNSEndpoint struct to support hyperv containers for k8s - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Adding stringer for usage and CI/CD - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Fixing build errors - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Ignore linting for files generated by Stringer - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Trying to fix CI go gen - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Removing extra step to fix CI go gen - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - go gen CI fix try 2 - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Skip autogenerated file from linting - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Fixing linting - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Fixing linting - - 
Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Removing stringer to avoid increasing package bloat for hcsshim - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - cleanup - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Adding comment for future HNS v2 change - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - - Fix linting - - Signed-off-by: ritikaguptams <85255050+ritikaguptams@users.noreply.github.com> - -commit 66f4e4d68bd3afb15d3926f8c13c1d8803364b12 -Merge: 75311a3dd 3e6830005 -Author: Kathryn Baldauf -Date: Sun Jun 23 16:36:56 2024 -0700 - - Merge pull request #2167 from katiewasnothere/kabaldau/add_back_kmod_init - - Add support for loading modules in init script when makefile variable is set - -commit 75311a3dd1e88ed6d486b8ec365bee8556406525 -Merge: c12580828 f5f103dcc -Author: Kathryn Baldauf -Date: Fri Jun 21 15:55:33 2024 -0700 - - Merge pull request #2164 from katiewasnothere/kabaldau/host_process_unsafe_op - - Disable host process containers when disable unsafe operations is enabled - -commit c12580828ff856adede9a64697777cbc2463428e -Merge: 75428d123 7f60d8ffd -Author: Kathryn Baldauf -Date: Fri Jun 21 15:41:50 2024 -0700 - - Merge pull request #2181 from katiewasnothere/kabaldau/remove_nvidia_load_kmods - - Remove load-kmods option to libnvidia-container - -commit 7f60d8ffdaf78f23b47f48c3ffe5fd9a61cc62b4 -Author: Kathryn Baldauf -Date: Fri Jun 21 10:27:47 2024 -0700 - - Remove load-kmods option to libnvidia-container - - 
Signed-off-by: Kathryn Baldauf - -commit 75428d123ada3f341e1c55e13e738a92d11cbfd6 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jun 18 13:50:26 2024 -0400 - - Omnibus dependency update (#2166) - - Dependebot PRs: - - - hcsshim/2140 - - hcsshim/2145 - - hcsshim/2146 - - hcsshim/2149 - - hcsshim/2153 - - hcsshim/2154 - - hcsshim/2159 - - hcsshim/2161 - - hcsshim/2174 - - hcsshim/2175 - - hcsshim/2176 - - Update protobuf files. - - `google.golang.org/grpc v1.64.0` deprecated `Dial[Context]` and - `WithBlock`. - Replacing either is non-trivial, and left for a future PR. - - Update dependabot file to ignore patch updates: they rarely provide bug - fixes and increase repo churn. - - Signed-off-by: Hamza El-Saawy - -commit f5f103dcc7c1f079723e79aa56d2b33e741d9c42 -Author: Kathryn Baldauf -Date: Mon Jun 10 16:25:39 2024 -0700 - - Add new annotation to disable host process containers as a child - annotation to DisableUnsafeOperations - - Signed-off-by: Kathryn Baldauf - -commit 3e6830005fd9e763e08d0db4e42067bc9716802e -Author: Kathryn Baldauf -Date: Mon Apr 1 16:57:41 2024 -0700 - - Add support for loading modules in init script when makefile variable - is set. - - Signed-off-by: Kathryn Baldauf - -commit efb0296a0a369e4a1212ca165ad0652ba82d800e -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed Jun 12 17:13:33 2024 +0000 - - Bump golang.org/x/sys from 0.20.0 to 0.21.0 in /test (#2158) - -commit c8ec2736eb00b70ca33320bf04a7e790b26f6fa3 -Merge: 8beabacfc 472097790 -Author: Kathryn Baldauf -Date: Tue Jun 11 13:08:14 2024 -0700 - - Merge pull request #2128 from katiewasnothere/kabaldau/add_devices_at_boot_time - - Support passing oci devices on pod boot - -commit 8beabacfc2d21767a07c20f8dd5f9f3932dbf305 -Author: PRINCE PEREIRA -Date: Tue Jun 4 21:22:05 2024 +0530 - - Changes for checking the global version for modify policy version support. (#2139) - - 
Signed-off-by: Prince Pereira - -commit 472097790b59c13ed696cb896a23e991d25885a1 -Author: Kathryn Baldauf -Date: Tue Apr 9 16:00:19 2024 -0700 - - Support passing oci devices on pod boot - - Signed-off-by: Kathryn Baldauf - -commit c79a6310e6f15a893430063ca76f44dcb7711426 -Author: Debjit -Date: Wed May 29 11:28:51 2024 -0700 - - OutBoundNATPolicy Schema changes (#2106) - - 
Signed-off-by: Debjit Mondal - -commit 62b77d5a6a25a064b09814e36fe992f73ffa486f -Merge: 63adf6a1b b271a2c5d -Author: Kathryn Baldauf -Date: Tue May 28 15:03:04 2024 -0700 - - Merge pull request #2152 from katiewasnothere/kabaldau/runhcs_use_pa_memory - - Change runhcs create-scratch to use physical backed memory by default - -commit 63adf6a1b539409398f2f098381b7c090c454719 -Author: Maksim An -Date: Tue May 28 14:44:20 2024 -0700 - - verity-boot: append hash device to rootfs (#2142) - - * verity-boot: append hash device to rootfs - - Turned out that dev nodes for SCSI devices may not be - determenistic, where the hash device and rootfs may end - up appearing under /dev/sda and /dev/sdb respectively. - - Instead of mounting a separate hash device, append the - verity Merkle tree to rootfs ext4 filesystem, similarly - to how it's done for layer VHDs and mount single VHD. - Remove redundant hash device code. - - The default `GuestStateFile` filename was changed to `kernel.vmgs`. - - Update the IVGM kernel init to reflect the changes. 
- - The kernel command looks something like this: - - 8250_core.nr_uarts=0 panic=-1 debug loglevel=7 root=/dev/dm-0 \ - dm-mod.create="dmverity,,,ro,0 173768 verity \ - 1 /dev/sda /dev/sda 4096 4096 21721 21721 sha256 \ - 42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62 \ - a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905" \ - init=/startup.sh - - To break this down a little further: - - dm-mod.create=",,,,[table {verity_params}]" - table=" verity_params" - verity_params=" \ - \ - []" - - With the example above we get: - - name: "dmverity" - uuid: "" - minor: "" - flags: "ro" - table: 0 0 173768 verity - verity_params: - version: 1 - data_device: /dev/sda - hash_device: /dev/sda - data_block_size: 4096 - hash_block_size: 4096 - num_data_blocks: 21721 - hash_start_block: 21721 - algorithm: "sha256" - root_digest: "42896a788a58da77b6acb8ddf53aa744bd269c19146cfdf48eb8fc5529a52e62" - salt: "a1c38923e44adffdd21f84e9185248c884fa28e767795d1025e5804e1c3df905" - - The support for booting non-SNP UVMs with dm-verity has also been added - as part of this PR. A new annotation can be used to pass the `dm-mod.create` - parameters to kernel. The assumption that the rootfs VHD will also have Merkle - tree appended after ext4 filesystem still holds. The new annotation is - "io.microsoft.virtualmachine.lcow.dmverity-create-args" and must be used - in conjunction with an existing "io.microsoft.virtualmachine.lcow.dmverity-mode" - annotation. - - Add an internal "io.microsoft.virtualmachine.console.pipe" annotation, which - can be used to set the serial for the UVM for debugging purposes. - - Note that dm-verity boot has a dependency on `CONFIG_DM_INIT` kernel config. - - --------- - - 
Signed-off-by: Maksim An - -commit 32498a77e3db5c47172d265c1571ec578e95db3e -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 28 15:15:35 2024 -0400 - - [test] Update WCOW uVM and vSMB, and HostProcess functional tests (#1965) - - * Initial file reorg & rename - - WCOW tests can be integrated directly into existing LCOW tests as - subtests, after generalizing the original (LCOW-only) tests to run both - types of uVMs and containers. - - Break the change into two: - (1) move (and rename) the original LCOW-only tests; and - (2) generalize the tests and add the WCOW components. - - To simplify the diffs, this commit only includes the first process. - Specifically, move: - - `lcow_bench_test.go` to `uvm_bench_test.go` - - `lcow_container_test.go` to `container_test.go` - - `lcow_test.go` to `lcow_uvm_test.go` - - Within `lcow_uvm_test.go`, combine and generalize kernel arg tests - (i.e., `TestLCOW_UVMNoSCSINoVPMemInitrd` and - `TestLCOW_UVMNoSCSISingleVPMemVHD`) to `TestLCOW_UVM_KernelArgs`. - - Combine and generalize boot/time tests (e.g., - `TestLCOW_TimeUVMStartVHD`, `TestLCOW_UVMStart_KernelDirect_VHD`) to - `TestLCOW_UVM_Boot`. - - Also, since go1.21, `"github.com/Microsoft/hcsshim/internal/sync"` is no - longer necessary, so replace it with `"sync".OnceValue[s]`. - - Signed-off-by: Hamza El-Saawy - - * Export `FileBindingSupported` function - - Expose `FileBindingSupported()` function from `"internal\jobcontainers"` - so it can be used in functional testing code. - - Switch from `sync.Once` to checking for `bindfltapi.dll` during package - init, since the check is (relatively) cheap. - - 
Signed-off-by: Hamza El-Saawy - - * Add WCOW and vSMB functional tests - - Un-skip and fix WCOW uVM and container tests. - Add WCOW: - - uVM benchmarks - - vSMB tests - - Host Process tests - - For WCOW host process tests, add dedicated tests for setting - username, and verifying hostname and volume mounts. - - Fix bug where removing a direct-mapped vSMB share fails. - - Run (non-virtualization/uVM) functional tests within CI. - - Starting Host Process containers requires SYSTEM to create a - process with a specified token, so use PsExec.exe (from sysutils) - to run tests. - - Make sure container specs are created with the default working - directory (`C:\`), similar to how `internal\cmd` works). - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit b271a2c5dd14aaadfadafd8fc0f5f6d61f447e2a -Author: Kathryn Baldauf -Date: Wed May 22 13:56:35 2024 -0700 - - Change runhcs create-scratch to use physical backed memory by default - - Signed-off-by: Kathryn Baldauf - -commit 43d1ab5f87a346654b6e3061520f53a48949b23f -Author: Maksim An -Date: Tue May 21 13:01:28 2024 -0700 - - scrubbing: scrub execute process message inside the guest (#2144) - - Signed-off-by: Maksim An - -commit 8e5438a31c954829c7c318732966cf0368907e4a -Author: Maksim An -Date: Thu May 16 12:02:38 2024 -0700 - - always scrub logs in SNP mode (#2143) - - 
Signed-off-by: Maksim An - -commit 46ef279de8dbe80851358ab9947b333f4586ecd7 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu May 9 15:23:27 2024 +0000 - - Bump softprops/action-gh-release from 2.0.4 to 2.0.5 (#2138) - -commit 75dcbc4a6bc68c15efe5b563e343ea4fa2208b6c -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Tue May 7 15:08:53 2024 +0000 - - Bump golangci/golangci-lint-action from 5 to 6 (#2137) - -commit 575f7f83a743b64ea554eb6f41ea453704425641 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon May 6 18:35:49 2024 +0000 - - Bump google.golang.org/protobuf from 1.33.0 to 1.34.1 in /test (#2135) - -commit b0ae328a8afba19690235516f1d193138e348ad7 -Author: Maksim An -Date: Mon May 6 11:07:22 2024 -0700 - - fix: wrong src and dst when copying vmgs/rootfs/hash device (#2125) - - Signed-off-by: Maksim An - -commit e2b26fad26c5c4801130a0a8d88a186d5a43aa35 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 6 11:24:42 2024 -0400 - - Omnibus dependabot update (#2124) - - Consolidate dependabot PRs: - - - 2131 - - 2130 - - 2122 - - 2120 - - 2119 - - 2112 - - 2105 - - 2093 - - 
Signed-off-by: Hamza El-Saawy - -commit ac2fd71f9742d301e3a68d5d1cc2a63be846a60a -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed May 1 16:02:21 2024 +0000 - - Bump golang.org/x/net from 0.22.0 to 0.23.0 in /test (#2111) - -commit 7690cc75ccc2e844e444279eaf613dcb13340e43 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed May 1 15:35:19 2024 +0000 - - Bump google.golang.org/grpc from 1.62.1 to 1.63.2 in /test (#2108) - -commit 81becbcf6c02116f7e43533a64d2f0e0a244d91f -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed May 1 15:35:09 2024 +0000 - - Bump golang.org/x/sync from 0.6.0 to 0.7.0 (#2101) - -commit 530d0f3628892c4d3bbb717930ce42118b00f146 -Author: Maksim An -Date: Mon Apr 29 10:25:00 2024 -0700 - - copy rootfs and hash VHD to bundle directory for SNP (#2110) - - Make sure that there's no potential race in accessing - rootfs.vhd and rootfs.hash.vhd when multiple SNP pods - are created concurrently with verity boot. - - Signed-off-by: Maksim An - -commit adfc9c0b04c66e0db9f45094e84dcbc4604258fb -Author: Maksim An -Date: Mon Apr 29 09:53:19 2024 -0700 - - fix scsi attachment for verity boot (#2116) - - When a SCSI device is added to an LCOW UVM the controllers inside - the guest can be reliably mapped via their corresponding GUIDs. - Make sure that we are adding the rootfs and corresponding rootfs - hash device to the correct controller 0. - - 
Signed-off-by: Maksim An - -commit 74c8fdf8d5d099450d16b6ab182d8481df3a72cc -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Apr 25 15:29:51 2024 +0000 - - Bump golangci/golangci-lint-action from 4 to 5 (#2118) - -commit 99b45823b06f03d94b054b7cf54921ce9db987f2 -Author: Maksim An -Date: Sun Apr 21 22:07:56 2024 -0700 - - fix: set `ReadOnly` when unmounting LCOW mapped virtual disk (#2109) - - When unmounting LCOW read-only container layers with - layer integrity enabled, the guest checks whether the - unmount request is coming for a read-only SCSI device. - If that's the case, GCS also attempts to clear out the - corresponding verity targets. Current implementation - omits the `ReadOnly` setting in the guest request, which - results in verity targets to linger even though the target - has been unmounted. The security policy is also unaware - that the layer has been unmounted, since it's enforced - only when `ReadOnly` is set to `true`. - This PR fixes this on the host side, by ensuring that - the `ReadOnly` is set in the guest request. It seems, though, - we may need to revisit the enforcement logic to potentially - deny unmounting a read-only layer when the host is not - explicitly specifies it as read-only. - - Signed-off-by: Maksim An - -commit cc618c1d24746925bbd42a127a95e1652da9733b -Author: Kirtana Ashok -Date: Fri Apr 19 11:43:10 2024 -0700 - - Update go-winio to v0.6.2 & fix lint errors - - Signed-off-by: Kirtana Ashok - -commit 0f7d8de9948c3ebfd45911dc55b451d8902d48b2 -Author: PRINCE PEREIRA -Date: Mon Apr 15 08:26:12 2024 -0700 - - Adding support for loadbalancer policy update in hns. (#2085) - - 
Signed-off-by: Prince Pereira - -commit f9a5c7b37ad50be3dc8eda6f2510d81db27967dd -Author: Dominic Ayre -Date: Fri Apr 12 04:53:18 2024 +0100 - - Improve dmverity-vhd -d performance (#2089) - - The current implementation of dmverity-vhd -d has to make one of the - following tradeoffs: - - Runtime: By default this option calls the docker daemon to fetch the - entire image for each layer as it doesn't provide an endpoint to get - a specific layer - Memory: The user can include a -b option that makes this call buffered, - keeping the image in memory the whole time, this is much faster but - at the cost of keeping the whole image in memory, which is a problem - with runners with low memory - - #2086 Proposed a new tradeoff of disk space, by saving the image to - disk and accessing the layers locally, this is a problem for runners with - smaller disks as the image is stored twice. - - This solution makes a single request to the docker daemon, and - processes both the layer hashes and the manifest to assign layer - numbers in a single pass, making it performant in all three aspects. - - --------- - - Signed-off-by: Dominic Ayre - Signed-off-by: Dominic Ayre - -commit c09ae9d05abe69d3ad4d957547a46143652d8fa0 -Author: Maksim An -Date: Thu Apr 11 10:43:59 2024 -0700 - - split existing Makefile (#2096) - - The existing Makefile grew pretty large and now has a few - additional dependencies like python and crypto for SNP targets. - - The idea behind the split is that the new Makefile.bootfiles - can be used to create Linux boot files and it depends only - on `delta*.tar.gz`. This is useful in e.g. multi staged build - process, where `delta*.tar.gz` artifacts can be produced - separately from the final boot files. Since the delta can be - applied to any base image, the build job that does it, wouldn't - need go runtime or C compiler. - - 
Signed-off-by: Maksim An - -commit fd6185a54cf8f82c8435506c25a9af290d01d610 -Merge: 0db3bffb7 3ad4d7e87 -Author: Kathryn Baldauf -Date: Wed Apr 10 11:18:36 2024 -0700 - - Merge pull request #2104 from katiewasnothere/kabaldau/fully_physically_backed - - Remove requirement on initrd for fully physically backed UVM - -commit 3ad4d7e879b3326dc9b6d65fb963da2dcf6b35e1 -Author: Kathryn Baldauf -Date: Mon Apr 8 14:33:44 2024 -0700 - - Remove requirement on initrd for fully physically backed UVM - - Signed-off-by: Kathryn Baldauf - -commit 0db3bffb783a391436c3bd01158280cee2ab4966 -Merge: c248e5166 6ed2b432f -Author: Kathryn Baldauf -Date: Wed Apr 10 10:20:01 2024 -0700 - - Merge pull request #2097 from katiewasnothere/kabaldau/remove_gpu_no_cgroups - - Remove no-cgroups option in gpu code path - -commit c248e516653406d3be399a48dd8bc012f0ac3f09 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Apr 8 15:36:53 2024 +0000 - - Bump golang.org/x/sync from 0.6.0 to 0.7.0 in /test - - Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.6.0 to 0.7.0. - - [Commits](https://github.com/golang/sync/compare/v0.6.0...v0.7.0) - - --- - updated-dependencies: - - dependency-name: golang.org/x/sync - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - -commit 38d960de25660592f662bbcc4f64d847030b2ae4 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Apr 8 15:07:16 2024 +0000 - - Bump golang.org/x/sys from 0.18.0 to 0.19.0 in /test - - Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.18.0 to 0.19.0. - - [Commits](https://github.com/golang/sys/compare/v0.18.0...v0.19.0) - - --- - updated-dependencies: - - dependency-name: golang.org/x/sys - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - 
Signed-off-by: dependabot[bot] - -commit ad99b71729099afead68cff33527f2264244dc24 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Mar 28 20:52:38 2024 +0000 - - Bump github.com/google/go-containerregistry from 0.19.0 to 0.19.1 - - Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.19.0 to 0.19.1. - - [Release notes](https://github.com/google/go-containerregistry/releases) - - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - - [Commits](https://github.com/google/go-containerregistry/compare/v0.19.0...v0.19.1) - - --- - updated-dependencies: - - dependency-name: github.com/google/go-containerregistry - dependency-type: direct:production - update-type: version-update:semver-patch - ... - - Signed-off-by: dependabot[bot] - -commit 0272d9bf9f88eff1d7a1ce6e573e7162d5e48910 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Mar 28 20:53:40 2024 +0000 - - Bump github.com/opencontainers/image-spec in /test - - Bumps [github.com/opencontainers/image-spec](https://github.com/opencontainers/image-spec) from 1.1.0-rc3 to 1.1.0. - - [Release notes](https://github.com/opencontainers/image-spec/releases) - - [Changelog](https://github.com/opencontainers/image-spec/blob/main/RELEASES.md) - - [Commits](https://github.com/opencontainers/image-spec/compare/v1.1.0-rc3...v1.1.0) - - --- - updated-dependencies: - - dependency-name: github.com/opencontainers/image-spec - dependency-type: direct:production - update-type: version-update:semver-patch - ... - - 
Signed-off-by: dependabot[bot] - -commit f0b44766d98c93b55ddc0e56286460ab044d87aa -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Sun Mar 31 03:34:23 2024 +0000 - - Bump github.com/urfave/cli/v2 from 2.25.7 to 2.27.1 in /test - - Bumps [github.com/urfave/cli/v2](https://github.com/urfave/cli) from 2.25.7 to 2.27.1. - - [Release notes](https://github.com/urfave/cli/releases) - - [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md) - - [Commits](https://github.com/urfave/cli/compare/v2.25.7...v2.27.1) - - --- - updated-dependencies: - - dependency-name: github.com/urfave/cli/v2 - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - -commit 6ed2b432f4c56e60690a99bcb37a4fe30c3cd5dc -Author: Kathryn Baldauf -Date: Wed Apr 3 17:40:28 2024 -0700 - - Remove no-cgroups option in gpu code path - - Signed-off-by: Kathryn Baldauf - -commit 42671b424b99461eb3dde4ed44f6f123092f656d -Author: Maksim An -Date: Tue Apr 2 10:38:35 2024 -0700 - - Update `JOB_OBJECT_ALL_ACCESS` and `OpenJobObject` (#2095) - - Update `JOB_OBJECT_ALL_ACCESS` value to the most recent one. - Update `winapi.OpenJobObject` to accept `inheritHandle` as - `bool`. The underlying syscall stays the same, but this allows - cleaner calls from go's perspective as it avoids `bool` to `uint32` - casting. - - Signed-off-by: Maksim An - -commit 71270a3d0e911941a24c419df4cc197a9ada0930 -Merge: 7df3b5fa9 d73645396 -Author: Kathryn Baldauf -Date: Mon Apr 1 13:21:06 2024 -0700 - - Merge pull request #2091 from katiewasnothere/kabaldau/revert_init_kmod - - Revert "Use kmod library to load modules" - -commit d73645396e31feedd11e029f2005a3d971c7c13e -Author: Kathryn Baldauf -Date: Fri Mar 29 16:10:17 2024 -0700 - - Revert "Use kmod library to load modules" - - This reverts commit 8c5f531c3502ed836f94b29b4fc0876c8f5e3be6. - - 
Signed-off-by: Kathryn Baldauf - -commit 7df3b5fa9e2b4d760d8fc60835299ac83712ea8f -Author: Maksim An -Date: Fri Mar 29 09:18:25 2024 -0700 - - gh-actions: prevent publishing release automatically (#2090) - - The release Github action will automatically publish - a release for each non-rc tag in a form `v*`, which is - not desired. This may lead to accidents like described in https://github.com/microsoft/hcsshim/issues/2084 - - Change the release action to instead create draft - releases, regardles of the tag being final or RC. - - It will be up to the maintainers to decide when to - publish an official release. - - Signed-off-by: Maksim An - -commit 95b3c28b981c22025336edb1be401e9fad8440c4 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Mar 28 16:51:26 2024 -0400 - - Omnibus dependency update (#2088) - - * Omnibus dependency updates - - - github.com/microsoft/hcsshim/pull/2087 - - github.com/microsoft/hcsshim/pull/2073 - - github.com/microsoft/hcsshim/pull/2072 - - github.com/microsoft/hcsshim/pull/2071 - - github.com/microsoft/hcsshim/pull/2064 - - github.com/microsoft/hcsshim/pull/2063 - - github.com/microsoft/hcsshim/pull/2062 - - github.com/microsoft/hcsshim/pull/2061 - - github.com/microsoft/hcsshim/pull/2058 - - github.com/microsoft/hcsshim/pull/2057 - - Signed-off-by: Hamza El-Saawy - - * update protofiles - - Signed-off-by: Hamza El-Saawy - - --------- - - 
Signed-off-by: Hamza El-Saawy - -commit 1d406d0eac5573287ba7b46a04a58275410137ac -Merge: 3f5931a23 e0c52cd23 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Tue Mar 26 14:59:26 2024 -0700 - - Merge pull request #2029 from ambarve/layer_refactor - - Refactor layer management code. - -commit e0c52cd23b414706ac630ce3d4c9651c3e74c146 -Author: Amit Barve -Date: Fri Mar 1 01:59:33 2024 -0800 - - Remove unused CimFS related code - - CimFS is currently not supported with HyperV isolation. However, we still have code that - handles processing of UtilityVM layer during image import. After the layer refactoring - change we need to update this code as well. But since this code isn't being used anywhere - updating it doesn't make much sense. There are no tests for this either. This code is - removed for now and we can add it back later once the plan for running HyperV isolated - containers with CimFS is more solid. - - Signed-off-by: Amit Barve - -commit 5abf55c8119d77bbd6afd867ee8039ee3aadde18 -Author: Amit Barve -Date: Tue Feb 27 10:41:33 2024 -0800 - - Refactor layer writer interface - - Current layer writer interface forces us to calculate the CIM path from the layer path by - making assumptions about CIM storage. This isn't a very good approach, better way is to be - explicit about what information the layer writer needs from containerd. This change - updates the CIM layer writer to take in layer CIM & parent CIM paths as inputs. This also - means a corresponding changes needs to be made in containerd. - - Signed-off-by: Amit Barve - -commit 00ca088f41b4de5d438d3d0ab7bdfbb948e44024 -Author: Amit Barve -Date: Tue Feb 27 09:59:54 2024 -0800 - - Refactor layer mount functions - - This commit uses the newly added WCOW layer parsers and the new type for representing - mounted WCOW layers. LCOW functions are also moved around (and renamed) to follow similar - style as that of WCOW functions. - - 
Signed-off-by: Amit Barve - -commit 49ada2e138adc6e43dfc9b9c672daf0b8d457af4 -Author: Amit Barve -Date: Tue Feb 27 09:47:28 2024 -0800 - - Add WCOW RootFS Mount parsers - - Adds a set of functions that can parse layers or rootfs mounts provided by containerd into - structs that can be later used for mounting layers. Primary purpose of this change is to - remove restriction of always representing layers as an array of strings. - - Signed-off-by: Amit Barve - -commit 47a65a15819fb13236d780ec057f77eaddc8f367 -Author: Amit Barve -Date: Tue Jan 30 14:39:52 2024 -0800 - - Move LCOW & WCOW layer management functions to their own file - - As we refactor the layer management code, it is easier to keep LCOW & WCOW layer management code - in their own separate files. - - Signed-off-by: Amit Barve - -commit 3f5931a2319947029673ed615d23dfb0be401f53 -Author: Maksim An -Date: Mon Mar 25 09:53:46 2024 -0700 - - devicemapper: add `EBUSY` to the retriable errors (#2069) - - Testing revealed that creating device mapper targets sometimes - yields `device or resource busy` error (`EBUSY`). Add it to - the list of retriable errors and consolidate them into a single - slice. - - Add unit tests for `CreateDeviceWithRetryError`. - - Signed-off-by: Maksim An - -commit 3eeba905b4e0a408b372e3de326f00c70bdb442a -Author: Maksim An -Date: Fri Mar 22 16:27:19 2024 -0700 - - fix: move permissions to the correct job (#2080) - - The permissions block should be under `create_release` job, rather - than `build`. - - Signed-off-by: Maksim An - -commit a58b41457cca7c4f08f489e15ca1768ebfd84df5 -Author: Heather Garvison -Date: Fri Mar 22 17:07:14 2024 -0400 - - Updating permissions and github release action versions (#2078) - - 
Signed-off-by: Heather Garvison - -commit 4c5bf0d0436ddf023f2dabee361dcf6b069b9fae -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Mar 22 14:18:30 2024 -0400 - - Remove musl references (#2077) - - `libkmod` relies of `libc`, which means we no longer can build with - `musl`. - Remove reference to it. - - Signed-off-by: Hamza El-Saawy - -commit def0c29dd6d8be0c70a820e08ebe7eefaaf557a2 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Mar 21 15:05:55 2024 -0400 - - Use errors.As() (#2074) - - Signed-off-by: Hamza El-Saawy - -commit df34d1dc7c6b7dd49676869b021eb49047b25ecf -Merge: 6be41bcae 8c5f531c3 -Author: Kathryn Baldauf -Date: Wed Mar 20 13:46:13 2024 -0700 - - Merge pull request #2034 from katiewasnothere/kabaldau/kmod_load_modules_init - - Use kmod library to load modules in init script - -commit 6be41bcaed8d2dec828cf5c52ad05672c00c7828 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Mar 18 16:25:47 2024 -0400 - - Add hvsock service config annotation (#2056) - - Allow specifying the hyper-v configuration for specific service GUIDs - via an annotation to allow dedicated hvsocket communication from the - host to the guest - - Signed-off-by: Hamza El-Saawy - -commit 8c5f531c3502ed836f94b29b4fc0876c8f5e3be6 -Author: Kathryn Baldauf -Date: Wed Feb 7 15:39:24 2024 -0800 - - Use kmod library to load modules - - Update Makefile to use libkmod when building init and remove static compilation - - Signed-off-by: Kathryn Baldauf - -commit 02a899c7693a7783d3a5c2896452f493eddb9b3f -Merge: 7e32690db 3d466f91e -Author: Kathryn Baldauf -Date: Wed Mar 13 10:46:03 2024 -0700 - - Merge pull request #2040 from katiewasnothere/kabaldau/retry_find_dev_nodes - - Add the ability to retry when looking for hot added device nodes - -commit 7e32690dbfec42c476c0d0cbe6d6a9535a8c6c0e -Author: Maksim An -Date: Mon Mar 11 20:18:07 2024 -0700 - - upgrade open policy agent (#2059) - - 
Signed-off-by: Maksim An - -commit c91d82d2e8c5cad1034f17712391e0c76281e5aa -Author: Kirtana Ashok -Date: Tue Feb 13 19:46:01 2024 -0800 - - Add spans and drop large size high volume trace logs - - 
Signed-off-by: Kirtana Ashok - -commit 523fe7ba243047588b93cc5734669a3962be8899 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Mar 7 15:54:14 2024 -0500 - - Functional test housekeeping (#1964) - - Remove unused/legacy functional test flags/environment variables. - - Unify [TestMain] control flow, so there is only one exit call, and - `defer` is used to run cleanup after the tests are run. - - Standardize UVM `default[L|W]COWOptions` to accept a context, and add - context parameter to `namespacedContext` - - Remove all build tags aside from `functional`, since features are used - to select the tests to run. This standardizes the functional tests with - the cri-containerd tests, even though the feature names themselves are - different. - - Add `test/pkg/uvm.CreateWCOW` function to mirror `CreateLCOW`, and add - `Create` and `CreateAndStart` functions that pick LCOW or WCOW based on - the options provided. - - Have uVM scratch and image layers be created under a dedicated and - persisted folder within `%TEMP%` that is excluded from Windows defender. - (The folder will be removed during OS restart, regardless of contents.) - - Remove copied OCI spec options from `test/internal/oci`, add new - options for creating HostProcess containers. - - Add a `internal\sync.OnceValue`(`Ctx`) function that mirrors - `sync.OnceValues` (introduced in go1.21) to have a type-safe `Once` - function. - - Check that required privileges are held (only once) when unpacking - Windows layers. - - Fix LCOW tests in `lcow_test.go` that were setting `KernelDirect` - without also updating `KernelFile`. - - Add `util.Context` function to create context that times out before test - timeout, to help with timing issues and allow time for cleanup and - logging. - - Rename `cri_util` to `criutil`, since underscores are frowned upon in - package names. 
- Add a `test` prefix to `github.com/Microsoft/hcsshim/test/pkg/*` and - `github.com/Microsoft/hcsshim/test/internal/*` imports to be consistent - across all `test/functional/*` files. - - Signed-off-by: Hamza El-Saawy - -commit 3d466f91ecd9693cc733a4ec3fb0e105ec4e3063 -Author: Kathryn Baldauf -Date: Mon Feb 26 14:22:27 2024 -0800 - - Add the ability to retry when looking for hot added device nodes - - Signed-off-by: Kathryn Baldauf - -commit 67393b5dbf3e5ba34ca4f308183b3845dc099bbb -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Mar 6 13:58:22 2024 -0500 - - Update pre-go1.21 code (#2054) - - Signed-off-by: Hamza El-Saawy - -commit f317473b553f091ffa8259ca29b47ed77086aaa4 -Merge: 060de7cb9 6428d3dfe -Author: Kevin Parsons -Date: Tue Mar 5 13:19:08 2024 -0600 - - Merge pull request #2052 from qmuntal/fixalign - - fix SILOOBJECT_BASIC_INFORMATION alignment - -commit 6428d3dfe30097fcd1e03d969847be34e27f4b86 -Author: qmuntal -Date: Tue Mar 5 17:17:24 2024 +0100 - - mobve SILOOBJECT_BASIC_INFORMATION to winapi - - Signed-off-by: qmuntal - -commit f5066241551896b7e89690b7bc22ebc6ce42afa2 -Author: qmuntal -Date: Tue Mar 5 17:04:03 2024 +0100 - - fix SILOOBJECT_BASIC_INFORMATION alignment - - Signed-off-by: qmuntal - -commit 060de7cb9b4a420e824c50b299bf608cdda50ea6 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Mar 5 10:58:41 2024 -0500 - - Omnibus dependency updates (#2051) - - Consolidate dependabot updates: - - github.com/microsoft/hcsshim/pull/2050 - - github.com/microsoft/hcsshim/pull/2048 - - github.com/microsoft/hcsshim/pull/2047 - - github.com/microsoft/hcsshim/pull/2046 - - github.com/microsoft/hcsshim/pull/2045 - - github.com/microsoft/hcsshim/pull/2044 - - github.com/microsoft/hcsshim/pull/2043 - - github.com/microsoft/hcsshim/pull/2042 - - 
Signed-off-by: Hamza El-Saawy - -commit fe8c673755dff71acc0e697feea129a149fa0055 (tag: v0.12.0) -Author: Maksim An -Date: Tue Feb 27 18:50:03 2024 -0800 - - update `newBinaryCmd` URL path handling (#2041) - - Signed-off-by: Maksim An - -commit 85086d759bed5fab0f539ba169d566489e733d98 -Author: Kirtana Ashok -Date: Wed Feb 21 13:41:56 2024 -0800 - - Upgrade to go1.21 + fix lint errors - - Signed-off-by: Kirtana Ashok - -commit 8039310a9c449836ba496082536d9f503ee7ba9b -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Feb 26 17:51:50 2024 -0500 - - [deps] Omni-bus dependency update (#2039) - - * [deps] Omni-bus dependency update - - Signed-off-by: Hamza El-Saawy - - * upgrade containerd to see if tests pass - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit 7458e588af85def50ec522a8930ab604af4fd9d4 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Feb 20 13:56:17 2024 -0500 - - Update Cmd IO handling (#1937) - - Update `Cmd.Wait` to return a known error value if it times out waiting - on IO copy after the command exits (and update `TestCmdStuckIo` to check - for that error). - Prior, the test checked for an `io.ErrClosedPipe`, which: - 1. is not the best indicator that IO is stuck; and - 2. is now ignored as an error value raised during IO relay. - - Update `stuckIOProcess` logic in `cmd_test.go` to mirror logic in - `interal/exec.Exec`, using `os.Pipe` for std io that returns an `io.EOF` - (instead of `io.Pipe`, which does not). - - 
Signed-off-by: Hamza El-Saawy - -commit 5f9910ae0c4584fa694e27228e34d2ba9cf88e6e -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Feb 15 17:14:16 2024 -0500 - - Fix CodeQL pipeline failure (#2032) - - CodeQL Analyze job fails with:`Resource not accessible by integration`, - and logs show the following help: - - This run of the CodeQL Action does not have permission to access Code - Scanning API endpoints. - As a result, it will not be opted into any experimental features. - This could be because the Action is running on a pull request from a fork. - If not, please ensure the Action has the 'security-events: write' permission. - Details: Resource not accessible by integration - - Add `security-events: write`, along with default `contents` and - `packages` read permissions. - - Signed-off-by: Hamza El-Saawy - -commit c56a09c57629f8545b80a95a43b8b25f56c05f80 -Merge: c767380d6 bbbf09216 -Author: Yuanyuan Lei -Date: Thu Feb 15 10:24:13 2024 -0800 - - Merge pull request #1998 from yyatmsft/removeInternalTests2 - - Removing internal tests from hcsshim's cri-containerd tests - -commit c767380d69409110fc7d429cc0e08a3518767df4 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Thu Feb 15 10:21:15 2024 -0800 - - Don't create container scratch per base layer (#2002) - - For WCIFS based layers, a container scratch base VHD (and a differencing VHD) both are created per unique base - layer. However, with UnionFS we - don't add any reparse points and the VHD is empty, so we don't need to create a VHD per unique base layer. Now - the CimFS snapshotter will handle container scratch VHD creation and the LayerWriter will only create the VHD - for the UtilityVM. (The UtilityVM VHD still needs to be created per unique base layer since the BCD of that - layer is configured to boot from the UtilityVM VHD and the BCD is unique per image) - - 
Signed-off-by: Amit Barve - -commit 23e90564c20537f3bf04b5933a9b8b72c660aa6a -Author: Maksim An -Date: Thu Feb 15 09:28:17 2024 -0800 - - tests: update docker images. (#2012) - - Update docker image hashes to satisfy compliance requirements. - - The images have been rebuilt. - - Signed-off-by: Maksim An - -commit bbbf09216f9ee50813104d8814d5ad4e64bd2385 -Author: Yuanyuan Lei -Date: Wed Feb 14 17:23:01 2024 -0800 - - remove blanks - -commit 40f4a9104046c324c5899ac34330431599de5846 -Merge: ab6e48bfa 32b760c6d -Author: Kathryn Baldauf -Date: Wed Feb 14 14:47:12 2024 -0800 - - Merge pull request #2003 from katiewasnothere/kabaldau/assigned_devices_return_multi - - Allow mounting multiple dev nodes per assigned device - -commit 32b760c6dbdae98896f7541100bafe75a1529bb5 -Author: Kathryn Baldauf -Date: Fri Jan 19 17:17:06 2024 -0800 - - update code for assigned devices to allow mounting multiple dev nodes corresponding to device - - Signed-off-by: Kathryn Baldauf - -commit ab6e48bfae1efa56367a5cc085ad059afce42933 -Merge: b09fc1038 5eb195256 -Author: Kevin Parsons -Date: Mon Feb 12 11:09:58 2024 -0600 - - Merge pull request #2021 from kevpar/jc-fix - - internal/exec: Fix stdio pipe problems - -commit b09fc1038ac887465a64ca976c64dbb26f4d3644 -Merge: 9aabef846 b62535cdf -Author: Kevin Parsons -Date: Mon Feb 12 11:09:23 2024 -0600 - - Merge pull request #2023 from kevpar/revert-io-exp - - Revert "gcs: Support routing container stdio to sidecar" - -commit b62535cdfb5ba21b4a322fc531520fe28e389180 -Author: Kevin Parsons -Date: Thu Feb 8 17:09:22 2024 -0800 - - Revert "gcs: Support routing container stdio to sidecar" - - This reverts commit b1b07686425bd7e4594f46a153aa84bf224acf66. - - This work was done as an experiment, and is no longer being used. - - 
Signed-off-by: Kevin Parsons - -commit 9aabef846e62bec65fc7974dd98f342a5a80e433 -Merge: 5921abb65 976716ed6 -Author: Kevin Parsons -Date: Thu Feb 8 17:07:22 2024 -0600 - - Merge pull request #2020 from kevpar/jc-leak - - Fix process handle leak when launching a job container - -commit 5921abb65dd00751cbcbd40106144fa63cd1e223 -Author: Seth Hollandsworth -Date: Thu Feb 8 13:17:38 2024 -0500 - - adding option of using buffered image reader for faster dmverity hashing (#2013) - - Signed-off-by: Seth Hollandsworth - -commit 976716ed6294e3a641d80196dcb08ac5eefd4091 -Author: Kevin Parsons -Date: Wed Feb 7 08:08:19 2024 -0800 - - Fix process handle leak when launching a job container - - CreateProcess gives us back a handle to the newly created process. - Previously, we ignored this handle, which meant it was leaking every - time we created a new job container (or anything else that uses - internal/exec in the future). - - Process handle leaks can be bad as an exited process is left as a - "zombie" until all handles to it have closed, continuing to use memory. - - Fix this by closing the handle from CreateProcess. - - 
Signed-off-by: Kevin Parsons - -commit 5eb1952569fae966877a8c0828a9b82a17aca2d1 -Author: Kevin Parsons -Date: Tue Feb 6 17:36:20 2024 -0800 - - internal/exec: Fix stdio pipe problems - - exec today has two problems with how it handles stdio pipes: - - - When Wait completes, closeStdio() is called. - This closes the parent-side stdio pipes for receiving IO from the - process. This is a problem because once the process has completed, we - still need to be able to receive any final output. Today data from the - process could be lost because of this. - - The parent's handles to the child-side stdio pipes are not closed - after starting the process. Leaving duplicates of these handles in the - parent process means that the other ends of the pipes are never closed - when the process exits. - - This commit makes the following changes: - - - The parent's handles to the child-side stdio pipes are now closed - after the child is started. This is necessary so that once the child - exits, the parent-side pipes will return EOF once the remaining output - drains. - - When Wait completes, the parent-side stdio pipes are not closed. The - responsibility for this is now left to the client of the exec package. - Currently the only user of exec is jobcontainers.JobProcess, which - closes handles these when Close is called. - - Additionally, the ProcThreadAttributeList is now allocated and used only - in Start. Previously it was saved on the Exec object, even though it was - not needed elsewhere. This makes the code cleaner, simplifies the Wait - logic, and eliminates the chance of leaking memory if an Exec object - is GC'd without being Wait'd. - - 
Signed-off-by: Kevin Parsons - -commit 788484094c585bf860986f42ccdb4ad5c1f59aa1 -Author: Yuanyuan Lei -Date: Mon Feb 5 10:19:56 2024 -0800 - - removed unused file and code - -commit ede135266b523bddd720cecd5a738b9e5296244a -Merge: 0c34909cc b0d91fb30 -Author: Yuanyuan Lei -Date: Fri Feb 2 16:50:27 2024 -0800 - - Merge branch 'mainshim_main' into removeInternalTests2 - -commit 0c34909ccdea3a8b2577100f65591f2a9f07d241 -Author: Yuanyuan Lei -Date: Fri Feb 2 16:44:12 2024 -0800 - - Addressed comments - -commit b0d91fb30c4f8cc812d9e78d2fedd54c983c343a (tag: v0.12.0-rc.3) -Author: Kirtana Ashok -Date: Wed Jan 31 16:54:25 2024 -0800 - - Switch to using new errdefs repo - - Signed-off-by: Kirtana Ashok - -commit a1319d51465c4503b30625df5bb45291d7a4600b -Merge: d4494c785 4283479a5 -Author: Kathryn Baldauf -Date: Tue Jan 30 19:24:45 2024 -0800 - - Merge pull request #1999 from microsoft/kabaldau/nvidia_log_files - - Update nvidia hook log file paths to use container bundle path as base dir - -commit d4494c78561b9ff7738d51856847ce43d1bf515b -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Thu Jan 25 14:10:11 2024 -0800 - - Add CodeQL suppression for tar extraction code (#2006) - - CodeQL is generating a warning for tar extraction code suggesting that the tar file entries are used in an - unsanitized way and that could lead to file system traversal attacks. However, during tar extraction all the - files are written to the disk using the `internal/safefile` package which ensures all the filesystem - operations during layer extraction happen under the layer root directory. So this warning can be safely - suppressed. - - Signed-off-by: Amit Barve - -commit 4283479a53be6d6a3f84caf224213f1e33c147a1 -Author: Kathryn Baldauf -Date: Wed Jan 3 14:06:41 2024 -0800 - - Update nvidia hook log file paths to use container bundle path as base dir - - 
Signed-off-by: Kathryn Baldauf - -commit c25f9030b8f42dd13a67b183cab96dc352bda611 -Author: Yuanyuan Lei -Date: Sat Dec 30 01:16:24 2023 -0800 - - minor fixes - -commit f30bade7f82da6b97267ac89ff1d501f37b18418 -Author: Yuanyuan Lei -Date: Sat Dec 30 01:07:25 2023 -0800 - - removed lcow tests - -commit 0285b8b2bff391202ef0918b423509efea76bb89 -Author: Maksim An -Date: Thu Dec 28 09:29:25 2023 -0800 - - tests: update test images used for cri-containerd tests (#1991) - - Signed-off-by: Maksim An - -commit 4fd5f02bee35b4f1d7488d8fe801fea7b18f2c01 -Author: Joe Powell <56188788+darracott@users.noreply.github.com> -Date: Thu Dec 28 17:13:43 2023 +0000 - - SNP Direct DM-Verity Boot (#1952) - - * Working DM-Verity boot using 5..15 kernel - - Signed-off-by: Ken Gordon - Signed-off-by: Joe Powell - - * Working to boot 6.1 or 5.15 kernels with vhd supplied userland and merkle tree. - - Signed-off-by: Ken Gordon - Signed-off-by: Joe Powell - - * PR https://github.com/microsoft/hcsshim/pull/1886 changes which are required or gcs cannot start on 6.1 - - Signed-off-by: Ken Gordon - Signed-off-by: Joe Powell - - * Use "modern" igvm tooling from github repo. - - Signed-off-by: Ken Gordon - Signed-off-by: Joe Powell - - * Clean up Makefile - - Signed-off-by: Joe Powell - - * Add boot doc - - Signed-off-by: Joe Powell - - * Remove startup_2 as it is now redundant - - Signed-off-by: Joe Powell - - * Tidying - - Signed-off-by: Joe Powell - - * print opts - - Signed-off-by: Joe Powell - - * debug - - Signed-off-by: Joe Powell - - * debug - - Signed-off-by: Joe Powell - - * Remove extra err - - Signed-off-by: Joe Powell - - * Rm fmt - - Signed-off-by: Joe Powell - - * Clean up startups - - Signed-off-by: Joe Powell - - * Kick CI - - Signed-off-by: Joe Powell - - * Add HvSock port annotation - - Signed-off-by: Joe Powell - - * Clean up merge - - Signed-off-by: Joe Powell - - * Mark ups pre-rebasing - - Signed-off-by: Joe Powell - - * gofmt - - 
Signed-off-by: Joe Powell - - * More concise Makefile snp target - - Signed-off-by: Joe Powell - - * Apply nits - - Signed-off-by: Joe Powell - - --------- - - Signed-off-by: Ken Gordon - Signed-off-by: Joe Powell - Co-authored-by: Ken Gordon - -commit 6901c20d697451893f847dc1d76949e999f054fe (tag: v0.12.0-rc.2) -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Wed Dec 20 08:17:29 2023 -0800 - - Minor CimFS bug fixes (#1980) - - * Minor fixes for cimfs writer - - Adds minor fixes like updating the Windows build which supports CimFS, using safefile for creating directories in CimFS writer etc. - - - * Always expand volume when expanding sandbox VHD - - Currently, ExpandScratchSize or ExpandSandboxSize functions expand the VHD itself but don't expand the volume - on that VHD (unless we are on 19H1 & build < 19020). This works because for legacy layers the PrepareLayer - call made just before starting the container will automatically expand the volume to match the size of the - VHD. However, in case of CimFS layers we don't call PrepareLayer at all, so in that case we need to expand the - volume at the time of expanding the VHD. - - This also means in case of legacy layers, we might have a small perf hit because the VHD is mounted twice for - expansion (once here and once during the PrepareLayer call). But as long as the perf hit is minimal, we should - be okay. - - Signed-off-by: Amit Barve - -commit c59eb6936378de5da0ff35fc15f4c4d7304f2616 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Mon Dec 18 09:42:05 2023 -0800 - - Use CimFS layers for Process isolated WCOW (#1971) - - 
Signed-off-by: Amit Barve - -commit 0bb445eba15130b20be3a26484367533896a1f43 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Dec 18 11:09:50 2023 -0500 - - Bump actions/download-artifact from 3 to 4 (#1984) - - Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4. - - [Release notes](https://github.com/actions/download-artifact/releases) - - [Commits](https://github.com/actions/download-artifact/compare/v3...v4) - - --- - updated-dependencies: - - dependency-name: actions/download-artifact - dependency-type: direct:production - update-type: version-update:semver-major - ... - - Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit ab53ed9282498833afe95666373ff1cf83472759 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Dec 18 11:06:57 2023 -0500 - - Bump github/codeql-action from 2 to 3 (#1983) - - Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - - [Release notes](https://github.com/github/codeql-action/releases) - - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - - [Commits](https://github.com/github/codeql-action/compare/v2...v3) - - --- - updated-dependencies: - - dependency-name: github/codeql-action - dependency-type: direct:production - update-type: version-update:semver-major - ... - - 
Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit 8f2121683a59459ee581ad0a6db41a433f0ea952 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Dec 18 11:06:37 2023 -0500 - - Bump actions/upload-artifact from 3 to 4 (#1985) - - Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - - [Release notes](https://github.com/actions/upload-artifact/releases) - - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) - - --- - updated-dependencies: - - dependency-name: actions/upload-artifact - dependency-type: direct:production - update-type: version-update:semver-major - ... - - 
Signed-off-by: dependabot[bot]
- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-
-commit 7ec8848592cbf11ee7305bca8a52604dbf887053
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Mon Dec 11 13:57:32 2023 -0500
-
- Lint common error wrapping issues, update README (#1969)
-
- * Lint common error wrapping issues, update README
-
- Enable `errorlint` to catch common issues with wrapping and testing for errors.
-
- Wherever possible, switched to using `errors.Is` and `errors.As`.
- Exceptions:
- - function is defined in the same package and explicitly returns a
- know error variable
- - returns from functions in `io`, `binary`, `context`, `syscall`,
- `golang.org/x/sys/windows`, or `golang.org/x/sys/unix` that are
- (relatively) stable in error return value and type
- - conversion would interact with with `github.com/pkg/errors`
- - conversion would be non-trivial and require additional
- testing/validation
- - specifically, legacy code in `runhcs` and the root of the repo
-
- Rename `context` to `ctx` in `pkg\go-runhcs\*.go` to avoid
- overshadowing `context` package.
-
- Update `README.md`:
- - run markdown formatter (spaces around code blocks and headers, raw link URLS)
- - add section on linter and go generate (similar to go-winio's)
-
- Signed-off-by: Hamza El-Saawy
-
- * PR: hcserrors(+tests), README
-
- Signed-off-by: Hamza El-Saawy
-
- ---------
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit 9fb788158b3588a1c97071f3b81fc7707f4254cd
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Thu Dec 7 09:56:27 2023 -0500
-
- Bump actions/setup-go from 4 to 5 (#1978)
-
- Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
- - [Release notes](https://github.com/actions/setup-go/releases)
- - [Commits](https://github.com/actions/setup-go/compare/v4...v5)
-
- ---
- updated-dependencies:
- - dependency-name: actions/setup-go
- dependency-type: direct:production
- update-type: version-update:semver-major
- ...
-
- Signed-off-by: dependabot[bot]
- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-
-commit cff5c86900cd630ba8bcbfcf0f4b642c9a83d63c
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Wed Dec 6 11:01:56 2023 -0500
-
- [test] Update manifest; go generate (#1919)
-
- Update description in manifest used for `test/` binaries.
-
- Add `test/tools.go` (similar to `tools/tools.go`), to track
- `goversioninfo` command.
-
- Update `.github/workflows/ci.yml` to run `go generate` from within
- `test/`.
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit 04f386f4435049b1b32106c6b652ddfef1f505b7
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Tue Dec 5 16:16:16 2023 -0500
-
- Remove vSMB uses the wrong hostPath for file shares (#1974)
-
- When attaching a file, `foo/bar`, `uvm.AddVSMB` adds the `VSMBShare`to
- `uvm.vsmbFileShares` as `foo/`, and then also sets `VSMBShare.HostPath`
- to `foo/`.
- So, when `(*VSMBShare).Release` calls `uvm.RemoveVSMB`, it uses `foo/`
- as the `hostPath`, which, it then assumes is a directory share (stored
- in `uvm.vsmbDirShares`) instead of a file share (stored in
- `uvm.vsmbFileShares`) since `foo/` is a directory.
- This then fails since it cannot find the VSMBShare in `uvm.vsmbDirShares`.
-
- Fix this by adding a `VSMBShare.isDirShare` field to indicate which
- `uvm.vsmb*Shares` map it is stored under.
-
- Signed-off-by: Hamza El-Saawy
-
-commit 8570c66ca1d40bd95e6ed3e7d7b3abae8ba7a018
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Tue Dec 5 14:42:50 2023 -0500
-
- Fix CodeQL coode scanning alerts (#1972)
-
- Fix CodeQL alerts for unchecked downcasts from `int`s are to
- `(u)int32` (or `uintptr`) without checking for overflow.
- This can (potentially) cause incorrect behavior due to the value
- wrapping around to an unexpected value.
-
- Alerts:
- https://github.com/microsoft/hcsshim/security/code-scanning?query=branch%3Amain+rule%3Ago%2Fincorrect-integer-conversion
-
- Issue description:
- https://cwe.mitre.org/data/definitions/190.html
- https://cwe.mitre.org/data/definitions/681.html
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit ecf62f22885880928a77dd7a2d5f8d141f7dd754
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Mon Dec 4 13:45:38 2023 -0500
-
- [deps] Omnibus dependency updates (#1977)
-
- Consolidate dependabot updates and run `go mod tidy` across modules.
- PRs:
- - https://github.com/microsoft/hcsshim/pull/1935
- - https://github.com/microsoft/hcsshim/pull/1942
- - https://github.com/microsoft/hcsshim/pull/1944
- - https://github.com/microsoft/hcsshim/pull/1950
- - https://github.com/microsoft/hcsshim/pull/1953
- - https://github.com/microsoft/hcsshim/pull/1954
- - https://github.com/microsoft/hcsshim/pull/1959
- - https://github.com/microsoft/hcsshim/pull/1960
- - https://github.com/microsoft/hcsshim/pull/1961
- - https://github.com/microsoft/hcsshim/pull/1975
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit 5c75f29c1f5cb4d3498d66228637d07477bcb6a1
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Tue Nov 14 14:52:01 2023 -0500
-
- Build components in CodeQL pipeline (#1970)
-
- Need to build binaries for CodeQL to work:
-
- > For the compiled languages C/C++, C#, Go, Java, and Swift, the process of populating
- > this database involves building the code and extracting data.
-
- docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#about-the-codeql-analysis-workflow-and-compiled-languages
-
- Without explicit build commands between CodeQL `init` and `analyze`
- steps, CodeQL will attempt to automatically build go code using the
- following logic:
- docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#autobuild-for-go
-
- This can be see in the `CodeQL Analyze` step in out pipelines:
-
- ```
- Attempting to automatically build go code
- Autobuilder was built with go1.21.3, environment has go1.20.10
- LGTM_SRC is /home/runner/work/hcsshim/hcsshim
- Found go.mod, enabling go modules
- Import path is 'github.com/microsoft/hcsshim'
- Makefile found.
- Trying build command make []
- make: *** No rule to make target 'base.tar.gz', needed by 'out/initrd.img'. Stop.
- Running /usr/bin/make failed, continuing anyway: exit status 2
- Build failed, continuing to install dependencies.
- Skipping dependency installation because a Go vendor directory was found.
- Running extractor command '/opt/hostedtoolcache/CodeQL/2.15.2/x64/codeql/go/tools/linux64/go-extractor [-mod=vendor ./...]' from directory '.'.
- <...>
- ```
-
- Rather than rely on autobuild, explicitly configure CodeQL and build
- necessary targets.
-
- Skip running CodeQL on PRs if no code is changed. 
-
- Based on workflow:
- github.com/github/codeql/blob/0342b3eba242476cea815e601942021092d0bc10/.github/workflows/codeql-analysis.yml
-
- Signed-off-by: Hamza El-Saawy
-
-commit c2a7ff62d6ef5c9f22f88f851f7e0aab17db47ac
-Author: Joe Powell <56188788+darracott@users.noreply.github.com>
-Date: Tue Nov 14 16:59:54 2023 +0000
-
- Check for SNP before fetching SNP report (#1967)
-
- Signed-off-by: Joe Powell
-
-commit 522ec33ec68a4afa78992b7c65b35058b65a6764
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Mon Nov 13 16:13:18 2023 -0500
-
- Update build tags, lint entire repo for Linux (#1968)
-
- Add (Windows) build tags to necessary files, and add
- `internal\vhdx\doc.go` so that go language server does not complain that
- package is missing on Linux.
-
- Not all updated files are Windows specific. Some (eg,
- `internal\gcs\iochannel.go`) are only used by Windows code, so the go
- build tag prevents `unused` lint errors when `GOOS=linux`.
-
- Export the `parseAnnotations(Uint32|Uint64|String)` functions in
- `internal\oci\annotations.go` since other functions in the
- file are used in Linux files and that was the only way to avoid `unused`
- lint errors.
-
- Finally updated lint (in `.github\workflows\ci.yml`) and codeql
- (in `.github\workflows\codeql.yml`) jobs to run on entire repo for
- Linux, rather then specific directories.
-
- Signed-off-by: Hamza El-Saawy
-
-commit b9a845a091fe1f40fc2dc936490423844e0b9b63
-Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
-Date: Mon Nov 13 09:51:22 2023 -0800
-
- cimfs: Add cim layer mount/unmount functionality. (#1955)
-
- Signed-off-by: Amit Barve
-
-commit 654620c7003404bc741920b3692f82e76d882c8c
-Author: Takuro Sato <79583855+takuro-sato@users.noreply.github.com>
-Date: Mon Nov 13 15:59:29 2023 +0000
-
- Add support for Linux kernel 6.x to fetch attestation report (#1886)
-
- * Add support for Linux kernel 6.x to fetch attestation report
-
- 
Signed-off-by: Takuro Sato
-
- * Hard code ioctl code
-
- Signed-off-by: Takuro Sato
-
- ---------
-
- Signed-off-by: Takuro Sato
-
-commit 79ab3ee7cbd85017a81a9c7390f865e64f7b182f
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Fri Nov 10 14:58:03 2023 -0500
-
- uvmboot and gcs.test bug fix (#1966)
-
- Fix bugs:
- - Using `boot-files-path` flag name instead of value
- - Explicitly passing open door policy instead of empty string
- - Functional gcs tests also passed in encoded open door policy string,
- which is no longer necessary.
-
- Remove unnecessary else blocks.
-
- Pass context through calls.
- Use `log.G(ctx)` instead of `logrus`.
-
- Rename variables `cmd` and `scsi` to avoid overshadowing package names.
-
- Signed-off-by: Hamza El-Saawy
-
-commit 73c8f5ea5832a7838819900b43618d9d0d210f85
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Fri Nov 10 14:42:22 2023 -0500
-
- Add additional registry values to uVM via annotation (#1963)
-
- Allow callers to specify additional registry values in the WCOW OS via
- the `io.microsoft.virtualmachine.wcow.additional-reg-keys` annotation.
-
- The intent is to test and validate bug fixes or debug uVM behavior
- (eg, via setting values in `SYSTEM\CurrentControlSet\Services\wcifs`,
- `SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides\*`)
- without requiring a new package.
-
- The annotation is under `internal/annotations`, since it is not
- suitable for end users to rely on.
- Additionally, limit the settable registry keys to prevent it being used
- (abused) as a catch all mechanism to arbitrarily modify uVM behavior.
-
- Additionally, add
- [RegistryValueType](https://learn.microsoft.com/en-us/virtualization/api/hcs/schemareference#RegistryValueType)
- and
- [RegistryHive](https://learn.microsoft.com/en-us/virtualization/api/hcs/schemareference#RegistryHive)
- enum types for HCS v2 schema.
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit a27618474e0bc32622fc2890bceb77161f7e90fc
-Author: Maksim An
-Date: Mon Nov 6 10:54:54 2023 -0800
-
- CI: add CodeQL workflow and schedule (#1962)
-
- Signed-off-by: Maksim An
-
-commit 5370edac0ee96208ba0625c558d8c7f7df0131d1 (tag: v0.12.0-rc.1)
-Merge: 0af576d29 b6dde270c
-Author: Kevin Parsons
-Date: Thu Nov 2 15:52:28 2023 -0700
-
- Merge pull request #1938 from jayanthAP/patch-1
-
- Adding a new "DisableHostPort" network flag
-
-commit b6dde270c21a7ed344ff2e75ebb31addf136dc52
-Author: jayanthAP
-Date: Thu Oct 19 09:52:18 2023 +0530
-
- Add new "DisableHostPort" network flag
-
- When this flag is set in the network creation request, a host-port
- is not created for the network. This change also includes the below:
- - Added Version info for DisableHostPort flag.
- - Added DisableHostPort to SupportedFeatures struct.
- - Added feature check function for DisableHostPort flag.
- - Added Test function for DisableHostPortSupported API.
-
- Since EnableNonPersistent flag was the only network flag until now,
- the flag check in TestNetworkFlags() was a simple != check.
- However, after the addition of DisableHostPort flag, flag
- check is now done using the bitwise '&' operator.
-
- Signed-off-by: Jayanth Ananthapadmanaban
-
-commit 0af576d29d462afc6bc7fa11b83023d2226dad51
-Author: Kirtana Ashok
-Date: Mon Oct 9 10:26:06 2023 -0700
-
- Create container subdirectories for process dumps
- if "{container_id}" suffix is specified
-
- Signed-off-by: Kirtana Ashok
-
-commit 2feaacb46cf42e17ab81bfe6341d3529ef4cb897
-Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
-Date: Wed Nov 1 11:11:46 2023 -0700
-
- cimfs: Add a LayerWriter for writing cim layers (#1873)
-
- Adds a new CimLayerWriter that implements the same LayerWriter interface that the legacy layer writer
- implements. This CimLayerWriter can be used in containerd to pull images into the cimfs format.
-
- 
Signed-off-by: Amit Barve
-
-commit ab22a617d1e516baea49b8a78b54c8a74201e9c6
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Mon Oct 30 11:19:38 2023 -0400
-
- Standardize LCOW uVM bootfiles update (#1861)
-
- `NewDefaultOptionsLCOW` sets `RootFSFile` and `KernelFile` depending
- on the contents of the (default) `BootFilesPath` directory and
- `KerenelDirect` field.
- However, if `BootFilesPath` is subsequently updated, those fields are
- not updated.
- This can result in inconsistent behavior, where (depending on if the
- default `BootFilesPath` contains `vmlinux` and `rootfs.vhd` files), a
- uVM created with an overridden `BootFilesPath` may either use `initrd`
- (`kernel`) or `vmlinux` (`rootfs.vhd`), respectively.
-
- Add a `UpdateBootFilesPath` function to consistently change the
- `BootFilesPath` and associated options.
- Update annotation handling to use `UpdateBootFilesPath`.
- Security policy is still performed after the update, so settings will be
- re-overridden for the confidential case, or by other annotations, so
- existing (normal) behavior is persisted.
-
- Signed-off-by: Hamza El-Saawy
-
-commit a3be979527f4deefec23ec4416a34a8434e2763d
-Author: Maksim An
-Date: Thu Oct 26 17:48:50 2023 -0700
-
- minor refactor in dmverity-vhd tool (#1948)
-
- Use `errors` package instead of the `github.com/pkg/errors`.
-
- `createVHD` accepts layer number to avoid calling `layer.DiffID()`
- twice.
-
- Signed-off-by: Maksim An
-
-commit d8547ee4794c01f293410d502730d61556008b48
-Author: Heather Garvison
-Date: Wed Oct 25 20:05:20 2023 -0400
-
- update go_version in release ci (#1945)
-
- 
Signed-off-by: Heather Garvison
-
-commit baaec85ee8a91e5e5669cb65cbd4b768b1dec011
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Wed Oct 25 12:49:52 2023 -0400
-
- Also use `test/go.sum` for caching go dependencies (#1895)
-
- * Also use `test/go.sum` for caching go dependencies
-
- Update CI to look at both `go.sum` and `test/go.sum` when caching go
- modules.
- Update initial CI josb (`protos`, `verify-vendor`, and `go-gen`) to
- download all module dependencies (that are not already vendored) to
- pre-fill the cache and speed up future runs.
-
- Also, add `$LASTEXITCODE` check when running `go mod tidy` (and
- `go mod test`) to catch errors early on.
-
- Finally, disable git checkout progress, which spams logs with
- `Updating files:` messages (new to `actions/checkout@v4`).
-
- Signed-off-by: Hamza El-Saawy
-
- * PR: separate out go mod tidy and vendor
-
- Signed-off-by: Hamza El-Saawy
-
- ---------
-
- Signed-off-by: Hamza El-Saawy
-
-commit a32b15f187af0db32fe8ca62fa086ef1c5be0091
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Wed Oct 25 11:07:12 2023 -0400
-
- [test] Log to ETW for benchmarks; retry layer removal (#1947)
-
- Write logs to ETW instead of stdout when running benchmarks to mimic
- actual deployments.
- Add log level to `Run-Test.ps1` helper script.
-
- Add `RemoveAll` function that wraps and retries `os.RemoveAll` (waiting
- in between attempts) since the OS may take a while to remove locks on a
- directory after handles are closed.
-
- Bug: defer uVM cleanup after creation (not start) during tests.
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit a02b3b225e25629a3e07b9a810fa5d90999f6528
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Tue Oct 24 12:18:56 2023 -0400
-
- Add Close/WaitCtx to UtilityVM & System (#1876)
-
- * Add `Close`/`WaitCtx` to `UtilityVM` & `System`
-
- Add `CloseCtx` and `WaitCtx` methods to `UtilityVM` and `System`, which
- accept a context parameter and return if the context is canceled.
-
- This is intended to allow benchmark iterations to time out and prevent
- them from spending the majority of their time waiting.
-
- However, the added benefit is that tracing information (trace and span
- ID) will now be passed along to the `Wait` and `Close` logs (and
- underlying HCS call spans).
-
- Additionally, fix a bug in `(*UtilityVM).Close`, where, if the uVM was
- created but not started, then the `(*UtilityVM).Wait` call will
- hang indefinitely.
- Fix is to wait initially on the system to close, close the IO output
- handler, and then wait on the uVM.
-
- Combine LCOW uVM benchmarks together (similar to LCOW container) to
- simplify benchmark name formatting.
-
- Relies on https://github.com/microsoft/hcsshim/pull/1875
-
- Signed-off-by: Hamza El-Saawy
-
- * PR: uvm.Wait err handling; doc comments
-
- Signed-off-by: Hamza El-Saawy
-
- ---------
-
- Signed-off-by: Hamza El-Saawy
-
-commit 434adf355ffe69c80b929462d2edb86156159fc1
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Mon Oct 23 15:10:41 2023 -0400
-
- Bump golang.org/x/net from 0.10.0 to 0.17.0 (#1931)
-
- * Bump golang.org/x/net from 0.10.0 to 0.17.0
-
- Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0.
- - [Commits](https://github.com/golang/net/compare/v0.10.0...v0.17.0)
-
- ---
- updated-dependencies:
- - dependency-name: golang.org/x/net
- dependency-type: indirect
- ...
-
- Signed-off-by: dependabot[bot]
-
- * tidy ./test
-
- Signed-off-by: Hamza El-Saawy
-
- ---------
-
- 
Signed-off-by: dependabot[bot]
- Signed-off-by: Hamza El-Saawy
- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Co-authored-by: Hamza El-Saawy
-
-commit 725bceed5e6a192b47aaab193c6b72ea75e7f2bf
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Mon Oct 23 14:00:07 2023 -0400
-
- Embed version info; print benchmark config (#1874)
-
- Update how we set/read the version and commit information, so that it
- can be set via writing to files instead of needing to update all `go
- build` commands to add (or update) `-ldflags` with
- `-X main.version=... -X manin.gitCommit=...".
-
- Augment benchmark configuration with additional information, such as the
- go version, number of CPUs available, start time, version, and git
- branch and commit.
-
- This allows standardizing the configuration data across different
- benchmarking suites.
-
- Benchmark config follow the benchmark raw data format:
- https://go.googlesource.com/proposal/+/master/design/14313-benchmark-format.md
-
- Signed-off-by: Hamza El-Saawy
-
-commit cff94732c5efd9838d8354bd6f8fe16145f4712c
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Wed Oct 18 12:15:02 2023 -0400
-
- Use `"hcsschema"` in `internal/hcs` (#1901)
-
- Use `hcsschema.ProcessModifyRequest` (and associated structs) in
- `internal/hcs/process` when making modify requests and getting process
- properties.
-
- Update `hcschema` structs to match documentation (swagger seems to
- default to `int32` for generated fields regardless of the type specified
- in the documentation).
-
- Signed-off-by: Hamza El-Saawy
-
-commit aad7467e620da7c4958945bb68e2f10bb0ea26b2
-Author: Kirtana Ashok
-Date: Thu Sep 7 17:35:07 2023 -0700
-
- Support adding mount to running containers
-
- Extend hcsTask.Update() to process and add
- mount for running process isolated and hyperV
- wcow containers
-
- 
Signed-off-by: Kirtana Ashok
-
-commit 6f2929c212396b3ba102fa0c958dbf88a8822f08
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Thu Oct 12 15:18:47 2023 -0400
-
- Bump go.uber.org/mock from 0.2.0 to 0.3.0 (#1907)
-
- * Bump go.uber.org/mock from 0.2.0 to 0.3.0
-
- Bumps [go.uber.org/mock](https://github.com/uber/mock) from 0.2.0 to 0.3.0.
- - [Release notes](https://github.com/uber/mock/releases)
- - [Changelog](https://github.com/uber-go/mock/blob/main/CHANGELOG.md)
- - [Commits](https://github.com/uber/mock/compare/v0.2.0...v0.3.0)
-
- ---
- updated-dependencies:
- - dependency-name: go.uber.org/mock
- dependency-type: direct:production
- update-type: version-update:semver-minor
- ...
-
- Signed-off-by: dependabot[bot]
-
- * go gen and go tidy
-
- Signed-off-by: Hamza El-Saawy
-
- ---------
-
- Signed-off-by: dependabot[bot]
- Signed-off-by: Hamza El-Saawy
- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Co-authored-by: Hamza El-Saawy
-
-commit 11700d2711d371b01e9f149d07a83b3f818bc343
-Author: Kirtana Ashok
-Date: Thu Sep 28 11:49:49 2023 -0700
-
- Add constants for mount types
-
- Signed-off-by: Kirtana Ashok
-
-commit a4b45456e2b45c5246222c1471e7634f7a4e454e
-Merge: 4dc2c8b9f 8b69b76d3
-Author: Kevin Parsons
-Date: Fri Sep 29 14:41:31 2023 -0700
-
- Merge pull request #1898 from dmcgowan/update-containerd-log-dependency
-
- Update containerd log dependency
-
-commit 8b69b76d30cd3bdc9e1825bd5b8126c7b7268015
-Author: Derek McGowan
-Date: Tue Sep 12 17:39:23 2023 -0700
-
- Remove log package dependency
-
- 
Signed-off-by: Derek McGowan
-
-commit 4dc2c8b9f720ccfce9b86cd0dab5101099ec6849 (upstream-hcshsim/pullimagefailurefix, origin/pullimagefailurefix)
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Mon Sep 25 12:58:00 2023 -0400
-
- Bump actions/checkout from 3 to 4 (#1885)
-
- Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- - [Release notes](https://github.com/actions/checkout/releases)
- - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- - [Commits](https://github.com/actions/checkout/compare/v3...v4)
-
- ---
- updated-dependencies:
- - dependency-name: actions/checkout
- dependency-type: direct:production
- update-type: version-update:semver-major
- ...
-
- Signed-off-by: dependabot[bot]
- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-
-commit 27df1b95b69faaeca97de86d25d68f48f89bc0b9
-Author: Djordje Lukic
-Date: Thu Sep 14 19:50:59 2023 +0200
-
- Fix closing stdin (#1899)
-
- Send the modify request even if stdin is nil, let the process handle it
-
- Signed-off-by: Djordje Lukic
-
-commit e7509cc6636d89ad8e748bb4c127f83af7131b05
-Author: Seth Hollandsworth
-Date: Wed Sep 13 18:48:50 2023 -0400
-
- defaulting to unbuffered reader for dmverity hashing (#1887)
-
- 
Signed-off-by: Seth Hollandsworth
- Co-authored-by: ksayid
-
-commit 23d6d0199bc77f4c53da2da725887a189ca765e6
-Author: Maksim An
-Date: Wed Sep 13 14:16:30 2023 -0700
-
- add support for verity checking partitioned disks (#1810)
-
- Add an option to mount partitioned disks with dmverity.
-
- Additionally add support for reading verity information from
- within the guest. The expectation is that verity hash device
- is appended to the read-only file system. The functionality
- can be enabled by passing a container annotation.
-
- Host no longer reads verity superblock and as a result
- the `DeviceVerityInfo` protocol message is being
- deprecated. The guest will always attempt to read verity
- super-block when non-empty security policy is passed.
- Security policy is expected to be empty only in regular
- LCOW scenarios.
-
- Signed-off-by: Maksim An
-
-commit dd45838a9bf9ff8f431847aaf3e4421763c15c49
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Fri Sep 8 15:39:09 2023 -0400
-
- Skip shim tests if shim binary is not found (#1893)
-
- Rather than failing tests when attempting to exec the shim executable,
- look up its path first and skip if it is not found.
-
- Most testing binaries require that other binaries be located in the same
- directory as them (see `require.Binary`), but since the CI runs the shim
- tests directly, add `require.BinaryInPath`, which looks for the binary
- in the path or current working directory first.
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit 2bba98f3388e886d5d1052c753e9dee304be3062
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Wed Sep 6 12:56:13 2023 -0400
-
- [test]Exclude features, add any feature check (#1853)
-
- * test: Exclude features, add any feature check
-
- Add `-exclude` flag to be able to specify all but a certain set of
- flags to run, since it is common (especially locally) to want to run all
- but a certain subset of tests.
- eg, `functional.test.exe -exclude LCOWIntegrity` will run all test except
- for those that require rego enforcement.
-
- Add `require.AnyFeature` function to check that at least one of the listed
- feature is specified.
- This allows skipping a test that with subtests that individually require
- non-overlapping features, which avoids running generalized test setup
-
- Moved `"test/cri-containerd".requireBinary` to
- `"test/pkg/require".Binary".
-
- Signed-off-by: Hamza El-Saawy
-
- * PR: docs, comments, naming
-
- Signed-off-by: Hamza El-Saawy
-
- ---------
-
- Signed-off-by: Hamza El-Saawy
-
-commit 07353f917c34d5de4d7c6bd439ba8f349d8740c1
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Wed Sep 6 11:26:54 2023 -0400
-
- Add `OutputHandlerCreator` type for uVMs (#1875)
-
- Currently, `NewDefaultOptionsLCOW` creates a logrus output handler using
- the provided uVM ID, but if the `ID` field is changed, the `parseLogrus`
- `OutputHandler` still uses the old ID.
-
- Change `OptionsLCOW` to take `OutputHandlerCreator`, which is a
- `func(*Options) OutputHandler`, so creating the output handler is
- delayed until LCOW creation, and uses the latest uVM ID specified.
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit a143d91a77cb5e3f066d05495b74924e7867c882
-Merge: 3d1810ee7 ee73d4747
-Author: Kathryn Baldauf
-Date: Tue Sep 5 12:22:43 2023 -0700
-
- Merge pull request #1879 from katiewasnothere/kabaldau/clean_up_nvidia_hook
-
- Clean up NVIDIA hook
-
-commit ee73d47479e819e7c9a73753227e0b0016940907
-Author: Kathryn Baldauf
-Date: Wed Aug 23 10:16:22 2023 -0700
-
- Clean up GPU functional tests
-
- Signed-off-by: Kathryn Baldauf
-
-commit 496fde2f8b3dd39840dfdcb74d860620627bc6d9
-Author: Kathryn Baldauf
-Date: Wed Aug 23 10:16:02 2023 -0700
-
- Clean up shim code paths for nvidia gpu
-
- Signed-off-by: Kathryn Baldauf
-
-commit f302b82dae5f4855998a6a0bb34755c36f469094
-Author: Kathryn Baldauf
-Date: Fri Aug 18 14:38:17 2023 -0700
-
- Clean up nvidia hook, assume drivers are already present in the UVM
-
- Signed-off-by: Kathryn Baldauf
-
-commit 3d1810ee769c230938b57c20b151e6ba762c3e28 (tag: v0.12.0-rc.0)
-Author: Bryce Fisher
-Date: Thu Aug 24 15:53:08 2023 -0400
-
- Fix SVN reference in policy readme (#1877)
-
- Signed-off-by: Bryce Fisher
-
-commit b5c7ec2cc8bca44f369f696573236c5572d7be70
-Author: Joe Powell <56188788+darracott@users.noreply.github.com>
-Date: Thu Aug 24 17:10:40 2023 +0100
-
- Allow setting HclEnabled to false (#1862)
-
- * Allow setting HclEnabled to false
-
- Signed-off-by: Joe Powell
-
- * Ensure HclEnabled field can still be omitted
-
- Signed-off-by: Joe Powell
-
- ---------
-
- 
Signed-off-by: Joe Powell
-
-commit 5751c1b796505d6064807461b2986c5fa2cbca41
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Thu Aug 17 17:45:02 2023 -0400
-
- Add more go vet checks (#1849)
-
- * Enable all go vet checks
-
- Turn on all [go vet](https://pkg.go.dev/cmd/vet) checks (except for
- `fieldalignment`, and ignore shadowing `err` variables.
-
- Caught a couple minor bugs:
- - ncproxy did not set the panic file for the service
- - `nil`-field access in logs
- - not updating `processorLimits` in `(*UtilityVM).Update`
-
- Simplified a couple `if` statements clauses where
- [conditional evaluation](https://go.dev/ref/spec#Logical_operators)
- made `!= nil` checks redundant.
-
- Signed-off-by: Hamza El-Saawy
-
- * PR: err name; decl
-
- Signed-off-by: Hamza El-Saawy
-
- ---------
-
- Signed-off-by: Hamza El-Saawy
-
-commit bc8097c5332f70a51d0652967fa95d3aaeeeaadf
-Author: Amit Barve <57150885+ambarve@users.noreply.github.com>
-Date: Tue Aug 15 10:06:31 2023 -0700
-
- cimfs: Add helpers for retrieving partition information from a vhdx (#1850)
-
- CimFS layer import requires that we do the base scratch VHD processing without calling the HCS APIs (since
- those APIs do not understand the CimFS format). This processing involves fetching the partitioning information
- of the scratch VHD. This commit adds a package that adds new Go wrappers around the IOCTLs that fetch
- partitions information of a device.
-
- Signed-off-by: Amit Barve
-
-commit 816f1d1201cf7e01371d4a268e1e24966ed255f3
-Merge: 0423eec16 797be573e
-Author: Kevin Parsons
-Date: Tue Aug 15 09:54:26 2023 -0700
-
- Merge pull request #1872 from kevpar/destory
-
- computestorage: Fix incorrect syscall in DestroyLayer
-
-commit 797be573ee5a2bae6f3f66251685178c1b0d24f7
-Author: Kevin Parsons
-Date: Mon Aug 14 23:11:37 2023 -0700
-
- computestorage: Fix incorrect syscall in DestroyLayer
-
- HcsDestoryLayer -> HcsDestroyLayer
-
- 
Signed-off-by: Kevin Parsons
-
-commit 0423eec163d5493770569945c371011e090ab94c
-Author: Maksim An
-Date: Mon Aug 7 10:44:23 2023 -0700
-
- retry device mapper and cryptsetup errors (#1721)
-
- Occasionally /dev/sd* devices arrive late and not available at the
- time when verity or dm-crypt targets are created. This commit
- introduces a `CreateDevice` wrapper which can retry the operation
- on specific errors and always retries cryptsetup once, but with
- a large retry timeout.
-
- Signed-off-by: Maksim An
-
-commit 7dfb07b1e3cc889fe128e4457ab0ac6581772e13
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Mon Aug 7 15:29:30 2023 +0000
-
- Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#1856)
-
-commit c9a9ba0bae45971752bddef14106b8c2aa84652e
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Mon Aug 7 15:28:31 2023 +0000
-
- Bump golang.org/x/sys from 0.10.0 to 0.11.0 in /test (#1868)
-
-commit 2e1fc1caf4b8250cb8e1bbbf7fa3debcb2c534bf
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Mon Aug 7 15:28:04 2023 +0000
-
- Bump github.com/google/go-containerregistry in /test (#1869)
-
-commit c8eb8236f56948f9050bd890dd39da1a5aa23652
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Thu Aug 3 17:25:55 2023 -0400
-
- [ci] Update testing job (#1854)
-
- Don't need `-mod=mod` flag when running tests in root repo.
-
- Running tests in `internal/regopolicyinterpreter/` on Windows is
- redundant, since tests are already run with `./...`.
-
- Switch from running tests in `test/internal` to `test/...` on Windows,
- since, without `-tag functional` flag, it will not run
- `test/functional`, `test/cri-containerd`, and related tests, but will
- encompass other tests defined.
-
- 
Signed-off-by: Hamza El-Saawy
-
-commit 1665e4efb97db87731c9e997aeca88c65c8a28b6
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Thu Aug 3 13:55:34 2023 -0400
-
- Fall back on json encoding from protojson (#1864)
-
- If `protojson.Marshal` fails, fall back on `json.Marshal`.
-
- Failure arose when marshalling containerd's `task.ExecProcessRequest`,
- since the `Spec` field is an `anypb.Any` encoded via `typeurl/v2`, which
- standard protobuf unmarhsalling cannot handle.
-
- Also, downgrade logging about failures with formatting during logging to
- Debug level, since they do not warrant always being output.
-
- Signed-off-by: Hamza El-Saawy
-
-commit fa3b77dcc71664d0594e3d0459c17e439b005fec
-Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-Date: Mon Jul 31 15:31:49 2023 +0000
-
- Bump google.golang.org/grpc from 1.56.2 to 1.57.0 in /test (#1859)
-
-commit e8208853ff0f7f23fa5d2e018deddff2249d35c8
-Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com>
-Date: Fri Jul 28 14:39:56 2023 -0400
-
- Add exec benchmarks (#1855)
-
- Add benchmarks to measure (LCOW) exec performance to functional test
- suite.
-
- Additionally, remove helper testing functions from benchmark section
- (between `b.StartTimer()` and `b.StopTimer()`), since helper functions
- will call `"testing".(TB).Helper()`, which involves mutex (un)lock
- operations as well as parsing stack frames.
-
- 
Signed-off-by: Hamza El-Saawy - -commit 1e6fc28c2f57d666f91269fc82d7b66c7d0d9093 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Fri Jul 28 10:09:57 2023 -0700 - - Use RtlGetVersion instead of GetVersion (#1846) - - GetVersion API returns correct OS version values only if the calling binary is manifested. Hcsshim is - manifested. However, other binaries using the osversion package from hcsshim (like containerd) are not - manifested and so they are not able to get the accurate OS version information. RtlGetVersion doesn't need - the binary to be manifested so this commit replaces the use of GetVersion with RtlGetVersion. - - Note that hcsshim is still manifested even if we aren't using GetVersion anymore. This is because there are - some other advantages of using a manifest as described here: - https://learn.microsoft.com/en-us/windows/win32/w8cookbook/application--executable--manifest. The use of a - default thread pool for RPC and the fix for a race condition in GetOverlappedResult are relevant to - hcsshim. So in order to keep these behaviors same we want to keep hcsshim binary manifested. - - Signed-off-by: Amit Barve - -commit 909134fbb702d228c5e0d4428de975aedac65783 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed Jul 26 19:54:56 2023 +0000 - - Bump github.com/opencontainers/runtime-spec from 1.1.0-rc.3 to 1.1.0 (#1852) - -commit c22ab6137765d168e0eff439f6ddf2e9df9ea728 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Jul 26 15:36:06 2023 -0400 - - disable fail fast on windows tests (#1851) - - 
Signed-off-by: Hamza El-Saawy - -commit df195679db00b3051fceffce86c7319d11bd7929 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed Jul 26 18:58:43 2023 +0000 - - Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#1845) - -commit 40d5fde4c96b27ca651f14f007ded0ee3bccc8d0 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Jul 26 13:43:42 2023 -0400 - - Update tar2ext4 to convert forward slashes (#1847) - - Both `\` and `/` are valid paths on Windows, so Linux layer tar files - generated on Windows may potentially use either. - Update `tar2ext4` to convert `\` to `/` in paths when on Windows to - avoid creating invalid ext4 file systems. - - Signed-off-by: Hamza El-Saawy - -commit 34febc89b9420f8986911582f8ce6c609fffc755 -Merge: ff23f4625 bed7a8be4 -Author: Kathryn Baldauf -Date: Wed Jul 26 10:33:34 2023 -0700 - - Merge pull request #1824 from katiewasnothere/kabaldau/networkagent_v0 - - Add support for nodenetsvc v0 and readme to test network agent - -commit ff23f4625236dfdf1941ab7d1ddc436e7604a907 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Wed Jul 26 10:32:18 2023 -0700 - - cimfs: Add Offline registry API wrappers and export constants (#1842) - - offline registry API is required during CimFS layer import. This commit adds Go wrappers around it. It also - exports some constants from the wclayer package so that those constants can be used by the cim layer package - - 
Signed-off-by: Amit Barve - -commit 55417ac87e5dc9357bf0f6c3728539f04fd62da4 -Author: Maksim An -Date: Mon Jul 24 14:23:52 2023 -0700 - - tests: rego `get_properties` functional test (#1803) - - Update test images package to support image extract decorators - as an easy way to extend the logic if we need to chain a few - steps, in this case appending verity hashes to an ext4 fs. - - Add default mount extension logic to standalone container path - as well to enable functional tests. - - Add new `securitypolicy` package under `test/pkg` to share - some logic between cri-containerd and functional tests. - - Add lower level `get_properties` test with rego policies. - - Signed-off-by: Maksim An - -commit bed7a8be42d98d9a4748033004e4c484be27b50f -Author: Kathryn Baldauf -Date: Tue Jun 27 15:18:01 2023 -0700 - - Add linter exclusion for test networkagent - - Signed-off-by: Kathryn Baldauf - -commit 3955d351f91c91fb9d85e23ff1c0315db1455027 -Author: Kathryn Baldauf -Date: Tue Jun 27 14:57:47 2023 -0700 - - Add support for nodenetsvc v0 and readme to test network agent - - Signed-off-by: Kathryn Baldauf - -commit 28cce9cea720462e4b84498f9f79fdb836454ba0 (tag: v0.10.0) -Author: Maksim An -Date: Thu Jul 20 13:35:51 2023 -0700 - - policy: extend default networking mounts for standalone containers (#1826) - - Signed-off-by: Maksim An - -commit d71606e9f79996502ce59c01b02e60f3984674b1 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Jul 20 16:01:32 2023 -0400 - - use protojson when formatting for logs (#1844) - - Signed-off-by: Hamza El-Saawy - -commit 567f6bd9538ef3b06a22e3411eb34ab409eb48f7 -Author: Maksim An -Date: Wed Jul 19 12:36:21 2023 -0700 - - make sure to close files in dmverity-vhd tool (#1770) - - Currently we're not closing output VHD files and read closers - when creating layer VHDs with dmverity-vhd tool. - - Refactor error wrapping. - - 
Signed-off-by: Maksim An - -commit 95c604793ea60b5e93952300c92470bf253213e1 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jul 18 11:39:36 2023 -0400 - - Create tools package to isolate dependencies (#1840) - - Using a dedicated package for tools.go prevents callers who import hcshim - from adding the tools to their package's dependencies, while still - allowing us to track and vendor them.t p - - Signed-off-by: Hamza El-Saawy - -commit 5e97eb33987f69fb392dc0b650d3d4dfa2cc15e4 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Fri Jul 14 17:24:43 2023 -0700 - - cimfs: Add cimfs writer (#927) - - Add go wrappers over cimfs writer functions exported by cimfs.dll. - - Signed-off-by: Amit Barve - -commit 43d7af349640a818b3e29a475cb6ba8da082d282 -Author: Mahati Chamarthy -Date: Fri Jul 14 18:05:21 2023 +0200 - - Replace cosesign1 and didx509 resolver (#1805) - - ... with their independent pkgs - - Signed-off-by: Mahati Chamarthy - -commit 619018cdb91b75b4e29c190bad346aea75137508 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jul 11 18:23:27 2023 -0400 - - Replace deprecated github.com/golang/mock (#1839) - - 
Signed-off-by: Hamza El-Saawy - -commit 492992ffc1ef1cc59766e3927e1131c4ea2d85eb -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jul 11 17:18:52 2023 -0400 - - [deps]Omni-bus dependency upgrade (#1837) - - Combine several dependabot PRs to deal with `test/go.mod` module issues: - - - https://github.com/microsoft/hcsshim/pull/1834 - - https://github.com/microsoft/hcsshim/pull/1833 - - https://github.com/microsoft/hcsshim/pull/1832 - - https://github.com/microsoft/hcsshim/pull/1831 - - https://github.com/microsoft/hcsshim/pull/1830 - - https://github.com/microsoft/hcsshim/pull/1829 - - https://github.com/microsoft/hcsshim/pull/1828 - - https://github.com/microsoft/hcsshim/pull/1819 - - https://github.com/microsoft/hcsshim/pull/1808 - - Regenerate proto files since `protoc-gen-go` is updated. - - Signed-off-by: Hamza El-Saawy - -commit dbbf3b9e00c23406cec7956bbd3f106ad3a7ebe6 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Jul 10 14:23:05 2023 -0400 - - [ci]Remove `Verify-GoModules.ps1` (#1836) - - `.\scripts\Verify-GoModules.ps1` does not surface roots cause of - inconsisteny and does not match local mod tidy/vendor steps. - - Replace with explicit commands, which also matches rest of `ci.yml` - jobs. - - 
Signed-off-by: Hamza El-Saawy - -commit decae4b80eb238cef869f382e14267f01da75ac4 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Jul 10 11:25:50 2023 -0400 - - Updated containerd1.7; google.golang.org/protobuf (#1706) - - * Update containerd1.7; google.golang.org/protobuf - - Update to containerd 1.7 and move to `google.golang.org/protobuf` - from `github.com/gogo/protobuf/gogoproto`. - - These two changes are intertwined, since containerd 1.7 changes its - ttrpc task server definitions and protobuff generation (as well as some - other API changes). - Additionally, the task server gRPC code is imported from containerd - directly, rather than being generated here, and that code now explicitly - imports `google.golang.org/protobuf` instead of - `github.com/gogo/protobuf/gogoproto`. - Upgrading to `google.golang.org/protobuf` also requires updating - the `containerd/cgroups` dependency to v3 - (`github.com/containerd/cgroups/v3/cgroup1/stats/`). - - The new `protoc-gen-go-grpc` generators do not allow directives such as - `gogoproto.customname`, so the `go-fix-acronym` command is used to - update acronym customization (which is what containerd does). - - Updated `Protobuild.toml` to specify new generators. - - Added an `Update-Proto.ps1` script to re-generate protobuf files locally - and in GitHub CI. - - Add `protobuild` and protobuff `grpc` and `ttrpc` generators to - `tools.go` so they are tracked and vendored, and can be trivially - installed via `go install`. - - Signed-off-by: Hamza El-Saawy - - * Vendor protobuf import changes - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit 640a5606a855a275cda5b8862221ae32b09b6a35 (tag: v0.10.0-rc.9, adoshim/dev/kiashok/v0.10.0-rc.9) -Author: kiashok <99994218+kiashok@users.noreply.github.com> -Date: Wed Jul 5 09:51:20 2023 -0700 - - Add support for platform compatibility check for windows (#1821) - - 
Signed-off-by: Kirtana Ashok - -commit 6eea50b71ec863d5a82048c90ba3b1db7a7309c5 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jun 19 18:29:19 2023 -0400 - - Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 (#1812) - - * Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 - - Bumps [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) from 1.2.25 to 1.2.26. - - [Release notes](https://github.com/lestrrat-go/jwx/releases) - - [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.26/Changes) - - [Commits](https://github.com/lestrrat-go/jwx/compare/v1.2.25...v1.2.26) - - --- - updated-dependencies: - - dependency-name: github.com/lestrrat-go/jwx - dependency-type: direct:production - ... - - Signed-off-by: dependabot[bot] - - * tidy test - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: dependabot[bot] - Signed-off-by: Hamza El-Saawy - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Hamza El-Saawy - -commit 73986cab0b2d3a6f87289a77c74aeac97351e071 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jun 19 17:44:12 2023 -0400 - - Bump golang.org/x/sync from 0.2.0 to 0.3.0 (#1817) - - * Bump golang.org/x/sync from 0.2.0 to 0.3.0 - - Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.2.0 to 0.3.0. - - [Commits](https://github.com/golang/sync/compare/v0.2.0...v0.3.0) - - --- - updated-dependencies: - - dependency-name: golang.org/x/sync - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - - * tidy test - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: dependabot[bot] - 
Signed-off-by: Hamza El-Saawy - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Hamza El-Saawy - -commit 74521d4d5f0e88b426115a8c305123858f6d8f28 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jun 19 16:43:43 2023 -0400 - - Bump golang.org/x/sys from 0.8.0 to 0.9.0 (#1818) - - * Bump golang.org/x/sys from 0.8.0 to 0.9.0 - - Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.8.0 to 0.9.0. - - [Commits](https://github.com/golang/sys/compare/v0.8.0...v0.9.0) - - --- - updated-dependencies: - - dependency-name: golang.org/x/sys - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - - * tidy test - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: dependabot[bot] - Signed-off-by: Hamza El-Saawy - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Hamza El-Saawy - -commit 4ede1fde8a886ed0f61da514a643ea5ee72ec86e -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Jun 19 16:01:39 2023 -0400 - - skip failing test, use gotestsum (#1820) - - 
Signed-off-by: Hamza El-Saawy - -commit d8cf194fc9d6fcb8483af567da41956e9adf55b7 -Merge: c197eb56a 2095093fd -Author: Kathryn Baldauf -Date: Thu Jun 15 14:20:29 2023 -0700 - - Merge pull request #1807 from jsturtevant/fix-pids-query - - When fetching the pid counts for the container the state can be invalid sometimes - -commit c197eb56a29ef047285124260e4677850740dd36 -Merge: 4daa33439 46d8160d3 -Author: Kathryn Baldauf -Date: Mon Jun 12 14:14:20 2023 -0700 - - Merge pull request #1809 from katiewasnothere/kabaldau/ncproxy_v0_deprecated_tag - - Add deprecated option to all types and fields for ncproxy v0 apis - -commit 46d8160d38573d77bd4d5fea5ad798c8e9401163 -Author: Kathryn Baldauf -Date: Mon Jun 12 12:30:24 2023 -0700 - - Add new entries in golangci.yml to prevent linter errors from deprecated ncproxy api use - - Signed-off-by: Kathryn Baldauf - -commit 10a43090449146d45d2f944d4526b0888746f5ef -Author: Kathryn Baldauf -Date: Mon Jun 12 11:40:42 2023 -0700 - - Add deprecated option to all types and fields for ncproxy v0 apis - - Signed-off-by: Kathryn Baldauf - -commit 4daa33439536d55fbe5f7c7faba9a48472e6ebbb -Merge: cc9303b32 10c29fc7b -Author: Kathryn Baldauf -Date: Mon Jun 12 11:26:01 2023 -0700 - - Merge pull request #1806 from katiewasnothere/kabaldau/ncproxy_nodenetsvc - - Support v0 and v1 nodenetsvc api for ncproxy - -commit 2095093fd2d41faff65cd3a9cff7af9e9b9c9f7b -Author: James Sturtevant -Date: Fri Jun 9 17:17:30 2023 -0700 - - When fetch pid counts the contianer can be in an invalid state sometimes - - Signed-off-by: James Sturtevant - -commit 10c29fc7b15f2e93343add9683fdaaea58ebf855 -Author: Kathryn Baldauf -Date: Tue Jun 6 10:22:58 2023 -0700 - - Create a v0 nodenetsvc api and plumb through ncproxy code - - 
Signed-off-by: Kathryn Baldauf - -commit cc9303b3238eaee98c4cf64bdc2382a0da6b655f -Merge: b8cf9e776 37cd9df9f -Author: Kathryn Baldauf -Date: Fri Jun 9 13:15:48 2023 -0700 - - Merge pull request #1797 from katiewasnothere/kabaldau/ncproxy_v1_api - - Add support for NetworkConfigProxy v0 and v1 api - -commit 37cd9df9f1d5d3fe1956027f2833247268b04d20 -Author: Kathryn Baldauf -Date: Fri Jun 9 10:44:33 2023 -0700 - - Add file wide deprecated option to ncproxygrpc v0 api - - Signed-off-by: Kathryn Baldauf - -commit cbb43e5a5bd46e998b39acb341c4a2cc74a665a3 -Author: Kathryn Baldauf -Date: Thu Jun 1 17:02:30 2023 -0700 - - Add support for NetworkConfigProxy v0 and v1 api - * Add tests for NetworkConfigProxy v0 support - - Signed-off-by: Kathryn Baldauf - -commit b8cf9e776457b1d73dc918cf465775ffc4f89af6 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Tue Jun 6 04:06:08 2023 -0700 - - Revert image name change in the ArgsEscaped test (#1804) - - In a previous commit, the image used in the ArgsEscaped test was changed incorrectly. This fixes that. - - Signed-off-by: Amit Barve - -commit 61e011211ff579041c92e529da5d39db3ec4a553 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Jun 5 18:19:52 2023 -0400 - - Version control and vendor mockgen (#1802) - - Explicitly track `github.com/golang/mock/mockgen` as a go dependency. - (There is no change in our go.mod or go.sum, since the package is - already being used by the generated code and elsewhere). - - Add `//go:generate` directives to create the mocked files and ensure the - results are always up to date. - - 
Signed-off-by: Hamza El-Saawy - -commit 7193878344b2c0014095c6c99d64612a6316a7a6 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jun 5 14:26:22 2023 -0400 - - Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#1800) - - * Bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 - - Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - - [Release notes](https://github.com/sirupsen/logrus/releases) - - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) - - --- - updated-dependencies: - - dependency-name: github.com/sirupsen/logrus - dependency-type: direct:production - update-type: version-update:semver-patch - ... - - Signed-off-by: dependabot[bot] - - * tidy test - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: dependabot[bot] - Signed-off-by: Hamza El-Saawy - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Hamza El-Saawy - -commit f5c5797f78896320e92d76dede481b540da3d4cf -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Jun 2 20:38:06 2023 -0400 - - fix integration test failure (#1799) - - Signed-off-by: Hamza El-Saawy - -commit 25b6855925d2148b69cbd14a5d081921d9f59b7f -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Jun 2 15:43:56 2023 -0400 - - [ci] Enable caching for proto and integration jobs (#1755) - - Caching is enabled by default in `actions/setup-go@v4` - (https://githut b.com/actions/setup-go#caching-dependency-files-and-build-outputs) - so update the `go.sum` path when checking out hcsshim to a non-default - path. - - Additionally, disable for linting, since that often causes errors. - Without caching, wont need to explicitly delete the module cache. - - Relies on: https://github.com/microsoft/hcsshim/pull/1752 - - 
Signed-off-by: Hamza El-Saawy - -commit 8d4a20c4f5543300de2c0e639e935a93d3421489 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Fri Jun 2 10:17:45 2023 -0700 - - Minor fixes to SCSI mount operation (#1798) - - During a recent refactor SCSI mount operation code removed a retry logic that is needed when examining the - filesystem type on a SCSI device. Retry is needed because sometimes attempting to open a SCSI devices - immediately after attaching it results in ENXIO/ENOENT errors. This adds the retry logic back. - - Names of some images used in the tests had changed, this commit updates those names too. - - Signed-off-by: Amit Barve - -commit 8a094aee4469e4a0b3b84d83259f842e3554bd99 -Author: Maksim An -Date: Thu Jun 1 17:24:26 2023 -0700 - - tests: add rego e2e tests for dump_stacks and get_properties (#1793) - - Signed-off-by: Maksim An - -commit 4f8d26f7d627ffa68809c4f695c53bb6673d0fd1 -Author: Maksim An -Date: Tue May 30 17:09:51 2023 -0700 - - tests: fix uvm resources update tests (#1796) - - inject fragment logic has been added and the uvm resource - update tests are failing for a completely different reason. - Update the tests to check for specific "invalid resource" - message. - - Signed-off-by: Maksim An - -commit 566a34db6bbce112fb9cfa2bd582dc546a7d10cd -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 30 18:55:36 2023 -0400 - - [func.test]update lcow layer processing (#1795) - - Signed-off-by: Hamza El-Saawy - -commit 9fd0e723a603b0c144ca94199791c9774b96ad2d -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 30 18:07:59 2023 -0400 - - [gcs.test] update scratch space cleanup order (#1794) - - 
Signed-off-by: Hamza El-Saawy - -commit e322ac59f779cb9af5fa0c58c56374b2e99d46f6 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Tue May 30 10:55:20 2023 -0700 - - Add test for support of NFS mount (#1726) - - LCOW kernel needs to be built with certain config options(`CONFIG_NFS_FS=y`, `CONFIG_NFS_V4=y` & - `CONFIG_NFS_V4_1=y`)_in order to be able to successfully run a NFS client and mount a NFS inside a - container. This test attempts to mount a (fake) NFS server to ensure that the kernel has the capabilities of - running a NFS client. - - We don't mount a real NFS server because creating a real NFS server that will work in all kinds of test - environments is not simple. Instead, we look at the error returned by the NFS mount operation and decide if - the failure is because the server wasn't available (i.e a `Connection refused` error) or because the kernel - doesn't support NFS clients (`No Device` error). - - Limitations on different approaches of starting a real NFS server: - 1. Starting another LCOW container that runs a NFS server: By default on Linux the NFS server runs in the - kernel and to enable that the kernel must be built with `NFSD_*` config options (note that the config options - for running NFS server are different than the config options required for NFS client), which we don't - currently do and it doesn't make sense to just enable these options for a test. - 2. Running a userspace NFS server: There are a few userspace NFS server projects but getting them to run - inside the UtilityVM wasn't very easy. We didn't want to spend a lot of time on this test. - 3. Running NFS server on the windows host: Not all builds of windows support this so the test won't run in all - environments. - - 
Signed-off-by: Amit Barve - -commit f1a271103bcd47fe4602344f906feb02ea094072 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 30 13:34:04 2023 -0400 - - Use `gh` cli to download releases (#1792) - - Use official github cli tool to download releases, instead of manually - creating URLs. - - Signed-off-by: Hamza El-Saawy - -commit 933d9b169632ed09de95aa16017da88ae621d7aa -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Tue May 30 13:32:50 2023 -0400 - - Bump github.com/containerd/ttrpc from 1.1.1 to 1.1.2 (#1791) - - * Bump github.com/containerd/ttrpc from 1.1.1 to 1.1.2 - - Bumps [github.com/containerd/ttrpc](https://github.com/containerd/ttrpc) from 1.1.1 to 1.1.2. - - [Release notes](https://github.com/containerd/ttrpc/releases) - - [Commits](https://github.com/containerd/ttrpc/compare/v1.1.1...v1.1.2) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/ttrpc - dependency-type: direct:production - update-type: version-update:semver-patch - ... - - Signed-off-by: dependabot[bot] - - * tidy ./test - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: dependabot[bot] - 
Signed-off-by: Hamza El-Saawy - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Hamza El-Saawy - -commit 36359c002b0df048ea65a4c7fd27d5a4ec1310c5 -Author: Maksim An -Date: Tue May 23 13:38:16 2023 -0700 - - update tar2ext4 package (#1785) - - Add another `ReadExt4SuperBlockReadSeeker` implementation - to work with `io.ReadSeeker` in addition to working with - files directly. This way we'll be able to work with e.g. - ext4 GPT partitions. The existing `ReadExt4SuperBlock` works - the same, but has been updated to call `ReadExt4SuperBlockReadSeeker`. - - Add `ReadDMVerityInfoReader` that reads dmverity superblock - from an `io.Reader` and update `ReadDMVerityInfo` accordingly. - - Additionally write verity superblock directly without `io.SeekEnd`, - assumming that the writer is already set at correct offset. - `ComputeAndWriteHashDevice` parameters have been updated - accordingly. - - Add `Ext4FileSystemSize` function that reads ext4 superblock - from a given `io.ReadSeeker` and returns the underlying - ext4 filesystem size and its superblock. - - Signed-off-by: Maksim An - -commit c271b98fe67231d55c81fff84e42d5d2585482de -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 23 12:54:46 2023 -0400 - - [deps] combine and tidy `\test` (#1790) - - - https://github.com/microsoft/hcsshim/pull/1780 - - https://github.com/microsoft/hcsshim/pull/1781 - - https://github.com/microsoft/hcsshim/pull/1787 - - https://github.com/microsoft/hcsshim/pull/1788 - - Signed-off-by: Hamza El-Saawy - -commit 55f8c428a2d9b6f0aeced9d5dc497095160817d6 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 16 18:11:54 2023 -0400 - - Update containerd-shim-runhcs-v1 tests (#1783) - - Update shim tests to match current shim behavior. - Run shim tests in GitHub CI. - - 
Signed-off-by: Hamza El-Saawy - -commit 7769a64af74d7608bb91e04885b337b51c8878b2 -Merge: e5af8fb8f af8c44436 -Author: Kathryn Baldauf -Date: Mon May 15 16:01:16 2023 -0700 - - Merge pull request #1757 from katiewasnothere/kabaldau/scsi_ensure_filesystem - - SCSI ensure filesystem - -commit af8c44436dd2a87f4b6852ecbff5bbc7c7a148f2 -Author: Kathryn Baldauf -Date: Thu May 4 17:56:59 2023 -0700 - - Add feature to ensure scsi device is formatted with target filesystem - * Add new `EnsureFilesystem` and `Filesystem` options on - LCOWMappedVirtualDisk - * Add matching `EnsureFilesystem` and `Filesystem` options on scsi - MountConfig - * Set `EnsureFilesystem` and `Filesystem` when attaching scratch devices - * Add plumbing in guest scsi package to support `EnsureFilesystem` and - `Filesystem`. - * Create new `Config` type in guest scsi package for passing in - setup/cleanup configuration settings - * Add new call to get a device's filesystem by reading its superblock - * Add new scsi unit tests for new features and update existing tests - * New package for formatting using xfs - * Move xfs formatting for encrypted devices out of crypt pkg into scsi - - Signed-off-by: Kathryn Baldauf - -commit e5af8fb8f605c7a6b0a70a482e24af8d7cfb4f55 -Merge: 94df0f31d 1a2aca350 -Author: Kathryn Baldauf -Date: Mon May 15 14:35:12 2023 -0700 - - Merge pull request #1747 from katiewasnothere/kabaldau/scsi_partition_guest - - Guest agent support for partitions on SCSI devices - -commit 1a2aca35078ffefe4f2970cec4e661bbe26f1d1c -Author: Kathryn Baldauf -Date: Sun Apr 30 23:08:54 2023 -0700 - - Guest agent support for partitions on SCSI devices - * Update `ControllerLunToName` to `GetDevicePath` and take in partition - as an additional param - * Wait for partition subdirectory to appear for the devices - * Update device encryption and verity device names with partition index - * Update device encryption and verity device tests - * Add new unit tests for `GetDevicePath` - - 
Signed-off-by: Kathryn Baldauf - -commit 94df0f31d13bd1c08bea9ab245314c94e0c71eb9 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 15 16:10:30 2023 -0400 - - [deps] weekly update (#1779) - - PRs: - - https://github.com/microsoft/hcsshim/pull/1775 - - https://github.com/microsoft/hcsshim/pull/1777 - - https://github.com/microsoft/hcsshim/pull/1778 - - (needed to update `test/go.mod` as well). - - Update dependabot.yml to avoid automated major/minor updates in - containerd-related dependencies. - - Revert `github.com/containerd/ttrpc` in `test/` to `1.1.1`, since it is - used to communicate with shim in `containerd-shim-runhcs-v1` tests, and - the versions should match. - - Signed-off-by: Hamza El-Saawy - -commit 22bf0b5fb9c8b42f9e62a6802dbe833512635557 -Merge: 5c5d85cb4 776be9a96 -Author: Kevin Parsons -Date: Mon May 15 12:26:20 2023 -0700 - - Merge pull request #1745 from kevpar/lcow-layers - - Support flexible LCOW layer parsing and partitioned layers - -commit 776be9a967974764e3ede660329ef5f50ba79298 -Author: Kevin Parsons -Date: Tue Apr 18 10:56:00 2023 -0700 - - Add lcow-partitioned-layer mount type - - Adds support for a new type of LCOW mount that can use individual disk - partitions for each read-only layer. This change adds the work to parse - the new layer type and pass it through the shim, as well as the support - to the shim-side SCSI package to send the partition index in the guest - request. - - This change does not add the GCS-side work to actually mount the - specified partition. That will come in a future change. - - This change also does not handle formatting the scratch disk. It it - desired to be able to format it on the fly when creating the container, - but that will also come in a future change. - - 
Signed-off-by: Kevin Parsons - -commit 76b945454adf7053f5bcae1e59ffeda8e05bd0ed -Author: Kevin Parsons -Date: Sun Apr 23 01:10:58 2023 -0700 - - Support more flexible LCOW layer parsing - - Previously, layer information for both Windows and Linux containers was - passed throughout the shim through the OCI runtime spec's - Windows.LayerFolders field. This was used to store the set of - directories used for the layers, including the scratch. The exact - semantics of what is expected in these directories differed between - Windows and Linux. This approach worked okay, but had a few annoying - limitations. For instance, there was no way to represent more complex - layer data, such as a VHD path as well as a partition index on that VHD. - - This change removes the use of Windows.LayerFolders completely for Linux - containers, and instead creates a new layers.LCOWLayers type that is - used to represent Linux layer configuration. This new type is passed - into hcsoci.CreateContainer, and from there is passed into - layers.MountLCOWLayers where it is actually used to set up the - filesystem for the container. - - The new layers.LCOWLayers type is currently quite simple, but having - this as a proper Go type allows us a lot of flexibility in the future. - We can add more fields on this struct, but we could also change out the - nested LCOWLayer type for an interface, for instance, if we wanted to - support new types of layers that have drastically different - representation. - - This change does not aim to touch the way Windows container layers are - handled, nor how the Windows UVM root filesystem is set up. These would - be good things to improve in the future, but the Windows container - layers are more complicated in how they are used, so this is left for - future work. - - 
Signed-off-by: Kevin Parsons - -commit 5c5d85cb4fa2afbd1d390d7cf30edd1ee1313e77 -Merge: 497a34686 d98a2ef2a -Author: Kevin Parsons -Date: Mon May 15 12:25:14 2023 -0700 - - Merge pull request #1744 from kevpar/new-scsi - - Rewrite SCSI support in new package - -commit d98a2ef2acdd75c53c72913280360f0f4ecc2c3b -Author: Kevin Parsons -Date: Thu Apr 20 15:51:39 2023 -0700 - - Rewrite SCSI support in new package - - The existing SCSI implementation in internal/uvm has evolved organically - over time into what it is today. This creates unecessary difficulty when - adding new features to the code, makes it harder to maintain, and has - been a source of bugs. - - Additionally, there is a significant functional issue that the current - scsi code tightly couples the idea of attaching a SCSI device to a VM, - with the use/mounting of that device inside the VM. This creates - difficulty when we want to re-use the same SCSI attachment multiple - times, especially in the future when we will need to mount multiple - partitions from a device. - - This is addressed here by largely rewriting the shim's SCSI code, and - moving it to a new internal/uvm/scsi package. The new code features a - main Manager type, which delegates to attachManager and mountManager for - tracking of attachments to the VM, and mounting of devices inside the - VM, respectively. attachManager and mountManager also rely on a set of - interfaces for the actual backend implementation of interacting with a - VM. This will also allow for easier testing of the scsi package in - isolation in the future. - - One consequence of this change is it is no longer possible for the - caller to request a specific UVM path for a SCSI mount. The support for - this was already kind of a sham, because if the disk was already - mounted, you would get back its existing mount path instead of the one - you wanted, so the caller already had to handle that case. 
Additionally, - I'm not aware of any reason why the specific location the disk is - mounted is actually relevant. Because of these reasons, and to simplify - the overall package interface, the mount path is determined by the scsi - package, using a format string passed to the Manager at creation time. - - Signed-off-by: Kevin Parsons - -commit 497a346867c8e3b72eeb956c9c9eff9c749539f3 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 15 11:51:09 2023 -0400 - - formalize ignored (test) dependency updates (#1769) - - Signed-off-by: Hamza El-Saawy - -commit 889236e0dfb1a8700be744dc71217e77fe166370 -Merge: 5d2fe12bd 655649b34 -Author: Kathryn Baldauf -Date: Fri May 12 11:44:24 2023 -0700 - - Merge pull request #1773 from katiewasnothere/kabaldau/run_guest_unit_tests - - Enable guest agent unit tests in the CI - -commit 5d2fe12bdc5ecefd15095ddd8e462ed1ed64e423 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu May 11 18:10:53 2023 -0400 - - Bump github.com/docker/distribution (#1772) - - Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - - [Release notes](https://github.com/docker/distribution/releases) - - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) - - --- - updated-dependencies: - - dependency-name: github.com/docker/distribution - dependency-type: indirect - ... - - 
Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit 154f8772df06c02711b2119bc3aac49a94778ca1 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu May 11 17:34:36 2023 -0400 - - Bump github.com/docker/distribution in /test (#1771) - - Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible. - - [Release notes](https://github.com/docker/distribution/releases) - - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) - - --- - updated-dependencies: - - dependency-name: github.com/docker/distribution - dependency-type: indirect - ... - - Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit 655649b34d6c522d593062edfbeaf5c0bd37a8ca -Author: Kathryn Baldauf -Date: Thu May 11 14:19:48 2023 -0700 - - Enable guest agent unit tests in the ci - - Signed-off-by: Kathryn Baldauf - -commit a1d874ae0425505d469e0efc0a594c68a9e0b436 -Merge: de0e11619 b1b076864 -Author: Kevin Parsons -Date: Tue May 9 16:15:34 2023 -0700 - - Merge pull request #1728 from ashishsachdeva/asachdev/logsredirection - - gcs: Support routing container stdio to sidecar - -commit b1b07686425bd7e4594f46a153aa84bf224acf66 -Author: Ashish Sachdeva -Date: Wed Apr 12 10:49:13 2023 -0700 - - gcs: Support routing container stdio to sidecar - - Signed-off-by: Ashish Sachdeva - -commit de0e11619bf99d277aad558061a514f16bcb57b8 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 8 18:30:56 2023 -0400 - - Checkout appropriate containerd ref (#1752) - - Use containerd version from go.mod when checking out and building - upstream containerd for testing. - - containerd integration tests updated in 1.6.20 to work on windows. - - 
Signed-off-by: Hamza El-Saawy - -commit 478b6da9f5f5a579c2815e32ca1729be5a346f40 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 8 13:42:06 2023 -0400 - - omnibus dependency updates (#1767) - - Update dependencies and vendor (and update `test/go.mod`, as - appropriate) for: - - - 1758 - - 1759 - - 1760 - - 1761 - - 1762 - - 1763 - - 1764 - - 1765 - - Signed-off-by: Hamza El-Saawy - -commit a452efa21cb50f4d209c2fb9843b8bd1a0500273 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 8 10:32:38 2023 -0400 - - Allow patch dependabot updates (#1756) - - Patch updates can be disabled for most dependencies, but ignoring - all patch-fixes has caused errors (notably containerd). - - Signed-off-by: Hamza El-Saawy - -commit 8fa2489ff65feba90a32e7bee6e9eea2d79957d3 (tag: v0.10.0-rc.8, upstream-hcshsim/hcsshim-v0.10.0-rc.8, origin/hcsshim-v0.10.0-rc.8) -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu May 4 17:57:01 2023 -0400 - - slice bounds and nil VM access fix (#1754) - - Signed-off-by: Hamza El-Saawy - -commit a8ec8c8bb9db41572ab4122f603531376c82399d -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu May 4 16:07:42 2023 -0400 - - Remove godeps from makefile (#1750) - - Go already relies on its own internal caching, and replicating that in - make adds unnecessary complexity, and is error prone, since the makefile - doesn't recognize if new files are added, and isn't aware of build - constraints. - - Remove `*.gomake` and `*.godeps` portion of makefile and invoke go directly. - Remove `hack/gomakedeps.sh` file - - 
Signed-off-by: Hamza El-Saawy - -commit d1b45c5f02fc5f47a0c283bf3cf166eb86f213d8 -Merge: 4c7925c23 d37e4c6f1 -Author: Kevin Parsons -Date: Thu May 4 10:13:22 2023 -0700 - - Merge pull request #1743 from kevpar/layers-rework - - Rework layer handling to return a ResourceCloser - -commit d37e4c6f13918fcac3211f864b33c75d54b278d2 -Author: Kevin Parsons -Date: Tue Apr 18 21:14:12 2023 -0700 - - Rework layer handling to return a ResourceCloser - - Currently, the layers package relies on the caller of Mount*COWLayers to - subsequently call NewImageLayers, which constructs a special ImageLayers - object that can be used to later clean up the layer mounts. However, - this requires the caller to know too much about the internals of the - layer mounting process. - - A cleaner approach, which I take here, is to instead return a standard - ResourceCloser from Mount*COWLayers which then knows how to clean up - whatever mounts were done. I have also changed the layers code to use - ResourceCloser in more places internally. - - There is a new check in resources_*cow.go, such that the layers closer - is only stored if the container is not a hypervisor-isolated sandbox - container. This duplicates the logic that was previously in - (*ImageLayers).Release. - - 
Signed-off-by: Kevin Parsons - -commit 4c7925c23e6f2c843793ac836d0ceb1d4533c0ae -Merge: d446b24c6 1dd217b51 -Author: Kevin Parsons -Date: Thu May 4 01:27:32 2023 -0700 - - Merge pull request #1742 from kevpar/getscsiuvmpath - - Remove dependence on GetScsiUvmPath function - -commit 1dd217b51877613500216948cec52959a3a9c676 -Author: Kevin Parsons -Date: Tue Apr 18 02:34:37 2023 -0700 - - Remove dependency on GetScsiUvmPath from WCOW-isolated mounts - - The WCOW-isolated SCSI mount process currently works as follows: - - In resources_wcow.go, go through each mount on the OCI spec, and if it - is a SCSI mount, add a mount to the UVM for it. - - in hcsdoc_wcow.go, go through each mount on the OCI spec, use - GetScsiUvmPath to determine the guest path it was mounted to, and add - an entry to the container doc for it. - - This is quite hacky, as it relies on a 1:1 mapping between host VHDs and - mounts in the guest, and also because it requires us to re-query - information we've already been given. The SCSIMount object returned when - we mounted to the guest can already tell us the guest path. - - This change resolves this problem by instead determing the set of guest - mounts that should be added to the container doc at the time when the - SCSI mounts are done, and saving it in the creation options. Then, when - we construct the actual container doc, we just grab those mounts and add - them in. - - 
Signed-off-by: Kevin Parsons - -commit d42948347a208dfd9ce76335f7b80e546f252f61 -Author: Kevin Parsons -Date: Tue Apr 18 14:59:50 2023 -0700 - - Remove dependency on GetScsiUvmPath from driver installation - - Currently, when installing drivers on LCOW, we use GetScsiUvmPath to - check if the VHD is already mounted, and if it is, we assume the drivers - have already been installed, so we can skip doing it again. This check - has a few problems: - - - It relies on GetScsiUvmPath, which assumes a single mount-point in the - guest for a given VHD. This assumption is not safe to make in the face - of future changes, where we could mount a device (or partitions on it) - multiple times. - - It assumes the disk has stayed attached the whole time after drivers - were installed. This may be a safe assumption today, but can be - fragile in the future. - - It does not work in the case of a VHD containing multiple sets of - drivers, or a VHD being changed/updated to newer content after first - install. Again, this is safe given the current overall design today, - but could break in the future. - - This change is still mostly a bandaid fix. Probably what is most correct - is to track driver installation in something with state (the GCS) rather - than using a separately invoked binary to do the in-guest install. - However, this change does address the first issue above, removing the - dependency on GetScsiUvmPath. I do this in the following way: - - - Change install-drivers to check if the overlay path exists already, - and exit with a no-op if it does. This encodes the assumption that the - overlay path will be consistent for a given driver set. - - Change InstallDrivers in the shim to compute a V5 GUID from the VHD - path, and use that as part of the overlay path given to the guest. - This ensures there is a unique guest overlay path for each unique host - driver VHD path. - - 
Signed-off-by: Kevin Parsons - -commit d446b24c6daca256e77071ba6b723c2abbe141c6 -Merge: fe4a458be cbe5c3305 -Author: Kevin Parsons -Date: Wed May 3 01:56:20 2023 -0700 - - Merge pull request #1741 from kevpar/scsidevice - - gcs: Add SCSIDevice type with remove operation - -commit cbe5c33052a1b05a8d4036a6598acf691a404b6b -Author: Kevin Parsons -Date: Mon Apr 17 13:50:24 2023 -0700 - - gcs: Add SCSIDevice type with remove operation - - SCSI devices must be unplugged by the guest before removal on the host - side, to ensure smooth operation. Previously a SCSI device was unplugged - when a LCOWMappedVirtualDisk entry was removed. However, we want to - support multiple mounts per disk, which means we need to decouple unplug - from unmount. - - This change introduces a new SCSIDevice resource type that has a remove - operation that can be used by the host to trigger an explicit unplug via - SCSI. - - This is a breaking change to the bridge protocol: - - With new host/old guest, the host will attempt a SCSIDevice remove - which will fail due to being unsupported by the guest. - - With old host/new guest, the host will expect the device to be - unplugged when the disk is removed, which will no longer occur. - - Signed-off-by: Kevin Parsons - -commit fe4a458befb13d891417ff730d1f3e6f3537053d -Merge: 4eb7dfa41 5591091fe -Author: Kevin Parsons -Date: Wed May 3 01:05:46 2023 -0700 - - Merge pull request #1740 from kevpar/remove-clone - - Remove UVM/container cloning functionality - -commit 4eb7dfa41fb9d311d764fc57e0afeef139577450 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 1 15:04:46 2023 -0400 - - [bug] Consolidate dependabot updates (#1749) - - Follow up to: https://github.com/microsoft/hcsshim/pull/1748 - Updated wrong docker dependency. - Fixes: - https://github.com/microsoft/hcsshim/pull/1732 - https://github.com/microsoft/hcsshim/pull/1733 - - 
Signed-off-by: Hamza El-Saawy - -commit 3d35c7b44271c9a3526686f9f6814e473c8fb977 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 1 13:27:22 2023 -0400 - - Consolidate dependabot updates (#1748) - - Easier to omni-bus updates to deal with test/go.mod update issues. - - https://github.com/microsoft/hcsshim/pull/1702 - https://github.com/microsoft/hcsshim/pull/1703 - https://github.com/microsoft/hcsshim/pull/1709 - https://github.com/microsoft/hcsshim/pull/1723 - https://github.com/microsoft/hcsshim/pull/1724 - https://github.com/microsoft/hcsshim/pull/1732 - https://github.com/microsoft/hcsshim/pull/1733 - - Signed-off-by: Hamza El-Saawy - -commit c15066271e5a8e7523f31fad1d44c783937d596d -Author: Maksim An -Date: Wed Apr 26 15:31:43 2023 -0700 - - fix: few bugs with error shadowing (#1737) - - Signed-off-by: Maksim An - -commit 5591091fe58519db0b9658bf8bb7bd444a7b101d -Author: Kevin Parsons -Date: Thu Apr 20 16:17:18 2023 -0700 - - Remove UVM/container cloning functionality - - This change completely removes the support for cloning/late cloning that - was added a few years ago. The reasoning behind this is as follows: - - There are no plans to utilize cloning at this point in time. - - The cloning support required extensive/invasive changes across many - parts of the shim. This has made future changes and refactorings more - difficult in some cases. While these changes are still possible, it - seems like an unnecessary burden if we are not going to use cloning. - - The cloning functionality was never actually utilized, and thus may - still have had fixes needed to be production-ready. - - If cloning is needed again in the future, we will be able to revert this - commit to add it back. - - Signed-off-by: Kevin Parsons - -commit d816cbe89e4deae51c0b0044e7834f9068a3f9b2 -Author: Matthew A Johnson -Date: Thu Apr 20 18:20:26 2023 +0100 - - Adding padding to base64 encoded policy decisions (#1738) - - Switching to standard encoding - - 
Signed-off-by: Matthew A Johnson - -commit 11439346ddf0877c71475f92c182b5807d2d527f -Merge: 792a588a3 daa723fc4 -Author: Kathryn Baldauf -Date: Wed Apr 19 11:59:51 2023 -0700 - - Merge pull request #1717 from katiewasnothere/kabaldau/add_back_ext4_formatting - - Add code to format disk as ext4 in guest - -commit daa723fc49543a1341fec30e871fa85c240a5714 -Author: Kathryn Baldauf -Date: Tue Apr 4 12:47:43 2023 -0700 - - Add code to format source as ext4 - - Signed-off-by: Kathryn Baldauf - -commit 792a588a335e09a242bada07974b5491201f2a44 -Author: Maksim An -Date: Mon Apr 17 17:22:02 2023 -0700 - - tests: write seccomp profile to a temporary file (#1736) - - Signed-off-by: Maksim An - -commit 52eee9916647740afb5e49241f88e45f93aa9c4d -Author: Matthew A Johnson -Date: Mon Apr 17 20:02:38 2023 +0100 - - Fixing the errors for missing enforcement points (#1735) - - Signed-off-by: Matthew A Johnson - -commit 61e491d7afcbbea75b52b73a79448ab2419bc30d -Author: Matthew A Johnson -Date: Sat Apr 15 01:13:05 2023 +0100 - - Policy decision truncation. (#1731) - - In some circumstances, the policy decision object returned from a policy - denial causes the resulting error message to exceed the maximum error length - imposed by Service Fabric. This PR adds some truncation logic to reduce the - size of the decision object so it first into the limit. Firstly, all standard - capability sets (privileged and unprivileged) are replaced with a placeholder. - Then, if the message is above the length limit then the following things are - truncated until the message is below the threshold: - - 1. `reason.error_objects` - 2. `input` - 3. `reason` (the rest of the reason object returned from the policy) - - Signed-off-by: Matthew A Johnson - -commit d483254a7118d1e80e1ff327ef9b7d5819345f28 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Apr 14 17:48:01 2023 -0400 - - switch from filepath.EvalSymlinks to fs.ResolvePath (#1644) - - 
Signed-off-by: Hamza El-Saawy - -commit b6806f37572d8570090c8c259c22b678c289eaef -Author: Julien Maffre <42961061+jumaffre@users.noreply.github.com> -Date: Fri Apr 14 18:34:06 2023 +0100 - - Make sure that security context files are readable by all (#1729) - - Update internal/guest/runtime/hcsv2/uvm.go - - Make sure that security-context directory has `0755` permissions. - - Signed-off-by: Julien Maffre - -commit b2acb03aaf23420883b109dd6659b439aa6adb99 -Merge: c9f052d90 8cb4a1f54 -Author: Kathryn Baldauf -Date: Thu Apr 13 14:12:25 2023 -0700 - - Merge pull request #1704 from katiewasnothere/kabaldau/new_exported_test_funcs - - Create new test packages that reference internal packages - -commit 8cb4a1f54f3a53b80fc0f35cfd667473e53b9b0c -Author: Kathryn Baldauf -Date: Thu Apr 13 13:17:46 2023 -0700 - - Add doc file to describe test/pkg package - - Signed-off-by: Kathryn Baldauf - -commit 815de8d38401e4ee6288a48368ad1f105034c6f8 -Author: Kathryn Baldauf -Date: Mon Mar 20 15:30:11 2023 -0700 - - Create new test packages that reference internal packages - - Signed-off-by: Kathryn Baldauf - -commit c9f052d90b83b7099c7ecfafc9fd12ada0ec5bb7 -Author: Maksim An -Date: Tue Apr 11 13:42:21 2023 -0700 - - tests: fix error assertion and container layer sha256 (#1725) - - Rego error messages are now returned base64 encoded, so direct - error message assertions don't work and we need to decode the - policy decision string first. One of the tests was missing this. - - Additionally alpine container has been updated and the layer - digest has changed, so the policy used to check backward compat - is now broken. Update it to have a valid digest. - - 
Signed-off-by: Maksim An - -commit f4bcf0972a0bce12a1316b77304ac60001dd0f35 -Author: Maksim An -Date: Tue Apr 11 10:08:35 2023 -0700 - - negative rego cri-integration tests (#1719) - - Enable a few negative tests for rego enforcer. Since JSON policies - will be dropped soon, replace existing negative JSON policy tests - with negative rego policy tests. - - Signed-off-by: Maksim An - -commit 8b2e3c425bbad8a2c1544fa797cec25325029331 -Author: Maksim An -Date: Mon Apr 10 10:36:07 2023 -0700 - - hack: add blanket retries on device-mapper failures with SCSI (#1720) - - After moving to 5.10+ we started seeing occasional failures when - creating verity/crypt device-mapper targets. - Longer term fix should be adding retries on particular errors - at lower level e.g. in devicemapper/crypt packages. - - Signed-off-by: Maksim An - -commit 8f5f651f39b388d0e072aeb87e74950a442e095a -Author: Matthew A Johnson -Date: Mon Apr 10 01:46:06 2023 +0100 - - Moving to structured JSON policy decisions. (#1718) - - This commit makes two major changes: - - 1. All policy enforcement points now receive a context objects and use it - to log policy errors and denial decisions. - 2. Policy denials are now conveyed as structured JSON objects. - - Whereas previously policy denial was surfaced as a text error message, - the policy now generates a bracketed base64 encoded string: - - policydecision< (base64) >policydecision - - When decoded, this will be a JSON object with the following structure: - - ```json - { - "input": , - "decision": "deny", - "reason": , - "policyError": - } - ``` - - NB: the `"policyError"` field above is only present if the denial was - triggered by an actual error in the Rego policy. - - 
Signed-off-by: Matthew A Johnson - -commit b0a82cb8ecbd5ce57423368b66a54674f4fd9063 -Author: Maksim An -Date: Wed Apr 5 09:04:23 2023 -0700 - - con-con: write policy, reference info and cert to container's rootfs (#1708) - - Due to `execve` limitation on the size of environment variable, write the - base64 encoded security policy, UVM reference info and host AMD certificate - to container's rootfs. - - Update existing test accordingly. - - Signed-off-by: Maksim An - -commit bf05781e4fa0276e3785e45d1700022877ecc97f -Author: Maksim An -Date: Mon Apr 3 16:09:57 2023 -0700 - - tests: Add rego cri-integration tests for plan9 mount policy. (#1651) - - Signed-off-by: Maksim An - -commit 79331e628a535296558e09f75a1c3b13f75ebe6b -Author: Maksim An -Date: Mon Apr 3 10:43:17 2023 -0700 - - sev-snp: add SEV device when security policy is present (#1679) - - This change adds SEV device to linux container spec whenever security - policy isn't empty. - - Signed-off-by: Maksim An - -commit 50e1059ca8c254a70bc3d44d46917cf7b41518d5 -Author: Matthew A Johnson -Date: Fri Mar 31 16:05:56 2023 +0100 - - Clarifying SVN vs. Version. (#1715) - -commit e7b0eab484b277ab1a30a282b7232744a34e6624 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Mar 29 13:57:55 2023 -0400 - - upgrade runc dependency (#1714) - - 
Signed-off-by: Hamza El-Saawy - -commit ff268a2c451cd74f865c2fc94d6a9d9780c0dc18 -Author: Matthew A Johnson -Date: Tue Mar 28 20:23:56 2023 +0100 - - Seccomp profile policy enforcement. (#1705) - - This commit adds enforcement over the seccomp profile associated with a container. The - policy author can measure their seccomp profile and include this measurement in the - policy. Subsequently, they can provided that same seccomp profile to the orchestrator - (e.g. via an annotation) and GCS will measure the provided profile and provide this as - input to the policy engine. - - This commit also adds a series of CRI tests for security context enforcement. - - Fixing error with privileged exec_in_container - Adding CRI test for privileged exec in container - - Signed-off-by: Matthew A Johnson - -commit 144a58796678fc3c0360f41bb636516d92c297c2 -Merge: 5c373d575 8fb834552 -Author: Kathryn Baldauf -Date: Thu Mar 23 16:20:55 2023 -0700 - - Merge pull request #1707 from katiewasnothere/kabaldau/clean_mod_cache - - Update golangci linter and clean go mod cache - -commit 8fb8345521071dbddffebde44148be56f7113fc8 -Author: Hamza El-Saawy -Date: Thu Mar 23 18:10:25 2023 -0400 - - Fix linter issues. - - Remove `//nolint` directives for varcheck, deadcode, and - structcheck; they were deprecated in golangci-lint v1.49. - - Removed `//nolint` directives for `unused`; it appears a new version of - that linter is less false-positive prone. - - Fix instance of loop variable being captured in closure for - `Test_RunPodSandbox_Concurrently` in `policy_test.go`. - - Signed-off-by: Hamza El-Saawy - -commit 6e2711165aa1267cc412ff8613f58cfffe9e707c -Author: Kathryn Baldauf -Date: Thu Mar 23 14:24:40 2023 -0700 - - Update golangci linter and clean go mod cache - - 
Signed-off-by: Kathryn Baldauf - -commit 5c373d5754c0a7faf501bf56a3d88621eb7afa7c -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Mar 21 11:03:14 2023 -0400 - - NCProxy: attach to host and macpool (#1591) - - * NCProxy: attach to host and macpool - - Allow NCProxy to attach endpoints to default host namespace. - Return MAC pool information for networks. - - Signed-off-by: Hamza El-Saawy - - * pr: debug to warn - - Signed-off-by: Hamza El-Saawy - - * added tests - - Signed-off-by: Hamza El-Saawy - - * PR: test cases, end MAC addr check - - Signed-off-by: Hamza El-Saawy - - * PR: hostdefault namespace test - - Bug where `AttachToHost` field was always false. - - Test now uses `Host` namespace, instead of `HostDefault` and checks that - attaching an endpoint to the host works properly - - Simplified control flow/logic in `AddEndpoint`. - - Signed-off-by: Hamza El-Saawy - - * PR: test failure - - Signed-off-by: Hamza El-Saawy - - * PR: namespace ID, test comments - - Signed-off-by: Hamza El-Saawy - - --------- - - 
Signed-off-by: Hamza El-Saawy - -commit 4cf46addd62d199d3153bce49f6eab2ecd8c149e -Author: Matthew A Johnson -Date: Mon Mar 20 23:41:20 2023 +0000 - - Adding policy for Linux capabilities. (#1683) - - This commit adds enforcement of policy over the capabilities provided to a process, - either the init process of the container, or a process being executed inside a - container (*i.e.* this affects the `EnforceCreateContainerPolicy` and - `EnforceExecInContainerPolicy` enforcement points). Linux capabilities enumerate - the things a process can do, and as such a malicious host could grant or deny - specific capabilities to processes to create an unexpected and potentially - compromised state for the container group. Users can now specify an exact - list of capabilities for each of the five sets (bounding, effective, inheritable, - permitted, and ambient). - - Users can also specify that they wish to enable *capabilities dropping*, whereby - any extraneous capabilities which are granted by the host can be dropped down to a - minimum set of needed capabilities. - - Signed-off-by: Matthew A Johnson - Signed-off-by: Sean T. Allen - -commit e05e3aa04e92571ac1479150d92538a90dc4dfc2 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Mar 20 22:07:24 2023 +0000 - - Bump github.com/google/go-containerregistry from 0.13.0 to 0.14.0 (#1701) - -commit d5c1acc447e50a50985cba9ef8da0fa0e623f769 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Mar 20 18:33:53 2023 +0000 - - Bump github.com/google/go-containerregistry in /test (#1700) - -commit 8aee7cdd92b14769bfd8376c06cb27cbb3c78c57 -Author: Maksim An -Date: Mon Mar 20 09:25:28 2023 -0700 - - tests: add tests for concurrent pod startup (#1639) - - 
Signed-off-by: Maksim An - -commit 973a4ba52332ce5bd9a428c8569f3c52ed05f86b -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Mar 16 21:30:13 2023 -0400 - - Update dependencies (#1697) - - Consolidate dependabot PRs and update ./test/go.mod accordingly: - - https://github.com/microsoft/hcsshim/pull/1675 - - https://github.com/microsoft/hcsshim/pull/1686 - - Signed-off-by: Hamza El-Saawy - -commit 2c8ae3f42d13cd411054d2c8386816a076d7968b -Author: Sean T Allen -Date: Thu Mar 16 20:14:54 2023 -0400 - - Fix "no matches" test that can somewhat easily match (#1684) - - The number of values that a generated umask can have it rather small - and as such, will eventually be generated for both a container that - is part of a generated policy and as the "bad value" in our no match - test for umask. - - This already happened to me. - - This commit changes to using a value that can't be generated and - therefore is guaranteed to be a bad match which is all we care about - for our test. - - This change removes the spurious test failures we would otherwise get. - - Matt and I are working towards having the ability to generate unique values - per test for such things but at the moment, the infrastructure isn't in - place for it, so this change will do for now. - - 
Signed-off-by: Sean T. Allen - -commit 13465d5a4a51cadc377776e07b149d7e87cebe5a -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Mar 16 15:59:21 2023 +0000 - - Bump actions/setup-go from 3 to 4 (#1696) - -commit 178111d9cfe32aaab22ac70cb872c1e2299a9aff -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Mar 15 15:12:21 2023 -0400 - - Logging (JSON) formatting; span export (#1364) - - * Log (JSON) formatting hook; span export - - Added formatting for logrus export hook to marshal structs as JSON - strings, as well as format other known types (eg, time.Time). - - Updated span export to: - * include span kind - * include status code - * log if span attributes were dropped - - Added helper `log.Format*` functions to format Time and other structs - to JSON. This is already done by the logging hook, but allows spans - format their attributes consistently, since they must be converted to - strings before being exported. - - Signed-off-by: Hamza El-Saawy - - * PR: docs, un-exported func, vestigial code - - Remove unused commented out code and left-over function. - - Signed-off-by: Hamza El-Saawy - - * PR: docs, defaults, AddSpanContext/EncodeError bug - - Clarified documentation. - - Disable JSON encoding by default. - - Bug: `AddSpanContext` wasn't checked when adding span information. - Bug: `EncodeError` was unneeded. - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit 5e3a6dfa5fdcb695748e19f03d5ffb5127a7588a -Author: kiashok <99994218+kiashok@users.noreply.github.com> -Date: Tue Mar 14 13:25:06 2023 -0700 - - Fix graceful termination test errors (#1687) - - - Loosen the time interval check that measures the time taken to - stop the container with -t command to account for cloud test delays - - Add to check that OS version is V21H2Server since the graceful - termination test images are based on servercore and nanoserver 2022. - - 
Signed-off-by: Kirtana Ashok - Co-authored-by: Kirtana Ashok - -commit 69815bcbb5c01bdca37682c687e6eb85b869b439 -Author: Maksim An -Date: Mon Mar 13 23:02:43 2023 -0700 - - tests: rego exec in uvm cri integration tests (#1648) - - add another wrapper for shim diag. - - Signed-off-by: Maksim An - -commit 2cd8784ac82d9e7874f21bb3a9256e522376e2b3 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Mar 13 19:50:20 2023 +0000 - - Bump github.com/containerd/ttrpc from 1.1.0 to 1.2.1 in /test (#1693) - -commit 66fe5f7f91d753070ed352ce1edc1f437fe468e9 -Author: Maksim An -Date: Mon Mar 13 09:33:16 2023 -0800 - - github-ci: use go1.19.x (#1689) - - rerun protobuild - - fix: check for `exec.ErrDot` - - Signed-off-by: Maksim An - -commit 1bc5798c25aa9fe0dc790537f637949e10874f96 -Author: KenGordon -Date: Mon Mar 13 16:45:02 2023 +0000 - - Fix silly error whereby a chain was required although unnecessary. (#1682) - - Signed-off-by: Ken Gordon - -commit dd669924dbbfda544ebafe3f94a3b5d2a0e4412f -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Mar 6 18:39:13 2023 +0000 - - Bump golang.org/x/sys from 0.5.0 to 0.6.0 in /test (#1685) - -commit 8994d86322d465305157cccb0dc04dd3d27f629c -Author: Matthew A Johnson -Date: Fri Mar 3 05:57:03 2023 +0000 - - Adding policy enforcement for User. (#1669) - - This PR adds policy enforcement for the User property of container processes. - Policy authors can now explicitly allow and deny users, groups, and umasks - associated with the init process and exec processes that they define on - containers. - - 
Signed-off-by: Matthew A Johnson - -commit 5871d0c4436f131c377655a3eb09fc9b5065f11d (tag: v0.10.0-rc.7) -Author: Gabriel -Date: Tue Feb 28 19:47:03 2023 +0200 - - Base layer manipulation (#1637) - - * Simple baseLayerReader to export parentless layers - - This is the inverse of the baseLayerWriter: It walks Files/ and - UtilityVM/Files/ (if present) and ignores the rest of the layer data, - as it will be recreated when the layer is imported. - - Signed-off-by: Paul "TBBle" Hampson - - * Introduce hcsshim.ConvertToBaseLayer - - This API allows turning any collection of files into a WCOW base layer. - - It will create the necessary files in Files/ for - hcsshim.ProcessBaseLayer to function, validate the necessary files for - hcsshim.ProcessUtilityVMImage if UtilityVM/ exists, and then call those - two APIs to complete the process. - - Calling this on a directory containing an untarred base layer OCI - tarball, gives a very similar outcome to passing the tar stream through - ociwclayer.ImportLayer. - - The new API is used in `TestSCSIAddRemoveWCOW` to create nearly-empty - base layers for the scratch layers attached and removed from the utility - VM. - - A wclayer command is also introduced: `makebaselayer` for testing and - validation purposes. - - Signed-off-by: Paul "TBBle" Hampson - - * Include hard-linked files as hard-links in the tarstream - - Signed-off-by: Paul "TBBle" Hampson - - * Use offline registry library to generate min hive - - This change adds functions to generate valid, empty hives. - - Signed-off-by: Gabriel Adrian Samfira - - * Rename ofreg.go and close key - - Signed-off-by: Gabriel Adrian Samfira - - * Fix temp dir creation - - Signed-off-by: Gabriel Adrian Samfira - - * Cleanup tests - - Signed-off-by: Gabriel Adrian Samfira - - * Fix ORCloseHive definition - - Signed-off-by: Gabriel Adrian Samfira - - * Remove unused ctx from baseLayerReader - - 
Signed-off-by: Gabriel Adrian Samfira - - * Use string in sys definition and check for err - - * We can use string instead of *uint16 in the //sys definition and allow - mksyscall to generate the proper boilerplate. - * do not shadow err if it's not nil - - Signed-off-by: Gabriel Adrian Samfira - - * Close the r.proceed channel - - Signed-off-by: Gabriel Adrian Samfira - - * Return if backup reader is nil - - Signed-off-by: Gabriel Adrian Samfira - - --------- - - Signed-off-by: Paul "TBBle" Hampson - Signed-off-by: Gabriel Adrian Samfira - Co-authored-by: Paul "TBBle" Hampson - -commit 38a2b199820739a0f0c5620ba32afa355a009a3b -Author: Maksim An -Date: Mon Feb 27 22:01:52 2023 -0800 - - simplify zeroDevice to just zero first block (#1672) - - Signed-off-by: Maksim An - -commit 411a1832c3f57794d6ebbe7007491fb0317a51c0 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Feb 27 16:03:34 2023 -0500 - - use gotestsum to get test summary (#1678) - - Signed-off-by: Hamza El-Saawy - -commit b759125ec521193f9e310ccf529d08fcf37e22d7 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Feb 27 17:11:56 2023 +0000 - - Bump github.com/opencontainers/runtime-tools in /test (#1674) - -commit 8283b8e8ea5e7a6fbd695da01f5bfe62b0f1610c -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Feb 27 17:06:59 2023 +0000 - - Bump actions/checkout from 2 to 3 (#1676) - -commit 6556516642980510752e419da65d5c85b1d1279c -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Feb 27 16:38:43 2023 +0000 - - Bump actions/upload-artifact from 2 to 3 (#1677) - -commit 276c4354f6bd7d4fe6f0445f716c88f64355922e -Author: Sebastiaan van Stijn -Date: Fri Feb 24 20:14:06 2023 +0100 - - osversion: implement stringer interface, deprecate ToString() (#1547) - - This allows the type to be used with fm.Sprintf() and similar uses. - - 
Signed-off-by: Sebastiaan van Stijn - -commit b9dbd860edb053fccca0e16318191c231ecd0a3c -Author: Sean T Allen -Date: Fri Feb 24 13:03:21 2023 -0500 - - Wait longer before trying to install mingw after failing to install (#1670) - - I've been watching the mingw failures I get and I've been checking - "successes" to see if I can see the current 2 second back off being - successful. I regularly see the short retry period not working and - I've seen only once or twice that it it worked. - - This commit ups the time to retry to a longer 60 seconds which - should give a better chance at success. - - Signed-off-by: Sean T. Allen - -commit 889c53a4fdc78d30645bf32ee1706525e8e7ea65 -Author: KenGordon -Date: Wed Feb 22 21:53:51 2023 +0000 - - Format encrypted scratch disk as xfs rather than ext4fs (#1665) - - * Format encrypted scratch disk as xfs rather than ext4s to avoid - ioerror detected by the integrity layer. - - Mount the correct type of scratch FS - xfs if encrypted. - - Remove sparse file tests as EncryptDevice does not invoke it. - - Signed-off-by: Ken Gordon - - * minor cleanup - - Signed-off-by: Maksim An - - --------- - - Signed-off-by: Ken Gordon - Signed-off-by: Maksim An - Co-authored-by: Maksim An - -commit 164f75307fe1a7d6bbd2eaf9b459ebc21e985555 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Tue Feb 21 19:20:47 2023 +0000 - - Bump golang.org/x/net from 0.1.0 to 0.7.0 (#1667) - -commit 06ecd9983cb94f5a75de2ff85bf152a239fb5603 -Author: Matthew A Johnson -Date: Tue Feb 21 16:49:44 2023 +0000 - - Adding policy enforcement for NoNewPrivileges. (#1652) - - This PR adds enforcement of `NoNewPrivileges` for `CreateContainer` and - `ExecInContainer`. - - 
Signed-off-by: Matthew A Johnson - -commit 39e9887201f0dce8105f38a9c6cc456bf38a2651 -Author: Sean T Allen -Date: Mon Feb 20 23:52:44 2023 -0500 - - Fix compilation error caused by "PRs crossing in the night" (#1668) - - Two recent PRs of mine had an unfortunate interaction. Both passed - they should have. Bunt one was refactoring that removed a method that - the second PR relied and when they were both merged to main, compilation - error! - - Refactor commit: - - https://github.com/microsoft/hcsshim/commit/2c33d3d83a1e447e129b7487bf04c3144d14f4a9 - - Commit that didn't take the above changes into account: - - https://github.com/microsoft/hcsshim/commit/c97246d11f19a4f178f1a82fe8b2caa0b404b472 - - Signed-off-by: Sean T. Allen - -commit 0b63055437a56c5d30f3808ddc19825a6bf88e17 -Author: Maksim An -Date: Mon Feb 20 20:13:37 2023 -0800 - - tests: rego policy exec in container tests (#1635) - - Add CRI integration tests to validate rego policy enforcement - around container execs. - Additionally introduce new `PolicyConfigOpt` type for easier - policy config generation, update policy tests to use the opts. - - Add `sev-snp` flag to cri-containerd executable, which indicates - that the tests are running on hardware with SEV-SNP support. - - Signed-off-by: Maksim An - -commit c97246d11f19a4f178f1a82fe8b2caa0b404b472 -Author: Sean T Allen -Date: Sat Feb 18 23:52:10 2023 -0500 - - Provide error message when the lack of required environment variables causes policy denial (#1661) - - This commit handles the simplest case of error reporting and doesn't inform as the the - particular variables or the group them into sets based on container/process. - - Signed-off-by: Sean T. Allen - 
Signed-off-by: Matthew A Johnson - -commit 6521a23ef84a400b676fcea45170c60131a677cf -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Sat Feb 18 00:23:47 2023 +0000 - - Bump golang.org/x/net from 0.5.0 to 0.7.0 in /test (#1666) - -commit 2c33d3d83a1e447e129b7487bf04c3144d14f4a9 -Author: Sean T Allen -Date: Thu Feb 16 16:40:47 2023 -0500 - - Update selectContainerFromConstraints to work on a container list (#1645) - - A small point of improvement that we saved away was to take a list of containers - rather than constraints when selecting a container. This will make the function - more usable elsewhere in tests. - - This change doesn't do anything but the refactoring. Future usage of the more - generally useful function can be done as needed. - - Signed-off-by: Sean T. Allen - -commit a00dee33a6415da8e2e5ec3e6b90eab61b0d3d34 -Author: Sean T Allen -Date: Thu Feb 16 11:41:08 2023 -0500 - - Make a couple tests match the naming convention around them (#1664) - - A couple of tests had a _ between Enforce and CreateContainer that - isn't part of the naming scheme we came up with for the rego - policy tests. This commit fixes those variances. - - Signed-off-by: Sean T. Allen - -commit 730efda45860d32fbe8ba4965f8f3f67fe8ae4f8 -Author: Sean T Allen -Date: Wed Feb 15 14:08:10 2023 -0500 - - Provide error message when allow_stdio_access creates and undecideable error (#1662) - - If two containers are indistinguishable at create_container or exec_external - time except for their `allow_stdio_access` value, then we are unable to proceed - as we don't know if access should be allowed or not. - - Prior to this commit, no error message at all was displayed when this was - hit making it almost impossible for someone not "in the know" to diagnose. - - This first version gives a very simple error message that will be improved - with more information in later commits. - - 
Signed-off-by: Sean T. Allen - -commit 69927ff7cb136a12ef95ed541fc951214a4fe439 (tag: v0.10.0-rc.6) -Author: Maksim An -Date: Tue Feb 14 00:47:33 2023 -0800 - - fix: temp file leak during hash computation (#1641) - - Fix a temp file leak when computing dmverity root hash. This - mainly affects `dmverity-vhd` tool and users may see their temp - storage filling up. - - Signed-off-by: Maksim An - -commit a996c74b98f0930bbf5c2371994da2ba2c6e50f4 -Author: Maksim An -Date: Tue Feb 14 00:43:04 2023 -0800 - - dmverity: fix padding (#1659) - - Due to a missing check for whether padding is needed or not, for - certain images we may end up with an extra 4096 zero-byte padding - in the merkle tree. Fix this by checking if padding is needed. - - Signed-off-by: Maksim An - -commit c7a0aef0f8a0cf80d9b5063e13c198e72b0cd384 -Author: Sean T Allen -Date: Mon Feb 13 20:16:55 2023 -0500 - - Fix false positive error messages on exec_external policy denial (#1658) - - Due to errors in the logic for detecting errors when exec_external - was denied, if it was denied, env list and working directory errors - would always appear because the error checks were incorrect. - - This commit fixes those errors. - - At the moment, checking to make sure we don't have false positives - in tests is difficult. Work to add those tests is planned but will - take a bit. In the meantime, this change will fix the issue that - is live in production. - - 
Signed-off-by: Sean T. Allen - -commit 3489fc4eec96fc0ea6d363dfcb0c725ba8117827 -Author: Sean T Allen -Date: Mon Feb 13 18:32:57 2023 -0500 - - Fix unintended data modification when redacted environment variables (#1657) - - When I did the change to redact environment variable values in policy - engine error messages, I create a "false positive error message" bug. - - If any policy check were to be denied that involved environment variables - in the check, then environment variables would be listed as a cause even - if they weren't. This was because the previous redacting code was changing - the data object used to determine the errors. - - The updated data object had the redacted environment variables which would - never match so all error messages would include that the envs were invalid. - - This commit fixes that issue but creating a new object when redacting, the - original object is still used to data checking and if redaction has been done, - the new data object is used for generating the error message. - - The current test system makes this somewhat hard to test for. I will be adding - tests to cover "false positive error messages" in the not so distant future. - In the meantime, this commit addresses the bug before it makes to production. - - 
Signed-off-by: Sean T. Allen - -commit 53bc3f1fe32ccb8969c123d3b111a85928e35ef4 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Feb 13 19:02:06 2023 +0000 - - Bump golang.org/x/sys from 0.1.0 to 0.5.0 (#1655) - -commit b00804b75cda51ccf5f7b32344301eb18efa6d7a -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Feb 13 17:49:21 2023 +0000 - - Bump google.golang.org/grpc from 1.52.3 to 1.53.0 in /test (#1656) - -commit 387c546a03dc9b6377680b1427cc2cf3b5bb72f0 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Feb 13 15:54:50 2023 +0000 - - Bump golang.org/x/sys from 0.4.0 to 0.5.0 in /test (#1654) - -commit 6a1649a4b45abe759c5aaff8b3812854e8253227 -Author: Maksim An -Date: Fri Feb 10 12:16:37 2023 -0800 - - policy: add plan9 mount type handling when generating policy (#1650) - - Signed-off-by: Maksim An - -commit 9aa3217cbe084094bfae29960c006c9c94cd38b9 -Author: Matthew A Johnson -Date: Fri Feb 10 16:21:25 2023 +0000 - - Adding a default error message. (#1647) - - If the policy does not return an error, this means that an unexpected error - has occurred. We want to signal this to the user by throwing a generic - error which will indicate to them the general nature of what has gone - wrong, i.e. that their Rego is invalid. - - Signed-off-by: Matthew A Johnson - -commit 05254393814ef6e6318ff314361f02dcc67ea89f -Author: Sean T Allen -Date: Thu Feb 9 18:22:50 2023 -0500 - - Redact environment variable values in policy error output (#1649) - - Environment variable values might contain sensitive information. This - commit scrubs those values from appearing in policy error messages. - - In any error messages "Input" section, the value of the environment - variables is replaced with "<>". - - In the errors list, only the key of the environment variable is - listed as not matching rather than the full "KEY=VALUE" string. - - 
Signed-off-by: Sean T. Allen - -commit 8d301cb3353ddcb1b5bc63a116295e982686f80f -Author: Maksim An -Date: Tue Feb 7 14:44:02 2023 -0800 - - fix: treat VMGS file as template when launching multiple UVMs (#1646) - - This PR fixes an issue when multiple UVMs are started in a - concurrent fashion, which results in an access denied error from - HCS when trying to load VMGS while another UVM start is using it. - - The fix is to treat the VMGS file as template and create a temporary - copy in pod's OCI bundle directory for the lifetime of the UVM. - The copy is deleted when UVM is terminated. - - Signed-off-by: Maksim An - -commit 420d7fa852e08c17575a1df467497a1929829ed6 -Author: Amit Barve <57150885+ambarve@users.noreply.github.com> -Date: Fri Feb 3 14:46:15 2023 -0800 - - Fix SCSI mount error handling (#1642) - - SCSI mount operation used to check for ENOENT ("no such file or directory") error and used to retry the mount - operation because the SCSI device sometimes takes a bit of a time to show up. However, in the recent version - of the Linux kernel the error it returns seems to have changed from ENOENT to ENXIO ("no such device or - address"). This commit updates the retry logic to retry for either of those errors. - - This also updates a test that used to specifically look for 2000 bits of entropy inside the guest. - However, Linux kernel 5.15 has changed the entropy behavior and now it only has 256 bits of entropy (with - increased security and performance). - - 
Signed-off-by: Amit Barve - -commit db7a679aef40e648c836b20d6b1c3bc090042747 (tag: v0.10.0-rc.5) -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jan 31 17:01:09 2023 -0500 - - test: Add CRI benchmarks for container operations (#1569) - - * test: Add CRI benchmarks for container operations - - Add CRI API benchmarks to `cri-containerd.test.exe`, and update helper - functions in `cri-containerd` to accept `tb testing.TB` instead of - `t *testing.T`. - - Switched `cri-containerd` to `test\internal\flag` so that - `test\internal\require` can be used to check if features are present - since that implementation already mirrors what `cri-containerd` does, - but accepts a `testing.TB`, and deleted old - `test/internal/stringsetflag.go` file. - - Renamed `scripts/Test-Functionl.ps1` to `scripts/Run-Tests.ps1`, and - updated it to run both functional and CRI tests and benchmarks. - - Signed-off-by: Hamza El-Saawy - - * PR: clarifying comment - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: Hamza El-Saawy - -commit d3102137a8e134b22466f058a104548b3c3142b8 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jan 31 14:50:40 2023 -0500 - - Add retry to install mingw (#1636) - - Integration test often fails because of mingw installation failure, - which in turn appears to be a web-request issues. - Adding rety and backoff/sleep to resolve issue. - - Signed-off-by: Hamza El-Saawy - -commit 9f4ddc6b7bab336b2b7475dc54469565be070081 -Author: Sebastiaan van Stijn -Date: Mon Jan 30 23:05:35 2023 +0100 - - internal/tools/securitypolicy: switch to github.com/pelletier/go-toml (#1620) - - The BurntSushi/toml module was unmaintained for a long time, and most - projects switched over to using pelletier/go-toml. While it appears - that maintenance was handed over to a new maintainer, switching to - the most commonly used implementation to simplify dependency management. - - 
Signed-off-by: Sebastiaan van Stijn - -commit 118344bdd83ad33a0128e9eaaafe40016186c89b -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jan 30 18:34:33 2023 +0000 - - Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 (#1629) - -commit 3c21b610943f2f62de13b99c2047bcd8604c3356 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jan 30 13:34:10 2023 -0500 - - Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 (#1630) - - * Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 - - Bumps [github.com/containerd/cgroups](https://github.com/containerd/cgroups) from 1.0.3 to 1.1.0. - - [Release notes](https://github.com/containerd/cgroups/releases) - - [Commits](https://github.com/containerd/cgroups/compare/v1.0.3...v1.1.0) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/cgroups - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - - * fix test mod - - Signed-off-by: Hamza El-Saawy - - --------- - - Signed-off-by: dependabot[bot] - Signed-off-by: Hamza El-Saawy - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Hamza El-Saawy - -commit 7a8d6bbe9d5348fd748df70cc1be8b2abeead803 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jan 30 13:33:35 2023 -0500 - - Bump golang.org/x/sys from 0.3.0 to 0.4.0 in /test (#1612) - - Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.3.0 to 0.4.0. - - [Release notes](https://github.com/golang/sys/releases) - - [Commits](https://github.com/golang/sys/compare/v0.3.0...v0.4.0) - - --- - updated-dependencies: - - dependency-name: golang.org/x/sys - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - 
Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit a31ee4ed0684b2718cb8e32833000b24e6620b64 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Sun Jan 29 03:05:45 2023 +0000 - - Bump google.golang.org/grpc from 1.51.0 to 1.52.3 in /test - - Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.51.0 to 1.52.3. - - [Release notes](https://github.com/grpc/grpc-go/releases) - - [Commits](https://github.com/grpc/grpc-go/compare/v1.51.0...v1.52.3) - - --- - updated-dependencies: - - dependency-name: google.golang.org/grpc - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - -commit 73b75398dfae7547ba7e7c3a9155e105bdffe063 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Sun Jan 29 03:05:21 2023 +0000 - - Bump github.com/google/go-containerregistry in /test - - Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.1 to 0.13.0. - - [Release notes](https://github.com/google/go-containerregistry/releases) - - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - - [Commits](https://github.com/google/go-containerregistry/compare/v0.12.1...v0.13.0) - - --- - updated-dependencies: - - dependency-name: github.com/google/go-containerregistry - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - 
Signed-off-by: dependabot[bot] - -commit 80d9eb0a41e557e1ece044a7a6ce258427ffb491 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jan 30 12:11:09 2023 -0500 - - Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 in /test (#1631) - - Bumps [github.com/containerd/cgroups](https://github.com/containerd/cgroups) from 1.0.3 to 1.1.0. - - [Release notes](https://github.com/containerd/cgroups/releases) - - [Commits](https://github.com/containerd/cgroups/compare/v1.0.3...v1.1.0) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/cgroups - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit fbcafad3b2dd750153596683b9661d140455c6a8 -Author: KenGordon -Date: Sat Jan 28 05:40:34 2023 +0000 - - Fragment COSE Sign1 support. Allows for a fragment presented by the host (#1575) - - to be checked for a good cert chain and a valid issuer DID that matches - the certs and so the signature. Includes DID and COSE Sign1 packages and - tooling. - - Support extracting a DID directly from a COSE Sign1 document and also - support single cert COSE Sign document checking, but not DID generation. - - `signutil` is a debug tool that allows generating valid DID given a - COSE Sign1 document and provides other utility functions like printing - cert chain, leaf certs, displaying COSE Sign1 document content etc. - - 
Signed-off-by: Ken Gordon - -commit 97875f7585b84c659df80c64e5d6136a0cf6fb9c -Author: Maksim An -Date: Fri Jan 27 17:48:06 2023 -0800 - - rego: fix slightly incorrect sandbox and hugepage mounts enforcement (#1625) - - Sandbox and hugepage mounts come via CRI config in the form: - `sandbox://`, however the existing enforcement and tests - expect it to be `sandbox://` which causes a problem during - mount enforcement, when the sandbox prefix is replaced with an additional - path separator in the end. - - Additionally update policy tests. - - 
Signed-off-by: Maksim An - -commit de1480ae0adaa72945168743f67526730f1de6ca -Author: Matthew A Johnson -Date: Sat Jan 28 00:01:23 2023 +0000 - - API Data and Framework Versioning. (#1622) - - * API Data and Framework Versioning. - - This change adds several features that are necessary to provide stable backwards - compatibility. - - The first deals with how API defaults are specified. - Previously, API default behavior was given in terms of allow/deny, i.e. - - ``` rego - "create_container": {"introducedVersion": "0.1.0", - "allowedByDefault": false} - ``` - - This does not reflect how the API has evolved, in particular the fact that GCS - expects the API to return objects and not a single boolean value. Thus, the - defaults have been updated to be default object values: - - ``` rego - "create_container": {"introducedVersion": "0.1.0", - "default_results": {"allowed": false, - "env_list": null, - "allow_stdio_access": true}}, - ``` - - The resulting default object is then combined with the value returned by the - (older) policy using an object union operation. For example, if the - default is: - - ``` json - { - "allowed": false, - "env_list": null, - "allow_stdio_access": true - } - ``` - - and the value returned by an older policy is: - - ``` json - { - "allowed": true, - } - ``` - - then then the fields of the policy result overwrite the fields of the default - to create the final result: - - ``` json - { - "allowed": true, - "env_list": null, - "allow_stdio_access": true - } - ``` - - As the API stabilizes, it will increasingly be the case that the Framework will - change independently of the API and will need its own SVN. The second major - change this PR incorporates is to add a Framework SVN to fragments and policies - which use the provided framework. This allows us to provide Framework-specific - backwards compatibility behavior. In particular, this allows us to specify - policy object versioning via the new `framework_objects.json` file. 
For example, - the format of the external process object is defined as: - - ``` json - "external_process": { - "command": { - "introduced_version": "0.1.0", - "default_value": null - }, - "env_rules": { - "introduced_version": "0.1.0", - "default_value": null - }, - "working_dir": { - "introduced_version": "0.1.0", - "default_value": null - }, - "allow_stdio_access": { - "introduced_version": "0.1.0", - "default_value": null - } - }, - ``` - - As new elements are added to framework policy objects, reasonable defaults can - be provided here. This has repercussions on policies in a few cases: - - 1. **`framework_svn` is missing.** If the policy or fragment does not define a - Framework SVN, then the framework must thrown an error for any rule which - uses the object defaults, as the behavior is undefined. - 2. **`framework_svn` is ahead of the executing Framework SVN**. Similarly, if - a policy or fragment specifies an SVN which is greater than that of the - executing Framework, they are indicating that they expect a different set of - constraints to be executing and thus we must thrown an error when rules - that uses object defaults are executed. - - Implementing and testing these changes required some minor alterations and - refactoring to the `regopolicyinterpreter`, in particular a method to make - raw Rego queries to facilitate testing the default application process for - candidate policy objects. - - Signed-off-by: Matthew A Johnson - -commit 5bc3c727457b1cbf451579be23efb774d233234e -Author: Maksim An -Date: Fri Jan 27 15:41:59 2023 -0800 - - fix snp-report: fake-report flag is now correctly parsed (#1626) - - Previously `fake-report` flag of `snp-report` binary was incorrectly - handled when report was requested in `binary` format. This PR fixes - the logic. - - 
Signed-off-by: Maksim An - -commit 3d37452b4863b510f09c2d0d7e89d1134ba69e50 -Author: Sean T Allen -Date: Fri Jan 27 18:04:08 2023 -0500 - - Make LCOWPrivileged annotation more resilient to change (#1628) - - A change to one of these two checks was requested by Hamza as part - of https://github.com/microsoft/hcsshim/pull/1624. It was decided - to get both instances in their own PR as the change was unrelated - to the work in 1624. - - Signed-off-by: Sean T. Allen - -commit 9ac9c8b5e511670845d270f98e6361c7bcdfd41a -Author: Maksim An -Date: Fri Jan 27 14:53:33 2023 -0800 - - rego enforcer: trim whitespaces from fragment namespace name (#1627) - - Signed-off-by: Maksim An - -commit aee13c81204ec10db790a947abf57418e117d6d3 -Author: Sean T Allen -Date: Thu Jan 26 21:36:58 2023 -0500 - - Add missing AllowElevated policy check when creating a container (#1624) - - * Add missing AllowElevated policy check when creating a container - - When we added AllowElevated and checked it was working correctly, we - got it slightly wrong. When a container is started, we were adding in - expected mounts that only happen for privileged containers and - using those are mounts that are allowed. - - During testing, if AllowElevated was left off, a privileged container - would fail to start seemingly indicating that all was good. However, - all was not good. - - A malicious orchestrator with control of the API could create a container - privileged that didn't contain any extra "privileged mounts" and the - container would start as privileged with everything else that being - privileged entails except for the mounts. - - This commit adds an explicit check as part of crete container to verify - that is the container is attempting to be started as privileged that it - has AllowElevated. - - Maksim and I both thought that this had been implemented. I remember it - being implemented. Apparently that memory is incorrect. Either way, it - was noticed last Thursday and here's the fix. - - 
Signed-off-by: Sean T. Allen - -commit 6cd5572970cf7c82813e9c29bf41d9b0bd435977 -Author: kiashok <99994218+kiashok@users.noreply.github.com> -Date: Thu Jan 26 12:43:52 2023 -0800 - - Retain pause.exe as entrypoint for default pause images (#1615) - - Signed-off-by: Kirtana Ashok - - Signed-off-by: Kirtana Ashok - Co-authored-by: Kirtana Ashok - -commit d6dd825d55450c53167018cbb010546c3aed813f -Merge: 793fcc58d b74c09ee4 -Author: Kathryn Baldauf -Date: Tue Jan 17 11:39:24 2023 -0800 - - Merge pull request #1597 from katiewasnothere/kabaldau/cleanup_shared_scratch_root_dir - - Add logic to cleanup the oci bundle root dir on container delete - -commit 793fcc58ddf5f57d1aa664f2ad87405d07645af5 (tag: v0.10.0-rc.4) -Author: Seth Hollandsworth -Date: Tue Jan 10 21:20:11 2023 -0500 - - adding tarball support for generating root layer hashes (#1600) - - This will be used in a "clean-room" scenario for use to security policy generation. Clean-room in this instance is for generating a security policy on computers without internet access or the docker daemon (or similar) running. - - The &tag passed in defaults to "latest" if only the image name is passed in. If the value of the tag is nil, the tarball must only have one image in it. Otherwise, many images can be stored in the tarball and be searched by their image name and tag. - - 
Signed-off-by: Seth Hollandsworth - -commit 939de61409982fb7f242a0b89c675c3519f8acbf -Author: Matthew A Johnson -Date: Tue Jan 10 23:46:46 2023 +0000 - - Adding a simulator + regopolicyinterpreter. (#1558) - - * Adding a simulator + regopolicyinterpreter. - - This PR separates all the interaction with Rego into its own extractable package - called `regopolicyinterpreter`. Instead of calling Rego directly, - the `securitypolicy` package now uses this package to implement Rego policies. - Separating out the Rego interpreter behavior in this way allows the same - code to be used by a new `policyenginesimulator` tool, which provides the - ability to simulate security policy execution on the command line. - - `regopolicyinterpreter` exposes various Rego things like modules and metadata - in a typed way to make them easier to work with: - - `RegoPolicyInterpreter` is the main interface - - `RegoModule` is a standalone Rego module that can be included in the - policy execution. There are `AddModule` and `RemoveModule` methods for - modifying the interpreter to include various modules. - - `RegoQueryResult` wraps the results that come from the Rego policy with - some useful methods for extracting scalar data types - (i.e. `bool`/`int`/`float`/`string`) - - `EnableLogging` provides a way to get multiple levels of policy logging - for debugging purposes, ranging from `Info`, which will output prints that - come from the Rego policy itself, to `Metadata`, which will dump the - entire policy metadata structure to the log with each interaction. This is - primarily intended for offline use (e.g. by the simulator). - - The `policyenginesimulator` tool uses `RegoPolicyInterpreter` to simulate - policy enforcement. 
Usage: - - ``` - -commands string - commands JSON - -data string - initial data state - -log string - log path - -logLevel string - None|Info|Results|Metadata (default "Info") - -policy string - policy Rego - ``` - - The commands JSON allows the user to specify the type and order of the commands - send by the host to the guest that will interact with the simulated policy, for - example: - - ``` json - [ - { - "name": "load_fragment", - "input": { - "issuer": "did:web:contoso.github.io", - "feed": "contoso.azurecr.io/custom", - "namespace": "custom", - "local_path": "custom.rego" - } - }, - { - "name": "mount_device", - "input": { - "target": "/mnt/layer0", - "deviceHash": "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415" - } - }, - { - "name": "mount_overlay", - "input": { - "target": "/mnt/overlay0", - "containerID": "container0", - "layerPaths": [ - "/mnt/layer0" - ] - } - }, - { - "name": "create_container", - "input": { - "containerID": "container0", - "argList": [ - "/pause" - ], - "envList": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "TERM=xterm" - ], - "mounts": [], - "workingDir": "/", - "sandboxDir": "/sandbox", - "hugePagesDir": "/hugepages" - } - } - ] - ``` - - Signed-off-by: Matthew A Johnson - -commit cbdbb48891f7980fddd944dff754d5b6ada8763b -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jan 10 16:32:21 2023 -0500 - - Remove goversioninfo from tools.go (#1616) - - Go includes dependencies in tools.go as an indirect - dependency when other packages import hcsshim. - Remove `github.com/josephspurrier/goversioninfo/cmd/goversioninfo` - since upstream consumers shouldn't need it. - - Signed-off-by: Hamza El-Saawy - - 
Signed-off-by: Hamza El-Saawy - -commit ec4f89691a6115ad0c70ec9c224703c8809cfe9c -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jan 10 15:47:01 2023 -0500 - - Add 20H2 container image to test constants (#1611) - - Add 20H2 container to testing constants for completeness, since mcr has - corresponding nanoserver and servercore images. - - Add test constants with codenames (RS5, 20H1, etc.) and server LTSC - builds to make selection easier. - - Update `"osversion"` constants with 22H2 for Windows 10 & 11. - - Add aliases in `"osversion"` for version numbers and LTSC server builds - to ease confusion between build code names and versions. - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 5cfbc2ac27e4aa4c2559a1bc7d0e4687e9279352 -Author: kiashok <99994218+kiashok@users.noreply.github.com> -Date: Mon Jan 9 09:45:11 2023 -0800 - - wcow: support graceful termination of servercore containers (#1416) - - * This commit includes the changes to enable graceful termination of WCOW containers - - Signed-off-by: Kirtana Ashok - - * Added regression tests for nanoserver and servercore base images - - Signed-off-by: Kirtana Ashok - - * Worked on Kevin's review comments - - Signed-off-by: Kirtana Ashok - - * Fixed lint failures - - Fixed lint errors caused by spelling mistakes in hcsdoc_wcow.go and stopcontainer_test.go - - Signed-off-by: Kirtana Ashok - - * Addresses Kevin's review comments - - Signed-off-by: Kirtana Ashok - - Signed-off-by: Kirtana Ashok - - 
Signed-off-by: Kirtana Ashok - Co-authored-by: Kirtana Ashok - -commit 6547959343d65e0cf431dd9d589f45ee2b98172c -Author: Maksim An -Date: Wed Jan 4 16:37:21 2023 -0800 - - policy: do not set policy to open door if none is provided (#1572) - - Currently hcsshim is setting an allow all open door policy if - no security policy has been provided. - On the host side, the security policy is hashed and used as - HostData when starting an SNP-uVM. However, guest receives the - aforementioned "open_door" policy and computes hash over it. - As a result, this has doesn't match the LaunchData which is - returned by the attestation report and rightfully so, GCS - rejects the security policy. - - Fix this by not special handling empty security policy on the - host side and let the guest decide what to do with it, thus - ensuring that both host and guest compute the hash over the - same thing. - - Signed-off-by: Maksim An - -commit 5d23454aac07459fe9c614709d98e65a4958d7dd -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Dec 28 13:27:14 2022 -0500 - - Updating dependencies (#1607) - - Combination of dependabot PRs: mostly to deal with running `go tidy` in - test updating root `go.mod`. - - PRs: - 1579 - 1580 - 1587 - 1598 - 1602 - - Signed-off-by: Hamza El-Saawy - - 
Signed-off-by: Hamza El-Saawy - -commit 0b8319a721ceef568157c20e5b75db88a9f6570c (tag: v0.10.0-rc.3) -Merge: 9782dee21 5fc00c5ee -Author: kiashok <99994218+kiashok@users.noreply.github.com> -Date: Mon Dec 12 10:08:32 2022 -0800 - - Merge pull request #1601 from kiashok/memLeakShim - - Remove blocking on container exit for every new exec created - -commit 5fc00c5eeb3a6e909be65bfdb7df6e26575dd182 (hcsshim/memLeakShim) -Author: Kirtana Ashok -Date: Fri Dec 9 12:16:51 2022 -0800 - - Remove blocking wait on container exit for every exec created - - Commit fixes the memory leak seen in the shim. - It removes creation of channel that waits on container exit - for every new exec. Instead, the container wait channel is exposed - through WaitChannel() function which callers can use to decide - if container has exited or not. - - 
Signed-off-by: Kirtana Ashok - -commit 9782dee21cf90d55a6fff7e8744d53603f9a2b57 -Author: Matthew A Johnson -Date: Wed Dec 7 18:26:16 2022 +0000 - - Add ability in policy to allow/disallow access to stdio (#1594) - - This commit adds the ability of policy at the time of create container to - allow or disallow access to standard io for that container. And on the - external process side, if an external process is allowed to access standard - io. - - This is done in the same way as dropping environment variables is implemented. - At policy enforcement time, policy will indicate if standard io access is - allowed as part of the create being allowed. So like with environment variables - where it is "allow, but only with these environment variables" now we also have - "allow, but do not allow standard io access". - - Turning off standard io for containers in a way that didn't break some expectation - within the hcs/gcs relationship turned out to be remarkably difficult. Maksim and - I tried a couple different approaches before settling on the approach of creating - a new transport for handling the disallowed standard io access case. - - One of the things we had attempted was to have special TTY and PipeRelays. However, - we abandonded that approach as it resulted in a ton of duplicated code. - - The "devnull transport approach" that this commit implements doesn't result in - duplicated code. And most importantly, has been able to pass testing and not - result in bugs somewhere else in the gcs/hcs relationship. - - When work was started on this, we expected this to take a few days to get correct. - It turned out to take several weeks because the hcs/gcs standard io relationship - is filled with expectations and invariants that aren't documented and are spread - throughtout the code. Maksim and I settled on this approach as we felt it had the - lowest overhead for maintenance and was the least likely going forward to introduce - sublte bugs while passing current testing. 
- - Signed-off-by: Sean T. Allen - -commit 3e090b05a82c0e226e26c0d1e2ae89d336d7ff69 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Dec 6 21:04:03 2022 -0500 - - Prevent stopping exited HCS systems and processes (#1567) - - Add checks to `hcs.System` to prevent attempting to shutdown or - terminate a compute system that has already been stopped. - The same checks could be added to other operations (eg, pause, start, - resume) but it is unclear what error should be returned in those - situations, so those operations are left untouched. - - Add checks to `hcs.Process` to prevent attempting to kill a - stopped process. - Although `hcs.Process` differs from `hcs.System` in that the latter - returns an error if the system is already stopped or closed, but the - former does not. - Therefore, `(*Process).Kill` returns `ErrProcessAlreadyStopped`, which - is the expected error in `(*hcsExec).Kill`. - - Finally, an additional check is added to `(*Process).CloseStdin` to skip - sending a modify request to the process to close stdin if the process - has already been stopped. - (And creating a span, similar to `(*Process).CloseStd(out|err)`). - - The motivation for this came from `(*UtilityVM).Close()` calling - `Terminate` on the compute system, even if the uVM was already killed - prior. - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 734a0ed8dff0112ce3a12a0f4b892e1a5095eca6 (tag: v0.10.0-rc.2) -Author: Maksim An -Date: Mon Dec 5 17:05:25 2022 -0800 - - plumb AMD certs to workload containers (#1549) - - confidential containers: Add AMD cert plumbing - - Add logic to plumb AMD certificates to workload containers. The - assumption is that the certificates will be "fresh enough" for - necessary attestation and key release by the workflow and third - party services. - - Additionally add error logging when UVM reference info file - is not found - - 
Signed-off-by: Maksim An - -commit b74c09ee4282811c8274887dc9ecd4c43de1473d -Author: Kathryn Baldauf -Date: Tue Nov 29 14:19:40 2022 -0800 - - Add logic to cleanup the oci bundle root dir on container delete - - Signed-off-by: Kathryn Baldauf - -commit 1233dd1ef26f501dd94e1690efa3d906fd4ebbf9 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Dec 5 11:37:20 2022 -0500 - - Bump golang.org/x/sys from 0.1.0 to 0.2.0 in /test (#1596) - - Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.1.0 to 0.2.0. - - [Release notes](https://github.com/golang/sys/releases) - - [Commits](https://github.com/golang/sys/compare/v0.1.0...v0.2.0) - - --- - updated-dependencies: - - dependency-name: golang.org/x/sys - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - - Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit e4e797810bf5487cb2ee8e4fdc7d32e5e9e7c02d -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Fri Dec 2 15:12:53 2022 -0500 - - Bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 (#1583) - - * Bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 - - Bumps [github.com/cenkalti/backoff/v4](https://github.com/cenkalti/backoff) from 4.1.3 to 4.2.0. - - [Release notes](https://github.com/cenkalti/backoff/releases) - - [Commits](https://github.com/cenkalti/backoff/compare/v4.1.3...v4.2.0) - - --- - updated-dependencies: - - dependency-name: github.com/cenkalti/backoff/v4 - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - - * test vendor - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: dependabot[bot] - 
Signed-off-by: Hamza El-Saawy - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Hamza El-Saawy - -commit 73c4f943560f36d949c42714f529d735c7aad7b5 -Author: Hamza El-Saawy -Date: Fri Dec 2 13:55:48 2022 -0500 - - test vendor - - Signed-off-by: Hamza El-Saawy - -commit 6758a4803abd5cc90b888357cb6c9737648ce800 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed Nov 30 16:50:01 2022 +0000 - - Bump github.com/BurntSushi/toml from 0.4.1 to 1.2.1 - - Bumps [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) from 0.4.1 to 1.2.1. - - [Release notes](https://github.com/BurntSushi/toml/releases) - - [Commits](https://github.com/BurntSushi/toml/compare/v0.4.1...v1.2.1) - - --- - updated-dependencies: - - dependency-name: github.com/BurntSushi/toml - dependency-type: direct:production - update-type: version-update:semver-major - ... - - Signed-off-by: dependabot[bot] - -commit b4e97dfcfa02d77674b3e8b25e93ca9716e0f307 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Dec 2 13:39:36 2022 -0500 - - Upgrade test module to go1.18 (#1593) - - Keeping test module at 1.17 causes issues when running `go mod tidy`, - due to incompatibilities with how go 1.17 and 1.18 resolve dependencies. - - Upgrading to 1.18 resolves this. - - Signed-off-by: Hamza El-Saawy - - 
Signed-off-by: Hamza El-Saawy - -commit fee9b0316c6d598883b3651f08cee75165d2e1a1 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Dec 1 15:51:21 2022 +0000 - - Bump github.com/google/go-containerregistry in /test - - Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.11.0 to 0.12.1. - - [Release notes](https://github.com/google/go-containerregistry/releases) - - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - - [Commits](https://github.com/google/go-containerregistry/compare/v0.11.0...v0.12.1) - - --- - updated-dependencies: - - dependency-name: github.com/google/go-containerregistry - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - -commit 241d35108fd98c5d686040db6c16c72a4f1acc62 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Dec 1 10:50:09 2022 -0500 - - Bump go.opencensus.io from 0.23.0 to 0.24.0 in /test (#1578) - - Bumps [go.opencensus.io](https://github.com/census-instrumentation/opencensus-go) from 0.23.0 to 0.24.0. - - [Release notes](https://github.com/census-instrumentation/opencensus-go/releases) - - [Commits](https://github.com/census-instrumentation/opencensus-go/compare/v0.23.0...v0.24.0) - - --- - updated-dependencies: - - dependency-name: go.opencensus.io - dependency-type: direct:production - update-type: version-update:semver-minor - ... - - Signed-off-by: dependabot[bot] - - 
Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit 47fbd9fbac3653d9163db9209fddadfcc0a6807b -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Dec 1 10:48:40 2022 -0500 - - Bump actions/download-artifact from 2 to 3 (#1577) - - Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 2 to 3. - - [Release notes](https://github.com/actions/download-artifact/releases) - - [Commits](https://github.com/actions/download-artifact/compare/v2...v3) - - --- - updated-dependencies: - - dependency-name: actions/download-artifact - dependency-type: direct:production - update-type: version-update:semver-major - ... - - Signed-off-by: dependabot[bot] - - Signed-off-by: dependabot[bot] - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit 2084da8634cc910e763f1feb4d9b4f962a0bcb2d -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Nov 30 11:49:00 2022 -0500 - - Reduce dependabot update schedule (#1588) - - Change dependebot to only check for updates on Sundays, and to ignore - patch version updates (ie, `a.b.c` -> `a.b.d` will not trigger a PR). - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit be0124affc16011cc8173db4d6ea435dd6887348 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed Nov 30 15:23:32 2022 +0000 - - Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 in /test - - Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. - - [Release notes](https://github.com/stretchr/testify/releases) - - [Commits](https://github.com/stretchr/testify/compare/v1.8.0...v1.8.1) - - --- - updated-dependencies: - - dependency-name: github.com/stretchr/testify - dependency-type: direct:production - update-type: version-update:semver-patch - ... - - 
Signed-off-by: dependabot[bot] - -commit eb84160fba24bdbee1170055c284bd27008c858e -Author: Marat Radchenko -Date: Wed Nov 30 18:22:11 2022 +0300 - - Set up dependabot (#1319) - - Dependabot automatically creates PRs for updated dependencies and tracks security vulnerabilities. - - Signed-off-by: Marat Radchenko - - Signed-off-by: Marat Radchenko - -commit 07a19e32a69b71f2bb8a6dc32311a5d1dbe32dc3 -Author: Matthew A Johnson -Date: Tue Nov 29 07:47:29 2022 +0000 - - Adding some missing policy elements from the templates. (#1571) - - When encrypted scratch was added the policy and open door templates were - not updated properly, i.e. the SVN was not incremented and - `scratch_mount` and `scratch_unmount` were not added to the open - door template. I've added a test which will keep this from happening - in the future. - - Signed-off-by: Matthew A Johnson - -commit b8d0273e29cd938cf3fba70f8fd10ae591153b9c -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Nov 21 14:40:44 2022 -0500 - - [test]CRI initialization (#1566) - - Add function for restart tests to wait for CRI plugin to be fully - initialized before continuing to prevent subsequent tests failing with: - - `rpc error: code = Unknown desc = server is not initialized yet` - - `waitForCRI` waits for a specified timeout, periodically sending `Version` - gRPC requests until either a successful response returns, timeout is - reached, or another error besides `not initialized yet` is returned. - - cri-containerd restart tests pass - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit f83cc58000f01497bbf6d057f0b29b6889235fc6 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Nov 17 17:29:27 2022 -0500 - - [test]Add feature for CRI plugins (#1565) - - Signed-off-by: Hamza El-Saawy - - 
Signed-off-by: Hamza El-Saawy - -commit a67a79a3bbc8cc16100163b9bd5edcf9ab6d4648 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Nov 16 08:52:20 2022 -0500 - - [test]logging and tracing to stdout (#1563) - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 838b9412700cce69d7439ad9138c3f74c9dbb617 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Nov 16 08:50:34 2022 -0500 - - Update CI actions (#1564) - - Update `actions/checkout`, `actions/setup-go`, and - `actions/upload-artifact` to version 3. - Version 2 of the actions uses a deprecated version of node.js, - and raises the following warning in the CI: - - ``` - Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. - ``` - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 1d141fa345d7aee273d20cace71639a1aa20cf14 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Nov 14 21:05:46 2022 -0500 - - test/functional: Add flag for container layer paths, remove containerd dependence (#1536) - - * Add flag for container layer paths - - Add lcow/wcow layer paths flag to allow providing image layer paths - instead of requiring containerd to pull and unpack it. - - The goal is to allow functional tests to be run without requiring - containerd to be installed. - - Signed-off-by: Hamza El-Saawy - - * PR: logging, cleanup, naming. - - Changed `(LazyImageLayers).ImageLayers` to `(LazyImageLayers).Layers`. - `(LazyImageLayers).Close` now returns an error. - Comment cleanup. - - Signed-off-by: Hamza El-Saawy - - * PR: replace LayerFolders and docker - - Signed-off-by: Hamza El-Saawy - - * PR: unpack individual LCOW layers, comments - - Signed-off-by: Hamza El-Saawy - - 
Signed-off-by: Hamza El-Saawy - -commit acd87d590bb7b382fdb6d78128b705314205f8ba -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Nov 14 17:22:00 2022 -0500 - - race condition with exitCh in `(*UtilityVM).Start()` (#1562) - - `(*UtilityVM).acceptAndClose()` waits on `(*UtilityVM).exitCh`, but - `exitCh` is not created until after the goroutines with the - `acceptAndClose` calls are launched, causing a potential race - condition. - - Functional and cri-containerd tests pass. - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 60598f8aa3e703c39b65d5fc3176c81c8a0937f9 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Nov 11 15:01:41 2022 -0500 - - uVM timeout handling and logging improvement (#1561) - - `(*UtilityVM).Start` was using a potentially timed-out context for its - terminate, which can cause the terminate to immediately error and not - log the correct status of the operation. - - Additionally `(*UtilityVM).Start` sets a 2 minute timeout on the context - it ultimately passes to `"vmcompute".execute`, which silently overrides - the timeout execute uses. - Improved logs to report correct timeout. - - Spelling fix. - Shortened long lines. - - 
Signed-off-by: Hamza El-Saawy - -commit 0a55db758b045b9a9d4d005edcb169e0febbe2a1 -Author: Maksim An -Date: Sun Nov 6 14:18:50 2022 -0800 - - rego and hardening: add enforcement and hardening for encrypted scratch (#1538) - - * rego and hardening: add enforcement and hardening for encrypted scratch - - The request to encrypt scratch comes from the host, but in confidential - scenario, the host cannot be trusted and it may attempt to mount the - read-write overlay of a container under an unencrypted path or omit the - encryption request altogether. - - To address the issue, add `scratch_mount`, `scratch_unmount` enforcement - points and `allow_unencrypted_scratch` policy config, which can be used - to (you guessed it) allow containers to run with unencrypted scratch. - - Since the request to add encrypted read-write scratch disk and mounting - container overlayfs come at different times, we also introduced minimal - (for now) hardening around adding read-write devices to the UVM. We - record the mounted read-write devices when they arrive and at the time - of adding overlayfs we check if the scratch path encrypted or not and - validate against the policy before enforcing overlay policy. - - The policy config can be set at the top level, e.g.: - ``` - allow_unencrypted_scratch := true - - containers := [...] - ``` - - The `scratch_mount` enforcement point takes an input with the following - members: - ``` - { - "target": "", - "encrypted": [true|false], - } - ``` - - Add `/internal/guest/runtime/hcsv2/uvm_state.go`, which adds a new - `hostMounts` struct which keeps track of mounted RW devices. This can - be extended in the future for more GCS hardening purposes, e.g. overlay, - RO layer mounts and other container lifecycle management. 
- - * crypt package refactor and adding more unit tests - - * tests: add e2e tests for scratch encryption policy - - * export and rename fetchActualControllerNumber - - As part of enforcing encrypted scratch policy, we need to make - sure that the source matches. To figure out the source for a - SCSI attachment we need to first find the actual controller number - where the SCSI is presented, which can be different from what hcsshim - has requested originally. - Rename and export `fetchActualControllerNumber` as `ActualControllerNumber` - and figure out the correct controller before calling to scsi Mount/Unmount. - Remove wrappers and update unit tests. - - Signed-off-by: Maksim An - -commit eb6202703fe4d42af0941c64ae8c46178c6cd7e5 -Author: Maksim An -Date: Thu Nov 3 08:25:57 2022 -0700 - - fix: wrong assignment after enforcing a policy (#1559) - - 
Signed-off-by: Maksim An - -commit 0f0c8949fd2a6633d32c8ff27740a402174dc93f -Author: Matthew A Johnson -Date: Tue Nov 1 15:10:22 2022 +0000 - - Drop unmatched environment variables. (#1550) - - * Drop unmatched environment variables. - - This adds a `allow_environment_variable_dropping` flag to `data.policy` - which allows the framework, if set, to try to drop environment variables - if there are no matching containers/processes. This is an important - aspect of serviceability, as it will allow customer policies to be - robust to the addition of extraneous environment variables which are - unused by their containers. Note throughout this that the existing logic - of `required` environment variables holds. The logic used is the - following: - - 1. Produce a set $A$ of valid environment variable subsets for each - entity (e.g. container, process) - 2. All subsets which share the maximum cardinality from $A$ form a - subset $B \subseteq A$ - 3. If $\bigcup B = \bigcap B$, return $B$ - 4. Else, return undefined - - The resulting subset of environment variables is then used to determine - the matching containers. This may be best explained via an example. - We have three containers with the following sets of environment - variables: - - $$ - c_0 = \{a, b\} \\ - c_1 = \{a, b, c\} \\ - c_2 = \{a, b, c, d\} - $$ - - If the host requests to start a container with $[a, b, c, d, e]$ then, - without dropping environment variables, the request will be denied. - However, if variables are allowed to be dropped, then we could - potentially match any of these containers: - - $$ - A = \{[a, b], [a, b, c], [a, b, c, d]\} \\ - $$ - - however, the cardinality rule means that we will choose: - - $$ - B = \{[a, b, c, d]\} - $$ - - As (in this case) $\bigcup B = \bigcap B$ is trivially true, we return - $[a, b, c, d]$ as the new set of environment variables, which will then - match with $c_2$. 
- - If, however, we had one more conatainer: - - $$ - c_3 = \{a, b, c, e\} - $$ - - Then we get a very different result. As before, the request would be - denied if dropping environment variables is allowed. If allowed, though, - we get the following: - - $$ - A = \{[a, b], [a, b, c], [a, b, c, d], [a, b, c, e]\} \\ - B = \{[a, b, c, d], [a, b, c, e]\} \\ - \bigcup B = [a, b, c, d, e] \\ - \bigcap B = [a, b, c] \\ - $$ - - As we can see, $\bigcup B \neq \bigcap B$ and so the result is - undefined. This is because, at this stage, we cannot choose between - these two containers fairly. - - Signed-off-by: Matthew A Johnson - Signed-off-by: Matthew Johnson (MSRC) - -commit 89ce12811f39d37f14282e3b9726c5fa61590332 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Oct 31 19:12:24 2022 -0400 - - Update LCOW boot file paths used in tests (#1551) - - * Update LCOW boot file paths - - Tests may run in a folder other than `C:\ContainerPlat`. - Update default LCOW Options generated for tests to look for directory - `containerd.exe` is in (or look for `C:\ContainerPlat\LinuxBootFiles` - and prefer those over `C:\Program Files\LinuxBootFiles`. - - This was causing `Test_RunPodSandbox_MultipleContainersSameVhd_LCOW` - tests to fail. - - Also, separated out uVM/hcshim debug logs from verbose test settings, so - enabling `test.v` only affects test `Log` statements and does not cause - all internal (logrus`) logs to be output. - - Signed-off-by: Hamza El-Saawy - - * PR: check paths, remove LazyString - - Signed-off-by: Hamza El-Saawy - - * adding VM cleanup - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 6c21874b5ea7d058ba978f0aca67de5808370d2a -Author: Maksim An -Date: Sat Oct 29 13:45:33 2022 -0700 - - Change the default policy stance to "allow" and fix logging (#1553) - - logrus uses `os.Stderr` by default, so setting output to - `os.Stdout` resulted in no GCS logs being relayed. - - 
Signed-off-by: Maksim An - -commit febe69b1d5e715e8d9694d504cd76f28971ce752 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Oct 28 19:30:31 2022 -0400 - - Pass ipv6 address information to Linux GCS (#1552) - - * Pass ipv6 address information to Linux GCS - - Currently, HCN endpoint ipv6 settings are not passed into the Linux - guest, so containers will not be assigned their ipv6 addresses. - - Update shim to forward that information into the guest, add updates - the guest to assign both sets of addresses. - Added tests for ipv6 functionality. - - Signed-off-by: Hamza El-Saawy - - * PR: vestigial comment, logging - - Signed-off-by: Hamza El-Saawy - - 
Signed-off-by: Hamza El-Saawy - -commit 2eafb0bf5fdd74e2911a20d3e11fe75f02c54a64 -Author: Matthew A Johnson -Date: Mon Oct 24 20:36:57 2022 +0100 - - Adding policy fragments. (#1539) - - * Adding policy fragments. - - This PR adds the ability for an authored security policy to be expanded at - runtime with policy fragments. It focuses purely on the policy enforcement - aspect, which assumes that the fragments which the guest is asking to load have - been verified to have been obtained from the issuer and feed specified. - - The `load_fragment` enforcement point takes an input with the following members: - - ``` json - { - "issuer": "", - "feed": "" - } - ``` - - Also, for the purpose of this call, the fragment is loaded as a module. - The result is of the form: - - ``` json - { - "allowed": true - "add_module": true - } - ``` - - If the value of `add_module` is `true`, then the fragment will continue to be - loaded as a module for all future executions. - - In the case that the authored security policy uses the framework, there are a - variety of ways in which a policy can quickly and easily incorporate elements - from fragments. First, the policy defines a list of `fragments` which they - are willing to include: - - ``` rego - fragments := [ - { - "iss": "", - "feed": "", - "minimum_svn": "", - "includes": [] - }, - # ...other fragments - ] - ``` - - This allows the author to quickly indicate the fragments they are willing to - use, what minimum version of that fragment is required, and further specify - what to include: - - - `containers`: include all of the containers in the fragment for use in policy - enforcement - - `fragments`: include all of the fragments in the fragment. 
This allows - fragments to themselves include fragments (with the policy - author's explicit consent) - - `external_processes`: include the external processes from the fragment - - `namespace`: this indicates that `add_module` should be set to true - - For most common use cases, this means that the fragment only needs to be loaded - once (during the call to `load_fragment`) so that the included entities can be - extracted, after which the policy can execute without them. - - 
Signed-off-by: Matthew A Johnson - -commit a1b68c584e9b91e82f78ede14bb05a172d92bb07 -Author: Sean T Allen -Date: Wed Oct 19 12:02:14 2022 -0400 - - Add enforcement of logging from the GCS runtime (#1545) - - In order to provide a confidential environment for confidential containers, - we need to provide a means for customers to control information that will - leave the UVM running their code. A key means for information to leave the - UVM is via logging. - - There's no guarantee that logging will leak information that the customer - considers confidential. There's no guarantee that it won't. To address this - issue, we are adding 2 additional enforcement points for policy related to - logging. - - The first, which is this commit, is to allow control over logging coming - from GCS itself. The second which will come in another commit is to - allow control over logging from containers. - - For GCS logging, we have exposed it in policy as the name "runtime logging" - as we don't feel that "GCS" will be particularly meaningful to the average - policy writer. - - The new enforcement point is used to decide if logging is allowed at all. - Once we receive a policy, we check to see if GCS logging is allowed or denied. - If denied, then we set the logging output for the logrus object used by GCS - to be a blackhole. Otherwise, we set it to either stdout or a file depending - on the options that GCS was started with. - - Logging before we receive policy is controlled via a flag that is set on - GCS startup for what our default policy position should be before a policy - arrives, either "allow" or "deny". This initial policy stance flag is used - to set the initial logrus output target and to create the "default" policy - enforcer used until a policy arrives over the standard GCS API. - - In GCS's main method, we do not use the enforcer but instead select an enforcer - and the logging target based on the flag. 
We made this design decision as - Maksim felt strongly that the ideal goal for policy is as "middleware" that - operates only at the bridge/host level of GCS and not elsewhere including not - prior to the bridge and host objects being created. - - Signed-off-by: Sean T. Allen - -commit a78617af6795e76452f91a51ad032595959ee9b0 -Author: Maksim An -Date: Tue Oct 18 09:22:41 2022 -0700 - - remove pod startup fragment functionality (#1544) - - This reverts changes introduced in microsoft/hcsshim#1521. - - Signed-off-by: Maksim An - -commit 875a40e6b05f63a66b1ebecd6f23cbac811946db -Author: Matthew A Johnson -Date: Thu Oct 13 22:51:36 2022 +0100 - - Adding DumpStacks policy enforcement point. (#1543) - - DumpStacks allows access to guest stacks. Can be used for debugging etc. - This gates it with a simple yes/no for policy. - - Signed-off-by: Matthew A Johnson - Co-authored-by: Sean T. Allen - -commit a72cbcd1ca7372a9ce3916b6e2b2c473d762df52 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Oct 12 17:53:14 2022 -0400 - - lint ext4 folder for linux (#1537) - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 53faf237449d725a32d6be39385bb09e384f6273 -Author: Matthew A Johnson -Date: Wed Oct 12 06:57:45 2022 +0100 - - Adding GetProperties policy enforcement point. (#1542) - - GetProperties allows getting information about what is running. This is related to debugging - etc. This gates it with a simple yes/no for policy. This might be used for getting stats. - - 
Signed-off-by: Sean T. Allen - Co-authored-by: Sean T. Allen - -commit c2a1cd9a8ff9f9dd0095bd4065456792b9905e71 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Tue Oct 11 11:17:50 2022 -0700 - - Add support for generating guest crash dumps (#1516) - - * Add support for generating guest crash dumps - - Adds a new annotation that can provide a path of the directory in which the guest crash dumps will be - generated if the guest crashes. Just providing a valid path for this annotation will automatically enable the - crash dumps. The dump files for each UVM will be created with the UVM ID as the prefix in the filename for - easier identification. - - Signed-off-by: Amit Barve - -commit 5e27a9bba1c44e248962c8bb347c611c90ccf89e -Author: Matthew A Johnson -Date: Fri Oct 7 02:54:32 2022 +0100 - - Add policy enforcement for overlay unmounting (#1535) - - We previously weren't doing any enforcement around whether an overlay should be allowed - to be unmounted. The initial logic is very simple and matches our device unmounting logic: - - only allow an unmount if we've seen a mount. - - When we get to the hardening PRs, we'll want to revisit this basic rule and decide if - we want to make it more vigorous in policy or if we want to put all hardening in GCS - or some mixture in-between. That's a design discussion we'll need to have. - - Signed-off-by: Sean T. Allen - 
Signed-off-by: Matthew A Johnson - Co-authored-by: Sean T. Allen - -commit a6859d95a45b5b3c9a5c01c1f8e79e6c9d1fdd9b -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Oct 6 17:49:30 2022 -0400 - - Add `t.Helper` calls, testing linter (#1534) - - Add `t.Helper()` calls to testing helpers so the correct test name and - line number is shown during logs - [ref](https://pkg.go.dev/testing#B.Helper). - - Add [`thelper`](https://github.com/kulti/thelper) linter to settings to - make sure testing helpers correctly call `t.Helper`. - - Renamed `t testing.TB` to `tb testing.TB` to satisfy `thelper`. - - Signed-off-by: Hamza El-Saawy - -commit 7fe1fa68839d222986385dabf7f8bd1fe7afa9a9 -Author: Matthew A Johnson -Date: Thu Oct 6 06:31:55 2022 +0100 - - Add policy enforcement of mounting and unmounting plan9 devices (#1531) - - Plan9 mounts affect two separate enforcement points. The first is the point - at which a plan9 mount is mounted from the host to the guest. These mount points - (called `uvmPathForShare`) have a very constrained format. The enforcement point - for this (which is being added by this PR) is `plan9_mount`, with a matching - `plan9_unmount`. The second is `create_container`, which can contain mounts - which use a plan9 `uvmPathForShare` as a source and make it available to the - container. - - The `plan9_mount` enforcment point determines if the `target` is a valid - `uvmPathForShare`. The `plan9_unmount` enforcement point checks that the - item to be unmounted is currently mounted. Finally, there is a new - `mount_ok` rule which handles the plan9 case. - - Signed-off-by: Sean T. Allen - 
Signed-off-by: Matthew A Johnson - Co-authored-by: Sean T. Allen - -commit 05b973dcfd091fbdd9c6c2f2aea7b75c2b91afd6 -Author: Maksim An -Date: Wed Oct 5 10:10:20 2022 -0700 - - set confidential UVM options during UVM start (#1533) - - To make the interface cleaner for cases when security policy isn't - required, call to `SetConfidentialUVMOptions` within `Start`. - When no enforcer or policy are supplied GCS will initialize an - open door enforcer. - - UtilityVM object now holds the confidential options to use them - during `Start`. - - By default the UVM reference is expected to be located at the - directory as the shim executable rather than under linux boot files. - This has been done to avoid holding this information on the UVM - object. - - `uvmboot` has been updated to take a `security-policy-enforcer` - parameter. - - Signed-off-by: Maksim An - -commit ad0d5a7b6315e777c88e7adb013be46aac7b83fb -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Sep 30 16:47:00 2022 -0400 - - Vendor go generate binaries, update CI (#1433) - - Added `go generate` job to the CI to verify that generated files are up - to date. - - Added `goversioninfo` to `tools.go` so that it is also vendored and run - locally. - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit a2a86cef70a85e7b9a3597d3f6dca6523e40b2b4 -Author: Matthew A Johnson -Date: Thu Sep 29 16:28:51 2022 +0100 - - Ignoring unneeded fields in JSON policy marshalling. (#1530) - - The `ExecProcesses` and `Signals` fields on `Container`, which are needed for newly added enforcement points, - were not being ignored during JSON marshalling. These values should not be included in the marshalled object - because the new enforcement points that require them are not implemented for the - `StandardSecurityPolicyEnforcer` which uses the JSON representation for policies. - - Signed-off-by: Matthew A Johnson - - 
Signed-off-by: Matthew A Johnson - -commit 045973d3f378819cd50219b19c5be6484c8d7952 -Merge: a30ed8c66 e4d9824e8 -Author: Kathryn Baldauf -Date: Thu Sep 29 00:29:04 2022 -0700 - - Merge pull request #1452 from katiewasnothere/ipv6_ncproxy - - Changes to support ipv6 in ncproxy - -commit e4d9824e84ccbae8ebbc3b54282d2feecee81921 -Author: Kathryn Baldauf -Date: Mon Aug 29 22:13:51 2022 -0700 - - Add syso files for ncproxy - - Signed-off-by: Kathryn Baldauf - -commit 7f82411f9ad110259d1350fa28cc81b4802a3bc1 -Author: Kathryn Baldauf -Date: Thu Mar 10 22:22:29 2022 -0800 - - Changes to support ipv6 in ncproxy - * Update proto file and dependencies - * Update hcn code paths to return dual stack info - * Update hcn ncproxy tests with dual stack scenarios - - Signed-off-by: Kathryn Baldauf - -commit a30ed8c6664b284d28e3a895a2ea8dbd7d341e2e -Author: Maksim An -Date: Wed Sep 28 22:15:02 2022 -0700 - - fix create-scratch and other `runhcs` subucommands (#1528) - - `runhcs` subcommands were missing a call to `SetConfidentialUVMOptions` - after the uVM has been booted. This results in closed door policy - to be set for all UVM operations, including (now) execs into UVM. - Previously the exec would succeed, UVM exited and we had our scratch. - - Additionally GCS has been updated to set the policy to "open door" when - both enforcer and security policy options are empty. - - 
Signed-off-by: Maksim An - -commit d7e725c6d9541bc1d5384f22d6205b7cb7240503 -Author: Matthew A Johnson -Date: Thu Sep 29 06:13:02 2022 +0100 - - Device mounting and unmounting updates (#1526) - - Maksim and I agreed that as part of the confidential containers serviceability work that - the SCSI and PMem enforcer usage that occurred down in the depths of each subsystem would - be moved into the Host type in uvm.go. - - This change would put device mount and unmount enforcement in the same file with all - our new enforcement points being added during the servicability project. The idea being - that it will make it easy to see what is being enforced where and provide an overall - level of consistency. - - This commit makes that change. In the process, it removes the MountMonitoringSecurityEnforcer - as it no longer serves and purpose. The tests that used that specialized test enforcer were - also removed as they make no sense within the contex of the new design. - - While making these changes, I discovered that umount enforcement was not being done for SCSI - devices. This is ironic as the reason that Ken Gordon and I argued for the old design was so - that someone couldn't accidentally not do enforcement, yet, here we are; an enforcement point - was missed. Unmount enforcement for SCSI devices is included in this change. - - Signed-off-by: Sean T. Allen - - 
Signed-off-by: Sean T. Allen - Co-authored-by: Sean T. Allen - -commit f7a3edefff71aa1c82368e99d21fab22db5f94e5 -Author: Maksim An -Date: Wed Sep 28 10:46:34 2022 -0700 - - Add pod startup security policy fragment injection (#1521) - - In general case the fragment injection will happen via sandbox task - update request. However, we may need to inject fragments before the - pod is created and ready to accept the update request. One of the - examples is the pause container, which holds the pod network - namespace. - - This PR addresses this issue by adding functionality to read an - arbitrary security policy fragment from UVM's file system. - The assumption is that the fragment will be embedded into the UVM - and the path will be supplied as part of confidential UVM options - together with security policy and UVM reference. - - The actual calling into fragment validation and injection could be - changed in the future. - - Signed-off-by: Maksim An - -commit 65acc497d786688dfe9bd964d5f391685342b1a6 -Author: Maksim An -Date: Wed Sep 28 09:51:31 2022 -0700 - - fix release.yml trigger for real now (#1529) - - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push - - Signed-off-by: Maksim An - -commit ffa3d31ee8037a3bd75b432876a6e17a7143637f -Author: Maksim An -Date: Tue Sep 27 17:51:52 2022 -0700 - - fix release.yml push trigger expecting a map. (#1527) - - - Signed-off-by: Maksim An - -commit 9028ad0ecc457eaa01933a4e96bce1f07711fcf4 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Sep 26 15:56:48 2022 -0400 - - Switch to go-winio/tools/mkwinsyscall (#1409) - - * Switch to go-winio/tools/mkwinsyscall - - Added `.\tools.go" file to add mkwinsyscall to `go.mod` and track as a - dependency, as recommended by the - [go wiki](https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module). - - Using `-sort=false` flag to make changes easier to see. - (Will be undone in next commit.) - - 
Signed-off-by: Hamza El-Saawy - - * undoing sort=false - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 2b143a0136d3ac5302511cd20b6bd294f7f1d9b9 -Author: Maksim An -Date: Fri Sep 23 12:05:36 2022 -0700 - - fix wrong parameters passed to EnforceExecExternalProcessPolicy (#1523) - - Fixes GCS panic, because OCIProcess for exec external is nil. - - For exec external process we don't use OCIProcess field of - ProcessParameters, but instead use the top level CommandArgs, - Environment and WorkingDirectory. - - Signed-off-by: Maksim An - - 
Signed-off-by: Maksim An - -commit b2c8eb9da862522036368d1ef797b18bf8770dd9 -Author: Matthew A Johnson -Date: Fri Sep 23 18:52:18 2022 +0100 - - Add enforcement of sending signals to arbitrary processes in a container (#1525) - - Most people tend to think of a container as thing that does a single thing - and by extension, as a thing that is a single process. This isn't the case - but it is the mental model that people bring to containers. It also happens - to be an incredibly common scenario where a container "equals" a single process. - - Our model for representing "container constraints" in the policy engine in GCS - doesn't break out the init process of a container into a process representation. - Instead, signals going to an init process are represented as signals "on the - container" and signals going to other processes in the container are represented - as signals on an "exec_process". - - This makes understanding how to apply constraints to a container easier for - folks getting started with confidential containers. It also means that we - need to have two different bits of code for enforcing signal constraints on - processes in GCS. - - For any pid and container id combo we do the following: - - If the pid is for the init process of a container, then we know to use the - container signal list for determining if sending the signal is allowed. - - If the pid isn't for an init process, then we have a bit more work to do. - We don't have any mapping of a pid to policy entry if the pid isn't for - the init process of a container. But, we can still map from the incoming - pid to set of 0 or more valid policy exec_process entries. - - GCS stores a collection, on a per container basis, of all processes that were - started including the OCI Spec for each process started. We can match the - pid to the OCI Spec used to start the process with said pid. 
We can then use - the command from that process to find any valid exec process entries in the - policy for the container and see if any of them allow the signal in question. - Any matching exec process entries can then be used to do further narrowing on - possible container matches in the policy for the given container id. - - Signed-off-by: Sean T. Allen - Signed-off-by: Matthew A Johnson - - Signed-off-by: Sean T. Allen - Signed-off-by: Matthew A Johnson - Co-authored-by: Sean T. Allen - -commit 1ee5cd338663c200d80070edc0aa3c4665274a75 -Author: Seth Hollandsworth -Date: Thu Sep 22 14:45:00 2022 -0400 - - updating error message to say policy does not allow restarts (#1524) - - Signed-off-by: Seth Hollandsworth - - 
Signed-off-by: Seth Hollandsworth - -commit be9d388f866ad278bafe5738ac21791e9190ca56 -Author: Matthew A Johnson -Date: Thu Sep 22 02:21:43 2022 +0100 - - Add policy enforcement for shutting down a container (#1518) - - Adds policy enforcement around shutting down a container. In the supplied framework, shutting down a container is always - allowed. We update metadata based on the change in state that will be used by other framework rules. This enforcement point - is important for custom policies for metadata tracking and also for allowing the creation of rules like "this container - isn't allowed to shutdown if some other container is running". - - This commit rewrites `signalContainerV2` and gives it a new name. `signalContainerV2` was only called from the kill and - shutdown container functions. Despite only having 2 possible signals it could receive, it accepted any signal. There's a - replacement method called `signalContainerShutdownV2` that has "the same functionality" as `signalContainerV2`. - `signalContainerShutdownV2` doesn't accept arbitrary signals. Instead, it takes a boolean for whether the shutdown should be - graceful (aka `SIGTERM`) or if we should do a non-graceful shutdown of `SIGKILL`. - - This commit aims to keep things "as they are" except for changes that are required for proper and non-evadable policy - enforcement. - - Actual policy enforcement is in a new method `ShutdownContainer` on the `Host` type in `uvm.go`. It is our design goal to - have all enforcement functions called from within methods in `uvm.go`. - - There's an additional new method on the `Host` as well: `SignalContainerProcess`. `SignalContainerProcess` allows for the sending - of arbitrary signals from the untrusted host computer to the UVM. The code has been extracted from `signalProcessV2` in the - bridge and moved onto the `Host` type. The move was required in order to add additional logic to `SignalContainerProcess` that - `signalProcessV2` lacked. 
- - `SignalContainerProcess` will check to see if the process being signaled is the init process of the container. If it is and the signal - is `SIGTERM` or `SIGKILL` then the shutdown container enforcement rule will be used. We create this "special case" as shutting - down a container is the process of sending `SIGTERM` or `SIGKILL` to the container's init process. The information for whether - a process is the init process for a container is available, but not from the module that bridge is part of, thus the move of - functionality into `Host`. - - The creation of `SignalContainerProcess` was going to be required for when we add support for enforcing policy around - sending arbitrary signals to processes. The current `SignalContainerProcess` was written with that forthcoming changing in - mind, but doesn't include any logic for the additional enforcement as that will be coming in a commit that will arrive "in - the not so distant future". - - Shutdown container policy, because it is always allowed by our framework, doesn't require changing the `securitypolicy` policy - generation tool as there's no user provided input to the new policy rule `shutdown_container`. - - When not using an open door policy, a "container not started" error will be returned if a shutdown is attempted on a container - identifier that wasn't used to start a container. - Signed-off-by: Sean T. Allen - Signed-off-by: Matthew A Johnson - - Co-authored-by: Sean T. Allen - -commit 61f9e98ee96a43083ab5c420957ad650395c7425 -Merge: f83d2f6d9 c9176f642 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Sep 21 11:29:06 2022 -0700 - - Merge pull request #1522 from dcantah/processor-spelling-fix - - Fix 'ProcessorCount' comment - -commit c9176f6427b22c127a8d504dec5469e52bd174bf -Author: Daniel Canter -Date: Wed Sep 21 09:44:14 2022 -0700 - - Fix 'ProcessorCount' comment - - GetMaximumProcessorCount -> GetActiveProcessorCount - - 
Signed-off-by: Daniel Canter - -commit f83d2f6d97242b3e86589989c055ef0cb91ff771 -Author: Maksim An -Date: Tue Sep 20 09:44:59 2022 -0700 - - rename SecurityPolicyEnv annotation to UVMSecurityPolicyEnv (#1517) - - Signed-off-by: Maksim An - -commit 2a2bfdd7a42b23dc0cb7e4ee7fe375346d70639d -Author: Heather Garvison -Date: Mon Sep 19 18:57:05 2022 -0400 - - update dmverity-vhd tool to accept local images (#1494) - - Updated cmd/dmverity-vhd tool to accept local images using - the local docker daemon so that the tool can be used without - internet access and added a release workflow that creates - `dmverity-vhd` Windows and Linux executables whenever a push - with a tag starting `"v"` is created -- a pre-release is created if the - tag includes `"rc"` - - 
Signed-off-by: Heather Garvison - -commit 92d68904c95ed65918f49d316057a61b2f56b6c7 -Author: Matthew A Johnson -Date: Mon Sep 19 17:49:09 2022 +0100 - - Adding the `exec_external` enforcement point. (#1512) - - The `exec_external` enforcement point adds policy enforcement around the running - of processes inside the UVM, *i.e.* independent of any individual container. - In order to support this change, a new list of external process constraints - has been added at the policy level, like so: - - ``` rego - package policy - - containers := [/*some containers*/] - external_processes := [ - { - "command": [/*arglist*/], - "env_rules": [/*envList*/], - "working_dir": "", - } - ] - ``` - - This change required a update to our testing fixtures to generate - all constraints (*i.e.* containers and external processes) instead of just - containers. As a result we updated all of our tests to use `generateConstraints` - instead of `generateContainers` and similar renamings for clarity. The test - functionality has not changed as a result of these renamings. - - Adding a new enforcement point requires making a lot of little changes in - several places. To ensure this process goes smoothly moving forward, we - have added a checklist to the `securitypolicy` README. In the course of writing - the checklist, we found that we had missed a few error messages for - `mount_device`, `unmount_device`, and `mount_overlay` which we have now added. - - Signed-off-by: Matthew A Johnson - -commit ed3277365e85650b652427eb1132050493d06f3a -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Sep 16 09:17:19 2022 -0400 - - Linux GCS tests and benchmarks (#1352) - - * Added GCS tests and benchmarks - - Added testing suite that can built and run directly on the Linux uVM - by sharing or adding it to the rootfs. - It primarily focuses on container (standalone and CRI) management. - - 
Signed-off-by: Hamza El-Saawy - - * PR: rebase, comments, bugs, cleanup, security policy, linting - - Fixed bug with calling `*hcsv2.Host.GetContainer` instead of - `*hcsv2.Host.GetCreatedContainer`. - - Removed left over comments, added clarifying comments to - `assertNumberContainers` and `listContaienrStates` interactions. - - Reordered namespace and rootfs cleanup. - - Removed underscore from consts - Removed unneeded constants - Added flag to test-lcow-uvm script to change boot type from vhd to - initrd. - - Update security policy code to use enforcer. - Updated script for changes to `uvmboot` and to use default executable - name (`gcs.test`), as produced by `go test -c`. - - Linting issues: - - `switch` to `if` - - unused `getContainer()` - - unused receivers - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 0e5cdff9b5759d6159217dfeffb583fbd4f4733a -Author: Maksim An -Date: Thu Sep 15 10:04:34 2022 -0700 - - update security policy and uvm reference env var names (#1514) - - Make sure the naming of security policy and uvm reference - env vars are consistent. Drop `HCSSHIM_` prefix and use `UVM_` - instead. The env vars now become `UVM_SECURITY_POLICY` and - `UVM_REFERENCE_INFO`. - - Signed-off-by: Maksim An - -commit 77c787d2bdbbfa3080817fa5535c3312c9dbab6c -Author: Maksim An -Date: Thu Sep 15 09:51:33 2022 -0700 - - Use alpine and pause images from MSFT mirrors in tests (#1515) - - Occasionally we've started seeing issues with docker rate limiting - image pulls when running cri-containerd tests locally. Switch to - MSFT mirrors. - - Signed-off-by: Maksim An - -commit c3f6bb7f7022c0e5bad8e847016d617fab115904 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Sep 15 10:20:44 2022 -0400 - - Update hcs errors to gov1.13 style (#1450) - - * Update hcs errors to gov1.13 style - - Add `.Is(` and `.Unwrap(` to `internal\hcs\errors.go` to using them with - `errors.Is(`, as well as `internal\gcs\bridge.go`. - - 
Signed-off-by: Hamza El-Saawy - - * PR: logic bug, declaration style - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 17fd158ba9ceb5078998dfeb913626e2cbc0f32e -Author: Matthew A Johnson -Date: Thu Sep 15 00:46:52 2022 +0100 - - Refactor of metadata operations. (#1513) - - Adds typing for `metadataOperation` and a enumeration of `metadataAction`. - No functionality changes as a result of this, but the code is easier to - read and support. - - Signed-off-by: Matthew A Johnson - - 
Signed-off-by: Matthew A Johnson - -commit 900bb74fdb4308cfa7ac12ad6b412cd25ec34163 -Author: Matthew A Johnson -Date: Wed Sep 14 02:33:53 2022 +0100 - - Adding the exec_in_container enforcement point (#1506) - - This commit adds the exec_in_container enforcement point, but as part of this change we must also perform a - refactoring of the framework to enable supporting this and other additional enforcement points which come - after creating a container. Due to the number of possible matches and the way in which each subsequent - enforcement point narrows the list of matches, we need to maintain for each container ID a list of potentially - matching containers. - - As part of making this change to the framework, we took the opportunity to build a more flexible system for a - policy to store data for use in evaluating later rules. This has the beneficial side effect of removing more policy - logic from the Go code while also creating a far more powerful and flexible system for policy authoring. - - Before, a policy would define a simple true/false rule for something like mount_device. Now, the mount_device rule - (along with all others) is expected to return an object, as seen below: - - ```rego - device_mounted(target) { - data.metadata.devices[target] - } - - default mount_device := {"allowed": false} - - mount_device := {"devices": devices, "allowed": true} { - not device_mounted(input.target) - some container in data.policy.containers - some layer in container.layers - input.deviceHash == layer - devices := { - "action": "add", - "key": input.target, - "value": input.deviceHash - } - } - This object contains a member called allowed which indicates whether the operation should proceed, but also includes one or more "metadata" commands, of the following form: - - { - "": { - "action": "", - "key": "", - "value": "" - } - } - ``` - - These metadata commands alter a special metadata namespace. 
The Go code, which previously contained logic for maintaining - various data structures for use by the framework, now executes these metadata commands instead. This both means that the - Go code contains almost no policy logic at this point, but also that authored policies can take advantage of all the same - kinds of data caching logic upon which the framework is based. - - A consequence of this change is that unmount_device is now a new enforcement point, allowing policy authors to have control - from the Rego side of how devices are unmounted (as they do with mounting devices at the moment). - - Signed-off-by: Sean T. Allen - - Signed-off-by: Sean T. Allen - Co-authored-by: Sean T. Allen - -commit 57c4342271e8b57818e9ed1513d27522ff18cef4 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Sep 12 18:16:05 2022 -0400 - - remove spelling linter (#1509) - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit b363b0d99bd15764fa5f3940c49a3e08c27268bf -Author: Sean T Allen -Date: Mon Sep 12 15:39:07 2022 -0400 - - Fix seeding for generative policy tests (#1508) - - We are seeding the `testRand` module level variable. However, testing/quick - was not set to use that seeded random number generator. The testing/quick - configuration has a field `Rand` which is not set, will result in a - random number generator being created and used. This created generator - hasn't been seeded so our seeding had no impact on any of our `Generate` - functions. - - This commit updates all testing/quick tests to initialize `Rand` in the - configuration to be set to our seeded `testRand`. - - Signed-off-by: Sean T. Allen - - 
Signed-off-by: Sean T. Allen - -commit 9f5b8f975cf75eaaf74adf6a7a4eb69e0bb63bff -Merge: 74c416d6f d84966551 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Sep 9 10:52:26 2022 -0700 - - Merge pull request #1505 from SeanTAllen/required-rules-2 - - Adding required environment variable rules logic. - -commit 74c416d6fcbba48e678364a015d543186a1ed294 -Author: Sean T Allen -Date: Fri Sep 9 12:08:14 2022 -0400 - - Remove unused open/closed door enforcement methods (#1507) - - I did an automated refactoring a while ago and it left to unused - methods hanging around when enforce mount logic was moved into - create container enforcement logic. - - Signed-off-by: Sean T. Allen - - Signed-off-by: Sean T. Allen - -commit d84966551534fdba311e6b35ebff6d2273632f87 -Author: Matthew A Johnson -Date: Thu Sep 8 16:53:42 2022 +0100 - - Adding required environment variable rules logic. - - If an environment variable rule is marked as "required", then it must be defined in the container. - This is enforced in the Rego in the following way: - - ``` rego - env_ok(pattern, "string", value) { - pattern == value - } - - env_ok(pattern, "re2", value) { - regex.match(pattern, value) - } - - rule_ok(rule, env) { - not rule.required - } - - rule_ok(rule, env) { - rule.required - env_ok(rule.pattern, rule.strategy, env) - } - - envList_ok(container) { - every env in input.envList { - some rule in container.env_rules - env_ok(rule.pattern, rule.strategy, env) - } - - every rule in container.env_rules { - some env in input.envList - rule_ok(rule, env) - } - } - ``` - - 
Signed-off-by: Matthew A Johnson - -commit e374b8d4f8dad974b961ac50ea252262136851cc -Author: Maksim An -Date: Thu Sep 8 13:36:25 2022 -0700 - - Add new `ctrdtaskapi` package for shim task API support. (#1485) - - Add new typeurl registered data structure to represent - additional security policy constraint fragments, which - can be passed as part of shim's task Update request. - - Rename `UpdateContainerConstraints` to `Update` and - change the behavior to return an error when an invalid - resource is passed. - - Make sure hcsshim can consume the new resource as part - of task Update request handling and new GCS protocol - message can be properly accepted by the guest. - - Signed-off-by: Maksim An - -commit 7555bd5153043fb1bccd6d7ccbbb7ec84c1b1e37 -Merge: 92687ae90 e364ad4e5 -Author: Kathryn Baldauf -Date: Thu Sep 8 13:04:11 2022 -0700 - - Merge pull request #1383 from katiewasnothere/remove_nvidia_boot_files - - Update lcow driver installation path - -commit 92687ae90aaec0998a148f85602a2b3d19baca7b -Author: Maksim An -Date: Thu Sep 8 10:48:00 2022 -0700 - - Set HCSSHIM_UVM_REFERENCE_INFO env for workload containers (#1499) - - * Set HCSSHIM_UVM_REFERENCE_INFO env for workload containers - - Workload containers need to be aware of the reference UVM measurement - they are currently running on. The expectation is that the signed UVM - measurement file will be a part of the package and located in the - same directory as the rest of the boot files (e.g. kernel, initrd - or VMGS). The file itself is a COSE_Sign1 document containing the - measurement and related information. - The content of the file will be plumbed to the UVM as - part of setting the security policy request and can later be - presented to the containers via an environment variable. - - 
Signed-off-by: Maksim An - -commit 0f26f8db1b7c46d4b283391fac75f97661c8a493 -Author: Matthew A Johnson -Date: Thu Sep 8 18:46:00 2022 +0100 - - Returning OpenDoorSecurityPolicyEnforcer (when appropriate) for Rego policies. (#1504) - - Signed-off-by: Matthew A Johnson - - Signed-off-by: Matthew A Johnson - -commit 46db6ffecfbed9453cb2d3c2ebac03a414e0985b -Author: Matthew A Johnson -Date: Thu Sep 8 18:43:27 2022 +0100 - - Moving rego api test fixtures to a separate file (#1503) - - Signed-off-by: Matthew A Johnson - - Signed-off-by: Matthew A Johnson - -commit e364ad4e5d40238b3d10c041c2484525067444c7 -Author: Kathryn Baldauf -Date: Mon Jul 25 12:56:44 2022 -0700 - - Update go modules - - Signed-off-by: Kathryn Baldauf - -commit ea36a2799745eda858d4dbbebb977d8d2b179d8d -Author: Kathryn Baldauf -Date: Wed Apr 27 19:48:14 2022 -0700 - - Update test modules - - Signed-off-by: Kathryn Baldauf - -commit fac8ff6a94ded29fd24d3dbfa6d906d0147552af -Author: Kathryn Baldauf -Date: Wed Apr 27 19:24:50 2022 -0700 - - Update lcow driver installation path - - update `install-drivers` tool to take in additional parameter for - driver read/write path - - update call to `install-drivers` to take in new param - - update nvidia hook to use CreateRuntime instead of Prestart hook - - Signed-off-by: Kathryn Baldauf - -commit 2b2bd8fd24ba472a31754f1385f8dbbf15212102 -Author: Sean T Allen -Date: Thu Sep 8 01:46:38 2022 -0400 - - Move rego only test fixtures into the rego tests file (#1502) - - This will avoid linter errors. - - 
Signed-off-by: Sean T. Allen - -commit 04d537c9785b63bf7b8284e346cfe8516a18da1f -Author: Sean T Allen -Date: Wed Sep 7 19:35:36 2022 -0400 - - Adds versioning to the framework (and policies). (#1496) - - This enables backwards compatibility and fine-tuned behavioral logic based upon version - comparisons. Every enforcement point will now be explicitly linked to a introduced version - and given a default behavior (allow/not allow) which should be applied automatically below that - version. The logic looks like this: - - ```go - func (policy *regoEnforcer) allowed(enforcementPoint string, input map[string]interface{}) (bool, error) { - results, err := policy.query(enforcementPoint, input) - if err != nil { - // Rego execution error - return false, err - } - - if len(results) == 0 { - info, err := policy.queryEnforcementPoint(enforcementPoint) - if err != nil { - return false, err - } - - if info.availableByPolicyVersion { - // policy should define this rule but it is missing - return false, fmt.Errorf("rule for %s is missing from policy", enforcementPoint) - } else { - // rule added after policy was authored - return info.allowedByDefault, nil - } - } - - return results.Allowed(), nil - } - ``` - - A Rego query for a rule that doesn't exist returns an empty result set. - If we receive no results, we first check to see if the rule _should_ be there - by checking whether it was introduced after the policy was authored. If the - enforcement point should be defined (*i.e.* it was added before the policy was - authored), we raise an error. If it is new, then we use the default behavior. - If there are results, then the rule was present and we proceed as normal. 
- - The enforcement point info is provided by a new Rego namespace called `api`: - - ```rego - package api - - svn := "0.1.0" - - enforcement_points := { - "mount_device": {"introducedVersion": "0.1.0", "allowedByDefault": false}, - "mount_overlay": {"introducedVersion": "0.1.0", "allowedByDefault": false}, - "create_container": {"introducedVersion": "0.1.0", "allowedByDefault": false}, - } - - default enforcement_point_info := {"available": false, "allowed": false, "unknown": true, "invalid": false} - - enforcement_point_info := {"available": available, "allowed": allowed, "unknown": false, "invalid": false} { - enforcement_point := enforcement_points[input.name] - semver.compare(svn, enforcement_point.introducedVersion) >= 0 - available := semver.compare(data.policy.api_svn, enforcement_point.introducedVersion) >= 0 - allowed := enforcement_point.allowedByDefault - } - - enforcement_point_info := {"available": false, "allowed": false, "unknown": false, "invalid": true} { - enforcement_point := enforcement_points[input.name] - semver.compare(svn, enforcement_point.introducedVersion) < 0 - } - ``` - - This namespace provides a way for us to express in Rego and expose to policy authors - the current API, which at the time being consists of a series of enforcement - points. - - Signed-off-by: Matthew A Johnson - - 
Signed-off-by: Matthew A Johnson - Co-authored-by: Matthew A Johnson - -commit 213a02e7a6aa8c2dabe22d9cc123d9d6764b3956 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Sep 7 19:01:02 2022 -0400 - - Add step to check test/go.mod, updated test/go.mod (#1501) - - Pipeline does not check that `./test/go.mod` is up to date, which can - cause issues with linting and other stages. - - Combined verifying `test/go.mod` and `./go.mod` into one stage. - Simplified the job ordering to increase the number of possible parallel - runs. - - Removed `build_gcs` dependence on vendoring stage, since that is - subsumed by `test-linux`. - - Removed `build_gcs` and `build` dependence on `integration-tests`, since - those fail frequently and ideally integration testing requires - successfully building executables. - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 44a2b278ce93b7c5bb3287f386f8fa822d0c8e90 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Sep 7 11:21:09 2022 -0400 - - Enable linting on test directory (#1491) - - * Enabling linting for tests and linux files - - Updated CI to lint from within test directory. Currently, it does not - since it is a different module. - Additionally, golangci-lint uses `GOOS` to decide what files to - evaluate, so matrix was upddated with GOOS. - - Updated lint config to analyze test files, both within `./test` with - `functional` tag, and unit tests with `integration` tag. - - Signed-off-by: Hamza El-Saawy - - * Fix linting issues - - Removed unnecessary code, added exceptions for most issues. - - Signed-off-by: Hamza El-Saawy - - 
Signed-off-by: Hamza El-Saawy - -commit 895853a43cdbe18c9a08faa7368c0f8d2dd3615e -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Thu Sep 1 15:23:18 2022 -0700 - - Fix nil pointer dereference in addSCSI (#1497) - - The new change that we added to fix a race condition in addSCSI introduced a bug where the code ends up accessing a - nil pointer in certain situations. For example, the deferred function to unblock any waiters of the attach - SCSI operation accesses the scsi mount object to propagate any errors. However, this pointer is a named return - value of the function and is set to `nil` when returning an error. In those cases the deferred function panics - with the nil pointer dereference error. To fix this we don't use the named return value for the scsi mount - object anymore. - This change also removes the check for zero SCSI controllers since that check is done by the - `allocateSCSIMount` function. - - Signed-off-by: Amit Barve - - 
Signed-off-by: Amit Barve - -commit 435a376a0fa864030f8139ec95332f93ec3ce4be -Author: Matthew A Johnson -Date: Thu Sep 1 18:04:37 2022 +0100 - - Add support for accepting Rego policy code. (#1495) - - * Add support for accepting Rego policy code. - - Refactors (due to build tags): - - Internal classes (needed for Rego marshaling) moved to `securitypolicy_internal.go` - - Marshal code (needed for Rego marshaling) moved to `securitypolicy_marshal.go`. Once the JSON input/output is removed, this code can safely be moved to the `securitypolicy` tool - - Rego error logic has been moved to `framework.rego` - - `open_door.rego` added as Rego alternative to OpenDoor, and the `allow_all` logic has been removed from `policy.rego` - - New Features: - - `MarshalPolicy` method which supports turning a policy into either JSON or Rego - - `securitypolicy` now takes a `t` parameter that can be equal to either `rego` or `json` and a `r` parameter which indicates whether it should output the raw output in addition to the base64 encoded policy - - `createRegoEnforcer` can now handle either a JSON policy or a Rego policy as input - - Signed-off-by: Matthew A Johnson - - * tests: add cri-containerd test coverage for positive rego scenarios - - Rename a few tests under cri-containerd/policy_test.go for easier - wildcard matching. - - Negative test cases will come in a subsequent PR. - - Signed-off-by: Maksim An - - Signed-off-by: Matthew A Johnson - 
Signed-off-by: Maksim An - Co-authored-by: Maksim An - -commit af624d9287c323cd692a4a24a8ae7e02e15bf661 -Merge: e88b487ec 239225bf0 -Author: KenGordon -Date: Wed Aug 31 09:43:54 2022 +0100 - - Merge pull request #1493 from SeanTAllen/rego-policy-enforcer - - Adding a Rego Policy Enforcer. - -commit 239225bf0df6fb8939ebf79c5abee37b84126e62 -Author: Sean T. Allen -Date: Tue Aug 30 18:03:57 2022 -0400 - - Adding a Rego Policy Enforcer - - The standard policy enforcer is a domain-specific logical language implemented in go over JSON. In the future, policy enforcement will need to increase in complexity and coverage. Instead of increasing the complexity of the DSL in turn to address these needs, it is preferable to use a policy language designed to express these constraints, such as Rego. This PR adds an alternate Rego policy enforcer which expresses the same logic as the StandardPolicyEnforcer entirely in Rego. - - We've added a RegoPolicy which implements SecurityPolicyEnforcer in securitypolicyenforcer_rego.go and a full test suite in regopolicy_test.go. The main design idea is that there are three elements which are used for evaluating the policy: - - Policy objects (i.e., containers) which are translated into Rego from our existing JSON format. - Policy behavior, which is Rego that is in source control (policy.rego) which translates the enforcement logic currently in securitypolicyenforcer.go. - Policy data (i.e., state) which is maintained over the course of enforcement and fed into the Rego during a query - There is an additional element, namely the Microsoft Policy Framework (in framework.rego) which contains the majority of the enforcement logic. While at the moment this is used by the static policy.rego file, in the future it can be made available to customers who can choose to author their own policies. - - To add some details on the implementation, for each Enforce* method, we query the Rego policy with a set input. On success, we modify the data object. 
For a simple example, see how EnforceDeviceMount works: - - ```golang - func (policy *RegoEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) error { - policy.mutex.Lock() - defer policy.mutex.Unlock() - - input := map[string]interface{}{ - "name": "mount_device", - "target": target, - "deviceHash": deviceHash, - } - result, err := policy.Query(input) - if err != nil { - return err - } - - if !result.Allowed() { - input_json, err := json.Marshal(input) - if err != nil { - return fmt.Errorf("Unable to marshal the Rego input data.") - } - - return fmt.Errorf("device mount not allowed by policy.\ninput: %s", string(input_json)) - } - - deviceMap := policy.data["devices"].(map[string]string) - if _, found := deviceMap[target]; found { - input_json, err := json.Marshal(input) - if err != nil { - return fmt.Errorf("Unable to marshal the Rego input data.") - } - - return fmt.Errorf("device %s already mounted.\ninput: %s", target, string(input_json)) - } - - deviceMap[target] = deviceHash - return nil - } - ``` - - The corresponding Rego for this is: - - ```rego - default mount_device := false - mount_device := true { - some container in data.policy.containers - some layer in container.layers - input.deviceHash == layer - } - ``` - - We believe that this logic is much easier to reason about and maintain over time as opposed to the current system, while also allowing for a straightforward expansion in coverage over time. - - Note: This PR was intended to be additive and non-invasive, but in order to add the Rego dependencies - multiple package revs appeared to be required. This is the source of the vast majority of the files - that have been touched (i.e., in the vendor directory). - - 
Signed-off-by: Sean T. Allen - -commit e88b487ec04322b5b116c1ac2204adedcd10ee22 -Merge: b295b1a86 6f6e1c8cb -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Aug 26 18:08:10 2022 -0700 - - Merge pull request #1462 from dcantah/hpc-mounts-ro - - Readonly option for hostprocess mounts - -commit 6f6e1c8cb58a261cb56c3b5161f3fc2d0aa53d0d -Author: Daniel Canter -Date: Tue Jul 19 22:08:57 2022 -0700 - - Readonly option for hostprocess mounts - - Add in ability to parse read only mount options for hostprocess mounts. - Change the API of ApplyFileBinding to take in a readOnly bool instead of - it signifying a merged binding. We don't have any use for merged bindings - as the default for containers is to shadow the directory we're binding - to. We could alternatively pass in a set of options/flags as this argument, - but readonly seems to be the only thing needed as of now. - - Signed-off-by: Daniel Canter - -commit b295b1a866b1263ddede4f00dddf7a129b96c114 -Merge: 338bb2c6a 6f55abc15 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Aug 26 13:53:38 2022 -0700 - - Merge pull request #1486 from dcantah/shimdiag-tasks - - Add Tasks command to shimdiag - -commit 338bb2c6a01c496ef169cc61be4adb625b06f121 -Author: Maksim An -Date: Thu Aug 25 08:57:04 2022 -0700 - - add test utility func that waits for particular container state (#1492) - - additionally refactor some of the existing tests to use the new func - - 
Signed-off-by: Maksim An - -commit f12cf48c6ea7a6ebd389c8d5824cc5760fd3dfd8 -Merge: ab849cf06 cae120b42 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Aug 24 10:59:15 2022 -0700 - - Merge pull request #1488 from dcantah/timeout-terminate - - Call container.Terminate() on shutdown timeouts - -commit ab849cf065b3e43f97fe420b7f72b7073afa1c6f -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Aug 24 13:26:26 2022 -0400 - - Linux/LCOW bugs (#1489) - - Container/runc commands used `runcCommandLog` instead of `runcCommand`, - which fails to run properly. - Since they do not need to use a log file, the latter call is correct. - - Bug with how `uvmboot` sets security policy arg. - - Missing windows build tag. - - Linting/style changes: - - unnecessary `if err != nil { return err }` statement - - simplified nested if statments - - unused method receivers - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit c089b49e828225e4e60dbfa6b67f763786c48060 -Author: Maksim An -Date: Wed Aug 24 06:57:17 2022 -0700 - - fix unmarshaling of LCOWSecurityPolicyEnforcer (#1487) - - - Signed-off-by: Maksim An - -commit cae120b42536adea72101e6a358183c74a0bdac5 -Author: Daniel Canter -Date: Tue Aug 23 19:31:11 2022 -0700 - - Call container.Terminate() on shutdown timeouts - - We were logging if HcsShutdownComputeSystem failed, but we weren't - trying to force kill the container via Terminate after if we timed - out waiting for it to complete. Shutdown is async and we wait for - a notification for success, so most of the time the call itself will - return nil, but it doesn't indicate indicate success until we can - see that the system exited. So now we will fallback to Terminate for: - - 1. Shutdown returning an error that doesn't indicate the result is - to be waited on. - 2. The async result of shutdown was non-nil - 3. Waiting for the result passed the timeout we set. - - 
Signed-off-by: Daniel Canter - -commit feaf10a0803e62aaa2afd640c00f91c373d0cf6d -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Aug 23 16:22:24 2022 -0400 - - Added LCOW functional tests and benchmarks for uVMs and containers. (#1351) - - * Added LCOW functional tests and benchmarks - - Split out utility functions from `test/functional` into an internal package, - separate from functional tests. - Updated code to use containerd instead of docker. - - Added new functional tests and benchmarks for LCOW uVM containers, and - updated other LCOW tests as well. Not all (LCOW) functional tests were - updated, and most others are now explicitly skipped. - - Updated `k8s.io/cri-api` to v0.22 to include `WindowsPodSandboxConfig` - struct - - Signed-off-by: Hamza El-Saawy - - * Updating tests to use new test\internal package - - Signed-off-by: Hamza El-Saawy - - * PR: doc, simplified signatures - - Added deprecated warning to `layers.LayerFolders`, which relies on - docker. - Added doc comment to functional tests to clarify overlap with other - tests. - Removed unnecessary parameter in `WaitForError`. - Updated snapshotter logic - - Signed-off-by: Hamza El-Saawy - - * PR: refactor, updated image names in cri tests - - Signed-off-by: Hamza El-Saawy - - Signed-off-by: Hamza El-Saawy - -commit 6f55abc153a9124821d78070512147d0e13faa24 -Author: Daniel Canter -Date: Tue Aug 23 12:14:34 2022 -0700 - - pr feedback - - Signed-off-by: Daniel Canter - -commit 86e98693ee196a88aa7414fa872ac378cb39afac -Author: Daniel Canter -Date: Mon Aug 22 21:59:11 2022 -0700 - - Add Tasks command to shimdiag - - This command prints the tasks that are currently being managed - by a given shim instance, and optionally the execs in each task. - - There've been a couple times where our shim and containerd have - seemingly disagreed on what tasks are still running.. This should - make it easy to see the state of the world from our shims point - of view. - - 
Signed-off-by: Daniel Canter - -commit 477d5b40ba3a4e2b209967679d3f8cd4020f8078 -Author: Sean T Allen -Date: Thu Aug 18 17:00:35 2022 -0400 - - Remove wait mounts functionality (#1474) - - Wait mounts was originally added as a synchronization mechanic that - allows to build dependencies between containers via security policy. - - Some issues: - - - Only available via policy so, you can't use in a non-confidential scenario - - Mixes configuration into policy enforcement - - Completely bespoke - - With our moving to a rego based policy engine, we've decided to stop doing - anything that is "include configuration in policy" and instead switch to - "policy controls if a bit of configuration is allowed to be changed". This - approach eliminates wait mounts as a possibility to move over even if we - decided that the issues listed above weren't problematic. - - We expect that any customer using wait mounts functionality via policy - will switch to handling dependencies amongst containers as they usually - would. Allow the container that is missing a dependency to fail in a fashion - that will get the orchestrator to restart it until such time as the dependency - is available. For wait mounts, this means exiting if the mounted drive is - missing a known good file that is expected to exist thereby indicating that - the drive in question wasn't available at the time the container started and - instead, an empty directory was mounted. - - These changes are a prerequisite for the soon to arrive change to switch from - the bespoke JSON based policy language I wrote to using Rego. - - 
Signed-off-by: Sean T. Allen - -commit 83511587d71dff3acff8c9f43b487c7311c81e3e -Author: Maksim An -Date: Thu Aug 18 10:44:45 2022 -0700 - - securitypolicy: add security policy enforcer registration and defaults (#1476) - - * Stub out Rego policy enforcer and hide it behind a build tag. - - Add enforcer registration logic and support for default enforcer. - The host can request which security policy enforcer to use with - supplied policy, if none supplied, GCS code tries to make a "guess" - as to which enforcer should be used: "allow all" or "default". - Default enforcer is set to `StandardSecurityPolicyEnforcer` unless - GCS is built with "rego" tag present. In that case, the default - enforcer will be set to `RegoEnforcer`. - - New annotation has been added that allows callers to pick which - enforcer to use, e.g. - ```pod.json - { - ... - "annotations": { - "io.microsoft.virtualmachine.lcow.enforcer": "rego" - }, - ... - } - ``` - - Signed-off-by: Maksim An - -commit dca430eb856bad1992391dcc48a5d7f60b526697 -Merge: 09cb21116 7ef9edefd -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Aug 18 10:27:50 2022 -0700 - - Merge pull request #1484 from dcantah/shortcircuit-stats - - Short circuit Properties calls if NULL handle - -commit 7ef9edefd0fc4c9fa98c7c95347103246035b0d9 -Author: Daniel Canter -Date: Wed Aug 17 12:39:42 2022 -0700 - - Short circuit Properties calls if NULL handle - - The only two methods on a compute system that didn't short circuit if - the system was already closed were Properties and PropertiesV2. - - 
Signed-off-by: Daniel Canter - -commit 09cb211165157283efd5eef4da372eabac466423 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Tue Aug 16 14:38:24 2022 -0700 - - Fix a race condition in addSCSI (#1483) - - addSCSI currently uses the mutex only to check if a disk is already attached to the UVM. However, no mutex is - held when actually attaching the disk to the UVM. Because of this if two goroutines try to add the same SCSI - disk to a UVM at the same time, one of them will see that the disk is not already attached, will add an entry - into the controller/LUN map and continue with the attach process. The other goroutine will just see the entry - in the map and returns thinking that the SCSI disk is already attached to the UVM. At this point the disk - attach operation from the first goroutine is still in progress so if the second goroutine tries to use that - disk inside the UVM it fails with cryptic errors from overlayfs (or whatever other component in the guest that - tries to use this disk). - - To get around this problem, we now include a channel in each SCSIMount struct that should be used by all the - goroutines (except for the very first goroutine that adds this disk) to wait until the mounting of that SCSI - disk is complete. Only the very first goroutine that adds this disk should close it. - - Signed-off-by: Amit Barve - - 
Signed-off-by: Amit Barve - -commit 298b31d151ab799c1d7686f8ee9eec1cb4213926 -Merge: 774ce8fed bf8bdb0fa -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Aug 16 00:33:19 2022 -0700 - - Merge pull request #1480 from dcantah/fix-lint-issues - - Fix golangci-lint issues - -commit bf8bdb0fa5befb4e0e36d50b8e43f3880bc74416 -Author: Daniel Canter -Date: Fri Aug 12 04:53:42 2022 -0700 - - Update lint/setup-go setup in CI - - v3 golangci-lint action removed the skip-go-installation flag - and now explicitly requires using the setup-go action to function. - - - Get rid of skip-go-installation - - Swap to v3 of setup-go - - Remove only-new-issues usage - - Signed-off-by: Daniel Canter - -commit 9364e4c0bb457f4f1746a9cc877738450419c8dd -Author: Daniel Canter -Date: Fri Aug 12 04:52:00 2022 -0700 - - gofmt -s the world - - gofmt -s on go 1.19 - - Signed-off-by: Daniel Canter - -commit b6cd0c39099976da6544336981624a75671e3cc6 -Author: Daniel Canter -Date: Fri Aug 12 04:02:20 2022 -0700 - - Don't lint neterror.Temporary - - We're reworking the hcs/errors package soon, but in the meantime - don't lint the use of the deprecated err.Temporary. - - Signed-off-by: Daniel Canter - -commit 030e864800ed47cc9b35cfaef3fe6d04bef6e912 -Author: Daniel Canter -Date: Fri Aug 12 03:36:32 2022 -0700 - - Move CopyFileW definition to /internal/winapi - - We had a stray use of syscall.Syscall that should be in winapi with the - rest of our defs. - - Signed-off-by: Daniel Canter - -commit 483afe927baef6eea344667aaf575b60e52ffda4 -Author: Daniel Canter -Date: Thu Aug 11 21:03:40 2022 -0700 - - Get rid of io/ioutil usage - - Gets rid of io/ioutil usage in favor of the os and io replacements. - ioutil has been deprecated since 1.16. - - This additionally starts to use t.TestDir() in some tests instead which - is a nice side effect. - - 
Signed-off-by: Daniel Canter - -commit 774ce8fedebe45e870ccb8d4ab40a9280a499ff9 -Author: Maksim An -Date: Mon Aug 15 17:14:31 2022 -0700 - - tests: add test coverage for https://github.com/microsoft/hcsshim/pull/1456 (#1482) - - - Signed-off-by: Maksim An - -commit 3cf65d16bcfb08bc0b316e12af4e01dfdc6af147 (tag: v0.10.0-rc.1) -Merge: 5f3659a22 e3845fe6b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Aug 12 16:26:07 2022 -0400 - - Merge pull request #1481 from dcantah/fix-jobobj-def - - Fix OpenJobObject definition - -commit e3845fe6be054ae42ee4e78f59f42be228c16689 -Author: Daniel Canter -Date: Fri Aug 12 06:06:11 2022 -0700 - - Fix OpenJobObject definition - - BOOL is a typedef for int not a boolean - - Signed-off-by: Daniel Canter - -commit 5f3659a22c22fc16f458e1cd32e11c6c4ec4522f -Merge: 0de9beec5 f7f0a24ae -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Aug 11 21:25:55 2022 -0400 - - Merge pull request #1478 from dcantah/fix-logentry - - Properly assign logrus entry for fallback queries - -commit f7f0a24ae26b02352c95b76d0238394a6e63be99 -Author: Daniel Canter -Date: Thu Aug 11 11:14:03 2022 -0700 - - Properly assign logEntry for fallback queries - - I didn't reassign the logEntry that contained the error reason if - querying for stats in the shim failed - - Signed-off-by: Daniel Canter - -commit 0de9beec519bfe0fd0b50558219a212261da1f4a -Merge: 2a9d2d99a 7b51f8ddf -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Aug 11 20:34:38 2022 -0400 - - Merge pull request #1479 from dcantah/pin-gover - - Update to Go 1.18 - -commit 7b51f8ddfe8ce46807d0b4c47bded28e44638a03 -Author: Daniel Canter -Date: Thu Aug 11 15:19:08 2022 -0700 - - Update golangci-lint to v3 and newer version - - Might as well stay up to date, and the version we were using I - believe didn't support linting generics - - 
Signed-off-by: Daniel Canter - -commit 2a2380bc4a05521210f3937a8eccf9380f94bd8e -Author: Daniel Canter -Date: Thu Aug 11 14:55:12 2022 -0700 - - Pin CI to 1.18.x - - This change pins the CI to a patch release of 1.18. Prior we were - using a caret specifier set to ^1.17.0 which matches to - - >= 1.17.0 but <2.0.0 - - Additionally move all go-version calls to read from a global environment - variable so we only need to edit one spot to change the go version. - - Signed-off-by: Daniel Canter - -commit dbbbd14069af0aef1ccc7aa79d07882cfd99bfa5 -Author: Daniel Canter -Date: Thu Aug 11 14:38:12 2022 -0700 - - go.mod: Upgrade to 1.18 - - 1.17 is out of support as of 1.19's release and there's no real pressing - need to stay on 1.17. 1.18 apparently has a smarter traversal of deps as - quite a few entries get plucked out. - - Signed-off-by: Daniel Canter - -commit 2a9d2d99a9f7713590bc9a8049e1aa25f0ff9b7e -Merge: ba4bfca3f 2c82abd0b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Aug 10 09:32:09 2022 -0400 - - Merge pull request #1463 from dcantah/computestorage-ver-fixes - - Remove osversion usage in computestorage APIs - -commit ba4bfca3fdbe5421395db4a5d65788646c780adf -Author: Maksim An -Date: Mon Aug 8 11:15:58 2022 -0700 - - enforcement: fix use case when the same target has different hashes (#1469) - - Fix an issue when the same mount target could have different hashes - during device mount policy enforcement. - Although it's possible to mount different devices at the same mount - location, this doesn't make sense for read-only container layers. - The device mount enforcement logic has been updated to cover this - case. - This was discovered by randomized security policy unit tests. - - The tests have been updated, to minimize the chance of it happening - by adding a minimal length for a random string and appropriate unit - test has been added to cover the change. - - 
Signed-off-by: Maksim An - -commit 2c82abd0bf732a08de4882653ec93b0318a36482 -Author: Daniel Canter -Date: Mon Aug 1 14:05:55 2022 -0700 - - Document breaking change in HcsFormatWritableLayerVhd - - Add a comment on our wrapper of HcsFormatWritableLayerVhd to describe that - it expects a different handle on anything above ws2019. Additionally add - a comment above SetupBaseOSVolume stating what build it's supported on - and that the application must be manifested - - Signed-off-by: Daniel Canter - -commit a177a5acecf4d27751aa91ba0d6d1191d09de2ec -Author: Daniel Canter -Date: Mon Aug 1 13:54:15 2022 -0700 - - Revert "Pass disk handle for computestorage.FormatWritableLayerVhd on RS5 (#1204)" - - This reverts commit aaf5db90ef6961e767a4d5ca4bcf7f1f6465bcca. - - We'd added a change to FormatWritableLayerVhd to help the caller work around - a breaking change in the OS, but this would actually cause a breaking change - in our wrapper of it if the caller was already working around the issue - themselves. To avoid this scenario, revert the commit that added the - "friendly" behavior. - - 
Signed-off-by: Daniel Canter - -commit a244751aa576c193c22d490f6de22291ddd24e1f -Merge: fcf074dcb 5cfa86d4e -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Aug 3 15:33:17 2022 -0700 - - Merge pull request #1473 from dcantah/hpc-pshell-path - - Add powershell to hostprocess container paths - -commit 5cfa86d4e726888f8ddd13b555623eec65b3d29d -Author: Daniel Canter -Date: Wed Aug 3 06:54:56 2022 -0700 - - Add powershell to hostprocess container paths - - A large use case for these containers is to get a shell onto a node or - to carry out administrative tasks via powershell commands, but a lot - of images have a PATH defined in the docker file that only includes system32. - - Before any sort of slim image is available for these that doesn't have a - PATH set (so it will just use the hosts) add in powershell and the system32/wbem - dir for wmic to alleviate some "what is going on" moments. Additionally - rearrange some code closer together that was a bit too spread for no reason. - - Signed-off-by: Daniel Canter - -commit fcf074dcb6f50a82964047432a7e4e1217318708 -Author: Maksim An -Date: Thu Jul 28 00:31:08 2022 -0700 - - tests: run securitypolicy tests in github CI (#1470) - - Add new "test-linux" job and update existing "test" - job to "test-windows". Also update job dependencies. - - 
Signed-off-by: Maksim An - -commit 176bb0601a2e5c613f586bae0c5fb6ea71bd10b0 -Author: Maksim An -Date: Thu Jul 21 17:50:37 2022 -0700 - - VPMem device unmap VHD, don't remove VPMem itself. (#1456) - - When using VPMem multi-mapping feature, we can end up in a - situation when a VHD at offset 0 is not the last VHD that - is being removed: - 1. Add the very first VHD (vhd1) and essentially VPMem - (vpmem1) device itself will add the vhd1 at offset `0`. - Mapped VHD count: `1` - 2. Add second VHD (vhd2), which be mapped at offset `N`. - Mapped VHD count: `2` - 3. Remove vhd1 at offset `0`. Mapped VHD count: `1` - 4. Try removing vhd2 will result in removing the VPMem - device itself, however, HCS API doesn't allow that. - Which is most likely a bug. Removing VPMem with 0 - mapped VHDs also doesn't work. - - As a work-around, keep the VPMem "intact" and just remove the - last mapped VHD. The VPMem can still be used later to map new - VHDs. - - Signed-off-by: Maksim An - -commit 41d8f5a2fead90a08b280c1728cc354d16f08475 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jul 21 14:40:51 2022 -0700 - - Remove uneccessary use of silos in jobobject tests (#1464) - - Two tests added recently by yours truly don't need to be running as - silos. Remove the silo field set to true. Was running into this when - trying to backport a fix to a branch that doesn't have the silo work. - - 
Signed-off-by: Daniel Canter - -commit 598ea471a75ced1cdb74f33b6e6afb4179cd521c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jul 20 14:02:50 2022 -0700 - - Add IO tracking option for job objects (#1459) - - * Add IO tracking option for job objects - - HCS enables this to get more in depth IO stats for the silo of the - container. I'd swapped hostprocess containers to querying for - these stats but without the prerequisite of actually enabling them :) - - This change adds a new option on jobobject.Options{} to enable this - functionality and adds a new test to ensure we can actually call - StorageStats now. - - Signed-off-by: Daniel Canter - -commit 84e0f9d19bffe65c26c2f54c3d318b309ea5c683 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jul 20 01:32:21 2022 -0700 - - Add annotations passthrough for host process containers (#1423) - - * Add annotations passthrough for host process containers - - This changes adds in a way for annotations specified for a sandbox - container to be passed through to every container in the pod. - K8s only passes annotations to the RunPodSandbox call and not to individual - containers unfortunately. To accomplish this I cache the pod sandboxes OCI - spec on the pod object as well as expose a method that passes through - specific annotations from the pod spec through to an individual containers. - - This is useful for a couple of host process containers annotations, like - microsoft.com/hostprocess-rootfs-location which specifies a non-default - path for the rootfs of the container to show up at. - - 
Signed-off-by: Daniel Canter - -commit 9ad494a1f57f7d72119eac2e046d55c821863a09 (tag: v0.10.0-rc.0) -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Jul 18 15:28:00 2022 -0700 - - Backwards compat for hostprocess cntrs mounts (#1458) - - In beta, mounts couldn't be unique per silo so they were mounted - to a relative path under the rootfs for the container. There's a - bunch of pod specs/apps floating around that were written with that - in mind so as to make a smooth transition, additionally keep mounting - them under the rootfs for now via the same approach (symlink the dir/file). - - Signed-off-by: Daniel Canter - -commit f59b1f249e6584cc535e7eecfe1829c17f5434d1 -Author: Maksim An -Date: Thu Jul 14 12:31:55 2022 -0700 - - Add vpmem mount capability to uvmboot (#1455) - - Signed-off-by: Maksim An - -commit 873b8e122faae117e6daaa2df7244dd40a7080cd -Author: Maksim An -Date: Thu Jul 14 12:12:00 2022 -0700 - - linter: fix linting issues (#1457) - - Additionally fix the queue tests logic. - - Signed-off-by: Maksim An - -commit 12d4cd8f9abaf895ee4a2daa6c5837554b92e33d -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jul 12 22:56:53 2022 -0700 - - Rework /internal/queue package (#1449) - - * Rework /internal/queue package - - Given our use cases for this package, we don't need methods that don't block - on reads if there's no value to be read. Due to this, I've removed the - ReadOrWait function and did a small redesign of the methods to be more - in line with standard queue method naming. - - * Change Read/Write/IsEmpty to Dequeue/Enqueue/Size and remove ReadOrWait. - Now there is no version of Read/Dequeue that doesn't block if the queue - is empty. - * Fix up tests to be in line with this removal of the non-blocking read - and simplified most of the tests. - - 
Signed-off-by: Daniel Canter - -commit 94f78da96a60b45258ca27bf82d2d5e392b0b0cc -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Jul 12 12:54:58 2022 -0400 - - Add CI stage dependencies (#1453) - - * Add CI stage dependencies - - Reorganize CI to run in stages, so lint and protobuild are dependencies - for vendoring, which in turn is required for testing then building. - - This allows issues to be caught early on, and prevents long-running - test stages to run before lint or vendor issues fail CI. - - Ran YML formatter on ci.yml file. - - Added `if` condition to uploading test binary artifices for non PR - runs, to avoid unnecessary uploading and storage. - - Signed-off-by: Hamza El-Saawy - - * PR: job names - - Github branch protection is confused by names, so remove them - - Signed-off-by: Hamza El-Saawy - -commit a6e48768b57d2e5242da835d5252e91c26c2fecc -Author: Gabriel -Date: Fri Jul 8 03:45:02 2022 +0300 - - Fix access denied when killing stopped container (#1447) - - This change fixes access denied errors when killing an already stopped - host process container. - - This change also uses errors.Is() to compare errors in various functions - of the hcs error package. This allows error wrapping while still - properly validating that a wrapped error is of a certain type. - - 
Signed-off-by: Gabriel Adrian Samfira - -commit 70499977f085dd880592c5b925963464910369a5 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jun 29 13:48:06 2022 -0700 - - Correctly set silo field when opening job object (#1437) - - * Correctly set silo field when opening job object - - We don't set the silo field on Open of an existing job object today. - This is useful if once opening a job we want to bind a file that only - that silo can see as it relies on atomically checking the `silo` u32 - field to determine if we can carry out the operation. - - The manner in which we check if the job is a silo is by using a new - jobobject information class with QueryInformationJobObject that fails - unless the job is a silo. - - Signed-off-by: Daniel Canter - -commit aa4005736c4e03e3182c5a877d6bb3db1d94dbf3 -Merge: 362e3d254 e6ee5669a -Author: Maksim An -Date: Tue Jun 28 14:16:47 2022 -0700 - - Merge pull request #1441 from anmaxvl/policy-duplicate-layers - - Fix policy enforcement to handle identical layers. - -commit e6ee5669a36470dc596173d3db7b4cb8f0c7c985 -Author: Maksim An -Date: Tue Jun 28 13:46:56 2022 -0700 - - Use single testRand instance for the entire test run. - - Signed-off-by: Maksim An - -commit 57a1f7e742f847c7328a6993fe0f7f8ee756610b -Author: Maksim An -Date: Tue Jun 28 13:31:08 2022 -0700 - - Add unit test to validate that overlay with duplicate layers can be mounted. - - Signed-off-by: Maksim An - -commit f6b45ccb15b9944b0e5e2bcc6c16247adad14739 -Author: Maksim An -Date: Mon Jun 27 18:17:05 2022 -0700 - - Update `StandardSecurityPolicyEnforcer` docs. - - 
Signed-off-by: Maksim An - -commit 3f1f195dc3a05e8c9c1d4bb7772f7e00bb6cf65c -Author: Maksim An -Date: Thu Jun 23 11:59:16 2022 -0700 - - Fix policy enforcement to handle identical layers. - - Read-only container layer enforcement currently tracks which layers - have been mounted for each container. The state is being tracked - by maintaining a 2D slice of device targets and each slice represents - a potential overlay FS that can be used for a given container. - Index `i` in the Devices slice corresponds to container at index `i` - in the policy. For example for containers with the following hashes: - ``` - [ - [hash1, hash2, hash3], - [hash1, hash4], - ] - ``` - The corresponding Devices slice will look something like: - ``` - [ - [/mnt/target1, /mnt/target2, /mnt/target3], - [/mnt/target1, /mnt/target4], - ] - ``` - - Each individual slice then corresponds to a potential overlay fs: - - overlay1: `[/mnt/target1, /mnt/target2, /mnt/target3]` - - overlay2: `[/mnt/target1, /mnt/target4]` - - The issue arises when container contains duplicate layers like: - ``` - [ - [hash1, hash2, hash2], - [hash1, hash4], - ] - ``` - The potential overlays will be computed as following: - ``` - [ - [/mnt/target1, /mnt/target2, /mnt/target2], - [/mnt/target1, /mnt/target4], - ] - ``` - Instead of: - ``` - [ - [/mnt/target1, /mnt/target2, /mnt/target3], - [/mnt/target1, /mnt/target4], - ] - ``` - The issue is reproducable by the following Dockerfile: - ``` - FROM ubuntu:latest - COPY script.sh . - RUN chmod +x script.sh - ``` - where `script.sh` already has executable permission flag set. - - To address the issue, the logic to track currently mounted devices - and enforcing the overlay has been updated. 
- Instead of tracking potential overlays, we track the devices that - have been mounted and their hashes: - ``` - { - /mnt/target1: hash1, - /mnt/target2: hash2, - /mnt/target3: hash2, - } - ``` - During overlay, we map the mount targets to the hashes and check - the resulting hash chain against the ones in the policy. - - Signed-off-by: Maksim An - -commit 362e3d25472f3142a5ab2ec592a962a2ff44f2c9 -Merge: 9d94ed916 85c80e30d -Author: Maksim An -Date: Mon Jun 27 14:53:56 2022 -0700 - - Merge pull request #1442 from douglasmaciver/domac/secpol-unittest-a - - Fixed securitypolicy unit tests: AllowElevated and struct references. - -commit 85c80e30deb25d04ee3cbef4dc71bb6cdeec7f84 -Author: Douglas MacIver <62668331+douglasmaciver@users.noreply.github.com> -Date: Sun Jun 26 15:52:27 2022 -0800 - - Fixed securitypolicy unit tests: AllowElevated and struct references. - - Signed-off-by: Douglas MacIver <62668331+douglasmaciver@users.noreply.github.com> - -commit 9d94ed91682e0b3fcf41f6e30aaee4739b0e9a38 -Author: Maksim An -Date: Fri Jun 24 10:00:23 2022 -0700 - - Always set SECURITY_POLICY env var, even for open door policy. (#1397) - - Previously SECURITY_POLICY env var was set for container init process - only when StandardSecurityPolicyEnforcer was in use, however the - environment variable is useful even with OpenDoor enforcer. - - Address this gap by updating enforcers and adding an accessor - method. - - Add annotation to set SECURITY_POLICY env for containers. - - Export oci.ParseAnnotationsBool - - Update tests - - Signed-off-by: Maksim An - -commit 0d44ba488b03437176dadd16ee2a55ca91f5af8b -Author: Maksim An -Date: Fri Jun 24 07:39:39 2022 -0700 - - downgrade mingw to 10.2.0 (#1440) - - For more context on the reason for the downgrade containerd/containerd#7062 - - 
Signed-off-by: Maksim An - -commit 2c31b1ac6f70ad3c79ff5c457ed46c0a5c04074d -Merge: 1ec8cadfb 138c05c21 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jun 23 22:34:17 2022 -0700 - - Merge pull request #1434 from dcantah/upgrade-test-criapi - - Fix up hostprocess integration tests - -commit 1ec8cadfb2b85b2de2e3c8a5128fb16f7f9822d9 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jun 23 07:51:18 2022 -0700 - - Fix unsafe uses of unsafe.Pointer (#1438) - - Per rule 4 of unsafe.Pointer usage, conversion of a unsafe.Pointer - to a uinptr to pass to the syscall.Syscall family should only be done in - the argument list. We had a couple spots where we were passing it in as - an argument to a small wrapper function until it reached the underlying - syscall.Syscall*. - - https://pkg.go.dev/unsafe#Pointer - - Signed-off-by: Daniel Canter - -commit bc3b951b6ed926bc34a8fd319125cecbe2e302c1 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Jun 22 17:22:30 2022 -0400 - - Remove log file from runc commands (#1436) - - Certain runc commands (eg, Delete, State) do not need to use a log file - since they do not pass stdio to the container. - This PR switches the commands to consume the error directly from stderr, - without needing to parse from a file. - - This fixes a bug where the directory containing the runc log file for a - container is deleted before the container itself can be deleted via the - runc command. - - 
Signed-off-by: Hamza El-Saawy - -commit 6a191649836d428adcc5dafcbb7cd61f1f4da8e7 -Merge: 06ce0c3c3 f128b6050 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jun 22 11:45:28 2022 -0700 - - Merge pull request #1427 from gabriel-samfira/add-cri-integration-job - - Adds cri-integration job - -commit f128b60500c5d636e76b5489369fe60f0284f1d6 -Author: Gabriel Adrian Samfira -Date: Thu Jun 9 17:48:25 2022 +0300 - - Add integration tests - - This change adds integration tests to hcsshim. We currently run only the - containerd tests, with tasks already written (but disabled) to run the - cri-containerd tests in this repo. - - Signed-off-by: Gabriel Adrian Samfira - -commit 06ce0c3c367904ee6e27130344b021bb66007c7c -Author: Maksim An -Date: Fri Jun 17 17:22:22 2022 -0500 - - fix shared scratch scenario (#1435) - - When mounting container layers we override containerScratchPathInUVM - with scsiMount.UVMPath after calling into vm.AddSCSI(...), which is - fine in scenarios when scratch disk isn't shared. In case when scratch - sharing is enabled, the scsiMount returned has sandbox container's - scratch path and we end up mounting all of the workload containers' - overlay at `/run/gcs/c//container_` instead of - `/run/gcs/c//container_` and `/run/gcs/c//container_`. - - Fix by removing the unnecessary assignment. - - 
Signed-off-by: Maksim An - -commit 138c05c21febfd09364e9df0563d6165d7eab2e2 -Author: Daniel Canter -Date: Fri Jun 17 11:01:50 2022 -0700 - - Fix up hostprocess integration tests - - This fixes a couple issues with the host process integration tests. - - - Instead of passing the annotation to ask for a host process pod, use the - hostprocess CRI fields instead. The annotations used to work, however - containerd now overrides these with the value of the hostprocess CRI field - so this is the only way to ask for hpc now. - - - The VHD test would hit a "Paramter is incorrect" error on attaching the vhd. - Not sure what's causing this but it's probably the set of flags used to open - the vhd inside AttachVhd, as supplying no flags has the open succeed. - - - Now that there's new behavior for mounts for hpc if the bindflt dll is - available, gate some of the tests that tested the old behavior behind - rs5 for now. - - Signed-off-by: Daniel Canter - -commit 087198148867e51a55b3bea60f7d32899b734a8c -Author: Daniel Canter -Date: Fri Jun 17 10:58:28 2022 -0700 - - go.mod /test: Upgrade CRI API to 0.24.1 - - Upgrades CRI api dep to the same containerd depends on at the moment. This - is mostly to get access to the HostProcess fields that were added in 1.22. - - Signed-off-by: Daniel Canter - -commit d7b9771ff6ffb2a0ca10bb643c15a91cf2c227c3 -Author: Maksim An -Date: Fri Jun 17 12:16:24 2022 -0500 - - Add Plan9 support when booting from VMGS (#1429) - - 
Signed-off-by: Maksim An - -commit c50f2afc8dce88f47669a22b079d8be92e4241b8 -Merge: 5fcd02ca0 38880f85d -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jun 16 10:57:56 2022 -0700 - - Merge pull request #1407 from microsoft/users/GitHubPolicyService/a8cc929d-2f10-430a-915d-ceb313709830 - - Adding Microsoft SECURITY.MD - -commit 5fcd02ca0e53d3332bf31308029fb6bfca13a928 -Author: Maksim An -Date: Fri Jun 10 11:23:56 2022 -0500 - - update docs for security policy tool (#1426) - - After adding "allow_elevated" config to contianer policy the - docs hasn't been updated. - - Signed-off-by: Maksim An - -commit bebc7447316b33a2be4efdbd30e306f2c30681a5 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jun 8 15:03:25 2022 -0700 - - Change bind filter API used (#1424) - - Change to using BfSetupFilter instead of BfSetupFilterEx. The Ex variant is - only useful if you want to pass a SID to perform the bind as a specific - user. We don't use this functionality, and it didn't exist on some - versions of Windows as well. - - Signed-off-by: Daniel Canter - -commit c7b6cdd44a00b3dbc11d65e86c7303db51e9374f -Merge: 671ec23d7 de43d1348 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jun 7 16:14:13 2022 -0700 - - Merge pull request #1422 from dcantah/remove-testvendor-again - - Remove /test/vendor.. again - -commit de43d1348676d5d043624e29aadd49a80be6b160 -Author: Daniel Canter -Date: Tue Jun 7 15:41:32 2022 -0700 - - Remove /test/vendor.. again - - Think a bad rebase on my previous commit to remove this - brought back portions of the vendor dir. This should get rid of - all of it. - - 
Signed-off-by: Daniel Canter - -commit 671ec23d733d9ea1592b7dec246d644cf8efe7b8 -Merge: 360c32048 baf9ebe4c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jun 7 10:19:01 2022 -0700 - - Merge pull request #1420 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.13 - - Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 in /test - -commit 38880f85d59de94ef43f3d18a9d897d2ef0d533b -Author: microsoft-github-policy-service[bot] <77245923+microsoft-github-policy-service[bot]@users.noreply.github.com> -Date: Fri May 20 14:51:16 2022 +0000 - - Microsoft mandatory file - -commit baf9ebe4c7b78f862ad7598f26c69b8a9de69424 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Tue Jun 7 17:07:33 2022 +0000 - - Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 in /test - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.10 to 1.5.13. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.10...v1.5.13) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - 
Signed-off-by: dependabot[bot] - -commit 360c32048f55688fce22fcfde2e53bbb5a56c644 -Merge: 4e602397a 19ddef516 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jun 7 10:06:36 2022 -0700 - - Merge pull request #1421 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.13 - - Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 - -commit 19ddef516daffd47c56f0ef15ef67845a7e339f7 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jun 6 22:12:59 2022 +0000 - - Bump github.com/containerd/containerd from 1.5.10 to 1.5.13 - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.10 to 1.5.13. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.10...v1.5.13) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - 
Signed-off-by: dependabot[bot] - -commit 4e602397ae0a3cf1f1df4f06929c5175e2c61d65 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jun 3 16:30:47 2022 -0700 - - Remove vendor dir in /test (#1417) - - Given this slows down development both for us and external contributors - as for most changes one would need to run `go mod vendor` in /test to - bring in the latest local hcsshim changes, I think it's time we removed - this. - - Pros: - 1. Easier for automated tooling like dependabot, and more recently a - Microsoft security bot, to make PRs that can just be checked in. - All of these automated PRs tend to fail as the bot doesn't know it would - need to run go mod vendor in /test as well for our repo. The approach today - to check these in is typically someone manually checks out the branch - dependabot (or whatever other bot) made, vendor to test, and then push a - new commit to those automated PRs and then we can check them in. - - 2. Speeds up development flow as we don't need to go mod vendor in test - before pushing almost every change. - - 3. Speeds up external contributions as well as there's no extra step to - follow to make a change to most things in /internal anymore. We state that - this needs to be done in our README, but it's probably a testament to how - odd our setup is that it's missed here and there. - - Cons: - 1. We lose the main selling point of vendoring for our test dependencies - which is that if one of our dependencies is no longer accessible - (deleted, renamed, whatever else) we don't have a local copy included - in our repo. This will increase our dependence on the Go modules proxy - server which seems like a fair tradeoff, and I think we're fine with this for - test dependencies at least. - - I've removed the references to this extra step in the README as well as - got rid of the CI step verifying that the vendor dir was up to date. 
I - don't think we needed the mod=vendor env var either, as since go 1.14 if - there's a top level vendor folder I believe the flag is transparently set - for commands that accept it. - - Signed-off-by: Daniel Canter - -commit 37ceff70a2725065af2379bf675d9648141fb21b -Author: Maksim An -Date: Fri Jun 3 15:30:58 2022 -0500 - - Rename ExpectedMounts to WaitMountPoints (#1413) - - `ExpectedMounts` was a poor name choice and was confusing in the - context of mount policy enforcement. - - Signed-off-by: Maksim An - -commit 5f581714d3b1c5d0359469385c1b0b0cdd01ee43 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jun 3 11:02:15 2022 -0700 - - Fix spelling mistake in runhcs options (#1415) - - protentially -> potentially - - Signed-off-by: Daniel Canter - -commit a4ae0fa29340bbfae4f6f01b4cc491806b4fe575 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jun 3 10:44:34 2022 -0700 - - Fix nil deref in Windows layer setup (#1418) - - The OS of the UVM was being checked by a pointer method at the start - of the function when passing in a UVM object is optional. For process - isolated and host process containers nil would be passed where this - would be hit. - - 
Signed-off-by: Daniel Canter - -commit 883146dddbf92a0875adb60acab9eee22c889697 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jun 3 09:55:57 2022 -0700 - - Implement file binding support for host process containers (#1344) - - * Implement file binding support for host process containers - - This change adds in file binding support for host process containers - if the host has the functionality available (bindfltapi.dll exists). - This makes it so mounts in the runtime spec actually show up in the - container at mount.Destination instead of simply being symlinks to a - relative path, as well as are completely unique per container. This is - achieved by upgrading the job object to a silo and making use of silo - local file bindings that the Bind Filter supports. - - This support additionally opens up the opportunity for the rootfs for the - container to be container local and unique. So instead of the rootfs showing - up to any process on the host and being located at C:\C\, it - now (by default at least) will be present at C:\hpc and be unique in - each container as well. In a similar fashion to the mount changes, this - only takes affect if the host has file binding support available. - - 
Signed-off-by: Daniel Canter - -commit a750a7fa43a5c93e736d3e1cc12d8b6b04ca60fe -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Fri May 27 08:59:58 2022 -0700 - - Cleanup for shared container scratch (#1414) - - * Cleanup for shared container scratch - - Normally, container scratch is a separate VHD that is mounted at `/run/gcs/c/` The - mount vhd call to gcs creates this directory and mounts the disk at that path. The modify - combined layers call creates the `upper` & `work` directories at `/run/gcs/c//upper` - & `/run/gcs/c//work` and also creates the rootfs directory at - `/run/gcs/c//rootfs`. Finally, overlayfs is mounted at `/run/gcs/c//rootfs` for - the container to run. The remove combined layers call will remove the - `/run/gcs/c//rootfs` directory. The unmount VHD will remove the `/run/gcs/c/` - directory. The `upper` & `work` directories continue to live on the container sandbox VHD - until that snapshot is removed. - - However, when the container scratch VHD is shared with the UVM (the UVM scratch is mounted - at /run/gcs/c/) the container scratch vhd mount doesn't do anything since the VHD - is already mounted. It just increases the ref count of this VHD by 1. Hcsshim sets the - container scratch as `/run/gcs/c//container_` and makes the combine layers - call. The modify combine layers call creates the `upper` & `work` directories at - `/run/gcs/c//container_/uppper`, `/run/gcs/c//container_/work` and - the rootfs is created at `/run/gcs/c//rootfs`. (Note that all of these are mkdirAll - calls so they create any non-existing parent directories too). The remove combined layers - call removes the `/run/gcs/c//rootfs` directory but the unmount VHD call doesn't - actually do anything, it just reduces the ref count by 1. So, in this case, the - `/run/gcs/c//container_` directory never gets cleaned up and continues to - occupy space on the UVM scratch VHD. 
- - GCS currently doesn't know anything about the container scratch directory path, so it - never cleans it up. Even when `DeleteContainerState` request is made. This is okay when - the scratch is not shared since the container scratch VHD is separate and it will be - cleaned up when containerd removes the container snapshot. However, in the shared scratch - case these scratch directories are leaked. - - To correctly handle this case, we need to cleanup the container scratch directory during - the `DeleteTask` call. This commit updates the container creation request doc to also - include the container scratch directory path so that gcs has this path when the - `DeleteContainerState` request is made to the GCS. Also, previously we called - `DeleteContainerState` during `ReleaseResources` call. However, `ReleaseResources` is - called during `KillTask`/`ShutdownTask` request and shouldn't delete any resources that - belong to the container so that call is removed. - - - 
Signed-off-by: Amit Barve - -commit bf98c3da3c4385f8f30468847146898891f044c3 -Author: Maksim An -Date: Wed May 25 11:15:42 2022 -0700 - - Add security policy config to allow containers to run in privileged mode (#1366) - - Add new container security policy config "AllowElevated", which when set - allows running container in privileged mode. As an initial implementation - this adds sysfs and cgroup mount constraints with "rw" mount option to - the container's mount policy. Later, more thorough container spec validation - for privileged containers should be added (e.g. validating capabilities in - container spec). - Introduce `standardEnforcerOpt` type which allows updating internal - security policy representation and add an opt to append mount constraints for - privileged container mounts,`NewSecurityPolicy` now accepts enforcer options. - securitypolicy.Containers.toInternal now returns a slice of pointers rather - than objects. This makes sure that modification through enforcer options are - presereved. - - Add CRI tests to cover the new functionality. - - Signed-off-by: Maksim An - -commit 96c81335c6102ce3dc46584becbdd0b75cad1947 -Author: Maksim An -Date: Tue May 24 17:08:25 2022 -0700 - - fix unused commandArgs (#1411) - - Signed-off-by: Maksim An - -commit ffc59370a9227ce9b6284f55004d70d038f9ca2a -Author: Maksim An -Date: Mon May 23 13:19:33 2022 -0700 - - Add handling of ENTRYPOINT and CMD when "command" not in policy (#1304) - - Container images may contain ENTRYPOINT and CMD directives and in - the case when "command" is missing in policy config, that information - needs to be inferred from the image itself. - - 
Signed-off-by: Maksim An - -commit ce36677c16415736a1cb3cc51e80b6dc69dc4107 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 23 10:39:35 2022 -0400 - - Pass span context in ociwclayer (#1402) - - Bypass function in base packaged (layers.go) and use layer functions - defined in `internal/wclayer`, since those allow propagating (span) - context. - - Signed-off-by: Hamza El-Saawy - -commit 5c518f1f0f5530e1bb92b3c6ea02af011154e8f7 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri May 20 13:50:27 2022 -0700 - - Fix nil deref if no shim options were specified (#1398) - - * Fix nil deref if no shim options were specified - - This fixes a nil deref possible if no shim options for the runtime - specified were supplied. For example: - - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process.options] - - vs. - - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process.options] - SandboxIsolation = 0 - - Signed-off-by: Daniel Canter - -commit be02f1d1ce8a826ac864a3d907066aa1b7c2e9a0 -Merge: ed5d58e0d 9ef6876c8 -Author: Maksim An -Date: Fri May 20 10:17:16 2022 -0700 - - Merge pull request #1404 from edef1c/dm-verity-unsafe - - Don't use unsafe.Sizeof where encoding/binary.Size suffices - -commit ed5d58e0d8ee26b1db324ee075fb92233602cf9b -Author: Sean T Allen -Date: Fri May 20 10:51:11 2022 -0400 - - Fix typo in comment (#1406) - - Signed-off-by: Sean T Allen - -commit 9ef6876c8df48928895f590e8a33090c94ee99f1 -Author: edef -Date: Thu May 19 21:05:05 2022 +0200 - - Don't use unsafe.Sizeof where encoding/binary.Size suffices - - unsafe.Sizeof depends on ABI details, but we're not actually using the - raw memory layout of dmveritySuperblock. We're just writing it out with - encoding/binary.Write, so encoding/binary.Size gives the relevant size. - - 
Signed-off-by: edef - -commit 0b7e02b6b5a035fda83846c29c6fdacf2d95dacd -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed May 18 13:46:30 2022 -0400 - - extra ` (#1401) - - Signed-off-by: Hamza El-Saawy - -commit 2e6e81a2bb55044402f32705c94e4feb966c4004 -Author: Maksim An -Date: Wed May 18 10:16:58 2022 -0700 - - Add secure hardware support for uvmboot (#1390) - - Fix a bug where resource modifications are not rejected when running - in non-snp mode by setting a default open door policy when no - security policy is passed and making sure that security policy is - always set for UVM. Additionally, don't assume that security hardware - is present when a security policy is set explicitly. - - Add a flag to boot from VMGS file. - - Signed-off-by: Maksim An - -commit c6aa049302f737aec2f1bbd093af3ee4fdf50b01 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue May 17 10:23:00 2022 -0700 - - Fix Hyper-V check in late clone spec comparisons (#1400) - - In the function that handles checking if the cloned containers spec - retrieved from the registry matches the current spec, it was comparing - the hyperv field on the runtime spec using the != operator which won't - work as the hyperv field is a pointer so it would just be comparing the - addr. Swap to reflect.DeepEqual. - - This became an 'issue' as we set the hyperv field now if in our shim - options SandboxIsolation is set to the HYPERVISOR option. This doesn't - have much of an effect being set for containers that are going to be launched - IN the UVM, so this is mostly just a bug that was surfaced from a field - that didn't use to be set. - - This additionally changes to errors.New instead of fmt.Errorf where - there was no formatting in the error. - - 
Signed-off-by: Daniel Canter - -commit 4a1216ae5debefa6411171b12cfe467bd49eaaf3 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri May 13 14:40:01 2022 -0700 - - wcow-process: Query Stats directly from shim (#1362) - - This change adds in functionality to query statistics directly in the shim instead of reaching out to HCS. One of the main motivators behind this was poor performance for tallying up the private working set total for the container in HCS. - - HCS calls NtQuerySystemInformation with the class SystemProcessInformation which returns an array containing system information for every process running on the machine. They then grab the pids that are running in the container and filter down the entries in the array to only what's running in that silo and start tallying up the total. This doesn't work well as performance should get worse if more processes are running on the machine in general and not just in the container. All of the additional information besides the WorkingSetPrivateSize field is ignored as well which isn't great and is wasted work to fetch. - - HCS only let's you grab statistics in an all or nothing fashion, so we can't just grab the private working set ourselves and ask for everything else separately. We can open the silo ourselves and do the same queries for the rest of the info, as well as calculating the private working set in a more efficient manner by: - - 1. Find the pids running in the silo - 2. Get a process handle for every process (only need - PROCESS_QUERY_LIMITED_INFORMATION access) - 3. Call NtQueryInformationProcess on each process with the class - ProcessVmCounters - 4. Tally up the total using the field PrivateWorkingSetSize in - VM_COUNTERS_EX2. - - This change additionally: - - Changes the jobcontainers package to use this new way to calculate the - private working set. - - Change the query the StorageStats method in the jobobject package uses - to grab IO counters to match what HCS queries. 
- - - Signed-off-by: Daniel Canter - -commit d4f0f15fbf75e0d3494a906563889bce7019b0a7 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed May 11 13:57:12 2022 -0400 - - Add _test suffix (#1395) - - Signed-off-by: Hamza El-Saawy - -commit bf5045eb3a69ec5a2474253854ab0da7d8729032 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed May 11 10:26:32 2022 -0700 - - Remove vsock consts (#1396) - - They're defined in the vsock package we use, and we never used the CidAny - const anywhere. - - Signed-off-by: Daniel Canter - -commit 25b67340dfe7eb35a4591fddf97025cf7e417f69 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 10 15:30:15 2022 -0400 - - testing bugs (#1394) - - Process-isolated tests used the wrong runtime constant. - - Renamed CRI plugin file to have `_test` suffix so language server does - not complain about undefined functions and values. - - Signed-off-by: Hamza El-Saawy - -commit 2bc1cc03b6a7871694380cd73a410b790c5ac4e0 -Merge: ebe034c66 521aae8a0 -Author: Kathryn Baldauf -Date: Mon May 9 17:34:15 2022 -0700 - - Merge pull request #1393 from katiewasnothere/gitattributes_update - - Unset text attribute for vendored files in gitattributes - -commit 521aae8a021d43f225b9e1c35cad1d60d512f1d4 -Author: Kathryn Baldauf -Date: Mon May 9 17:07:06 2022 -0700 - - Unset text attribute for vendored files in gitattributes - - Signed-off-by: Kathryn Baldauf - -commit ebe034c666dba0b11ef7319e0b7cd16bc578c873 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 9 14:31:28 2022 -0400 - - rpc string conversion (#1391) - - 
Signed-off-by: Hamza El-Saawy - -commit 9efc65486d7ab7599b751a5035e718c4330ec8f0 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 9 11:11:28 2022 -0400 - - Log context integration changes (#1382) - - Log integration changes - - Changed `internal\log` functions interacts with context. - `log.G` no longer adds trace/span IDs to entry. - - Added logrus hook to add trace/span ID to entry when exporting log - entry. - - Added `log.S()` to set the log entry stored in the context with - provided fields. `log.G()` now checks the context for a stored - context. - - Added `log.Copy()` to add log entry and trace span from source context - to destination, allowing for duplicating contexts but not cancellation. - - Added `log.U()` to update the context an entry (in the context) points - to, allowing it to reference the latest span and other information. - - Added `oc.StartSpan[WithRemoteParent]` to set the context for log entries - to reference the newly created context. - - Switch to oc.StartSpan to update log context - - Signed-off-by: Hamza El-Saawy - -commit 18f47614a2a08233b53edc47d27a7c68d4802c9f -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri May 6 11:05:49 2022 -0700 - - Fill in HyperV field if sandbox option is set (#1388) - - As part of the work to get WCOW-Hypervisor working for the upstream - Containerd CRI plugin, parse our shims SandboxIsolation field here and - set the HyperV runtime spec field if it's set to the HYPERVISOR option. - This avoids us needing to parse our shim specific options in upstream - Containerd which is always a plus. - - Signed-off-by: Daniel Canter - -commit d12d411f94902528faa9d4f7dae9093585e713a7 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri May 6 13:07:53 2022 -0400 - - Change file path for restart tests to avoid permission issue (#1389) - - 
Signed-off-by: Hamza El-Saawy - -commit 840593a9fa94b4d272dd913fb9f5debc584648ad -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu May 5 11:24:45 2022 -0400 - - Only pull appropriate images for testing (#1387) - - Signed-off-by: Hamza El-Saawy - -commit 1c049f10a81675e5b869187b263244ddd0b17ac2 -Author: Maksim An -Date: Wed May 4 14:56:01 2022 -0700 - - tests: add tests for wait-paths (#1384) - - Follow up PR to add tests for wait-paths after initial PR #1258 - was merged. - - Signed-off-by: Maksim An - -commit 1e01dcce30b86bbc22c8abc9f582a742fe2e9914 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue May 3 18:42:09 2022 -0400 - - GCS tests and features/bugfixes to support them (#1360) - - Exposed data and functionality for testing GCS: - * `internal\guest\runtime\hcsv2.Container.InitProcess()` - * `internal\guest\runtime\hcsv2.GetOrAddNetworkNamespace()` - * `internal\guest\runtime\hcsv2.RemoveNetworkNamespace()` - * `internal\guest\runtime\hcsv2.Host.SecurityPolicyEnforcer()` - * `internal\guest\runtime\hcsv2.Host.Transport()` - - Fixed bug where `host.RemoveContainer` did not remove the network - namespace for standalone and pod containers. - - Updated go-winio version to include bugfixes for closing hvsockets, - specifically to close a socket for writing (needed by internal\cmd - to signal that the stdin stream has finished). - - Added doc.go files to guest packages to prevent linter/compiler errors - under windows. - - The tests themselves are broken out here: - https://github.com/microsoft/hcsshim/pull/1352 - https://github.com/microsoft/hcsshim/pull/1351 - - 
Signed-off-by: Hamza El-Saawy - -commit 2b176abe98b8509382195f3428fd1eeda39602d0 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon May 2 17:08:35 2022 -0400 - - Tests for task and sandbox reset/restart (#1273) - - * Tests for task and sandbox reset/restart - - Adds tests for resetting tasks and containers explicitly with CRI - plugin API, and implicitly using annotations and start/stop commands. - - PR relies on accompanying CRI PR (https://github.com/kevpar/cri/pull/13) being merged. - - Signed-off-by: Hamza El-Saawy - - * PR: wrappers, annotation, comments - - Signed-off-by: Hamza El-Saawy - -commit a783367ca0827c5772215217bec25fdb48f9e0fe -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Apr 27 17:00:49 2022 -0400 - - Adding more logfield entries (#1380) - - Signed-off-by: Hamza El-Saawy - -commit 24d486642f7de89e419a24d5e19f189f1f2b894f -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Apr 27 16:57:40 2022 -0400 - - Missing constraint, doc.go (#1381) - - Signed-off-by: Hamza El-Saawy - -commit b6a97d81dd1ffe8f7f397c9d2affac3e2eddd8bf -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Apr 27 09:50:23 2022 -0700 - - Fix wrong word use (#1377) - - Manor -> manner - - Signed-off-by: Daniel Canter - -commit fc593904017098b7f925d95852cb35cc2a4e5924 -Merge: 544a27de1 be9ebd6c5 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Apr 27 09:49:48 2022 -0700 - - Merge pull request #1374 from TBBle/random-fixes-broken-out-of-base-layer-work - - Random fixes broken out of base layer work - -commit be9ebd6c5a745ab55021637be58a0f210b981a92 -Author: Paul "TBBle" Hampson -Date: Sat Mar 26 16:29:02 2022 +1100 - - Include all the built binaries in the archive - - I also sorted the archive step list of binaries to match the calls to - `go build` so that it's clear when a binary has been overlooked. - - 
Signed-off-by: Paul "TBBle" Hampson - -commit 8c2391d8fe389fb03269551667e715bcb73620a3 -Author: Paul "TBBle" Hampson -Date: Sat Dec 12 23:31:58 2020 +1100 - - Fix a typo in a comment - - Signed-off-by: Paul "TBBle" Hampson - -commit af4457cf3fcb4015bb7589c0bc8b8c14ef4c17e8 -Author: Paul "TBBle" Hampson -Date: Wed Feb 17 18:38:48 2021 +1100 - - Introduce safefile.MkdirAllRelative, like os.MkdirAll - - Signed-off-by: Paul "TBBle" Hampson - -commit 76119123d40006a8472d28f56a5f4e12dcda1777 -Author: Paul "TBBle" Hampson -Date: Thu Dec 3 00:30:47 2020 +1100 - - Typo fix contaler->container - - Signed-off-by: Paul "TBBle" Hampson - -commit 298101e0e9642e18146a60c40cbb912747be10f3 -Author: Paul "TBBle" Hampson -Date: Thu Dec 3 00:30:07 2020 +1100 - - Document LayerReader interface - - Signed-off-by: Paul "TBBle" Hampson - -commit 544a27de1237516bf1fe3948a8bd7558cf6a332d -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Apr 26 20:30:27 2022 -0700 - - Add ArgsEscaped exec test (#1372) - - This adds a test to validate execs work with ArgsEscaped images. - ArgsEscaped refers to a non-standard OCI image spec field - that indicates that the command line for Windows Containers - should be used from args[0] without escaping. This behavior - comes into play with images that use a shell-form ENTRYPOINT - or CMD in their Dockerfile. The behavior that the test is testing - is that execs work properly with these images. Hcsshim prefers - the commandline field on the OCI runtime spec and will ignore - Args if this is filled in, which ArgsEscaped does. In Containerd/cri - plugin the containers runtime spec is used as a base for the execs - spec as well, so if commandline isn't cleared out then we'll end up - launching the init process again instead of what the user requested. - - 
Signed-off-by: Daniel Canter - -commit 12a54a377658a5f83ece3acb8fde848d3b40c289 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Apr 26 19:55:31 2022 -0400 - - uvmboot functionality (#1359) - - * uvmboot functionality - - Added functionality to internal\tools\uvmboot for LCOW: - * specifying boot file path; - * picking kernel or vmlinux file; - * mounting SCSI VHDS and sharing files into the uVM; - * disabling the time sync; - * setting the uVM security policy. - - Added `IsElevated() bool` function to `internal/winapi` to quite early - if the command is not run with admin privileges rather than returning a - cryptic error. - - This is to support testing and benchmarking the Linux GCS. - - Signed-off-by: Hamza El-Saawy - - * PR: math - - Signed-off-by: Hamza El-Saawy - - * PR: spelling - - Signed-off-by: Hamza El-Saawy - -commit f6694adc15afcceddce576c74abe2aec10891ed3 -Author: Justin -Date: Tue Apr 26 15:14:16 2022 -0700 - - Include CommandLine in CreateProcess errors (#1363) - - Signed-off-by: Justin Terry - -commit a3a8aa19626adb296221a0dd23513e6935c06a7d -Author: Maksim An -Date: Tue Apr 26 14:16:30 2022 -0700 - - Hold lock when updating DefaultMounts (#1367) - - Signed-off-by: Maksim An - -commit dbb347e403747f0eb470bf9f17bf7ec32da14b0a -Author: Ameya Gawde -Date: Mon Apr 25 09:27:32 2022 -0700 - - Adding ExternalPortReserved flag to NatPolicy for HNS API V1. THis is a flag exposed for docker to avoid port reservation conflict with external port (#1370) - - HNS API V2 will use NatFlags to check and see if ExternalPortReserved is set - - (cherry picked from commit b85f3fdc17dad534a2cebbc67e0c18f77fb0fca8) - 
Signed-off-by: Ameya Gawde - - Co-authored-by: Kendall Stratton - -commit 113a929df3c22a23ce19be4e64c5ec1e19f03785 -Merge: 4a33ed557 6b9204445 -Author: Maksim An -Date: Fri Apr 22 17:08:56 2022 -0700 - - Merge pull request #1347 from anmaxvl/port-grantvmgroupaccess-code - - Port grantvmgroupaccess code from go-winio and extend functionality. - -commit 6b920444509e2cd25ff44f5f918cf7fbc8ae438d -Author: Maksim An -Date: Wed Apr 6 18:59:51 2022 -0700 - - Extend GrantVmGroupAccess to support write/execute/all permissions - - Add masks for GENERIC_WRITE, GENERIC_EXECUTE and GENERIC_ALL and update - function signatures accordingly. - Update grantvmgroupaccess tool to support granting permissions from above. - - Ignore various linter errors resurfaced after code copy-paste. - Remove mksyscall_windows.go and update old unit tests and cleanup helper - functions and packages used. - - Add unit test coverage for new functionality. - - Signed-off-by: Maksim An - -commit fb706b397132bb9c5a44fcde461c00beb0af5cb7 -Author: Maksim An -Date: Wed Apr 6 18:28:15 2022 -0700 - - Port grantvmgroupaccess code from go-winio repo for further extension - - 
Signed-off-by: Maksim An - -commit 4a33ed55759ea267f3ebf4d33fef5a1d29f0c45a -Author: Maksim An -Date: Fri Apr 22 15:04:50 2022 -0700 - - Allow multiple CreateContainer operations at the same time. (#1355) - - Prior to this change, GCS allowed only one CreateContainer operation - at a time. This isn't an issue in general case, however this doesn't - work properly with synchronization via OCI runtime hook. - - Synchronization via runtime hook was introduced in: - https://github.com/microsoft/hcsshim/pull/1258 - It injects a `CreateRuntime` OCI hook, if security policy provides - wait paths. - This allows container-A to run after container-B, where container-B - writes to an empty directory volume shared between the two containers - to signal that it's done some setup container-A depends on. - In general case, container-A can be started before container-B which - results in a deadlock, because `CreateContainer` request holds a lock - to a map, which keeps track of running containers. - - To resolve the issue, the code has been updated to do a more granular - locking when reading/updating the containers map: - - Add a new "status" field to Container object and atomic setter/getter, - which can be either "Created" or "Creating". New `uint32` type alias - and constants were added to represent the values (`containerCreated` - and `containerCreating`) - - Remove locking from `CreateContainer` function - - Rework `GetContainer` to `GetCreatedContainer`, which returns - the container object only when it's in `containerCreated` state, - otherwise either `gcserr.HrVmcomputeSystemNotFound` or - `gcserr.HrVmcomputeInvalidState` error returned. - - Add new `AddContainer(id, container)` function, which updates the - containers map with new container instances. 
- - Rework `CreateContainer` to initially add new container objects into - the containers map and set the "status" to `containerCreating` at the - start of the function and set it to `containerCreated` only when the - container is successfully created in runtime. - - Reworking `GetContainer` to `GetCreatedContainer` seemed to be the least - invasive change, which allows us to limit updates in the affected places. - If `GetContainer` is left unchanged, then handling of containers in status - "Creating" needs to take place and this requires handling cases when (e.g.) - a modification request is sent to a container which isn't yet running. - - Additionally update synchronization CRI tests to use go routines - to properly reproduce the scenario. - - Signed-off-by: Maksim An - -commit 57bff8854d1a52a92315d3389de5a95b07694206 -Author: Maksim An -Date: Fri Apr 22 10:33:04 2022 -0700 - - Change receivers and returns for security policy enforcers (#1369) - - Signed-off-by: Maksim An - -commit 8e6c081423e3b9dda3c30c58b736edfe1b74a4f8 -Author: Maksim An -Date: Fri Apr 22 10:31:59 2022 -0700 - - Revert "Fix working_dir negative test error expectation (#1348)" (#1368) - - This reverts commit 2028de8b8d5e0516e0e65664f9085dab02a6a5e2. - - During local testing a gcs with an older version of security policy - was used when doing the fix: #1322. As we can see, the quotations - weren't there. However, later a PR was merged, which added them: #1311 - - Signed-off-by: Maksim An - -commit 51a69190b8f477b42265944f58ccff688b4caca7 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Apr 22 11:46:27 2022 -0400 - - spelling (#1365) - - Signed-off-by: Hamza El-Saawy - -commit db5e1b1743a3138bf211ad90eca7fdf23d0f326c -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Wed Apr 20 16:17:00 2022 -0400 - - Splitting out GCS test and build (#1361) - - 
Signed-off-by: Hamza El-Saawy - -commit 98519f22466ae73d3d7fdde81beaa84b79ce9ff3 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Apr 19 14:21:00 2022 -0400 - - Linux GCS flags use 1 -, not 2 (#1358) - - Signed-off-by: Hamza El-Saawy - -commit a4c9777c1fa101d581f8facd257281349853be29 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Apr 18 13:23:05 2022 -0700 - - Use /internal/memory constants (#1354) - - * Use /internal/memory constants - - We have a bunch of 1024 * 1024 or 1024 * 1024 * 1024 numerical constants - (or just other megabyte constants) lying around. This changes to using - the constants we have defined in the /internal/memory package. - - This additionally changes the names of the constants from MegaByte/GigaByte to MiB/GiB and - changes them to untyped constants. - - Signed-off-by: Daniel Canter - -commit 54a5ad86808d761e3e396aff3e2022840f39f9a8 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Apr 18 15:16:58 2022 -0400 - - Reorganizing makefile and adding info to rootfs (#1350) - - * Reorganizing makefile and adding info to rootfs - - Reorganized makefile to read from top to bottom, and added additional - files to LCOW rootfs that include the time stamp of of the vhd creation, - the image build date, and its full name (pulled from a *.testdata.json - file in the LSG release, that appears to be one of the only location - of that information). - - Signed-off-by: Hamza El-Saawy - - * PR: checking if jq is installed - - Signed-off-by: Hamza El-Saawy - -commit 2baf93b5ccc718a23627df219a66a8cda63d1c98 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Apr 15 12:25:05 2022 -0400 - - removing global setting dependence from shim publisher (#1343) - - 
Signed-off-by: Hamza El-Saawy - -commit 655b7e11fd2297529b21291cd7cce313a5d76b68 -Author: Maksim An -Date: Fri Apr 15 04:03:50 2022 -0700 - - Add support for mount policy enforcement. (#1311) - - * Add support for mount policy enforcement. - - It is possible that a malicious mount can be used to attack an LCOW pod. - If the attacker has knowleldge of the workload running, they could - possibly change the environment for a container and alter its execution. - - This PR adds support for describing and enforcing mount policy for a - given container. The mount policy closely follows OCI spec to be as - explicit as possible to the user. The policy can be made less explicit - in the future if needed. - - The dev tool has been updated to support mount configurations and the - configuration spec is similar to CRI config with the exception of - unsupported features (e.g., selinux config). - The tool translates CRI config to appropriate mount type and options in - mount policy. Initial implementation doesn't support any wildcards for - the Destination, but supports REGEX for the Source. - - CRI adds some default mounts for all Linux containers and they had to be - hardcoded in this codebase as well. Extra caution is needed in the - future, in case the list expands. - - Additional changes have been made to how sandbox and hugepages mounts - are generated to make sure that the same utility functions are used to - generate appropriate mount specs. - - Add positive and negative tests for security policy mount constraints - Hide mount enforcement behind a LCOWIntegrity feature flag - - Update securitypolicy tool docs - - 
Signed-off-by: Maksim An - -commit ccec73f6d54f32aa46ad8c3632162106946b6f7e -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 14 16:21:18 2022 -0400 - - Swap to fmt.Errorf in jobobject package (#1353) - - * Swap to fmt.Errorf in jobobject package - - This change swaps to fmt.Errorf for wrapped errors in the jobobject package - from errors.Wrap. We'd had talks of moving this code to winio where we've - removed our pkg/errors dependency so this would make the port easier. - - Signed-off-by: Daniel Canter - -commit 13ceffd8e8ae1764ea0b0c526d371764b91e9b2a -Author: Maksim An -Date: Wed Apr 13 12:51:38 2022 -0700 - - Add guest package for fetching attestation report via syscall (#1341) - - Add `internal/guest/linux package`, which contains linux ioctl - definitions. Devicemapper code is refactored to use the new package. - Introduce new `amdsevsnp` package with Introduce ioctl wrappers and - structs required to fetch attestation report. - Validate that `LaunchData` provided to HCS during UVM boot and - `HostData` returned as part of attestation report match. - - Add utility binary to fetch SNP report and update Makefile to - support `DEV_BUILD` parameter, which includes test utilities inside - LCOW image. - Fake attestation report can be used when testing integrations. - - Signed-off-by: Maksim An - -commit 8af6c33eb931a5b926c4b831d648e18fb6e89cc4 -Author: Kazuyoshi Kato -Date: Mon Apr 11 17:02:11 2022 -0700 - - Specify go_package in its full path (#1345) - - The newer version of protoc-gen-go doesn't support the current form. - - Signed-off-by: Kazuyoshi Kato - -commit 2028de8b8d5e0516e0e65664f9085dab02a6a5e2 -Author: Maksim An -Date: Sun Apr 10 15:10:13 2022 -0700 - - Fix working_dir negative test error expectation (#1348) - - 
Signed-off-by: Maksim An - -commit 70b87e3d4b7ca6dd33335a01f2b8241178d1f686 -Author: Maksim An -Date: Thu Apr 7 18:07:52 2022 -0700 - - Add tests for security policy enforcement (#1325) - - Add basic positive and negative tests for security policy enforcement. - Hide policy tests behind LCOWIntegrity feature flag. - Add ContainerConfigOpt and builder functions for creating security - policy configs. - - Signed-off-by: Maksim An - -commit 2957199154505ce5b884004ed4fe51ca68df985e -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 7 10:00:29 2022 -0700 - - Pin go version for linter to 1.17.x (#1346) - - Some of the tooling golangci-lint uses doesn't fully support 1.18 yet - resulting in a bunch of hard to decode errors. We were using ^1.17.0 - as our version listed so we ended up resolving to 1.18 a couple of days - ago and finally ran into this. v1.45.0 of golangci-lint has a - workaround for this which is disabling some of the problematic linters, - but these are some of our most used. This seems like a sane fix for - now until the kinks are worked out and things are working on 1.18. - - Signed-off-by: Daniel Canter - -commit 6b31cba6647165e2faa1a94e63a0818d6af07072 -Author: Kazuyoshi Kato -Date: Tue Apr 5 14:00:36 2022 -0700 - - Run Protobuild on GitHub Actions (#1302) - - containerd is planning to migrate off from github.com/gogo/protobuf - which will affect hcsshim. - See https://github.com/containerd/containerd/issues/6564 for - the overall progress. - - Before that, this commit runs Protobuild in GitHub Actions to - make sure all generated files are reproducible from .proto files. - - 
Signed-off-by: Kazuyoshi Kato - -commit 949e46a1260a6aca39c1b813a1ead2344ffe6199 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Apr 5 01:07:45 2022 -0400 - - Adding build constraints (#1340) - - * Adding build constraints - - Adding windows build constraints to code to allow tests and benchmarks - to be run on Linux. - - Added doc.go to modules (with doc string, where appropriate) to prevent - compiler/linter errors about broken imports. - In some cases (ie, winapi and wclayer), the package already had an - OS-agnostic file of the same name, along with a doc string. A doc.go - file was added to preempt situations where windows-specific code is - added to that file in the future. - - Signed-off-by: Hamza El-Saawy - - * Renaming test files - - Renaming files in `test\cri-containerd` to end with `_test.go` so they - can include variables and functions defined in other `_test.go`. For - example, `gmsa.go` imports `gmsaAccount`, which is defined in - `main_test.go`. - - Signed-off-by: Hamza El-Saawy - -commit bedca7475220426727ba4a0d11f042de6b8e73cc -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Apr 4 13:18:41 2022 -0700 - - Add Go bindflt/silo definitions (#1331) - - * Add Go bindflt/silo definitions - - This change adds a couple Go bindings for calls and constants from bindfltapi.dll - as well as some silo flags for job objects. Together these allow file bindings - (think bind mounts on Linux) to be performed for a specific job object. The bindings - are only viewable from processes within that specific job. - - This additionally adds a couple unit tests for this behavior. - - 
Signed-off-by: Daniel Canter - -commit 8c246952f89e1e0c7eb9e1dbb97249201b5a13b2 -Author: Maksim An -Date: Thu Mar 31 00:24:35 2022 -0700 - - Fix dm-verity target naming format in linux guest (#1338) - - When adding layer integrity checking feature for SCSI devices, - the dm-verity device format naming was inconsistent with the - already existing pmem based verity target. - Make the naming consistent by changing `verity-scsi-...` to - `dm-verity-scsi-...`. - - Signed-off-by: Maksim An - -commit d36cc7c2080c44fae477869f871a372def8988e0 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Mon Mar 28 16:04:53 2022 -0700 - - Support for multiple SCSI controllers (#1328) - - * Support for multiple SCSI controllers - - Enable using upto 4 SCSI controllers for LCOW UVMs. HCS currently doesn't respect the - SCSI controller number provided with the Add SCSI disk requests. Hence, the SCSI disk can - show up at some different controller inside the LCOW UVM. To avoid this, now we use GUIDs - to represent each controller and use that GUID with the Add SCSI disk request. - GCS code is also modified to identify the controller number from the controller GUID. Now if a LCOW pod is created with an annotation that sets VPMEM device count to 0, we will automatically enable 4 SCSI controllers. Even the rootfs.vhd will be attached via SCSI in that scenario. - - 
Signed-off-by: Amit Barve - -commit 6dd7225ec1f7d929d1f83f16a4cc9b4f92fe524f -Author: Paul "TBBle" Hampson -Date: Tue Mar 29 07:57:50 2022 +1100 - - Go 1.17 is the minimum version in all cases (#1337) - - This ensures: - - CI explicitly requires Go 1.17 - - README specifies Go 1.17 - - Tests also depend on Go 1.17 - - The go.mod already specifies 1.17 as the minimum Go version, so this - shouldn't be a difference in practice. - - GitHub Actions setup-go was installing Go 1.17 already, presumably - honouring the value in go.mod. - - One interesting change is that in 1.17, go.mod lists indirect - dependencies, and vendoring does not capture go.mod/go.sum, so the - test/vendor directory got slightly less noisy. - - Signed-off-by: Paul "TBBle" Hampson - -commit 93505d7b473eeae3b44f575fc7552be40e290f3a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Mar 23 18:34:15 2022 -0700 - - Fix up job object options for unit tests (#1335) - - Most of the `jobobject` package tests we have ask for options that aren't - actually needed/used. This change makes it so that any test that doesn't need - a named job object doesn't ask for one and any test that doesn't plan on - using the iocp messages doesn't flip the notifications field either. This - wasn't causing any issues, but it's probably best to filter down what's - being tested to only what's needed. - - Additionally fixes TestExecsWithJob that used log.Fatal instead of t.Fatal - in the test. - - 
Signed-off-by: Daniel Canter - -commit dfe9b5e1a35047a2080e8fe0282026a2ccd23955 -Author: Maksim An -Date: Tue Mar 22 08:59:57 2022 -0700 - - Fix gcs init args wrapping when ConsolePipe is enabled (#1334) - - GCS init fails to parse the entropy socket when enabling ConsolePipe. - Fix by separating entropy parameters from the rest init args and - wrapping only init args with `sh -c`. - - Changes: - `/init sh -c "-e 1 /bin/vsockexec -e 109 /bin/gcs -v4 -log-format json -loglevel debug & exec sh"` - to - `/init -e 1 sh -c "/bin/vsockexec -e 109 /bin/gcs -v4 -log-format json -loglevel debug & exec sh"` - - Signed-off-by: Maksim An - -commit 7adccbbc6b0f02fa2ce65e44fb6b5827ea8e3ca1 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Mar 22 11:34:58 2022 -0400 - - rootfs make target (#1333) - - New makefile target to create rootfs.vhd from rootfs.tar using tar2ext4. - Requires building cmd/tar2ext4 locally. - - Signed-off-by: Hamza El-Saawy - -commit 51aee6bd9e4da920dd6473137929370606402ad1 -Author: Maksim An -Date: Mon Mar 21 21:45:17 2022 -0700 - - Add new gcs hooks, add expected mounts to security policy (#1258) - - Introduce a new `wait-paths` binary, which polls file system - until requested paths are available or a timeout is reached. - - Security policy has been updated to have `ExpectedMounts` entries, - which will be used in conjunction with "wait-paths" hook for - synchronization purposes. - - Refactor oci-hook logic into its own internal package and update - existing code to use that package. Copy runc HookName and constants - definitions to break dependency on runc - - Introduce `ExpectedMounts` as part of security policy language and - the logic to enforce the policy, which resolves the expected mounts - in the UVM and adds a wait-paths hook to the spec. - - Add positive and negative CRI tests. - - 
Signed-off-by: Maksim An - -commit a2ed14ceef9ece8176f962cec75ffe85527b1c42 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Mar 17 16:44:23 2022 -0400 - - scrubbing bugfix: incorrect return variable (#1332) - - Signed-off-by: Hamza El-Saawy - -commit cf6b2c91e41a2ed9c355151eb9c5a0a4316e14de -Author: Maksim An -Date: Tue Mar 15 23:26:54 2022 -0700 - - Default to deny all security policy. (#1320) - - When bringing up the UVM default to closed door security policy - to reject any modification requests prior to security policy is set - inside GCS. - When security policy is empty, default to open door policy. - - Signed-off-by: Maksim An - -commit abf92f5a8ebccda04b1ee53c9fb3d443342bac84 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Mar 15 14:35:10 2022 -0700 - - Respect console size for hostprocess containers (#1326) - - Previously the values in the spec weren't being used. - - This change additionally changes the defaults to an 80 width and 25 height - to match what cexecsvc/hcs sets. - - Signed-off-by: Daniel Canter - -commit 326001d24d36fb52ef7466525a5eabd81c84f245 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Mon Mar 14 14:02:34 2022 -0400 - - Scrubbing annotations from logs (#1324) - - Updated scrubbing for guest side, and added scrubbing for annotations - -commit e1ee40b64358dd1b7482cc3eeb9f9c1511e00a4b -Author: Maksim An -Date: Fri Mar 11 10:28:13 2022 -0800 - - Fix WorkingDir missing in securityPolicyContainer (#1321) - - When creating internal representation of security policy for a container - WorkingDir field wasn't properly initialized, which broke the policy - enforcement. - - Update README.md for security policy tool. - - Signed-off-by: Maksim An - -commit 041d23c6f46e3cec142f99d15a13a4ce2eb97c7f -Author: KenGordon -Date: Fri Mar 11 17:47:34 2022 +0000 - - Revert to v2.5 schema GuestStateFileType to support release target OS (#1318) - - 
Signed-off-by: Ken Gordon - -commit 5f4ec160a744a86509b76e76c6b31c6857302bf5 -Author: Sean T Allen -Date: Thu Mar 10 13:26:34 2022 -0500 - - Fix typo in error message (#1322) - - Signed-off-by: Sean T. Allen - -commit 24ccf48759030888ce0e81b45555c21e635ef5cf -Author: Maksim An -Date: Wed Mar 9 19:06:57 2022 -0800 - - Add helper functions for generating security policy and setup CRI tests (#1309) - - Split dev tool logic to create security policy into several helper - functions, which can be reused in other places, e.g., integration tests. - Create a small helpers package under internal/tools/securitypolicy, - which hosts the above functions. Another option would be to put these - functions into securitypolicy package, however the dev-tool does - network requests, which didn't look like a good dependency to add for - the securitypolicy package itself, since creating a policy by itself - doesn't require any network access, given that caller knows all the - necessary information, mainly root hashes. - - Add simple integration tests for running a pod with container and - security policy passed via annotations. - - Signed-off-by: Maksim An - -commit d512c703e577ee85c4eabcffbe49f0d01f1e1af0 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Mar 8 16:48:53 2022 -0500 - - Scrubbing env vars from logs (#1315) - - Added code to remove environment variables from code path. - - 
Signed-off-by: Hamza El-Saawy - -commit f50f9750ce18de430c47bff1f16fa855daaf124e -Author: Maksim An -Date: Mon Mar 7 09:42:09 2022 -0800 - - Working directory enforcement (#1305) - - * Add current working directory enforcement. - - The working directory can be set as part of container image - by WORKINGDIR Dockerfile directive or could be explicitly - set inside CRI container config. Changing the CWD of container - can change the expected behavior of a container. - - If the working_dir config is not present or empty inside the - policy config, this information will be gathered from container - image spec. - - Add logic to enforce CWD enforcement inside GCS and extend - policy dev tool and policy structure to support this scenario. - The enforcement is an exact string match between what's in the - policy and what's in the generated container spec. If the paths - don't match, the container will fail to start. - - * Minor refactor of securitypolicy_test - - Add a utility funcion that picks a random container from an array - and generates a valid/invalid overlay for that container. Refactor - tests to use the new utility function. - - * Add unit tests for enforcing working directory - - 
Signed-off-by: Maksim An - -commit 3c1a37f636a392750f6851287f7b0465bfeb32aa -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Fri Mar 4 15:48:27 2022 -0800 - - Bump github.com/containerd/containerd from 1.5.9 to 1.5.10 (#1313) - - * Bump github.com/containerd/containerd from 1.5.9 to 1.5.10 - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.9 to 1.5.10. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.9...v1.5.10) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - Signed-off-by: dependabot[bot] - - * go mod tidy && go mod vendor test folder - - Signed-off-by: Maksim An - - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Maksim An - -commit 15d381cfaf1d21049c7e72231113e874a3df60bb -Author: Maksim An -Date: Thu Mar 3 16:59:55 2022 -0800 - - fix lint issue (#1314) - - Signed-off-by: Maksim An - -commit 47214119f46d2e745b48f5f03400da710d432e42 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Mar 3 10:35:57 2022 -0800 - - Replace winapi GetQueuedCompletionStatus bind with x/sys/windows (#1307) - - Previously we had our own definition for GetQueuedCompletionStatus as x/sys/windows - had an incorrect definition for it. This was remedied a bit ago in this change - https://github.com/golang/sys/commit/683adc9d29d7bd1f0f778e1f7f2eeb61b415f4d5 - so we're alright to remove our own at this point. - - 
Signed-off-by: Daniel Canter - -commit 643ef46feef41b347d2d8579247b4bc8e6c236a2 -Author: Eng Zer Jun -Date: Wed Mar 2 02:17:52 2022 +0800 - - test: use `T.TempDir` to create temporary test directory (#1308) - - * test: use `T.TempDir` to create temporary test directory - - The directory created by `T.TempDir` is automatically removed when the - test and all its subtests complete. - - Reference: https://pkg.go.dev/testing#T.TempDir - Signed-off-by: Eng Zer Jun - -commit b8f77342111c213926a0fa9d91a8152bad579e67 -Author: cui fliter -Date: Tue Mar 1 15:08:18 2022 +0800 - - all: fix typo (#1310) - - * all: fix typos - - Signed-off-by: cuishuang - -commit d0f3c8555210c33714e78787e3a039a61ad98523 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Feb 25 22:31:13 2022 -0800 - - Add local user account creation for host process containers (#1286) - - * Add local user account creation for host process containers - - This allows a user the ability to pass a Windows group name as the username for the container. What happens in this - case is: - - 1. Client provides a Windows group name as the username for the container - 2. We validate that it's a group, and if so then make a temporary local - account. - 3. Add local account to the group passed in and run the container under the - account. - 4. On container exit delete the account. - - This allows a client to setup a group with whatever permissions/restrictions - needed on it and have any host process containers run as a user in the group. - The blocker for not just creating a user itself with the right permissions is - there's no cri field to pass a user password, and passwordless logon seems to be - blocked on Windows by default. - - 
Signed-off-by: Daniel Canter - -commit a483a5a66841af3c935da66084d495adc4cd8ecd -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Feb 24 11:39:18 2022 -0500 - - Disable unsafe container options (#1260) - - Add annotations to disable unsafe container operations, regardless of container spec: - * adding writable vSMB or plan9 file shares to hypervisor isolated containers' UVM - * using gMSAs for WCOW containers - (Annotation to disable vSMB direct maps already exists) - - Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com - -commit 14414dd562b1bf51cf2d3e3df8aa9be5e8804067 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Sat Feb 19 04:07:09 2022 -0800 - - Linux GCS: Log disk info on ENOSPC errors (#1297) - - * Linux GCS: Log disk info on ENOSPC errors - - We've had quite a few times where creating the upper or work directories in - the guest fails with ENOSPC but we don't have any view into what the mount - looks like at the time we get this. This change just catches any ENOSPC errors - when creating an overlayfs mount, calls statfs and logs the disk space and inode - info for the mount the failed directory is on. This should make investigating - these types of issues much easier. - - This may be followed up with a change to delete the upper and work directories - for a container, as this becomes troublesome with the model for sharing a scratch volume. - - 
Signed-off-by: Daniel Canter - -commit c7fa7edd431dd5f9861b3a4f4ba5d9b2a0a702c4 -Merge: bb3403c4e 53deaa71e -Author: Kathryn Baldauf -Date: Fri Feb 18 10:20:53 2022 -0800 - - Merge pull request #1298 from katiewasnothere/skip_cpu_group_tests - - Skip test for updating VM cpugroup membership for now - -commit bb3403c4e5c84fccd8c559d81c4eb962cffb9787 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Feb 17 17:00:10 2022 -0800 - - Put Linux build tag on /internal/guest/transport/vsock.go (#1301) - - Most of the code in /internal/guest has build tags as it's all Linux specific - so apply one for vsock.go as well as vsock.Dial is unimplemented on Windows. - - This also fixes a linter issue we've been seeing on the push trigger for - golangci-lint. It complains that the error check we're performing can - never be true (err == nil) because on linting this file with GOOS=windows - it will check the Windows implementation for vsock.Dial which is hard coded - to return an unimplemented error always. - - Signed-off-by: Daniel Canter - -commit 12b02a180881297d330d6261e166a97a79023fe2 -Author: Maksim An -Date: Tue Feb 15 14:02:28 2022 -0800 - - Fix bugs in network setup introduced by a refactor PR (#1299) - - When consolidating guest protocol into its own package - in https://github.com/microsoft/hcsshim/pull/1240 wrong constant - definition was used for adding a network namespace. Fix this by - using the correct constants. - - Signed-off-by: Maksim An - -commit 53deaa71ee22ddef2b56d095b2851b6d76e6614c -Author: Kathryn Baldauf -Date: Tue Feb 15 11:45:24 2022 -0800 - - Skip test for updating VM cpugroup membership for now - - 
Signed-off-by: Kathryn Baldauf - -commit 51f5ab825d8e45b852c48096a1b3dc3cfe665b98 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Feb 11 17:31:01 2022 -0800 - - Cleanup 'getUserTokenInheritAnnotation' (#1294) - - This function used to just return a bool of whether the annotation was "true" - or not which is a bit diffferent than what the name implied. Change to inheritUserTokenIsSet - to be more clear. It also used to check if the annotation was set internally which - shouldn't be needed as we only cared about whether it was "true" or not. If the - value isn't in the map we should just get back the default value of a string which - is fine for what it was being used for. - - Additionally moves a comment that was mistakingly directly above the function body - to the top of the file. - - Signed-off-by: Daniel Canter - -commit afce23edcaf579d435d029ff69649e3aa4c605f2 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Feb 11 14:05:58 2022 -0800 - - Fix comment placement for layers.MountContainerLayers (#1295) - - The comment had an empty line between it and the declaration so it didn't - show up for go doc. - - 
Signed-off-by: Daniel Canter - -commit 7fbdca16f91de8792371ba22b7305bf4ca84170a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Feb 9 15:38:21 2022 -0800 - - Fix Network Namespace Bug For Ctr (#1270) - - If you try and run a hypervisor isolated container through ctr - (.\ctr.exe run --runtime io.containerd.runhcs.v1 --rm --isolated - mcr.microsoft.com/windows/nanoserver:1809 xenon-test cmd /c "echo Hello - World!") currently you'll get "ctr: failure while creating namespace for - container: network namespace not found: unknown". The normal path through - ctr is no network namespace is passed, so our shim will try and make one. - The namespace was being created via `hns.CreateNamespace` which stores the - ID of the namespace in all caps, however later on in the process when we - go to add the namespace to the uvm we re-grab a namespace object via - `hcn.GetNamespaceByID` which populates the Id field in all lowercase. - - When we originally store the namespace in our map of known namespaces we use - the hns packages casing, and when we go to add any endpoints to the vm - (there shouldn't be any anyways if we went through ctr and didn't provide --cni) - then we'll fail to find the namespace due to a casing mismatch. We already create - the namespace for cri interactions with the hcn package so this truthfully - brings this fallback path in line. - - Signed-off-by: Daniel Canter - -commit 5a3c0efea7ccefbbda5b163facb48815fbf2bd8b -Author: Maksim An -Date: Wed Feb 9 09:45:08 2022 -0800 - - Add new guest request/resource packages (#1240) - - hcsshim and GCS redefine protocol messages. Any change to - the protocol requires redefinitions in both hcsshim and GCS. - This PR combines the two protocol definitions into one to - resolve this. - - Create new guestrequest and guestresource internal packages - and update references in code. - - 
Signed-off-by: Maksim An - -commit aa793a24d9a33f057ba9ec4ebb1a35813795981b -Merge: f9c0efaab 5e5baea6e -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Tue Feb 8 14:04:31 2022 -0500 - - Delete shim workloads tasks in pod. #1271 - - This commit supports restarting containers and pods using CRI: - kevpar/cri#13 - - This PR allows the service to remove tasks from a pods workloadTasks map after the task and associated execs have been shut down during in a delete task request, allowing for proper deletion of the task and freeing up associated resources when - received by the service. Namely, this frees up the deleted task's ID, so that new tasks can be created with that same ID after the original task has been deleted (ie, so a task can be restarted within a running pod). - - A DeleteTask function was added to the shimPod interface to implement most of this functionality. - - Additionally, the service, in deleteInternal, resets its internal reference to the init task (shimPod or shimTask) reference, taskOrPod, if the delete is issued for the init task, as a marker that the service is no longer operational and to prevent future operations from occurring. - - Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com - -commit 5e5baea6e70eb846dde3c0b11ef405a613b189f3 -Author: Hamza El-Saawy -Date: Mon Feb 7 19:24:31 2022 -0500 - - PR: error messages, docs, and formatting - - Signed-off-by: Hamza El-Saawy - -commit f9c0efaab4ed4a9435579be25d8467f56ab05407 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Feb 4 15:48:58 2022 -0800 - - Enable gofmt in linter (#1293) - - Will be nice to have this on to catch go fmt offenders - - 
Signed-off-by: Daniel Canter - -commit c019e22aaddfb83405b8648a8c16427f89b00350 -Merge: e382e6d62 9d05b5b66 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Feb 4 15:47:48 2022 -0800 - - Merge pull request #1292 from jsturtevant/expand-job-envs - - Expand env variables for job containers to job mount path - -commit 9d05b5b66d4cc3e678b4cd87b50a54977820101c -Author: James Sturtevant -Date: Thu Feb 3 16:17:35 2022 -0800 - - Add test case for job env expansion - - Signed-off-by: James Sturtevant - -commit e382e6d62466230d2cd11e7fd33ceba8d8c940c7 -Merge: 71baff48e 60d133f98 -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Fri Feb 4 11:39:30 2022 -0500 - - Shutdown hcsshim properly #1289 - - Currently, when a Shutdown request is received, service calls os.Exit to forcefully exits the binary without cleaning up resources and IO channels, ending spans, or flushing logs. Primarily this prevents logging of shim-wide or long running spans but can also leak un-closed system resources. - - For reference, the runc shim within containerd does not respect the ShutdownRequest.Now parameter, and calls several cleanup callbacks instead of exiting immediately via os.Exit - - Added .Done() and .IsShutdown() methods to service to signal that a service shutdown request from containerd for the init task was received, and updated the serve action to wait on a shutdown request to close the ttrpc servers and pipes. - - Added NewService method and creation options to properly initialize the service struct, namely to create the internal channel to signal shutdown. - - Added tests for shutdownInternal. - - 
Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com - -commit 014849a4b0dcf88831921f34ba751b0400716203 -Author: James Sturtevant -Date: Thu Feb 3 14:20:51 2022 -0800 - - Expand env variables to job mount path - - When installing tools into container it is sometimes desirable to have - those tools on the path for the current process. Since the Windows - doesn't support variable expansion on the PATH variable and the - job mount path as something that isn't know at runtime we need to expand - it for the passer. This could go away if the mount path is no longer - used in the future. - - Signed-off-by: James Sturtevant - -commit 71baff48e5c02e5cfa4c298845e5d6dc1ea3ba3f -Merge: c740798fb ebc1d85be -Author: Hamza El-Saawy <84944216+helsaawy@users.noreply.github.com> -Date: Thu Feb 3 14:11:30 2022 -0500 - - Bug fix with runc container lifetime management #1272 - - Fixed bug where container is cast as a process, which then causes the - container to be deleted prematurely before when the container finishes - executing. - Currently, whenever an LCOW container is stopped, the logs show multiple - errors being raised that runc cannot find the container, which cause the - Kill command issued by containerd to exit unsuccessfully. - - Added conversion of runc log file error strings into error types that - wrap HResult error types. - Wrapped runc errors from log file, which is more informative that error - returned from cmd execution. - - Added traces to guest container operations, to trace low level container - operations. - - Signed-off-by: Hamza El-Saawy hamzaelsaawy@microsoft.com - -commit 60d133f98161034dee5a161527168ced7b6fff9c -Author: Hamza El-Saawy -Date: Thu Feb 3 12:02:05 2022 -0500 - - PR: error messages, naming, tests - - Checking return value of `shutdownInternal` for cleanup in service - tests. - - 
Signed-off-by: Hamza El-Saawy - -commit 707bd112c9197f5e29d79af74a5ba43dbddd876d -Author: Hamza El-Saawy -Date: Wed Feb 2 19:11:51 2022 -0500 - - PR: ttrpc shutdown timeout - - ttrp.Shutdown( has a 200ms ticker, not a timeout. - Adding a proper timeout in case shutdown takes too long. - - Signed-off-by: Hamza El-Saawy - -commit 82f585374dd0acde9b8ff839f0e48cd93f83f359 -Author: Hamza El-Saawy -Date: Wed Feb 2 14:39:01 2022 -0500 - - Adding proper shim shutdown - - Currently, Shutdown requests forcefully exits the binary without - cleaning up resources and IO channels, or flushing logs. - - Added `.Done()` and `.IsShutdown()` methods to service watch for - service shutdown requests from containerd, and appropriately close - background servers and go routines. - - Added `NewService` method and creation options to properly initialize - the `service` struct. - - Signed-off-by: Hamza El-Saawy - -commit c740798fbba52170ca249d7b0fa839430d375423 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Wed Feb 2 13:48:30 2022 -0800 - - Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 (#1241) - - * Bump github.com/opencontainers/runc from 1.0.2 to 1.0.3 - - Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.2 to 1.0.3. - - [Release notes](https://github.com/opencontainers/runc/releases) - - [Commits](https://github.com/opencontainers/runc/compare/v1.0.2...v1.0.3) - - --- - updated-dependencies: - - dependency-name: github.com/opencontainers/runc - dependency-type: direct:production - ... - - Signed-off-by: dependabot[bot] - - * vendor test - - Signed-off-by: Maksim An - - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Maksim An - -commit b846a9aefb9ac57bfc7807e74113c89f14809f70 -Author: Hamza El-Saawy -Date: Tue Feb 1 18:14:35 2022 -0500 - - PR: .Wrapf( to .Wrap( - - 
Signed-off-by: Hamza El-Saawy - -commit 95e0bcc9c2c1b53f9fcea471a217b955a6a5257c -Merge: 3ac1cea98 a7ef15343 -Author: Kevin Parsons -Date: Tue Feb 1 14:49:53 2022 -0800 - - Merge pull request #1288 from microsoft/createpod-err-shadow - - shim: Don't shadow err return in createPod - -commit a7ef153433cc0fe33119883a106b4e87507380d3 (hcsshim/createpod-err-shadow) -Author: Kevin Parsons -Date: Tue Feb 1 14:31:45 2022 -0800 - - shim: Don't shadow err return in createPod - - Correctly uses a named return value on createPod. Previously if err was - redeclared in a nested scope and then returned, defers would not see the - returned error value. In particular this prevented the UVM cleanup defer - from working properly. - - Signed-off-by: Kevin Parsons - -commit 3ac1cea982c360f03c6fa22c299214c12a9220e4 -Author: Maksim An -Date: Fri Jan 28 14:47:58 2022 -0800 - - Refactor code for security policy (#1279) - - The current implementation exposes some internal structure, - which is unnecessary as well as some structs are duplicated - across security policy package and security policy tool. - This PR refactors code to de-duplicate exported structures - and hides internal implementation behind new factory methods. - - 
Signed-off-by: Maksim An - -commit d082725f6fc43269dd4adf659a3cd72e989c9783 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jan 25 22:11:04 2022 -0800 - - Fix checkptr error with > 1 process in job object (#1284) - - The `AllPids` method on JOBOBJECT_BASIC_PROCESS_ID_LIST would allocate a - very large array to store any pids in the job object, cast the memory to - this array, and then slice down to what elements it actually took up in - the array based off the value of what was in the NumberOfProcessIdsInList - field. The checkptr compile option doesn't like when slices don't have - an explicit length and capacity so this change updates the slicing to use - a three-index slice to set the capacity to the same as the length. - - Before for fmt.Println(len(arr), cap(arr)) -> 2, 134217727 - After: -> 2, 2 - - This change additionally adds a test in internal/jobobject and modifies the - TestExecWithJob test in internal/exec to verify that checkptr doesn't get angry - when we hit a codepath that performs the cast - - Signed-off-by: Daniel Canter - -commit 134fdfa81e5e1274d0493c465bed223dceb5bfc6 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jan 25 15:17:21 2022 -0800 - - Skip TestPseudoConsolePowershell for now (#1285) - - This test is fairly flaky on the Github CI but seems to run fine locally (maybe pure - luck). Skip this for now to let contributions continue without a hitch and until we - can replace this with a better suited test shortly. - - Signed-off-by: Daniel Canter - -commit ebc1d85be9556c8670a7146524ef4e9d2ebcaacb -Author: Hamza El-Saawy -Date: Sat Jan 22 21:30:21 2022 -0500 - - PR: idiomatic error names - - 
Signed-off-by: Hamza El-Saawy - -commit 61aa915d2f74e909b00e17ec3e4bdfddc768c0b0 -Merge: 48586c11d 256eaa74a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jan 21 15:41:22 2022 -0800 - - Merge pull request #1281 from dcantah/add-retrylayer-log - - Add logging to layer retry code path - -commit 48586c11d065047256890b183afb14912c8192c2 -Merge: 92d8d3643 37b27830c -Author: Kathryn Baldauf -Date: Thu Jan 20 14:53:10 2022 -0800 - - Merge pull request #1239 from katiewasnothere/ncproxy_network_endpoint - - Update ncproxy to include new ncproxy network and endpoint types - -commit 92d8d3643ff75771f541c26bc060fa9fe0ff314e -Merge: 040cbe5e2 3a44b8dc8 -Author: Kathryn Baldauf -Date: Thu Jan 20 14:52:09 2022 -0800 - - Merge pull request #1283 from anmaxvl/fix-extended-process-info-test - - Fix Test_ExtendedTask_ProcessorInfo CRI test - -commit 36b39fe23dcbd38df21a1422514563576a237c9e -Author: Hamza El-Saawy -Date: Thu Jan 20 17:49:54 2022 -0500 - - PR: log message - - Signed-off-by: Hamza El-Saawy - -commit 3a44b8dc8790ed02efe2e8e7e4d70f532e2db34f -Author: Maksim An -Date: Thu Jan 20 09:50:38 2022 -0800 - - Fix Test_ExtendedTask_ProcessorInfo CRI test - - Test_ExtendedTask_ProcessorInfo had a minor bug, when the - processor info request would return an error and the error was - expected. The test would still proceed to check the processor - count from the response in whicn case the response is nil and - the check results in nil point dereference. - - Signed-off-by: Maksim An - -commit 256eaa74a9ee112d528d0e05f0c3d8bfeed2aeaf -Author: Daniel Canter -Date: Wed Jan 19 15:01:55 2022 -0800 - - Use timeout in .golangci.yml - - We have a timeout defined in the golangci.yml file but it doesn't get honored - as the commandline flags have higher priority. This change removes the --timeout - specified for args so the timeout from the config will be used. - - 
Signed-off-by: Daniel Canter - -commit 2c7d2d70ee502d7e97c4e65446d7fb0747df2a8b -Author: Daniel Canter -Date: Wed Jan 19 14:27:53 2022 -0800 - - Add logging to layer retry path - - This change adds a small log to the code path that handles retrying layer - setup if we encountered a set of known error codes that we'd observed on - ws2019. This is mostly just so we can tell how often we're actually hitting - this and see which error is most prevalent. - - Signed-off-by: Daniel Canter - -commit 040cbe5e2578a2741d33e7de1e8969aa95cc2255 -Merge: 05093b3d5 1ff2dd2a3 -Author: Kathryn Baldauf -Date: Wed Jan 19 14:13:32 2022 -0800 - - Merge pull request #1243 from katiewasnothere/querycompute - - Add new service for querying compute systems' information - -commit 37b27830c38678e7ae0ebe55bb9b114f2117c3d7 -Author: Kathryn Baldauf -Date: Wed Jan 19 14:09:21 2022 -0800 - - Add log statements when querying ncproxy database fails - - Signed-off-by: Kathryn Baldauf - -commit 1ff2dd2a36765c73115b7f319ed8b9653b13cca2 -Author: Kathryn Baldauf -Date: Wed Jan 19 13:33:14 2022 -0800 - - Rename service internal call to match naming scheme - - 
Signed-off-by: Kathryn Baldauf - -commit 05093b3d521603ae81d89692dc7b5b4610d2a842 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jan 14 19:43:33 2022 -0800 - - Update Go module version to 1.17 (#1222) - - Update Go module version to 1.17 - - This change does three things: - - 1. Runs gofmt on Go 1.17 in /internal, /cmd, /hcn, and /test. Go 1.17 added a new syntax for build tags that gofmt automatically applies. The new format will just be ignored on older builds and 1.17 and up will prefer the new syntax (which is much nicer if I may add), so this should be harmless. - - 2. Updates the go directive in our go.mod to be 1.17. We don't currently make use of any 1.17 features but we plan to (as well as the 1.16 io/fs additions). - - 3. Runs go mod vendor in the root of the repo and in /test for the new module graph pruning (https://go.dev/ref/mod#graph-pruning) - - Signed-off-by: Daniel Canter - -commit 617d439d8cb0da67cbd9fb24ba74ce811c779dc4 -Author: Maksim An -Date: Thu Jan 13 12:12:27 2022 -0800 - - Fix ReadDMVeritySuperBlock function (#1257) - - Make sure to assert the value of dmveritySuperblock.Signature before - trying to read the root hash. Without the check, any valid footer with - with valid size would be treated as a dm-verity superblock. - - Additionally wrap original Read errors, rather than custom errors. - In some places when returning an error from ReadDMVeritySuperBlock, - a custom error was wrapped, rather than the original error, which - complicates assertions with errors.Cause/errors.Unwrap. - - Add unit tests to cover other edge cases. - - 
Signed-off-by: Maksim An - -commit 790bcae4c9e9734f4ca50d0e17b03ed749f2b4d9 -Author: Gabriel -Date: Thu Jan 13 20:13:48 2022 +0200 - - Add ErrInvalidHandle and fix list stats (#1276) - - When querying the stats of a container that is in the process of being - stopped, an ERROR_INVALID_HANDLE (0x6) may be returned. This change - ignores that error and returns an empty stats object. - - This change also fixes the return values of Stats() when encountering - one of the expected errors. Returning nil stats when error is nil will - break caller assumptions of finding a valid value when error is nil. - Instead, an ErrNotFound is returned. - - Signed-off-by: Gabriel Adrian Samfira - -commit fae5736ce67dfbcfceea4d475f59ca798baafb79 -Author: Kathryn Baldauf -Date: Wed Jan 12 13:55:50 2022 -0800 - - Address PR feedback - * Clean up GetEndpoints and GetNetworks calls - * Use individual testing object for tests with subtests - * Misc clean up - - Signed-off-by: Kathryn Baldauf - -commit b70f091776c2a9ee8e18907fbfbaf07a3c61203b -Author: Kathryn Baldauf -Date: Tue Jan 4 17:03:14 2022 -0800 - - Address PR feedback - * Move ncproxy related package to unified location - * Add manifest to ncproxy binary - - Signed-off-by: Kathryn Baldauf - -commit 03f5839bd04e976e8d62790f42547740de5798fb -Author: Kathryn Baldauf -Date: Thu Oct 28 20:18:03 2021 -0700 - - Update ncproxy to include new ncproxy network and endpoint types - - Signed-off-by: Kathryn Baldauf - -commit 6aad8d45ed44bf98bfc0a68c6d97bcbd2051e6d4 -Author: Kathryn Baldauf -Date: Tue Jan 11 16:26:10 2022 -0800 - - Update service name to ExtendedTask - - Signed-off-by: Kathryn Baldauf - -commit 13de685dfc51e9710aabe5fd0487158a6c891dbf -Author: Kathryn Baldauf -Date: Tue Jan 11 16:11:54 2022 -0800 - - Add cri-containerd tests for Query Compute service - - 
Signed-off-by: Kathryn Baldauf - -commit 9bc8d28a2a1ff27d2712ef7ac7bee5842524ec7e -Author: Kathryn Baldauf -Date: Mon Dec 13 13:38:06 2021 -0800 - - Add new service for querying compute systems' information - * Motivation: SRIOV enabled network endpoints need information about - the target compute system's CPU count to determine appropriate settings, - specifically the number of queue pairs to use. Since the network - agent sets up network endpoints via ncproxy, this information is - not readily available. - * This change creates a new service `QueryCompute` that the network - agent can query to get any necessary information about compute - systems. - * For now `QueryCompute` has a single message `ProcessorInfo` that's - only supported by a pod task to address the immediate motivation above. - * Create a test tool for dev testing. - - Signed-off-by: Kathryn Baldauf - -commit 5e7e3bbeb8a7cfcb5b7b8745e3ead4a94ea3578b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Jan 10 17:02:24 2022 -0800 - - Rework process dump cri-containerd tests (#1267) - - * Rework process dump cri-containerd tests - - This change aims to deflake the Windows process dump test by continuously - checking for a .dmp instead of waiting some arbitrary amount of time and - then checking once. While we haven't seen any flakes with the Linux version - of this test for generating coredumps, the same logic is employed for the - LCOW test as well. - - 
Signed-off-by: Daniel Canter - -commit a46015228ff1115614e9e4d7859e7d91cb955458 -Merge: 77c027042 a8605ecca -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Jan 10 16:56:12 2022 -0800 - - Merge pull request #1269 from gabriel-samfira/handle-process-already-stopped - - Make kill noop on second run - -commit b2e849f29bc224307a1dd528df48962db2ccdacd -Author: Hamza El-Saawy -Date: Mon Jan 10 11:42:25 2022 -0500 - - Bug fix with runc container lifetime management - - Fixed bug where container is cast as a process, which then causes the - container to be deleted prematurely before when the container finishes - executing. - - Added conversion of runc log file error strings into `error` types that - wrap HResult error types. - Wrapped runc errors from log file, which is more informative that error - returned from cmd execution. - - Added traces to guest container operations, to trace low level container - operations. - - Signed-off-by: Hamza El-Saawy - -commit 2b7d97888fff8e11ae040aa9642f245938667b56 -Author: Hamza El-Saawy -Date: Mon Jan 10 11:35:51 2022 -0500 - - Delete shim workloads tasks in pod. - - This commit supports restarting containers and pods using CRI. - - Delete task request now removes tasks from `pod`'s `workloadTasks` map, - and added `DeleteTask` function to `shimPod` interface so new tasks can - use the same ID (ie, so a task can be restarted in a running pod). - - Signed-off-by: Hamza El-Saawy - -commit a8605eccaa4bfdca42f199ab3b4d5901791dcab0 -Author: Gabriel Adrian Samfira -Date: Fri Jan 7 23:11:31 2022 +0200 - - Make kill noop on second run - - If a kill has already been delivered, ignore subsequent calls to - Kill() and simply return the previous status. - - This change also defines ErrProcessAlreadyStopped and ignores that - error if encountered during kill. - - 
Signed-off-by: Gabriel Adrian Samfira - -commit 77c0270424049ab4c850c076601add11882e7c1e -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Jan 6 16:00:41 2022 -0800 - - Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 (#1266) - - * Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.8 to 1.5.9. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.8...v1.5.9) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - Signed-off-by: dependabot[bot] - - * revendor test - - 
Signed-off-by: Maksim An - - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - Co-authored-by: Maksim An - -commit c285d152e802860615bd2d5d6561a15dd5885947 -Merge: 6241c53e0 876cf72b3 -Author: Maksim An -Date: Thu Jan 6 13:00:47 2022 -0800 - - Merge pull request #1265 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.9 - - Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 in /test - -commit 876cf72b385d28745f6b05bc8391901d02409600 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Jan 6 17:50:23 2022 +0000 - - Bump github.com/containerd/containerd from 1.5.8 to 1.5.9 in /test - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.8 to 1.5.9. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.8...v1.5.9) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - Signed-off-by: dependabot[bot] - -commit 6241c53e02a8fb9cbfb67d86ad583c31bf090caa -Merge: 422eb31c3 a6edb2596 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jan 5 23:00:32 2022 -0800 - - Merge pull request #1249 from gabriel-samfira/wait-for-init-exit - - Wait for waitInitExit() to return - -commit a6edb2596b408a6476e8a0b5b1b1b830423b4a55 -Author: Gabriel Adrian Samfira -Date: Mon Dec 20 17:57:58 2021 +0200 - - Wait for waitInitExit() to return - - This change gives waitInitExit() a chance to cleanup resource - when DeleteExec() is called, before returning. - - This should fix situations where the shim exits before releasing - container resources. - - 
Signed-off-by: Gabriel Adrian Samfira - -commit 76881a295eb81d774cc764ce33291b239d0ea731 -Author: Gabriel Adrian Samfira -Date: Thu Dec 23 13:19:57 2021 +0200 - - Fix Range() iteration - - The function passed into the Range function of sync.Map will stop the - iteration if false is returned. This commit makes sure we iterate - through all elements in the map. - - Signed-off-by: Gabriel Adrian Samfira - -commit 422eb31c36e8f3908bb4b1d6e5e001867d4dfac8 -Merge: e093fbd40 bfd638206 -Author: Kathryn Baldauf -Date: Wed Jan 5 17:57:14 2022 -0800 - - Merge pull request #1246 from katiewasnothere/endpoint_settings_add_nic - - Add endpoint settings to add nic call - -commit bfd63820696c509ff093e6def37541c4a77d51b4 -Author: Kathryn Baldauf -Date: Tue Jan 4 17:09:23 2022 -0800 - - Update AddNIC test to use correct expected error value - - Signed-off-by: Kathryn Baldauf - -commit e093fbd404aeaa51f9728dab1125bd48b52f3d5a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Dec 31 08:48:00 2021 -0800 - - Rework TestPseudoConsolePowershell (#1255) - - Before this test used to write something to the pty and then see if we - could read the same thing shortly afterwards. Really all we wanna test here - is just that we can write things in general, so the same thing that - TestExecStdinPowershell is currently doing should suffice. - - If the process exits then the 'exit' write went through so that should be - plenty for this test. This change additionally adds a timeout for waiting - for the process to exit for TestPseudoConsolePowershell as well as - TestExecStdinPowershell so we have some indicator for if the 'exit' write - didn't work. - - Signed-off-by: Daniel Canter - -commit 42d6961ef52bf324ddb4ffd9a108fb6a917efb1b -Author: Maksim An -Date: Thu Dec 30 13:04:52 2021 -0800 - - Fix deferred os.Umask usage in loops (#1256) - - 
Signed-off-by: Maksim An - -commit 3f2848ac3c9167f3a60b43385a6620c405227a03 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Dec 29 19:06:22 2021 -0800 - - Change redundant conpty.ConPTY struct name (#1259) - - This change renames the ConPTY struct in the conpty package to - Pty. - - Signed-off-by: Daniel Canter - -commit 58caeedaebd9cd721a74fafd2bdcbc274d8d21b9 -Author: Gabriel -Date: Wed Dec 29 20:52:26 2021 +0200 - - Ignore ERROR_ACCESS_DENIED on Kill (#1252) - - When calling HcsTerminateProcess on a process that has exited, but we - still have open handles to, an ERROR_ACCESS_DENIED may be returned. - - https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess#remarks - - Signed-off-by: Gabriel Adrian Samfira - -commit 0124eb3ce35da1d9946c02e9271627d8f2305511 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Dec 27 13:20:59 2021 -0500 - - Rename conpty.New to conpty.Create (#1254) - - This change renames conpty.New, the method used to create a new ConPTY - object, to Create instead. Mostly preference and to stay in line with what - we'd named the method for creating a job object. The windows API used to - create the pty is named 'CreatePseudoConsole' so to me it makes more sense. - - Signed-off-by: Daniel Canter - -commit e1ddd01d53d7167618ca1874d9d8da22d17cfe17 -Author: KenGordon -Date: Tue Dec 21 17:31:45 2021 +0000 - - HCS fixes for HclEnabled and guest state file type. (#1250) - - * HclEnabled is required or it SEEMS to work but the vmgs gets written on. - - * Match the regular code - adds HclEnabled and correct guest state file type. - - 
Signed-off-by: Ken Gordon - -commit 03803124b08fd910b12d7bf18e96b62d9c86f665 -Merge: 2314362e9 ba2abba88 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Dec 20 17:08:01 2021 -0500 - - Merge pull request #1248 from dcantah/hpc-tty - - Swap to the internal/exec pkg for host process containers - -commit ba2abba8840aeb9064cd177c6babfe8593cdc897 -Author: Daniel Canter -Date: Sun Dec 19 11:32:42 2021 -0500 - - Add tty support for host process containers - - This change adds in the necessary bits to get tty support for host - process containers working by leveraging the pseudo console APIs in - Windows and the new internal/exec package. - - Signed-off-by: Daniel Canter - -commit 11f91057913bc449893296cf8d0d9f6152dd7226 -Author: Daniel Canter -Date: Sun Dec 19 11:17:40 2021 -0500 - - Change to using internal/exec pkg for host process containers - - This change swaps to using the new internal/exec package for host process - containers to make use of the pseudo console functionality and ability to - launch a process in a job object at creation time instead of assigning - shortly after. This does not add in the implementation for pseudo console - usage, just changes to the package that allows the functionality. - - 
Signed-off-by: Daniel Canter - -commit 2314362e977aa03b3ed245a4beb12d00422af0e2 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Sat Dec 18 09:11:05 2021 -0500 - - Add new exec package for host process containers (#1233) - - * Add new exec package for host process containers - - This change adds a new exec package thats main goal is to run - external processes on Windows. Unfortunately due to a couple - things that can't be accomplished with the stdlib os/exec package, - this new package is meant to replace how processes for host process - containers are launched. - - The main shortcomings are not being able to pass in a pseudo console to use - for tty scenarios, and not being able to start a process assigned to a job object - instead of doing the Create -> Assign dance. Both of these issue are centered - around not having access to the process thread attribute list that is setup inside - of syscall.StartProcess. This is needed to be able to properly setup both cases, - as it requires calling UpdateProcThreadAttribute and passing in what's necessary - for both scenarios. - - This change ends up bumping x/sys/windows as well to grab some fixes for the attribute list functionality. - - 
Signed-off-by: Daniel Canter - -commit 27c40c68d50b5f65ab1508b8ebebebf68822d6fb -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Dec 16 22:52:16 2021 -0500 - - Bump github.com/opencontainers/image-spec from 1.0.1 to 1.0.2 in /test (#1247) - - Bumps [github.com/opencontainers/image-spec](https://github.com/opencontainers/image-spec) from 1.0.1 to 1.0.2. - - [Release notes](https://github.com/opencontainers/image-spec/releases) - - [Changelog](https://github.com/opencontainers/image-spec/blob/main/RELEASES.md) - - [Commits](https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2) - - --- - updated-dependencies: - - dependency-name: github.com/opencontainers/image-spec - dependency-type: direct:production - ... - - Signed-off-by: dependabot[bot] - - Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> - -commit 1d27d4ab2d07891c15accd6cc50a41046ce10095 -Merge: 3c6830393 b128cacc3 -Author: Kathryn Baldauf -Date: Thu Dec 16 13:20:52 2021 -0800 - - Merge pull request #1238 from ambarve/e2e_unordered_test - - Add E2E test for pulling images with unorderd tar - -commit 13e30f2df903f29eb8ee066a18c2faef558c40f1 -Author: Kathryn Baldauf -Date: Thu Dec 16 12:55:06 2021 -0800 - - Add endpoint settings to add nic call - - 
Signed-off-by: Kathryn Baldauf - -commit 3c68303936d7a6e751d7993b8667e3bd375f2ee2 -Merge: f8cbd0b11 0a92f8b9c -Author: Kathryn Baldauf -Date: Wed Dec 15 10:23:13 2021 -0800 - - Merge pull request #1244 from dcantah/fix-ci - - Revendor in /test and remove dead code - -commit 0a92f8b9c79808d798df34721b9fe8256edecd9c -Author: Daniel Canter -Date: Wed Dec 15 11:22:19 2021 -0500 - - Revendor in /test and remove deadcode - - Somehow after the last two check-in's the CI (specifically our linter) - started whining about ext4BlockSize being dead code. With the last check-in - to master our verify-test-vendor step also somehow didn't catch that - /internal/winapi/process.go was updated and needed to be pulled in. This - change fixes both of those issues. - - Signed-off-by: Daniel Canter - -commit f8cbd0b11c7ae5d6ab253851d6525aa745ed4f47 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Dec 15 08:01:54 2021 -0800 - - Add conpty (pseudo console) package (#1228) - - * Add conpty (pseudo console) package - - This change adds a conpty package that houses go friendly wrappers around - the Pseudo Console API in Windows. This will be used to support tty scenarios - for Host Process containers. - - There's not many tests I can add here as you need to hook this up to a running - process, where that work is coming. - - Signed-off-by: Daniel Canter - -commit 9238796d7764a588f26571d9a97b5c64b045c04b -Author: Maksim An -Date: Mon Dec 13 15:24:15 2021 -0800 - - Add function to write hash device (#1235) - - Split hash-device computation and writing into a separate function. - This allows to store hash device in a separate file, which (e.g.) can - be converted to VHDs and exposed inside VMs as separate block devices. - - Update `dmverity-vhd` command-line utility to support writing hash device - as a separate VHD - - 
Signed-off-by: Maksim An - -commit b128cacc3492b6bb354e4093d5ea4d87fda211fc -Author: Amit Barve -Date: Mon Dec 6 06:23:26 2021 -0800 - - Remove unused imports - - Signed-off-by: Amit Barve - -commit 719f012f64d7687c11bdb6df457365b50bfc8b50 -Merge: f099e3487 6d388654a -Author: Kathryn Baldauf -Date: Fri Dec 3 10:35:23 2021 -0800 - - Merge pull request #1212 from katiewasnothere/ncproxy_api_hcn_only - - Update ncproxy API and adjust hcn support - -commit 6d388654a52dbc5d1ebfb95c6c3fda74bedfbbbb -Author: Kathryn Baldauf -Date: Thu Oct 28 20:18:03 2021 -0700 - - Update ncproxy API and adjust hcn support - - Signed-off-by: Kathryn Baldauf - -commit f099e34878c260511ff37873b7231b5f2c769199 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Dec 1 11:47:06 2021 -0700 - - Add ws2022 image/build to cri-containerd tests (#1160) - - * Add ws2022 image/build to cri-integration tests - - This change adds a new case to the getWindowsServerCoreImage and - getWindowsNanoserverImage functions to return ws2022 on a ws2022 or higher - build. The higher case is because of some recent efforts to improve down-level - compatability for Windows container images. For reference, the ltsc2022 image - works on a win11 host without hypervisor isolation. - - Signed-off-by: Daniel Canter - -commit ae9f6139382b8ccffbb95c437eebd9c57cddc8a9 -Author: Amit Barve -Date: Wed Dec 1 08:18:41 2021 -0800 - - go mod vendor & go mod tidy - - Signed-off-by: Amit Barve - -commit b26965778521d8eb635665952c0d1c3156ef2f61 -Author: Amit Barve -Date: Tue Nov 30 23:17:21 2021 -0800 - - Add E2E test for pulling images with unorderd tar - - 
Signed-off-by: Amit Barve - -commit 7646525e7a4d2608288ac2bcc7137d71e21d5297 -Merge: f52c34677 80376f872 -Author: Kathryn Baldauf -Date: Mon Nov 29 16:59:40 2021 -0800 - - Merge pull request #1215 from katiewasnothere/support_lcow_assigned_device - - Support assigning devices into LCOW - -commit 80376f8726dea4ef55a531f30443135fd5c08049 -Author: Kathryn Baldauf -Date: Mon Nov 29 16:29:12 2021 -0800 - - respond to PR feedback - - Signed-off-by: Kathryn Baldauf - -commit f52c34677adb0fca2e912cf5ee35c00a14c293c2 -Author: Maksim An -Date: Tue Nov 23 11:40:30 2021 -0800 - - Fix ReadExt4SuperBlock function (#1229) - - Previously the function would read bytes from a given file - and convert them into internal ext4 super block object, - without checking that the read bytes are actually ext4 - super block. - Fix the behavior by checking ext4 super block magic. - - Signed-off-by: Maksim An - -commit dccc62d2dd2cc3dcf9df7bbe1ef4165443b6ed49 -Merge: 3b78eb38e 29eeb4306 -Author: Kathryn Baldauf -Date: Mon Nov 22 16:37:43 2021 -0800 - - Merge pull request #1216 from katiewasnothere/restructure_ncproxy_apis - - Restructure location of various ncproxy apis - -commit 29eeb43065c37042dbf790cc7a001b142a05e9e2 -Author: Kathryn Baldauf -Date: Mon Nov 22 15:06:48 2021 -0800 - - Update doc files to include package name - - Signed-off-by: Kathryn Baldauf - -commit c40eb70128db878b55998bab295d32aa93db42bf -Author: Kathryn Baldauf -Date: Wed Nov 3 16:09:19 2021 -0700 - - Restructure location of various ncproxy apis to accomodate future changes - - 
Signed-off-by: Kathryn Baldauf - -commit 3b78eb38eb8a933128189539e3ba44e6fb543715 -Merge: 0f39fc7d1 fa17cd83e -Author: Kathryn Baldauf -Date: Mon Nov 22 11:16:23 2021 -0800 - - Merge pull request #1231 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.8 - - Bump github.com/containerd/containerd from 1.5.7 to 1.5.8 - -commit fa17cd83e149344912edadce267a46d2340cdcc1 -Author: Kathryn Baldauf -Date: Fri Nov 19 15:09:13 2021 -0800 - - Update containerd from 1.5.7 to 1.5.8 in /test - - Signed-off-by: Kathryn Baldauf - -commit a152a19df9858e5ccceeef66431125436aa22cff -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Thu Nov 18 16:45:43 2021 +0000 - - Bump github.com/containerd/containerd from 1.5.7 to 1.5.8 - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.7 to 1.5.8. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.7...v1.5.8) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - 
Signed-off-by: dependabot[bot] - -commit 0f39fc7d19500769dcd4e5eb09800d9e5f448f9a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Nov 17 17:37:49 2021 -0800 - - Set default time zone for WCOW UVM (#1192) - - For the v2 hcs code paths it seems the only time a time zone is set is if - a new field on the guest connection settings is present (which we don't have) - while using the internal guest connection (shim -> hcs -> gcs). Otherwise - the guest is just left without a time zone set, so things like tzutil or - the get-timezone powershell cmdlet will return an invalid time zone set. - We swapped to always using the external guest connection we maintain in the - shim so we need to set a time zone explicitly. - - This change issues a request to the gcs to set a timezone via the same method that - hcs uses internally. It sets the guests time zone to whatever is present on - the host which is the docker behavior, and then all containers in the vm - should inherit this. Additionally expose an option to override this behavior and - just set the time zone to UTC. If the container wants to change its time zone - to something else, it is free to on supported images. - - See https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/virtual-time-zone - - Signed-off-by: Daniel Canter - -commit db9908f6da0f7da3590c25f4d0b24964d1f885ef -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Fri Nov 12 12:03:34 2021 -0800 - - Time synchronization inside LCOW UVM (#1119) - - Start time synchronization service in opengcs - - Changes to the opengcs to start the chronyd service after UVM boots. - - Signed-off-by: Amit Barve - - * - - Signed-off-by: Amit Barve - - * TimeSync service inside LCOW UVM. - - Add test to verify both chronyd running & disabled cases. Minor fixes in chronyd startup - code. - - Signed-off-by: Amit Barve - - * Run Chronyd with restart monitor - - 
Signed-off-by: Amit Barve - - * Force chronyd to step update time if difference is big - - Signed-off-by: Amit Barve - - * Fixes after rebase - - Signed-off-by: Amit Barve - - * go mod vendor & tidy - - Signed-off-by: Amit Barve - - * Use backoff package instead of manually calculating backoffs - - Signed-off-by: Amit Barve - - * Rename gcs cmdline params, use io.ReadFull instead of io.Read - - Minor other fixes. - - Signed-off-by: Amit Barve - - * go mod vendor - - Signed-off-by: Amit Barve - - * Ignore err if file doesn't exist - - Signed-off-by: Amit Barve - - * Use ioutil.ReadFile to read clock_name file - - Signed-off-by: Amit Barve - - * minor fix - - Signed-off-by: Amit Barve - - * Remove incorrect usage of backoff.MaxElapsedTime - - Signed-off-by: Amit Barve - -commit ddab09b33a352e5d66fe2419066a2858b337c544 -Author: Maksim An -Date: Thu Nov 11 15:55:03 2021 -0800 - - Rework merkle tree implementation to use io.Reader instead of byte array (#1209) - - MerkleTree implementation requires the entire content of ext4 file - system to be read into a byte array when computing cryptographic digest. - - This PR reworks the existing implementation to work with io.Reader - interface instead. - - Additionally update the existing usages of MerkleTree with the new - MerkleTreeWithReader implementation. - - Separate tar to ext4 logic of Convert into a ConvertTarToExt4 - function. - - 
Signed-off-by: Maksim An - -commit 3a8cd1e08c39c7efa59da94e349816da34a90359 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Nov 11 10:47:15 2021 -0800 - - Add 21H2 definitions to osversion package (#1205) - - * Add 21H2 definitions to osversion package - - This change adds three new definitions to the osversion package. All - three definitions are all of the 21H2 builds across Windows 10, Windows Server - and Windows 11, which all have different build numbers. - - The approach taken was to add a suffix to the definitions with Win10, Server and - Win11 respectively. - - Signed-off-by: Daniel Canter - -commit d230699f3b34933cb46281ceaedd1e61b6cce04a -Author: Stavros Volos -Date: Thu Nov 11 18:17:29 2021 +0000 - - security policy appended to container's environment variables (#1219) - - security policy appended to environment variables so that containers can have access to it at runtime - - Signed-off-by: Stavros Volos - -commit 041736614696a7394edcb733292688c2bab69ead -Author: Maksim An -Date: Wed Nov 10 15:34:10 2021 -0800 - - Add DefaultContainerAnnotations runhcs option (#1210) - - protos: Add default_container_annotations to runhcs options protos - - Assign default container annotations from runhcs options to - container spec Annotations, without overriding the ones that are - explicitly passed - - Signed-off-by: Maksim An - -commit 9e3ba9c8118307649b7839825cad06f236a3c5b9 -Author: Netal Gupta (negup) -Date: Wed Nov 10 15:29:13 2021 -0800 - - Add json struct tag to SetPolicyType's Type field (#1194) - - Add json struct tag to SetPolicyType's Type field - - The "Type" fieldname was interfering with an internal "Type" field. Added a struct tag to marshal it as "PolicyType" instead. - - 
Signed-off-by: netal - -commit 37ee929b0f0d80eed36fac7755bc7c90d3f96c75 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Nov 10 10:51:44 2021 -0800 - - go.mod: Bump ttrpc to 1.1.0 (#1223) - - This tag contains a fix for a deadlock we'd observed on Windows when multiple - requests were made in parallel. - - Signed-off-by: Daniel Canter - -commit aaf5db90ef6961e767a4d5ca4bcf7f1f6465bcca -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Nov 5 17:49:37 2021 -0700 - - Pass disk handle for computestorage.FormatWritableLayerVhd on RS5 (#1204) - - Pass disk handle for FormatWritableLayerVhd on RS5 - - On RS5 the HcsFormatWritableLayerVhd call expects to receive a disk handle. - On 19h1+ you can pass a vhd handle and internally they will do the same - work we're doing in this change to grab a disk handle to perform the format. - - Signed-off-by: Daniel Canter - -commit a1756afbc5e6d01acba33be06a7c6bf6832252a0 -Merge: 9c385bfd9 352791551 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Nov 5 16:38:19 2021 -0700 - - Merge pull request #1220 from dcantah/update-readme-goversion - - Update readme to list accurate go version - -commit 352791551847dbc62a8f880594664a4005468f5c -Author: Daniel Canter -Date: Fri Nov 5 16:31:33 2021 -0700 - - Update readme to list accurate go version - - Our README stated that you'd need go 1.9 or newer to build. Our go.mod - currently lists 1.13 however. - - 
Signed-off-by: Daniel Canter - -commit 9c385bfd904209184eca2b61b65b4ced32001f6c -Merge: 4230df2fb aea3b96d5 -Author: Kathryn Baldauf -Date: Thu Nov 4 22:59:56 2021 -0700 - - Merge pull request #1211 from katiewasnothere/sandbox_mounts_perm - - Fix permissions issues with sandbox mounts - -commit 4230df2fbfa9f0bf629c5aa60e27d04e15b29f36 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Thu Nov 4 15:15:04 2021 -0700 - - Handling of out-of-order whiteout files during tar expansion (#1218) - - Handling of out-of-order whiteout files during tar expansion - - When extracting a container image layer tar, some files can show in an out of order - fashion (i.e the file shows up first before its parent directory shows up). We already - handle this by creating these parent directories if they don't already exist. However, - that handling didn't apply to whiteout files. This commit fixes that. - - Signed-off-by: Amit Barve - -commit aea3b96d55b9ecd541427ecf523f9300c1b64c8e -Author: Kathryn Baldauf -Date: Thu Oct 28 15:40:29 2021 -0700 - - Fix permissions issues with sandbox mounts - - Signed-off-by: Kathryn Baldauf - -commit b8917e19cc175015248b327ed2ec74eb5e751ccb -Author: Maksim An -Date: Tue Nov 2 21:51:50 2021 -0700 - - Add retries when removing device mapper target (#1200) - - Add retries when removing device mapper target - - Additionally ignore the error from device mapper if target removal - still fails. The corresponding layer path is already unmounted - at that point and this avoids having an inconsistent state. - - Signed-off-by: Maksim An - -commit 3271c6eac70274d7b66bc2ecb1a5a36826456e50 -Author: Kathryn Baldauf -Date: Thu Oct 14 18:16:19 2021 -0700 - - Support assigning devices into containers - - 
Signed-off-by: Kathryn Baldauf - -commit 97ca2e099383e43b3a8f8f4bff1a4a3bb0ca40d8 -Merge: 47b617153 af37ae593 -Author: Kathryn Baldauf -Date: Tue Nov 2 10:47:23 2021 -0700 - - Merge pull request #1195 from katiewasnothere/lcow_install_modules - - Add tool to install modules in lcow and plumb through shim - -commit 47b6171536c0007446925be76619a507a7b6ea93 -Author: KenGordon -Date: Tue Nov 2 08:49:11 2021 -0700 - - Support booting isolated SNP from a GuestStateFile rather than separate kernel and userland (initrd.img) (#1206) - - Mainly this refactors the code that creates the hcs api json document into two paths. One is the previous - logic that will create a kernel command line and boot the kernel and userland from individual files using - the "LinuxKernelDirect" scheme. With isolation enabled this must be replaced with "GuestState/GuestStateFilePath" - etc to load from a vmgs file. - - There are updates and addition files in the schema2 directory to support the newer hcs API so that the existing - way where an object that represents the hcs api json is built and then serialised to json can be used with - isolation_setting etc. - - If a SecurityPolicy annotation is present it will boot the vmgs file unless - "io.microsoft.virtualmachine.lcow.no_security_hardware" is set to true. The various example pod.json files - will need to be updated for use with non SNP machines. - - Signed-off-by: Ken Gordon - -commit af37ae5930a29145b8200f944b7f8f6f6a0c6ec0 -Author: Kathryn Baldauf -Date: Mon Nov 1 12:57:54 2021 -0700 - - Move lcow install out of pnp file, remove unnecessary InstallWindowsDriver - - 
Signed-off-by: Kathryn Baldauf - -commit 7f72e50d237ad1413ef1b7fe400565e6a1d9a1fe -Merge: 27c580da3 1313fe1a1 -Author: Kathryn Baldauf -Date: Mon Nov 1 12:53:02 2021 -0700 - - Merge pull request #1196 from katiewasnothere/vpci_lcow_adapter - - Add support for finding net adapters that were assigned with vpci - -commit 27c580da303677f224d3d58de76da04f87fb3612 -Merge: 5f5e3ea28 573c1375f -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Oct 29 08:39:11 2021 -0700 - - Merge pull request #1197 from dcantah/retry-stdio-conns2 - - Add reconnect logic for stdio pipes - -commit 1313fe1a1be58e765207beec3eb716019387570c -Author: Kathryn Baldauf -Date: Thu Oct 28 13:09:43 2021 -0700 - - Address inconsistent vmbus naming, use of io/fs, and style - - Signed-off-by: Kathryn Baldauf - -commit 573c1375f5d664c52a589f3b910e126fb54b7e4d -Author: Daniel Canter -Date: Wed Oct 20 06:20:09 2021 -0700 - - Add reconnect logic for stdio pipes - - This change adds retry logic on the stdio relay if the server end of the named pipe - disconnects. This is a common case if containerd restarts for example. - The current approach is to make a io.Writer wrapper that handles the - reconnection logic on a write failure if it can be determined that the error - is from a disconnect. A new shim config option is exposed to tailor the retry timeout. - - This changes also adds cenkalti/backoff/v4 as a dependency to be used for handling - exponential backoff logic for the stdio connection retry attempts. Retrying - at a fixed interval is a bit naive as all of the shims would potentially - be trying to reconnect to 3 pipes continuously all in bursts. - This allows us to space out the connections, set an upper limit on timeout - intervals and add an element of randomness to the retry attempts. - - 
Signed-off-by: Daniel Canter - -commit 9ed0296c1f540d0c647d4e47efe69c385e061751 -Author: Kathryn Baldauf -Date: Thu Oct 28 12:34:22 2021 -0700 - - Remove io/fs package in favor of filepath functions - - Signed-off-by: Kathryn Baldauf - -commit d76a8dc422de2d77c6d0e7162f0b602daccd13e5 -Author: Kathryn Baldauf -Date: Thu Oct 14 12:11:23 2021 -0700 - - Add tool to install modules in lcow and plumb through - - Signed-off-by: Kathryn Baldauf - -commit 5f5e3ea28e8098234348f33b586d831eb2fee3dd -Merge: 08a61726e ac4a76a71 -Author: Kathryn Baldauf -Date: Wed Oct 27 11:19:57 2021 -0700 - - Merge pull request #1202 from katiewasnothere/cpugroup_update - - Support updating cpugroup membership - -commit 08a61726edab7d21845e3649bf48a901003031b2 -Merge: f174aa8e2 bc5e91468 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Oct 26 18:15:44 2021 -0700 - - Merge pull request #1207 from dcantah/jobcontainer-cmdline-fix - - Fix commandline double quoting for job containers - -commit bc5e9146833ced319652576721db0f052ce4c882 -Author: Daniel Canter -Date: Mon Oct 25 09:46:13 2021 -0700 - - Add test for job container cmdline quoting behavior - - This change adds a test to verify that commandlines with quotes don't get - additional quotes added on to them when combining the arguments given. - - 
Signed-off-by: Daniel Canter - -commit 7cb95b67220468546e50086a05d0d46d1ed48640 -Author: Daniel Canter -Date: Fri Oct 22 15:11:15 2021 -0700 - - Fix commandline double quoting for job containers - - We already escape the arguments passed to us by Containerd to form a - Windows style commandline, however the commandline was being split back - into arguments and then passed to exec.Cmd from the go stdlib. exec.Cmd - internally also does escaping, which ended up applying some extra quotes - in some cases where the commandline had double/single quotes present. This change - just passes the commandline as is to the Cmdline field on the Windows - syscall.SysProcAttr. Go takes this field as is and doesn't do any further - processing on it which is the behavior we desire. - - Signed-off-by: Daniel Canter - -commit f174aa8e22dc25924943984ae74bafc238228f62 -Author: Maksim An -Date: Fri Oct 22 13:28:18 2021 -0700 - - tests: Add CRI tests for integrity protection of LCOW layers (#1193) - - Add tests that validate that integrity protection is checked when - LCOW layers have dm-verity hashes appended. - - 
Signed-off-by: Maksim An - -commit 821c9a91dd8b5f4c28d9578eee56f68e9fec98ba -Merge: 60b5fa7ee d244780dd -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Oct 22 04:23:31 2021 -0700 - - Merge pull request #1203 from dcantah/computestorage-fix-layerdata - - Fix LayerData not being usable for ComputeStorage package - -commit d244780dd3c493de08037cd591678d755e3919e5 -Author: Daniel Canter -Date: Thu Oct 21 09:27:53 2021 -0700 - - Fix LayerData not being usable for ComputeStorage package - - Previously the LayerData structure in the computestorage package used - definitions from the hcs schema from /internal so it was not actually possible - to create a LayerData structure for an outside caller. - - This just creates local type aliases for hcsschema.Version and hcsschema.Layer - so a client can create the structure now using computestorage.Version and - computestorage.Layer respectively. - - Signed-off-by: Daniel Canter - -commit ac4a76a71168cd35647f72f22ff729eedd07725f -Author: Kathryn Baldauf -Date: Wed Oct 20 10:49:26 2021 -0700 - - Support updating cpugroup membership - - Signed-off-by: Kathryn Baldauf - -commit 60b5fa7eea6f95295888d71b0621eb1c1291fb67 -Merge: af3d66091 510109ed5 -Author: Kathryn Baldauf -Date: Wed Oct 20 12:59:30 2021 -0700 - - Merge pull request #1187 from katiewasnothere/allow_hardlinks_to_symlinks - - Remove block preventing us from making hardlinks to symlinks - -commit 510109ed51dcfee02585800d255460645ac62db8 -Author: Kathryn Baldauf -Date: Mon Oct 4 14:23:11 2021 -0700 - - Remove block preventing us from making hardlinks to symlinks - - 
Signed-off-by: Kathryn Baldauf - -commit af3d660913acc6c7a852990fd6d28a0d76f872de -Author: Maksim An -Date: Tue Oct 19 17:16:03 2021 -0700 - - Extend integrity protection of LCOW layers to SCSI devices (#1170) - - * extend integrity protection of LCOW layers to SCSI devices - - LCOW layers can be added both as VPMem and as SCSI devices. - Previous work focused on enabling integrity protection for read - only VPMem layers, this change enables it for read-only SCSI - devices as well. - Just like in a VPMem scenario, create dm-verity target when - verity information is presented to the guest during SCSI device - mounting step. - - Additionally remove unnecessary unit test, since the guest logic - has changed. - - Add pmem and scsi unit tests for linear/verity device mapper - targets - - Signed-off-by: Maksim An - -commit 51ce91cb9f70b3db255fe5f3d57bd3c17cfe988a -Author: Maksim An -Date: Tue Oct 19 16:19:40 2021 -0700 - - Export hcsshim annotations into its own package (#1201) - - Previously hcsshim annotations were not exported, which lead to use - of hardcoded strings in various places (e.g. tests, guest code etc). - This change creates a package just for the hcsshim annotations. - - Signed-off-by: Maksim An - -commit b406abf17bf5ea869c827d84e9eb2cd30fb70fd2 -Merge: 1b1197ba4 5ec59dcbc -Author: Kevin Parsons -Date: Tue Oct 19 13:22:00 2021 -0700 - - Merge pull request #1188 from kevpar/restart-tests - - Support restarting containerd in tests, add restart test case - -commit 5ec59dcbcd73b81aa0cffb239eab0532b1ad9b63 -Author: Kevin Parsons -Date: Fri Oct 15 14:10:57 2021 -0700 - - Add TerminateOnRestart feature flag for new test - - Signed-off-by: Kevin Parsons - -commit 7b098b06f30281941fdfdcd22f3b5c8cb8b1960c -Author: Kevin Parsons -Date: Fri Oct 15 14:07:16 2021 -0700 - - Address PR feedback - - 
Signed-off-by: Kevin Parsons - -commit 007ec077b22f0dc2a164972c39fcdf6d6c823fde -Author: Kathryn Baldauf -Date: Thu Oct 14 12:40:11 2021 -0700 - - Add support for finding net adapters that were assigned with vpci - - Signed-off-by: Kathryn Baldauf - -commit 1b1197ba4bfeb47a66fff780e21d95609a728939 -Merge: 2a4f8142a 2d0978cf7 -Author: Kathryn Baldauf -Date: Fri Oct 8 16:46:49 2021 -0700 - - Merge pull request #1067 from katiewasnothere/test_network_agent - - Add test network agent for ncproxy dev work - -commit 2d0978cf76311a2512b0282b0bf7f60495c73b3b -Author: Kathryn Baldauf -Date: Fri Jul 9 11:05:44 2021 -0700 - - Add test network agent for ncproxy dev work - - Signed-off-by: Kathryn Baldauf - -commit 2d35b70f54af6e3306800c2bb565005900f7db39 -Author: Kevin Parsons -Date: Tue Oct 5 16:18:53 2021 -0700 - - cri-containerd.test: Add containerd restart test - - Adds a test case that runs a pod+container, restarts containerd, then - verifies that the pod+container were terminated. This validates the - change made in the CRI fork [1] to terminate containers when containerd - is restarted. - - [1]: https://github.com/kevpar/cri/commit/f8e83e63cc027d0e9c0c984f9db3cba58d3672d4 - - 
Signed-off-by: Kevin Parsons - -commit 2a4f8142a0da714dbb0da87eb8cd0d75486970d2 (tag: v0.9.0) -Merge: 8dacd2313 1628c8723 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Oct 6 13:21:45 2021 -0700 - - Merge pull request #1191 from dcantah/revert_21h2 - - Revert V21H2 osversion definition - -commit 1628c8723eee39deb2bb1e5a1736db0062109676 -Author: Daniel Canter -Date: Wed Oct 6 12:57:56 2021 -0700 - - Revert "Update windowsbuilds.go" - - This reverts commit 7b6e3dac2b3b0c2e06ab5d0bf2a0665fb80ae511. The reason - for this is because the tag 21h2 actually refers to a couple different - Windows builds now unfortunately. It's the tag for the latest Windows 10 - update, for Windows 11, and Windows Server 2022. We're looking into how - best to actually name these going forward if we're going to account for an - event like this again. - - 
Signed-off-by: Daniel Canter - -commit 8dacd2313fe9c6e9d2f0724c54e6cf173f9c0a83 -Merge: 4a1e168a4 6ad0944ea -Author: Kathryn Baldauf -Date: Wed Oct 6 10:01:26 2021 -0700 - - Merge pull request #1189 from katiewasnothere/update-ncproxy-resource-names - - Update names of ncproxy proxy resources with test name included - -commit f5ca517bd44f863fa7be07be9e249d3a1d866842 -Author: Kevin Parsons -Date: Wed Sep 8 09:49:13 2021 -0700 - - test: Add containerd start/stop support - - This change lets the cri-containerd tests start/stop containerd as - needed, rather than assuming it is always running. This is done through - the addition of startContainerd/stopContainerd functions which can be - called from tests. As all of the existing tests need containerd to be - running, this currently is not used in any tests. Future tests can take - advantage of this functionality. - - Tests assume that containerd is running when they start, and should not - need to explicitly start containerd before calling into it. This means - that if a test stops containerd, it needs to ensure containerd is - started again. If containerd crashes during a test, then subsequent - tests will fail, but that's the same as the current behavior. - - An unfortunate side effect of this change is that, due to a standing - issue with Go's service support and containerd, the service can - sometimes exit with ERROR_PROCESS_ABORTED when it is stopped. Combined - with the fact that recovery actions are used for containerd, this can - result in the service being restarted by the service control manager. To - work around this, we need to first disable recovery actions for the - service before running tests. This can be done with: - - sc failure containerd reset=0 actions= command= - - 
Signed-off-by: Kevin Parsons - -commit 4abfd066a5e0828bc55cd4abe35db100b11bd8bd -Author: Kevin Parsons -Date: Wed Sep 8 09:39:49 2021 -0700 - - test: Make main.go a test file - - Previously main.go didn't have _test suffix, so it was not considered a - test file. Notably this meant that TestMain was never actually invoked - because it must be in a test file. It seems we were fortunate that there - was nothing in TestMain that wasn't done automatically by the Go test - infrastructure. - - As the cri-containerd directory is all test code, it is probably safe - to rename all other files in the directory to be test code as well. - However, that is left for a future change. - - Signed-off-by: Kevin Parsons - -commit 6ad0944ea350fbf0c19ed70fc5c5944e11ae73f6 -Author: Kathryn Baldauf -Date: Tue Oct 5 16:24:02 2021 -0700 - - Update names of ncproxy proxy resources with test name included - - Signed-off-by: Kathryn Baldauf - -commit 4a1e168a4aecd0cce49347b2d7c9558c744205a5 -Merge: ab02b159f bf9daeedc -Author: Kathryn Baldauf -Date: Tue Oct 5 12:59:43 2021 -0700 - - Merge pull request #1097 from katiewasnothere/compute_agent_store - - Add compute agent store for ncproxy reconnect - -commit bf9daeedcb59dac1730800b77b98e629ce6d28b3 -Author: Kathryn Baldauf -Date: Fri Oct 1 15:14:59 2021 -0700 - - Update comments for database and reconnect, document failure cases - - Signed-off-by: Kathryn Baldauf - -commit ab02b159f6f11b5d91aa4e66afcba9f8f2698919 -Merge: 851b2a53d 9268c25e8 -Author: Kathryn Baldauf -Date: Mon Oct 4 16:01:00 2021 -0700 - - Merge pull request #1186 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.7 - - Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 - -commit 9268c25e8f6e1ef6db935f620c9912075235feb9 -Author: Kathryn Baldauf -Date: Mon Oct 4 15:40:28 2021 -0700 - - Update golangci build in ci pipeline - - 
Signed-off-by: Kathryn Baldauf - -commit 76a1b225a557ea5436935a3b5cad3333e476fb96 -Author: Kathryn Baldauf -Date: Mon Oct 4 14:42:48 2021 -0700 - - Remove deprecated runc configs device type - - Signed-off-by: Kathryn Baldauf - -commit 07d25d4a51fb95c9d493cc1ef507be93183fae3d -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Oct 4 21:02:13 2021 +0000 - - Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.4 to 1.5.7. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.4...v1.5.7) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - Signed-off-by: dependabot[bot] - -commit 851b2a53de9ec3d8c9dabed3d73f8816f31c046f -Merge: 2304a1b2d 608375c86 -Author: Kathryn Baldauf -Date: Mon Oct 4 13:51:00 2021 -0700 - - Merge pull request #1185 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.7 - - Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 in /test - -commit 608375c862617f2c1ff48e2907467339cf3093a4 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Oct 4 20:45:17 2021 +0000 - - Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 in /test - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.4 to 1.5.7. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.4...v1.5.7) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - 
Signed-off-by: dependabot[bot] - -commit 3c6ebddee8d420dd23745111d3f007e28c81c0e1 -Author: Kathryn Baldauf -Date: Mon Aug 23 18:41:53 2021 -0700 - - Prevent client connection leaks, address feedback - - Signed-off-by: Kathryn Baldauf - -commit 71695fd99ba1a1a309ad5ac3aa9a8ed489d44a3f -Author: Kathryn Baldauf -Date: Fri Aug 6 12:01:11 2021 -0700 - - Add compute agent store for ncproxy reconnect - - Signed-off-by: Kathryn Baldauf - -commit 2304a1b2dd5087f7646671dcd40249ab5073192b -Merge: a0d87926d 8ab28b159 -Author: Kathryn Baldauf -Date: Fri Oct 1 14:39:16 2021 -0700 - - Merge pull request #1182 from katiewasnothere/add_compute_agent_unit_tests - - Add unit tests for computeagent - -commit a0d87926d7651eb7428a0e408d199574a51c3f94 -Author: Maksim An -Date: Fri Oct 1 14:09:47 2021 -0700 - - tests: Fix ExecUser LCOW tests using old function signature (#1184) - - Signed-off-by: Maksim An - -commit 8ab28b159b45a2753bd4a7c5c9512bacf24a32fd -Author: Kathryn Baldauf -Date: Fri Oct 1 14:00:15 2021 -0700 - - Add back containerID to computeagent requests - - Signed-off-by: Kathryn Baldauf - -commit f3d7b87e78e18f9518a5005978d53493994cada1 -Author: Paul "TBBle" Hampson -Date: Fri Oct 1 11:25:58 2021 +1000 - - Also run tests on Windows Server 2022 GitHub Runner (#1176) - - Signed-off-by: Paul "TBBle" Hampson - -commit d524163f9139be2604fa28b932814a0ab586394a -Author: Kathryn Baldauf -Date: Wed Sep 29 14:36:12 2021 -0700 - - Add unit tests for computeagent - - 
Signed-off-by: Kathryn Baldauf - -commit 7ed4bb01a0eeb0becbfe674b32c7173636110347 -Merge: 5cd83e58f 9d8ccad09 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Sep 30 15:11:09 2021 -0700 - - Merge pull request #1181 from dcantah/remove-unused-memory-winapi - - Remove unused definitions in winapi - -commit 5cd83e58fbaa5046ea56e7dfc2fd3857cfea4805 -Author: Maksim An -Date: Wed Sep 29 16:01:45 2021 -0700 - - tests: Fix tests that used old pullRequiredLCOWImages func name (#1183) - - Lack of rebase when merging - https://github.com/microsoft/hcsshim/pull/1180 resulted in some - test files being out of date and containing old helper function - name - - Signed-off-by: Maksim An - -commit 8debf44d62391eaebbc5d2a80999ab1221d31873 -Author: Maksim An -Date: Wed Sep 29 15:18:17 2021 -0700 - - Refactor pod config generation in tests (#1180) - - Add SandboxConfigOpt func type, which enables pluggable configuration - of PodSandboxConfig. - - Signed-off-by: Maksim An - -commit 057bebe3caf7811ed63efae5b83bf893f21648d4 -Merge: 3046e940b b3b21da84 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Sep 28 19:44:29 2021 -0700 - - Merge pull request #1178 from dcantah/exec-username - - Rework LCOW username setup/exec behavior - -commit b3b21da849b2e1c605c4684bf17edcebee7bd5d0 -Author: Daniel Canter -Date: Tue Sep 28 18:15:22 2021 -0700 - - Revert cri-containerd windows container image mistake - - A previous change I'd made that was just for local testing changed the panic - in our cri-containerd test suite to choose a set image. This simply reverts - that. - - 
Signed-off-by: Daniel Canter - -commit e0dc7053de42642bd8fadeefc270187eb26224d3 -Author: Daniel Canter -Date: Fri Sep 17 02:21:52 2021 -0700 - - Rework LCOW username setup/exec behavior - - This change swaps to checking the OCI specs username field instead of - our custom annotation to match upstream. The real change is in how what - user an exec runs as is handled. In most places in Containerd an execed process - gets assigned the process spec of the container it’s getting launched in - (so it will inherit anything set on the container spec), but due to the nature - of LCOW there’s some OCI spec fields we set in the UVM instead as they’re not - able to be handled on the host (in a clean manner at least). One of these is - the user for the container. - - On a Linux host, Containerd will check if the user exists in the filesystem for - the container before setting the user on the spec. On LCOW we just have vhd’s with - the contents of the layers when making the spec which makes this a bit infeasible, so - we defer that work until we’re in the guest and then edit the spec if the user exists. - This has the outcome that the user is never set on the containers spec on the host for - LCOW, but we do have the final amended spec in the UVM with whatever user was - requested (or was set in the image via USER and so on). - - The way this is handled is by setting the Username field on the spec and then - grabbing the uid:gid based on this string in the guest. The same is done for - an exec. If a custom user is specified, try and find the uid:gid for the string - provided. Otherwise, if Username is an empty string, just inherit whatever user - the container spec contained. - - 
Signed-off-by: Daniel Canter - -commit 9d8ccad09f1990f8951487599cfd6bf5290f57a3 -Author: Daniel Canter -Date: Tue Sep 28 05:46:34 2021 -0700 - - Remove unused definitions in winapi - - This change removes some unused memory related definitions in internal/winapi. - They were originally going to be used for stats for host process contaienrs - but NtQuerySystemInformation was used instead. - - Signed-off-by: Daniel Canter - -commit 3046e940be41002e8836ed07bea7bb63eaa242cd -Merge: 18e235657 7931c55ed -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Sep 28 05:05:57 2021 -0700 - - Merge pull request #1173 from SeanTAllen/switched-policy-json-format - - Update json format for security policy - -commit 7931c55edaf61ee3b1cd998d58f2687376159348 -Author: Sean T. Allen -Date: Tue Sep 21 10:50:50 2021 -0400 - - Update json format for security policy - - These changes come by way of a suggestion from Maksim who noted that this - new format keeps the same information as the previous format, but organizes - it in a way that makes it easier to maintain the creation code and can - allow for the usage of a custom JSON marshaller to remove a source - of possible bugs in keeping the number of elements and the field that - is the length of said elements in sync, - - 
Signed-off-by: Sean T. Allen - -commit 18e235657cc592b49db4a8fce98847e4a3dbdba7 -Merge: 50c48dea7 f964e2838 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Sep 24 16:48:28 2021 -0700 - - Merge pull request #1062 from dcantah/coredump - - Add process dump functionality for WCOW/LCOW - -commit f964e283873cd13c1feec0c0d54b6e2e8dcfc920 -Author: Daniel Canter -Date: Fri Sep 24 15:57:43 2021 -0700 - - Add process dump cri-containerd testcases - - This change adds cri-containerd testcases that excercises the process dump - functionality. It sets up two containers, using images that stackoverflow/ - throw an exception shortly after starting. This should generate a dump - file in the sandbox mount location in the test. Then the second container - mounts the same sandbox mount and just verify that the core dump file generated - by the first is present. - - Signed-off-by: Daniel Canter - -commit e92d4009e7c8bc96b8982d1604caa80d31b15eba -Author: Daniel Canter -Date: Fri May 21 16:40:37 2021 -0700 - - Add process dump functionality for WCOW/LCOW - - This commit adds support for generating process dumps for hypervisor isolated containers. This includes - a new annotation to specify where process dumps should get placed on creation, which is global - to all containers. - - 
Signed-off-by: Daniel Canter - -commit 50c48dea7db638b29e65a978348e3ee433fb9bc7 -Merge: 2608ae21b 7a8989623 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Sep 24 12:24:21 2021 -0700 - - Merge pull request #1174 from dcantah/jobcontainer-noextension-fix - - Set PATHEXT for job containers to handle binaries with no extension - -commit 2608ae21b2759e2df63e528900cc8a7345f435d2 -Merge: 1f8211a77 52d76e85a -Author: Kathryn Baldauf -Date: Fri Sep 24 10:46:19 2021 -0700 - - Merge pull request #1163 from katiewasnothere/virtual_function_vpci - - Add support for passing in a virtual function index to assign pci device - -commit 1f8211a77a20be7a196e31f49d007ccc61dd0981 -Merge: 4275e49e4 92004da68 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Sep 24 03:38:03 2021 -0700 - - Merge pull request #1087 from dcantah/sandboxmount-wcow - - Add WCOW sandbox mount support - -commit 92004da684484c39ade5aa7d2c0b556d56e77fa4 -Author: Daniel Canter -Date: Fri Sep 24 02:37:59 2021 -0700 - - Add WCOW sandbox mount tests - - This change adds two cri-containerd tests to test WCOW sandbox mounts. - One test verifies the general functionality by having two containers - supply the same sandbox:// mount and validating that each container - can see whats in the mount. Another tests verifies that if we don't supply - the sandbox:/// mount for another container in the pod, it doesn't have access - to the mount. - - 
Signed-off-by: Daniel Canter - -commit 3c9e4ff7d9e290b385698a20c2934155166ccb89 -Author: Daniel Canter -Date: Fri Sep 24 02:11:47 2021 -0700 - - Add WCOW sandbox mount support - - This change adds sandbox mount like support for WCOW. Sandboxmounts are our LCOW - solution similar to a k8s empty dir mount. We create a directory that will house - various other subdirectories that a user can specify by supplying a sandbox:// prefix - for the host path of a mount. In the usual case the hostpath of a mount is in the context of the - physical host (e.g. I want C:\path on my machine mapped to C:\containerpath in my container), - however for sandbox mounts the host path is treated as relative to this directory we have - made in the VM. The root directory for these sandbox mounts I defined as C:\SandboxMounts - - Example: - "mounts": [ - { - "container_path": "C:\\test", - "host_path": "sandbox:///test" - } - ] - - The above will make a directory at C:\SandboxMounts\test in the Utility VM that will be mapped to - C:\\test in the container. If another container in the same pod supplied the same mount then - you would end up "sharing" this directory with the other container, meaning you would - both see anything placed/modified in this directory. - - The backing storage for these mounts will be the UVMs scratch disk, which currently is always 10GB - (8.5 actually usable) as that's whats hardcoded in HCS for the call we use that generates the vhd. - For some reason the expand vhd function from HCS doesn't function for the VM scratch disk which needs - some investigation :( - - 
Signed-off-by: Daniel Canter - -commit 4275e49e499d21186a2a75e05e85a4f760b3215c -Merge: 369c47426 9518added -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Sep 24 01:10:20 2021 -0700 - - Merge pull request #1137 from dcantah/jobcontainer-fixworkdir - - Rework how working directories function for job containers - -commit 7a89896235fd80d8128dbb6809951b9c08215bc2 -Author: Daniel Canter -Date: Thu Sep 23 17:40:49 2021 -0700 - - Set PATHEXT for job containers to handle binaries with no extension - - This change sets the PATHEXT environment variable which Go checks during - exec.Cmd startup to do some path resolution. PATHEXT contains a semicolon - separated list of extensions to check against if a path ended without one - (e.g. /path/to/my/binary). This simply adds an empty string entry to the end - so that binaries with no extension can be launched correctly. Although this isn't - a common occurrence it's still a good thing to support. Windows Server containers - are able to handle this fine, and CreateProcess is perfectly happy launching - a valid executable without an extension. - - This is mainly to support the agnhost image which is a common k8s testing image whose - entrypoint is a binary named agnhost with no extension. - https://github.com/kubernetes/kubernetes/blob/d64e91878517b1208a0bce7e2b7944645ace8ede/test/images/agnhost/Dockerfile_windows - - Signed-off-by: Daniel Canter - -commit 369c47426a5b1ae16ea82c91eb6596a04d88371f -Merge: 9eaa531ba e6eaeee1b -Author: Kathryn Baldauf -Date: Wed Sep 22 13:33:27 2021 -0700 - - Merge pull request #1172 from katiewasnothere/update_kernel_driver_annotation - - Update kernel driver annotation for accuracy - -commit e6eaeee1bc71dc4870b618de174d6c546a79a56c -Author: Kathryn Baldauf -Date: Tue Sep 21 14:07:30 2021 -0700 - - Update kernel driver annotation for accuracy - - 
Signed-off-by: Kathryn Baldauf - -commit 9eaa531ba2929a1ca458da0903194f64ea790dd1 -Author: Sean T Allen -Date: Tue Sep 21 12:57:04 2021 -0400 - - Change internal data structure in SecurityPolicyEnforcer (#1171) - - This commit changes the data structure that we use to track possible - GCS container ids for a given security policy container from an array - to a set. - - Set is the correct data structure to represent our constraint of "id - should only appear once". - - Additionally, it makes this tricky bit of code slightly easier to understand. - - Signed-off-by: Sean T. Allen - -commit f20a064a5395e27dbd6634b367e94bd50bd8c2d1 -Author: Maksim An -Date: Mon Sep 20 11:35:35 2021 -0700 - - fix vmAccess param usage in AddSCSI (#1167) - - AddSCSI wasn't using vmAccess parameter when making addSCSIRequest - - Signed-off-by: Maksim An - -commit 54234dcdca1a1250978edf8b221921983434732d -Author: Sean T Allen -Date: Mon Sep 20 13:59:41 2021 -0400 - - Rename EnforceStartContainerPolicy (#1169) - - The security policy enforcement point named "EnforceStartContainerPolicy" is - enforced at container create, not container start. - - This commit changes to the more appropriate and less potentially confusing name. - - Signed-off-by: Sean T. Allen - -commit e1d9c69b74ad8bdee3a1d42e68849ee02f2d2f6e -Author: Sean T Allen -Date: Mon Sep 20 13:50:27 2021 -0400 - - Rename variable in SecurityPolicyEnforcer (#1168) - - Once upon a time, naming the variable that represented the type as - "policyState" made sense, it no longer does. - - At Maksim's suggestion, this commit renames from "policyState" to "pe" which is short - for "policy enforcer". - - 
Signed-off-by: Sean T. Allen - -commit 8f21c1144e53ba8e9186e0b2878cd68e01c44f70 -Author: Sean T Allen -Date: Mon Sep 20 13:40:01 2021 -0400 - - Update naming in internal security policy tool (#1166) - - Maksim pointed out that when we added information beyond the image of an image - that the "image" entries in a TOML policy generation file weren't describing - images; the describe containers. - - The addition of command line, environment variables, and what not to allow - is a description of a container that should be allowed to be created. The - only image specific bit is the name. - - Signed-off-by: Sean T. Allen - -commit 2d31cba7dcba59cd0a8e38774e682cd87bb6e292 -Author: Sean T Allen -Date: Mon Sep 20 12:22:16 2021 -0400 - - Remove unused variable (#1165) - - Signed-off-by: Sean T. Allen - -commit 5eaf8dc71bb9535505b3f43dc91f3eeaaa53a384 -Author: Sean T Allen -Date: Mon Sep 20 11:25:48 2021 -0400 - - Make policy environment variable rules consts (#1164) - - This was a small change that came up in the initial code review that we put - off "for a later date". - - The valid strategy strings are now shared between the policy tool and gcs - so they can't end up with a mismatch. - - Signed-off-by: Sean T. Allen - -commit 52d76e85a39091b015544f38ac49430e484706df -Author: Kathryn Baldauf -Date: Fri Sep 17 19:22:53 2021 -0700 - - Add support for passing in a virtual function index to assign pci device - - 
Signed-off-by: Kathryn Baldauf - -commit 403164d6066f8c5246713481a6746b48ee06dde9 -Author: Sean T Allen -Date: Thu Sep 16 17:22:57 2021 -0400 - - Enforce security policy at unmount (#1162) - - This is the first iteration of policy enforcement at unmount. There is an additional set - of functionality that will come as part of a larger change in the near future. - - With this commit, we record that a device has been unmounted such that it isn't eligible to - be used in any overlay after unmounting. - - In a future commit, I will be adding disallowing unmounting a device that is being used by a - running container. - - Signed-off-by: Sean T. Allen - -commit 65979d6d6238064bfe34c54dfc9377e21152662f -Author: Maksim An -Date: Wed Sep 15 17:41:26 2021 -0700 - - Enable scratch space encryption via annotation (#1095) - - Add bool annotation "io.microsoft.virtualmachine.storage.scratch.encrypted" - that enables scratch space encryption. - Update guest request protocols to allow encryption for SCSI - devices. - - Signed-off-by: Maksim An - -commit ae271bff40eaf81c1b35f94edc8b21a96dbddc00 (tag: v0.9.0-rc0) -Merge: 2811ffe26 c8afad4a1 -Author: Maksim An -Date: Tue Sep 14 12:13:30 2021 -0700 - - Merge pull request #1158 from SeanTAllen/scsi-with-dmverity - - Add security policy enforcement for SCSI devices - -commit c8afad4a1e72bcfc2ccc8bd517757da9f725741d -Author: Sean T. Allen -Date: Fri Sep 10 13:05:57 2021 -0400 - - Add security policy enforcement for SCSI devices - - Previously, we only had support for VPMem devices, however, under some scenarios, container - layer devices will be mounted as SCSI; for those scenarios, we will to enforce policy. - - Currently, we only enforce policy for read-only devices in a guest as those are the only ones that - are container layers. The scratch space for containers is mounted as read-write and we do - not want enforce policy for them. - - Actually dm-verity setup isn't included in this commit and will be added in a future change. - - 
Signed-off-by: Sean T. Allen - -commit 2811ffe26952c3ecf75e441b8fca2d3816967883 -Merge: 7866b484c edb95abf5 -Author: Maksim An -Date: Tue Sep 14 12:02:06 2021 -0700 - - Merge pull request #1161 from SeanTAllen/securitypolicy-tool-login - - Update securitypolicy tool to support multiple registries - -commit edb95abf5e1862a785de5a430271a7cda7256151 -Author: Sean T. Allen -Date: Tue Sep 14 09:26:40 2021 -0400 - - Update securitypolicy tool to support multiple registries - - Before this change, the securitypolicy tool could authorize with a registry - by providing a username and password as command-line options. - - This approach worked fine as long as all images were being pulled from the - same registry. It doesn't work if you need to access multiple registries. - - After this change, authorization is provided in the policy.toml on a per-image - basis. This allows for mixing and matching different registries together as - part of a pod. - - Signed-off-by: Sean T. Allen - -commit 9518addeda73352f3209ff248142e5bb2531aacb -Author: Daniel Canter -Date: Mon Sep 13 16:03:51 2021 -0700 - - Add test cases for the working directory functionality - - This change adds a couple tests to make sure that the working directory functions as - expected. Also some very small adjustments on the dockerfiles for the other tests - (which really didn't need to be changed, but makes it more explicit). - - 
Signed-off-by: Daniel Canter - -commit 3e7e5efbc6a5c52203074e428e6017e11effbc2c -Author: Daniel Canter -Date: Fri Aug 27 13:10:49 2021 -0700 - - Rework how working directory for job containers - - Instead of taking the working directory as is, change to joining the working directory - requested with where the sandbox volume is located. It's expected that the default behavior - would be to treat all paths as relative to the volume as this would be equivalent to a - normal Windows Server Containers behavior. - - For example: - A working directory of C:\ would become C:\C\12345678\ - A working directory of C:\work\dir would become C:\C\12345678\work\dir - - Signed-off-by: Daniel Canter - -commit 7866b484c574a64dccb834973bd79c6b2050915c -Merge: c7c555d47 7b6e3dac2 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Sep 13 10:43:14 2021 -0700 - - Merge pull request #1155 from adelina-t/patch-1 - - Update windowsbuilds.go - -commit 7b6e3dac2b3b0c2e06ab5d0bf2a0665fb80ae511 -Author: Adelina Tuvenie -Date: Thu Sep 9 20:50:58 2021 +0300 - - Update windowsbuilds.go - - Updates windowsbuilds to include build number for Windows Server 2022. - - Signed-off-by: Adelina Tuvenie - -commit c7c555d47fcb7867d01cbfcb6914c40742ff3d02 (hcsshim/cc-preview) -Merge: 106f5a88b b755c2668 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Sep 10 17:59:55 2021 -0700 - - Merge pull request #1159 from katiewasnothere/modules_ci_warning_update - - Add additional information to the error message when validating modules - -commit b755c2668556e0e19418b11826e5c0c17ce2bed7 -Author: Kathryn Baldauf -Date: Fri Sep 10 14:50:14 2021 -0700 - - Add additional information to the error message when validating modules - - 
Signed-off-by: Kathryn Baldauf - -commit 106f5a88b1d5ffe26082cae39f7a73d5e8fe8fca -Merge: 322931025 eea18abbb -Author: Kathryn Baldauf -Date: Fri Sep 10 13:18:49 2021 -0700 - - Merge pull request #1153 from katiewasnothere/internal_cmd_request_struct - - Add new internal cmd package request struct to remove shimdiag package import - -commit 3229310256a97c4785bc835bb8eaf9a83a236364 -Merge: 04d8aa4dd 7671a8456 -Author: Maksim An -Date: Fri Sep 10 09:57:56 2021 -0700 - - Merge pull request #1154 from SeanTAllen/maps-in-policy-3 - - Switch JSON policy schema from using arrays to maps - -commit 7671a84561e9c30d5e0963554d8e32edf1d81cb4 -Author: Sean T. Allen -Date: Thu Sep 9 09:25:17 2021 -0400 - - Switch JSON policy schema from using arrays to maps - - The existing array based policy doesn't work with managed HSMs query language, so, we have switched - it up to using maps instead of arrays. Map keys correspond to the array index that an entry would have. - This allows us to keep ordering. - - Signed-off-by: Sean T. Allen - -commit 04d8aa4dd737246af34931dc66db2d21236a6abb -Merge: e15e9940a 89d75bf14 -Author: Kathryn Baldauf -Date: Thu Sep 9 18:42:59 2021 -0700 - - Merge pull request #1143 from katiewasnothere/ncproxy_tests - - Add unit tests to ncproxy - -commit 89d75bf147d79530f4b0371bb6b0e820e6f0b72c -Author: Kathryn Baldauf -Date: Mon Aug 30 11:39:49 2021 -0700 - - Add unit tests to ncproxy - * Add mocked grpc and ttrpc services for ncproxy testing - - Signed-off-by: Kathryn Baldauf - -commit e15e9940abeafacdfd98e216a114d9d4ffff33b9 -Merge: b33088e48 f09308df1 -Author: Kathryn Baldauf -Date: Thu Sep 9 18:13:31 2021 -0700 - - Merge pull request #1157 from katiewasnothere/update_ci_go_modules - - Update script to verify go modules to match hashes of all files - -commit f09308df1c2199870ba9652518a2796e88bbc108 -Author: Kathryn Baldauf -Date: Thu Sep 9 13:48:13 2021 -0700 - - Update main and test modules - - 
Signed-off-by: Kathryn Baldauf - -commit b33088e48f9550f95c538c719c753f6650c3406f -Merge: 28c74fbbc bcab623e9 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Sep 9 13:42:48 2021 -0700 - - Merge pull request #1156 from dcantah/readme-mention-test - - Add note about test directory go mod vendor steps to README - -commit 43ced3322a4832ae9415325680ca5c65730e9b22 -Author: Kathryn Baldauf -Date: Thu Sep 9 13:30:45 2021 -0700 - - Update script to verify go modules to match hashes of all files in the directory - - Signed-off-by: Kathryn Baldauf - -commit bcab623e91df934690c3db9452e9e875d2c8ee3d -Author: Daniel Canter -Date: Thu Sep 9 12:51:54 2021 -0700 - - Add note about test directory go mod vendor steps to README - - This change adds a quick blurb about the test directory situation for contributors. - As the test directory is a bit odd and our CI will fail if the condition - isn't met, this seems like a good thing to call out. - - Signed-off-by: Daniel Canter - -commit eea18abbb891a70aae6f630c0f67092a25779fdc -Author: Kathryn Baldauf -Date: Fri Sep 3 18:25:21 2021 -0700 - - Add new internal cmd package request struct to remove shimdiag package import - - 
Signed-off-by: Kathryn Baldauf - -commit 28c74fbbc93ffe9d0effc23a32c4624c4ed3502a -Merge: 358f05d43 c0cd5e8ff -Author: Maksim An -Date: Wed Sep 8 13:20:46 2021 -0700 - - Merge pull request #1146 from SeanTAllen/enforce-env - - Add security policy enforcement of environment variables - -commit c0cd5e8ff089b6cc67a44227a2db565b9cb6781a -Author: Sean T. Allen -Date: Fri Sep 3 10:08:46 2021 -0400 - - Add security policy enforcement of environment variables - - Supports two different matching schemes: - - - string - - This is a direct string match. All characters must be equal. - - - re2 - - The rule is an re2 regular expression that will be matched against the environment variable. - - Environment variables are in the form "KEY=VALUE" as a single string. - - The securitypolicy tool has been updated to automatically include any environment variables defined - in the image spec for an image to the allowed environment variables in the generated policy. - - Signed-off-by: Sean T. Allen - -commit 358f05d43d423310a265d006700ee81eb85725ed -Merge: f0ab29e1c ab8929cf7 -Author: Kathryn Baldauf -Date: Tue Sep 7 15:53:16 2021 -0700 - - Merge pull request #1151 from katiewasnothere/update_test_vendor_hugepages - - Update test modules with up to date hcsshim code - -commit ab8929cf7388299a08e809bd6effdb76be9147de -Author: Kathryn Baldauf -Date: Tue Sep 7 15:49:16 2021 -0700 - - Update test modules with up to date hcsshim code - - 
Signed-off-by: Kathryn Baldauf - -commit f0ab29e1c2d39f9fc7112cf0dae80040c2195271 -Merge: e16581161 6fba53bf8 -Author: Kathryn Baldauf -Date: Tue Sep 7 15:40:56 2021 -0700 - - Merge pull request #1118 from ninzavivek/vivek_hugepages_mount - - Hugepage support for LCOW - -commit e1658116181e3791f256f44add287a5baf2a5e0c -Merge: 36361330f f53295d52 -Author: Kathryn Baldauf -Date: Tue Sep 7 15:21:18 2021 -0700 - - Merge pull request #1112 from katiewasnothere/verify_modules - - Add ci step to validate that modules have been vendored in - -commit f53295d5261bf1dcccdc5ed064a16187cfdad2ab -Author: Kathryn Baldauf -Date: Thu Aug 12 10:02:30 2021 -0700 - - Add ci step to validate that modules have been vendored in - - Signed-off-by: Kathryn Baldauf - -commit 36361330f33ca4b658a285b28ee47b6a23b2cd9e -Merge: 99733ae21 acfca301d -Author: Kathryn Baldauf -Date: Tue Sep 7 15:13:28 2021 -0700 - - Merge pull request #1150 from katiewasnothere/update_test_vendor - - Update test modules with hcsshim changes - -commit acfca301d8115059264755c1e2029cc246cfdaa4 -Author: Kathryn Baldauf -Date: Tue Sep 7 15:07:42 2021 -0700 - - Update test modules with hcsshim changes - - 
Signed-off-by: Kathryn Baldauf - -commit 99733ae2108b71e5a9ff33873156c7cb0b45232b -Merge: 958272a9d 76c63b50c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Sep 7 14:55:46 2021 -0700 - - Merge pull request #1117 from dcantah/job-container-filepath - - Job container path touchups + rework tests - -commit 76c63b50c130e519118ee74cc1081c55040212f5 -Author: Daniel Canter -Date: Fri Aug 13 18:28:51 2021 -0700 - - Remove filepath.Clean usage + touchup job containers path tests - - This change does a couple of things for the path resolution logic. - - 1. I was using filepath.Clean to remove any initial '.' paths in the command line - to handle relative paths with a dot. However it changes all forward slashes - to backslashes, which hinders command lines like the following: - - `"cmd /c ping 127.0.0.1"` - - as the /c argument will be altered. Windows Server containers don't handle - relative paths with a dot, so it doesn't seem necessary to support them for - job containers either, so just get rid of the call entirely. - - 2. Remove empty spaces off the end of the cmdline if it's quoted. There was - an empty space in this case as I was using strings.Join to join the arguments - after the quoted element. This had no effects on actual usage/functionality, - but to compare commandlines for tests, this made things easier. - - 3. When replacing instances of %CONTAINER_SANDBOX_MOUNT_POINT% in the commandline, - the path of the volume we were replacing it with had a trailing forward slash, so - you'd end up with C:\C\12345678abcdefg\\\mybinary.exe (two forward slashes). This - also didn't have much of an effect on anything, but just to clean things up. - - 4. Lastly, this change also refactors the job container path tests as they - were a bit unwieldy and were due for the t.Run treatment. This moves the - tests to being run via t.Run and a slice of configs to test different path, - working directory, env matrixes. 
Also adds some new test cases to try out. - - Signed-off-by: Daniel Canter - -commit 6fba53bf8cd74d993e20d77db34f918602b8b77c -Author: Vivek Aggarwal -Date: Mon Aug 16 18:26:54 2021 -0700 - - Hugepage support - - Signed-off-by: Vivek Aggarwal - -commit 958272a9dd25ee19221007f84d9681f2f5b1b108 -Author: Maksim An -Date: Tue Sep 7 11:14:03 2021 -0700 - - Add more messages when guest relays and init process finish (#1104) - - Additionally cleanup dead code during scsi mount, bump scsi mount - timeout to 5 seconds. - - Signed-off-by: Maksim An - -commit 9c8adb8b41669fbfa67e3ee06b83798c9445636c -Merge: 6e218877c 52251b715 -Author: Kathryn Baldauf -Date: Fri Sep 3 18:31:39 2021 -0700 - - Merge pull request #1145 from praenubilus/yunhao/add-disk-size-constant-092021 - - add RecommendedVHDSizeGB constant - -commit 6e218877c428142d9e62025271608034e3afec8a -Author: Maksim An -Date: Fri Sep 3 17:43:27 2021 -0700 - - Enable dm-verity for multi-mapped LCOW layers (#1089) - - Previously dm-verity was enabled only for dedicated VPMems. This - change adds dm-verity footer parsing logic to multi-mapped LCOW - layers - - Signed-off-by: Maksim An - -commit 52251b715f626b87e24cd331d6e102d4ba0ffc65 -Author: Yunhao Wan -Date: Fri Sep 3 22:07:31 2021 +0000 - - add VHD size constant - - 
Signed-off-by: Yunhao Wan - -commit 0e9cd549c6fb9288c55cb04f9476078c47a15b91 -Merge: 233357dfd d7cdc0f0a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Sep 1 14:14:59 2021 -0700 - - Merge pull request #1125 from dcantah/add-stylecheck - - Add stylecheck linter to golangci-lint CI runs - -commit 233357dfd1dea04e8863888fb63b23a3677ca0e7 -Merge: 8a7773ca9 bef81a6fe -Author: Kathryn Baldauf -Date: Tue Aug 31 10:57:35 2021 -0700 - - Merge pull request #1142 from katiewasnothere/cleanup_sandbox_dir_on_err - - Fixup logic for sandbox and container cleanup on failure - -commit bef81a6fe7faff6b1aa151655136c91bbe84d26c -Author: Kathryn Baldauf -Date: Mon Aug 30 15:28:36 2021 -0700 - - Fixup logic for sandbox and container cleanup on failure - - Signed-off-by: Kathryn Baldauf - -commit 8a7773ca93e89cffecb3b700aaa8f32b76ec241d -Merge: 1ca8616cb 3c2539745 -Author: Kathryn Baldauf -Date: Mon Aug 30 14:32:41 2021 -0700 - - Merge pull request #1141 from katiewasnothere/update_test_modules - - Update test package go modules - -commit 3c2539745b49c1c001c0256873c322ef2a507bfd -Author: Kathryn Baldauf -Date: Mon Aug 30 14:09:02 2021 -0700 - - Update test package go modules - - Signed-off-by: Kathryn Baldauf - -commit 1ca8616cba915b89edc78307a0ca20868d372902 -Merge: 69cf1c271 e0ecc18c3 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Aug 30 12:39:14 2021 -0700 - - Merge pull request #1140 from dcantah/dco-readme-note - - Add extra info about DCO check to README - -commit e0ecc18c33d180a8bdcaaa015f2857d613f63d40 -Author: Daniel Canter -Date: Mon Aug 30 11:43:45 2021 -0700 - - Add extra info about DCO check to README - - We recently added the DCO github app and it will get run on every PR. This change - adds a small blurb to our README to give more information on DCO for contributors. - - 
Signed-off-by: Daniel Canter - -commit 69cf1c27111eb971a95e86d90367ec9fc2ae9641 -Merge: e7fd842da 85b8ec055 -Author: Kathryn Baldauf -Date: Mon Aug 30 10:14:21 2021 -0700 - - Merge pull request #1139 from thaJeztah/double_failure - - Fix duplicate "failed" in HCS errors - -commit e7fd842da715873202253f232212a7fa925be63c -Merge: cc540938b 587be85a4 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Fri Aug 27 16:38:34 2021 -0700 - - Merge pull request #1138 from ambarve/unicodestr_bugfix - - Bugfix for UnicodeString constructor - -commit 587be85a4cc3ae962665adcf20be1bfe511ab741 -Author: Amit Barve -Date: Fri Aug 27 16:12:50 2021 -0700 - - Add test for UnicodeString Limit - - Signed-off-by: Amit Barve - -commit 85b8ec055ccc40246c6bf66d3928412d20938104 -Author: Sebastiaan van Stijn -Date: Sat Aug 28 00:36:48 2021 +0200 - - Fix duplicate "failed" in HCS errors - - HcsError.Error() already appends "failed" to the error message, which resulted - in some uses to contain a duplicate "failed", for example: - - re-exec error: exit status 1: output: hcsshim::ImportLayer - failed failed in Win32: The system cannot find the path specified. (0x3) - - Signed-off-by: Sebastiaan van Stijn - -commit 0afb0c9f89a5e7e3a0c64e0572460f44923ac888 -Author: Amit Barve -Date: Fri Aug 27 14:11:14 2021 -0700 - - Bugfix for UnicodeString constructor - - The existing UnicodeString constructor creates a unicode string object by taking the - length of a given GO string. This works fine for ASCII strings but fails when the input - string contains non ASCII characters. This change fixes it. - - 
Signed-off-by: Amit Barve - -commit d7cdc0f0a4ab5cebb55f56301f5254b19d65be46 -Author: Daniel Canter -Date: Fri Aug 27 05:43:21 2021 -0700 - - Add exclusions for rule ST1003 from stylecheck for some packages - - ST1003 checks for if any initialisms don't follow the Go idiom of all capitals. - However, due to this repo having a really high number of packages that have OS - bindings/constants, generated schema files that we generally try and not touch, - and some calls that have been exported and used forever so changing them would - introduce a breaking change, I've taken to excluding some directories from this - specific check. Stylecheck should still check for double imports, and any error - message shenanigans. - - This change additionally fixes all of the ST1003 errors in the packages that aren't - excluded. - - Signed-off-by: Daniel Canter - -commit c4c867d1df60b5fe9cc29198059af18df108ac0e -Author: Daniel Canter -Date: Tue Aug 24 06:13:43 2021 -0700 - - Fix golangci-lint stylecheck issues - - This change fixes the issues that the stylecheck linter for golangci-lint - brings up. Most of them are errors starting with a capital letter/ending with - punctuation, but there's two that are for double imports. Also adds -v to the - golangci-lint args, so it's easier to tell what's going on. - - In internal/layers/layers.go we were importing the /internal/uvm package twice, - as we used any constants from the package under a package alias of uvmpkg and then - any uses of a pointer to a UtilityVM object were passed around as `uvm`. I've changed - the latter to be passed around via vm, as we use this elsewhere to store a UtilityVM - object, and then simply replaced umvpkg with the package name itself, uvm. - - 
Signed-off-by: Daniel Canter - -commit 2ea1344710a3f00adca963040ca46a90af4f0189 -Author: Daniel Canter -Date: Tue Aug 24 06:24:44 2021 -0700 - - Add stylecheck linter to golangci-lint CI run - - This change adds the stylecheck linter to our golangci-lint ci run. - This catches a few nice things like double imports, checking if errors - end with punctuation/aren't capitalized. It also by default checks if - common initialisms (CPU, ID, HTTP, TLS) are in all caps, but this sets off a - metric ton of errors because of the amount of generated schema files we have. - We could exclude these directories from being linted altogether, but would like - to hear what others think. I don't see a way to exclude directories for only certain - checks (so if someone knows a way please do tell) - - Signed-off-by: Daniel Canter - -commit cc540938b6fc1b6ee13c616eb6633ae5139f8447 -Merge: c7c44e13f 662c3dd5c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Aug 26 18:24:20 2021 -0700 - - Merge pull request #1121 from dcantah/ncp-urfav - - Make ncproxy a urfave/cli app - -commit 662c3dd5c2c99ea04a5171793c9b32dfd0541861 -Author: Daniel Canter -Date: Wed Aug 18 06:59:01 2021 -0700 - - Make ncproxy a urfave/cli app - - This kind of started solely because the containerd version of the service flags - (because of urfave/cli) are double dashed, while flags from the flag package in - the stdlib are single, so writing generic code to launch both services just - by providing the name of the service was *mildly* annoying 😋. - - After actually thinking about it though, there's probably a couple commands - down the road that might be helpful. One to start is to output a default config - for ncproxy for local testing or for actual production use which is in this - change. It will output a default config to stdout or to a file if the --file - flag is specified. - - 
Signed-off-by: Daniel Canter - -commit c7c44e13fdacc83a07931653b47a21579f39063c -Merge: a88c2931b 3af4cb6b0 -Author: Kathryn Baldauf -Date: Wed Aug 25 13:53:17 2021 -0700 - - Merge pull request #1126 from katiewasnothere/container_id_to_compute_agent_sync - - Update ncproxy compute agent cache map - -commit a88c2931bdc2e3b4fc0e5cd6aaae7e11f2e341c2 -Merge: 3febf28db f445fb749 -Author: Kathryn Baldauf -Date: Wed Aug 25 11:06:08 2021 -0700 - - Merge pull request #1127 from SeanTAllen/patch-1 - - Fix spelling error - -commit f445fb7497a6a6d5d0d8487c9f73f958beab12f0 -Author: Sean T Allen -Date: Wed Aug 25 13:36:56 2021 -0400 - - Fix spelling error - - Signed-off-by: Sean T Allen seanallen@microsoft.com - -commit 3af4cb6b0c656ec09c8d2f8e04658b6d7eb2adaf -Author: Kathryn Baldauf -Date: Tue Aug 24 14:38:37 2021 -0700 - - Move containerID to compute agent cache from being a global and make it a sync map - - 
Signed-off-by: Kathryn Baldauf - -commit 3febf28db3d0454f000ecde87ca242f445214722 -Merge: 12f00a386 5abd1703d -Author: Scott Brender -Date: Tue Aug 24 09:39:14 2021 -0700 - - Merge pull request #1116 from SeanTAllen/enforce-command - - Add security policy enforcement of command line options when starting containers - -commit 12f00a38643ba1ff6772e03f8673977060515d01 -Merge: 409e4849c a342ac7e1 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Aug 23 13:40:46 2021 -0700 - - Merge pull request #1115 from dcantah/check-nil-pipes - - Check if stdio pipes are nil for job containers/fix windows.Close usage - -commit 409e4849c42112bf0169101f32f8c90fdf4883f0 -Merge: 2b5a08d79 57c5d6094 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Aug 19 17:14:54 2021 -0700 - - Merge pull request #1123 from dcantah/new-hcn-features-call - - Add GetCachedSupportedFeatures method to hcn package - -commit 57c5d6094e233bbb15f08b662e9eb3edafb0b131 -Author: Daniel Canter -Date: Thu Aug 19 13:24:02 2021 -0700 - - Fix GetSupportedFeatures' comment to please godoc - - Signed-off-by: Daniel Canter - -commit 16435c703bed94918583e90811669ae449c08e94 -Author: Daniel Canter -Date: Thu Aug 19 12:08:07 2021 -0700 - - Fix hcn GetSupportedFeatures's error log msg - - Signed-off-by: Daniel Canter - -commit f78d0ffd3ad7ebe3073cd1be149af64ab6be6697 -Author: Daniel Canter -Date: Thu Aug 19 03:51:58 2021 -0700 - - PR feedback - - - Change versionErr -> featuresErr - - Move work inside of the sync.Once out to its own function so we - can use standard return err error handling and simply assign the - output in GetCachedSupportedFeatures - - Mark GetSupportedFeatures as deprecated. - - 
Signed-off-by: Daniel Canter - -commit 112b5e7a30d0cac219085a26fc3a8188bc471db9 -Author: Daniel Canter -Date: Wed Aug 18 20:06:20 2021 -0700 - - Add GetCachedSupportedFeatures method to hcn package - - To avoid a breaking change on GetSupportedFeatures introduce a new - GetCachedSupportedFeatures method. This method does the feature check - and version parsing once and then assigns a global with the information. - This can be used to optimize for situations where many uses of the - hcn.IsXSupported methods are going to be used (kube-proxy for example). - - Signed-off-by: Daniel Canter - -commit 2b5a08d79b7ec0ebdafbf6c7c70a93266248edb8 -Merge: a0b514937 adc35b064 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Aug 18 18:06:09 2021 -0700 - - Merge pull request #1122 from dcantah/add-sleep-layerops - - Add sleep before layer operation retries - -commit adc35b064429d1e80be4bf5022a0f8504a9197ae -Author: Daniel Canter -Date: Wed Aug 18 16:05:28 2021 -0700 - - Add sleep before layer operation retries - - This change adds a small sleep before a re-attempt on layer operation - failures. These failures should only happen on RS5 and the probable cause is because - of a different way in which container loopback vhds were mounted on this OS version. - A theory of why things might go awry on RS5 is due to some events from pnp getting reported - too late/early. If the prognosis is correct, a small sleep might help to try and get - things back into a "good" state before a reattempt. - - 
Signed-off-by: Daniel Canter - -commit 5abd1703de66bfb4bf57be5f82434205aa388fce -Author: Sean T. Allen -Date: Wed Aug 4 15:13:04 2021 -0400 - - Add security policy enforcement of command line options when starting containers - - This includes a small switch from the first version of policy tool that had - command as a string. The single string was problematic as that isn't the - representation in gcs. I updated the representation to match as part of this PR. - -commit a342ac7e10862d4ea399218d534fcc72d4c069f0 -Author: Daniel Canter -Date: Mon Aug 16 05:11:45 2021 -0700 - - Misc. job containers cleanup - - This change does two things: - - 1. Checks if the stdio pipes are nil before closing them via the CloseStdout, - CloseStderr, CloseStdin methods. This just brings it inline with the other - `cow.Process` implementations that check for nilness. - 2. Fix an oversight where windows.Close was being used instead of windows.FreeLibrary - after loading kernel32.dll - - Signed-off-by: Daniel Canter - -commit a0b514937762363a4cc10caa89eb3aea34f16dd0 -Merge: 3ac13eef7 f8784aa2c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Aug 13 15:58:34 2021 -0700 - - Merge pull request #1102 from jsturtevant/add-network-stats - - Add network stats to the enable getting stats directly - -commit 3ac13eef7f5afb02b3c7e92a013fd5bfbba7b9db -Merge: bd67428d8 ad0eaf384 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Aug 13 13:05:36 2021 -0700 - - Merge pull request #1108 from ninzavivek/vivek_kernel_options - - Support for Kernel Boot Options - LCOW - -commit ad0eaf384ddb820339942272eaef01dc5f311e39 -Author: Vivek Aggarwal -Date: Tue Aug 10 17:09:50 2021 -0700 - - Support for Kernel Boot Options - - 
Signed-off-by: Vivek Aggarwal - -commit bd67428d86518b34cf065cc06098c08b2f14aafc -Author: Maksim An -Date: Thu Aug 12 21:15:36 2021 -0700 - - tests: fix VPMem layer packing tests (#1109) - - Previously ubuntu:18.04 container had 3 image layers, which is not - true anymore. Pin image digest to make sure that this issue doesn't - resurface. - -commit cbe2cc166b6797e915f5e26cfe777e004b92d7de -Merge: 8fc847f9d f55f5d4fe -Author: Maksim An -Date: Thu Aug 12 17:32:23 2021 -0700 - - Merge pull request #1105 from SeanTAllen/patch-1 - - Fix variable naming - -commit 8fc847f9d9213e951bf7d2a1c099baa8c5916e19 -Merge: 3f1e9b4d2 65a975144 -Author: Maksim An -Date: Thu Aug 12 17:32:08 2021 -0700 - - Merge pull request #1106 from SeanTAllen/patch-2 - - Fix incorrect variable casing - -commit 65a9751445292d8f11f3e6f52855a69a4dc85638 -Author: Sean T Allen -Date: Thu Aug 12 09:14:22 2021 -0400 - - Fix incorrect variable casing - -commit f55f5d4fec9b284fdf4507dd6c02f0bf798c7b5a -Author: Sean T Allen -Date: Thu Aug 12 08:42:48 2021 -0400 - - Fix variable naming - - I tend to use snake case rather than camel case. These snuck through previous reviews. - -commit 3f1e9b4d29697bdbe10a77231fe1a4e24aadf0f9 -Merge: bf946774b 84fcbce4d -Author: Maksim An -Date: Wed Aug 11 14:33:05 2021 -0700 - - Merge pull request #1099 from anmaxvl/skip-empty-policy - - Skip setting security policy when it's empty - -commit f8784aa2cdd7fb94ade0ee02a6fb003f2e4410a8 -Author: James Sturtevant -Date: Fri Aug 6 23:10:27 2021 +0000 - - Expose containers that are associated with network - - Signed-off-by: James Sturtevant - -commit 11375bf35d8b8abc83dc0a514f73dcfe6f269e80 -Author: James Sturtevant -Date: Fri Aug 6 20:54:26 2021 +0000 - - Add network stats for endpoints - - 
Signed-off-by: James Sturtevant - -commit bf946774bacb7532d0bf09a47f19e4f6b37223cd -Merge: 5036eccca 6e425b4ca -Author: Maksim An -Date: Wed Aug 11 10:40:38 2021 -0700 - - Merge pull request #1096 from anmaxvl/guest-storage-cleanup - - chore: Cleanup guest pmem package - -commit 6e425b4ca38b76ee7fd66122e33d1b9bea06e2b8 -Author: Maksim An -Date: Sun Aug 8 15:30:18 2021 -0700 - - chore: Cleanup guest pmem package - - Move device mapper code from pmem to devicemapper package. - - Signed-off-by: Maksim An - -commit 84fcbce4d326f082813bb5b8a3c177375bcff153 -Author: Maksim An -Date: Tue Aug 10 15:26:32 2021 -0700 - - fix: Skip setting security policy when it's empty - - Due to an error ignored when calling to json.Unmarshal the call - to SetSecurityPolicy with an empty or invalid string policy results - in a policy with no Containers and AllowAll set to false. No - container can be run as a result. - - Fix the behavior by not sending modification request for SetSecurityPolicy - when policy string is empty (which is the default) and checking the - error result from json.Unmarshal call - - 
Signed-off-by: Maksim An - -commit 5036eccca2d36a2f5cd47ae7e821bed20c02ab2a -Merge: d300e457d ab1fcc8ba -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Aug 11 11:28:33 2021 -0400 - - Merge pull request #1103 from SeanTAllen/patch-1 - - Fix incorrect casing in error message - -commit ab1fcc8bafe02196354f7660a037bcedc881d831 -Author: Sean T Allen -Date: Wed Aug 11 10:59:09 2021 -0400 - - Fix incorrect casing in error message - - I have a habit of capitalizing the first letter of error messages. We missed this one as part of the review for my PR that added the security policy functionality. - -commit d300e457d6f503eff3fe5b12b48f88628711ebc5 -Merge: b8f71acfd fd0cf7b89 -Author: Kathryn Baldauf -Date: Tue Aug 10 10:12:48 2021 -0700 - - Merge pull request #1098 from katiewasnothere/fix_mount_functional_test - - Fix build break in functional tests - -commit fd0cf7b895597b3e9af63895345da10d620a620a -Author: Kathryn Baldauf -Date: Mon Aug 9 17:39:52 2021 -0700 - - Fix build break in functional tests - - 
Signed-off-by: Kathryn Baldauf - -commit b8f71acfda791a67444b85059eb29ce81359d383 -Merge: 264a47d1a 01b99119b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Aug 6 02:17:55 2021 -0700 - - Merge pull request #1091 from dcantah/retry-layerops - - Add retry around wclayer operations for process isolated containers - -commit 01b99119beb113ad3c5c4aa39f55b2e30c2951da -Author: Daniel Canter -Date: Mon Aug 2 16:44:34 2021 -0700 - - Add retry around wclayer operations for process isolated containers - - This change adds a simple retry loop to handle some behavior on RS5. Loopback VHDs - used to be mounted in a different manor on RS5 (ws2019) which led to some - very odd cases where things would succeed when they shouldn't have, or we'd simply - timeout if an operation took too long. Many parallel invocations of this code path - and stressing the machine seem to bring out the issues, but all of the possible failure - paths that bring about the errors we have observed aren't known. - - On 19h1+ this retry loop shouldn't be needed, but the logic is to leave the loop if everything succeeded so this is harmless - and shouldn't need a version check. - - 
Signed-off-by: Daniel Canter - -commit 264a47d1abd8e310dfe64e6f82b8968e843c5afb -Merge: c65d826c0 95091013d -Author: Maksim An -Date: Tue Aug 3 20:42:20 2021 -0700 - - Merge pull request #1094 from SeanTAllen/minimalist-policy - - Add basis for allowing the creation of configuration enforcement in gcs - -commit c65d826c081e296971e16f3e4e948b5ff4600d35 -Merge: 8bbd2047b 69994fcda -Author: Maksim An -Date: Tue Aug 3 17:46:48 2021 -0700 - - Merge pull request #1090 from AntonioND/encrypted-scratch - - Add support to encrypt SCSI scratch disks with dm-crypt - -commit 8bbd2047b849176a84c605f2fe5913a38c64d019 -Merge: 477581578 3d5b0eb9f -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Tue Aug 3 16:11:18 2021 -0700 - - Merge pull request #1093 from ambarve/assigned_dev_vsmb_clone_bugfix - - Minor bug fixes - -commit 3d5b0eb9f63b4d3d16691166e2060d9e10f536ce -Author: Amit Barve -Date: Mon Aug 2 21:02:41 2021 -0700 - - Minor bug fixes - - Fix container creation failure when container config has empty device extensions. - Use the `getVSMBShareKey` function during vsmb share cloning. - - 
Signed-off-by: Amit Barve - -commit 95091013da2a918422dea63d18b4dc4b85526478 -Author: Sean T. Allen -Date: Tue Aug 3 09:46:46 2021 -0400 - - Add basis for allowing the creation of configuration enforcement in gcs - - This commit is the minimal set of functionality needed to allow users - to create a configuration policy that gcs can enforce. - - Policy enforcement will allow users to state "only these containers, with these - command lines, etc etc" should be run. If anything in gcs doesn't match the - user supplied policy, it will end container run and report an error. - - Currently, only container filesystem policy is enforced. This is done at - two points. When a pmem device is mounted, its dm-verity root hash is checked - against policy to see if it is allowed. - - At the time of overlay creation, the order of layers is compared to policy to - make sure that the container is being constructed as the user expected. - - Additional policy enforcement that is coming in future commits includes: - - - enforce policy for scsi mounts - - enforce container command line - - enforce environment variables - -commit 69994fcda2b604aea51737de887c205cdfc48306 -Author: Antonio Nino Diaz -Date: Mon Jun 28 12:00:02 2021 +0100 - - Add support to encrypt SCSI scratch disks with dm-crypt - - This protects the files generated by the guest from the host OS, as they - are encrypted by a key that the host doesn't know. - - This commit adds a new argument to the scsi.Mount() function, `encrypted`, - that makes the SCSI drive be mounted using dm-crypt. It also uses - dm-integrity for integrity checking. This makes the boot process a couple - of seconds slower. - - Also, it adds scsi.Unmount(), which also has the `encrypted` argument, - and it does the necessary cleanup for a drive that has been mounted as - an encrypted drive. - - All the pre-existing SCSI tests have been fixed to work with the new - scsi.Mount() function prototype. New tests have been added for the new - code. 
- - This is all disabled for now, it has to be enabled in a future patch. - - Important note: This depends on cryptsetup and mkfs.ext4. Also, the - kernel must be compiled with dm-crypt and dm-integrity support. - -commit 4775815789710f1aa6d8b79c6920abce837fdac2 -Merge: 834c0e5a6 2a1685eb8 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Wed Jul 28 14:19:21 2021 -0700 - - Merge pull request #1039 from ambarve/storage_spaces - - Support for extensible virtual disks as data disks - -commit 834c0e5a6b2effe30703e7c8abe55b05f9f2f88d -Merge: 5184adc1a 461cf9f1c -Author: Maksim An -Date: Wed Jul 28 14:09:29 2021 -0700 - - Merge pull request #1052 from anmaxvl/container-dev-shm-size - - make container's shared memory configurable via annotation - -commit 5184adc1a74fc11586a113cb351b7c819000456c -Merge: a8f5f611a d75f9f86e -Author: Maksim An -Date: Wed Jul 28 14:07:01 2021 -0700 - - Merge pull request #1088 from anmaxvl/increase-opengcs-test-verbosity - - tests: increase opengcs tests verbosity - -commit d75f9f86e5b949ffd9eb7f5184ccf3a365891f04 -Author: Maksim An -Date: Wed Jul 28 12:57:36 2021 -0700 - - tests: increase opengcs tests verbosity - - currently opengcs unit tests are not verbose enough and it's hard - to tell which tests are actually run. Increase verbosisty by - adding -v flag - - Signed-off-by: Maksim An - -commit 461cf9f1c2dc8093fc2d7c671c3b3efe1de26e54 -Author: Maksim An -Date: Mon Jun 21 15:26:40 2021 -0700 - - make container's shared memory configurable via annotation - - add annotation "io.microsoft.container.storage.shm.size-kb" to - set container's /dev/shm tmpfs size. - - this overrides any existing /dev/shm mounts in the spec - - additionally move the annotations parsing logic into a separate - function - - 
Signed-off-by: Maksim An - -commit a8f5f611a65940f3f974697105e000497b49bbea -Merge: c066f5969 3f47d4789 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Jul 26 15:27:51 2021 -0700 - - Merge pull request #1084 from microsoft/dependabot/go_modules/github.com/opencontainers/runc-1.0.0-rc95 - - Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc95 - -commit 3f47d47898a4818bfd7532c129854919ad688f97 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jul 26 22:09:10 2021 +0000 - - Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc95 - - Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc93 to 1.0.0-rc95. - - [Release notes](https://github.com/opencontainers/runc/releases) - - [Commits](https://github.com/opencontainers/runc/compare/v1.0.0-rc93...v1.0.0-rc95) - - --- - updated-dependencies: - - dependency-name: github.com/opencontainers/runc - dependency-type: direct:production - ... - - 
Signed-off-by: dependabot[bot] - -commit c066f5969c5cb978673bc91a9b7b56b41b8131ee -Merge: 562190a84 1b3ef3cd0 -Author: Kathryn Baldauf -Date: Mon Jul 26 15:00:20 2021 -0700 - - Merge pull request #1083 from microsoft/dependabot/go_modules/github.com/containerd/containerd-1.5.4 - - Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 - -commit 562190a84ac12c22113102b14681e6a3d33ae1bb -Merge: 826ec7f3f 7972e6405 -Author: Kathryn Baldauf -Date: Mon Jul 26 14:57:18 2021 -0700 - - Merge pull request #1082 from microsoft/dependabot/go_modules/test/github.com/containerd/containerd-1.5.4 - - Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /test - -commit 1b3ef3cd0c71b43541fd6f7bf0cc736e580b388e -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jul 26 21:36:53 2021 +0000 - - Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.2 to 1.5.4. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.2...v1.5.4) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - 
Signed-off-by: dependabot[bot] - -commit 7972e6405c9223a0fdd0350d8680f1f14fecf2d0 -Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> -Date: Mon Jul 26 21:35:21 2021 +0000 - - Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /test - - Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.5.2 to 1.5.4. - - [Release notes](https://github.com/containerd/containerd/releases) - - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - - [Commits](https://github.com/containerd/containerd/compare/v1.5.2...v1.5.4) - - --- - updated-dependencies: - - dependency-name: github.com/containerd/containerd - dependency-type: direct:production - ... - - 
Signed-off-by: dependabot[bot] - -commit 826ec7f3f6058c6393465036e4712e6615bde132 -Merge: 8ef3c7401 03422a5a9 -Author: Kathryn Baldauf -Date: Mon Jul 26 11:54:14 2021 -0700 - - Merge pull request #1060 from katiewasnothere/device_extensions - - Add support for reading in device extension files for container create hcs document - -commit 8ef3c7401da37d3f5e6ce34a0bc36f7a015a2fcf -Merge: 8b8eac9c1 7a1ce51cc -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jul 23 12:46:32 2021 -0700 - - Merge pull request #1081 from dcantah/jobcontainer-workdir - - Fix relative paths (with dot) not working for job containers - -commit 8b8eac9c19d060715fcca9137ddf7d3500b2062c -Merge: 5961bcea3 c0a5047ba -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jul 23 12:09:45 2021 -0700 - - Merge pull request #1078 from elweb9858/hns_schema - - Updating HNS v1 policy schemas with correct omitEmpty fields - -commit 7a1ce51ccf39a7409713c2f8a75bec6e7958adc0 -Author: Daniel Canter -Date: Thu Jul 22 18:43:04 2021 -0700 - - Fix relative paths (with dot) not working for job containers - - Relative paths supplying a dot don't make it through our commandline - parsing for job containers, this change fixes that. - - In addition to this, this change adds logic to actually honor the working - directory specified for the container. - - Signed-off-by: Daniel Canter - -commit 2a1685eb8478006f206bf2bd8275bd0b9bc7435e -Author: Amit Barve -Date: Thu May 27 13:59:52 2021 -0700 - - Support for extensible virtual disks as data disks. - - This commit adds support in hcsshim to mount an extensible virtual disk data disk into a - container. In container config the host_path in the mount entry should - use the format evd:/// to specify an extensible virtual disk. - - 
Signed-off-by: Amit Barve - -commit 5961bcea3b5c8e2721e694f596f793d40c4e3ab7 -Merge: 40d90107f 7a55c170e -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Jul 19 21:50:07 2021 -0700 - - Merge pull request #1079 from dcantah/fix-update-tests - - Gate CRI update container tests behind feature flag - -commit 7a55c170ebdf0a69c4361d49c29b30bf609b7698 -Author: Daniel Canter -Date: Mon Jul 19 20:48:35 2021 -0700 - - Gate CRI update container tests behind feature flag - - Upstream containerd/cri doesn't have support for updating container resources, - so running these tests currently fails. - - Signed-off-by: Daniel Canter - -commit c0a5047ba474134d22e2118e8f42afeaf2ad3a88 -Author: elweb9858 -Date: Mon Jul 19 11:34:29 2021 -0700 - - Updating HNS v1 policy schemas with correct omitEmpty fields - - Signed-off-by: elweb9858 - -commit 40d90107f86cc5319b782e29a0d227b5b11b45f6 -Merge: 837c300f1 90a193c83 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jul 15 15:10:08 2021 -0700 - - Merge pull request #1057 from dcantah/jobcontainer-volume - - Add volume mount support for job containers - -commit 837c300f15fadd2bd0ee831658de2c726d345493 -Merge: 8f527b2ed f7d10cb13 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jul 13 23:30:06 2021 -0700 - - Merge pull request #1074 from TBBle/remove-leftover-schema-file - - Remove leftover generated HCS2 schema file - -commit f7d10cb13f286164c334785166524fcab51384d2 -Author: Paul "TBBle" Hampson -Date: Wed Jul 14 16:24:25 2021 +1000 - - Remove leftover generated HCS2 schema file - - This was left behind due to an unlucky conflict between #1004 and #930. - - The file already existed with the same content at the new location, and - nothing was referencing this location, so a trivial deletion. - - 
Signed-off-by: Paul "TBBle" Hampson - -commit 8f527b2edd78add26082415412d77901cd8c0b3d -Merge: 4378e839c 45ea8def8 -Author: Kathryn Baldauf -Date: Tue Jul 13 11:24:39 2021 -0700 - - Merge pull request #1071 from TBBle/rename-conflicting-opencensus-attribute - - Fix lost span attribute for NameToGuid - -commit 45ea8def8fd5938791844026752d4b6b8383cd77 -Author: Paul "TBBle" Hampson -Date: Tue Jul 13 16:18:25 2021 +1000 - - Fix lost span attribute for NameToGuid - - "name" is also used for the span title, so this attribute is lost, at - least in the textual output. - - Signed-off-by: Paul "TBBle" Hampson - -commit 4378e839c4fcff4e3b7d4c89f8c66df0af45795c -Merge: e36a7ab4d 35874b7f8 -Author: Kathryn Baldauf -Date: Tue Jul 13 10:18:29 2021 -0700 - - Merge pull request #1070 from katiewasnothere/ncproxy_dump_stacks - - Add support to dump stacks for ncproxy when requested - -commit 35874b7f8b3f807bc3cf4fef05b35baaaa64998a -Author: Kathryn Baldauf -Date: Mon Jul 12 17:59:58 2021 -0700 - - Add support to dump stacks for ncproxy when requested - - Signed-off-by: Kathryn Baldauf - -commit 03422a5a93ecc21904c3e352b45aca666e7666ae -Author: Kathryn Baldauf -Date: Tue Jul 6 16:14:02 2021 -0700 - - Add support for reading in device extension files for container create hcs document - - Signed-off-by: Kathryn Baldauf - -commit e36a7ab4dc5bec0ab521ddd5d99d581313a6cc57 -Merge: 7ca08bc6e ad02a2c1b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Jul 12 06:15:50 2021 -0700 - - Merge pull request #1069 from TBBle/fix-missing-build-tag - - Add missing 'functional' tag to test source - -commit ad02a2c1b6329d6b893e29a11ef7827783ad7212 -Author: Paul "TBBle" Hampson -Date: Mon Jul 12 18:39:53 2021 +1000 - - Add missing 'functional' tag to test source - - Without this tag, gopls under VSCode notes that this file calls - undefined functions when no build tags are defined (the default). - - 
Signed-off-by: Paul "TBBle" Hampson - -commit 90a193c8352f0673e365992b9ea3b86a324e8edb -Author: Daniel Canter -Date: Thu Jul 1 06:15:30 2021 -0700 - - Add volume mount support for job containers - - This adds basic directory mount support for job containers. As any path on the host - is already accessible from the container, the concept of volume mounts is a bit funny - for job containers. However, it still makes sense to treat the volume mount point where - the container image is mounted as where most things should be found regarding the container. - - The manner in which this is done is by appending the container mount path for the volume to - where the rootfs volume is mounted on the host and then symlinking it. - - So: - Container rootfs volume path = "C:\C\123456789abcdefgh\" - - Example #1 - -------------- - { - "host_path": "C:\mydir" - "container_path": "\dir\in\container" - } - - "C:\mydir" would be symlinked to "C:\C\123456789abcdefgh\dir\in\container" - - Example #2 - --------------- - Drive letters will be stripped - { - "host_path": "C:\mydir" - "container_path": "C:\dir\in\container" - } - "C:\mydir" would be symlinked to "C:\C\123456789abcdefgh\dir\in\container" - - 
Signed-off-by: Daniel Canter - -commit 7ca08bc6ee86e174a6aa01837a0b4f00ad174d74 -Merge: 657ae58fb 2f6ae7ec1 -Author: Kevin Parsons -Date: Fri Jul 9 13:19:12 2021 -0700 - - Merge pull request #1068 from aledbf/1.5.2 - - Bump containerd to 1.5.2 - -commit 2f6ae7ec13277966608e37e49a80e48f9d42683c -Author: Manuel Alejandro de Brito Fontes -Date: Fri Jul 9 15:12:30 2021 -0400 - - Bump containerd to 1.5.2 - -commit 657ae58fbdf4a26a8745e949bb480b81d45e02fc -Merge: 137317f90 70d89bce4 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jul 8 15:45:42 2021 -0700 - - Merge pull request #1046 from dcantah/ncproxy-service - - Support registering and unregistering ncproxy as a Windows service - -commit 70d89bce4231228a02ebc14dc1ce6751f79cddca -Author: Daniel Canter -Date: Sat Jun 12 21:40:38 2021 -0700 - - Support registering and unregistering ncproxy as a Windows service - - Borrowed heavily from the Containerd implementation: - https://github.com/containerd/containerd/blob/master/cmd/containerd/command/service_windows.go - - Go mod vendor to bring in the x/sys/windows/svc package - - Signed-off-by: Daniel Canter - -commit 137317f90336da70a4e21624ac230faa1c5f54aa -Merge: c7a62d50a a2d897c20 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jul 8 13:38:43 2021 -0700 - - Merge pull request #1058 from dcantah/diff-log-level - - Support specifying a specific logrus log level for shim log output - -commit c7a62d50a0fbe23d23d8b641c4f4631d8ab4049e -Merge: 40b1634fc 8e69c5855 -Author: Kathryn Baldauf -Date: Thu Jul 8 13:32:25 2021 -0700 - - Merge pull request #1061 from katiewasnothere/export_annotations - - export annotations for use in test suite - -commit 8e69c5855c574d830968f0f4837f0f5136b8f942 -Author: Kathryn Baldauf -Date: Tue Jul 6 18:08:38 2021 -0700 - - export annotations for use in test suite - - 
Signed-off-by: Kathryn Baldauf - -commit 40b1634fc725ea68ab2946d6dbe1a997fa05a03f -Merge: 0ac60a299 d78544d6c -Author: Kevin Parsons -Date: Thu Jul 8 11:56:05 2021 -0700 - - Merge pull request #1064 from kevpar/container-leak - - Remove ERROR_PROC_NOT_FOUND from error checks - -commit a2d897c201cc1178f6e3ee5b1df26c13fe760893 -Author: Daniel Canter -Date: Mon Jul 5 22:08:52 2021 -0700 - - Support specifying a specific logrus log level for shim log output - - Sometimes debug is a bit too noisy and can cause log rotation at a higher than - ideal rate. - - This will be accompanied by an audit of our use of log levels throughout to make sure - they actually fit what level they're under. - - 
Signed-off-by: Daniel Canter - -commit d78544d6c2c2cbfde54155662138bf275cab7fca -Author: Kevin Parsons -Date: Wed Jul 7 15:16:49 2021 -0700 - - Remove ERROR_PROC_NOT_FOUND from error checks - - Previously, certain error check functions like IsAlreadyStopped returned - true if the error was ERROR_PROC_NOT_FOUND. Based on the comment in the - file, this was intended to be used to indicate a case where the process - could not be found. However, it seems this may have been added - erroneously. ERROR_PROC_NOT_FOUND is actually typically used to mean - that a _procedure_ lookup failed, and has nothing to do with processes. - - The original change[1] to check against ERROR_PROC_NOT_FOUND was made - five years ago, and did not contain much information on why this error - would be returned. We are removing this now based on several factors: - - - We are not aware of any condition where HCS would intentionally return - ERROR_PROC_NOT_FOUND to indicate a condition "process does not exist". - - There is an issue where HcsShutdownComputeSystem sometimes returns - ERROR_PROC_NOT_FOUND due to something failing internally. The current - error checks are causing this to be treated as "the container has - already exited", causing moby to not properly stop the container via - HcsTerminateComputeSystem. - - This change leaves the definition for ErrProcNotFound in the code, as it - may be used by external callers, but fixes its comment. - - [1]: See commit 0ae7e7ecebd7b5609582153ed680c35ba666a264 - - Signed-off-by: Kevin Parsons - -commit 0ac60a2990061c1b264d35182ee500d9249340c1 -Merge: 43d161b63 4df3a6e9d -Author: Kathryn Baldauf -Date: Wed Jul 7 13:53:04 2021 -0700 - - Merge pull request #1063 from katiewasnothere/fix_functional_mount_test - - Fix functional tests build and revendor - -commit 4df3a6e9d38aec48f76dd84e0dd9d5b4ca74dd7a -Author: Kathryn Baldauf -Date: Wed Jul 7 13:18:57 2021 -0700 - - Fix functional tests build and revendor - - 
Signed-off-by: Kathryn Baldauf - -commit 43d161b6313f5771fa4b346a7b4f085df1f4010f -Merge: ef584efeb bbf558965 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jun 25 21:03:33 2021 -0700 - - Merge pull request #962 from dcantah/job-containers-shim - - Add containerd-shim plumbing for job containers - -commit ef584efeb02e8728d7a959ac4b5a3c0a39b6ec87 -Merge: d793bf097 6288bb971 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Jun 25 14:20:06 2021 -0700 - - Merge pull request #1053 from dcantah/hcn-log-cleanup - - Get rid of redundant logs in HCN version range checks - -commit d793bf0970ea693844588dc1cec8ca74f02a2143 -Merge: 60b791395 a7ad80ff2 -Author: Maksim An -Date: Thu Jun 24 11:47:21 2021 -0500 - - Merge pull request #1054 from anmaxvl/fix-wrong-error-logging - - fix wrong error logged when dm-verity footer read fails - -commit a7ad80ff203aa7ea078fa09b1af5216cf793e1d5 -Author: Maksim An -Date: Thu Jun 24 09:34:21 2021 -0700 - - fix wrong error logged when dm-verity footer read fails - - Signed-off-by: Maksim An - -commit 6288bb97125c8a25d79b87ffd3a597258fa4e0bc -Author: Daniel Canter -Date: Tue Jun 22 16:19:03 2021 -0700 - - Get rid of redundant logs in HCN version range checks - - Kubeproxy logs are filled with redudnant version check spam from an unexported call that's invoked - as part of checking if a feature is supported. The logs don't detail what feature(s) are even being checked - so it just seems like spam. With the way things are implemented all of the hcn features are checked for support in - any of the `hcn.XSupported()` calls not just the one being checked, so these logs come up quite a bit if there's - many features that aren't supported on the machine. - - Add two new logs in a sync.Once that logs the HNS version and supported features. This should be enough - to investigate version issues. - - Should remedy https://github.com/microsoft/hcsshim/issues/1043 - - 
Signed-off-by: Daniel Canter - -commit 60b791395cdc0febc5ff3f239a125ab76ad6457d -Merge: 1c8b91e38 9dc13ebaf -Author: Maksim An -Date: Thu Jun 24 02:06:16 2021 -0500 - - Merge pull request #1008 from anmaxvl/read-vhd-verity-footer - - Read vhd verity footer - -commit 9dc13ebafb2f9c0af4c501d7cd3848d12fe4cd34 -Author: Maksim An -Date: Tue Apr 20 23:18:40 2021 -0700 - - add logic to parse dm-verity footer from layer VHDs - - this builds on top of the dm-verity footer feature that - has been previously added. changes to opengcs have already been - made where the verity info (root hash, merkle tree etc) is expected - to be appended to the ext4 data and this change enables passing - in the actual verity information. - - If dm-verity footer read fails, fallback to the original behavior as - if the footer wasn't present at all. - - Signed-off-by: Maksim An - -commit 1c8b91e38d229216622e466799611e2d6af7bf8e -Merge: 9bc76cd06 9ed930028 -Author: Maksim An -Date: Wed Jun 23 11:44:46 2021 -0500 - - Merge pull request #930 from anmaxvl/user/maksiman/device-mapper - - add logic to stack lcow layers on a single VPMEM device - -commit bbf558965c70f14fac7d8649be1be8071d28b8a2 -Author: Daniel Canter -Date: Wed May 19 22:17:18 2021 -0700 - - Add containerd-shim plumbing for job containers - - * Add the necessary plumbing in containerd shim to be able to create a job container - if asked for via the annotation. - - * Rework jobcontainers package a bit to return a resources struct to avoid some hacks during cleanup. - This was resource cleanup for wcow/lcow is the exact same for job containers in the shim. - - * Change some of the layer code to handle taking in a volume mount point - - 
Signed-off-by: Daniel Canter - -commit 9bc76cd068a2c05a76f678253b5d4dad27629f9c -Merge: 62680e0b8 49c3e4b2a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jun 15 12:41:13 2021 -0700 - - Merge pull request #1047 from dcantah/dnsdomain - - Add DNSDomain to hns endpoint object - -commit 49c3e4b2a084930e9c16589a299836d2559ac250 -Author: Daniel Canter -Date: Mon Jun 14 16:26:40 2021 -0700 - - Add DNSDomain to hns endpoint object - - It was missing from our go definition. For instance if the hcn definitions were used to set the - dns information/make the endpoint and then we requery for the endpoint with the v1 hns schema/calls, - this information won't be present. - - This controls the `Connection-specific DNS Suffix` you'd see on ipconfig for example. - - Signed-off-by: Daniel Canter - -commit 9ed9300284206b37e987b94d0f3ea025c916ada8 -Author: Maksim An -Date: Fri Feb 12 00:09:51 2021 -0800 - - add support for packing multiple LCOW layers onto single VPMem - - add VirtualPMemMapping schema and update gcs types - - add memory allocator interface and implementation - - VPMem multi-mapping support has been added in 19H1, which enables - packing multiple VHDs onto a single VPMem device. - This feature enables an optimization, where multiple LCOW container - layers can be packed onto a single VPMem device. - - This change uses memory allocator introduced above to keep track - of the VPMem surface allocation. - - Additionally, introduce new structs to keep track of the internal - state of each mapped LCOW layer VHD and update HCS/GCS calls - accordingly. - - The optimization is enabled by default on supported systems and - fall-back to old behavior otherwise. - - add CRI tests - - 
Signed-off-by: Maksim An - -commit 62680e0b85326a67506094fc0f89ceac239b8820 -Merge: 43d30843e a0e93da59 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jun 10 11:37:45 2021 -0700 - - Merge pull request #1045 from netal/user/negup/networkLevelACLPolicy - - Added Support for NestedIpSet type in SetPolicy and a new Network Policy called NetworkACL policy - -commit a0e93da5933a9fc59ff8e3c07b6a3e8c37a2b62a -Author: netal -Date: Thu Jun 10 10:51:01 2021 -0700 - - Added Support for NestedIpSet type in SetPolicy and a new Network Policy called NetworkACL policy - - Signed-off-by: netal - -commit 43d30843e27c72233aa8609ce13379de4313d9e5 -Merge: 106fa2a01 3b54b4f15 -Author: Kathryn Baldauf -Date: Tue Jun 8 17:12:21 2021 -0700 - - Merge pull request #1044 from katiewasnothere/fix_exec_in_shim_host - - use requested stdio in call to exec in shim host - -commit 3b54b4f1544b198493fc63fb13f73511e161566f -Author: Kathryn Baldauf -Date: Tue Jun 8 16:14:04 2021 -0700 - - use requested stdio in call to exec in shim host - - Signed-off-by: Kathryn Baldauf - -commit 106fa2a01215711329a5ddf3c9e5e41f413a54d0 -Merge: 0de8ce769 c793ff47a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Jun 7 05:34:07 2021 -0700 - - Merge pull request #1026 from dcantah/ncproxy-dns - - Add DnsSettings to ncproxy CreateEndpointRequest - -commit c793ff47ab49bc5fc2aa2b95d9e6c2ce5e3d20e8 -Author: Daniel Canter -Date: Thu May 13 10:27:58 2021 -0700 - - Add DnsSettings to CreateEndpointRequest - - To be able to set DNS configurations on the endpoint add a new DnsSettings message to - be used on the hcn endpoint. - - This PR also fixes up a spelling mistake in subnet_ipadress_prefix -> subnet_ipaddress_prefix, - and a couple casing changes on the proto file. - - 
Signed-off-by: Daniel Canter - -commit 0de8ce769783af195f3049098667ceaff96c8fb2 -Merge: 5558027a8 15f794e7d -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jun 1 11:15:38 2021 -0700 - - Merge pull request #1034 from dcantah/opengcs-readme - - Add instructions to build containerd-shim and gcs binaries - -commit 15f794e7d3d311bf1c50277526cc2e804747355d -Author: Daniel Canter -Date: Wed May 19 17:11:15 2021 -0700 - - Add instructions to build containerd-shim and gcs binaries - - Touch up the README a bit to add instructions on how to build some of the - important binaries. - - Add a small README to the ./internal/guest directory. - - Remove the stray ./opengcs/README.md that was leftover from the merge. - - 
Signed-off-by: Daniel Canter - -commit 5558027a8516f1955f59956d8e63715212ccbd43 -Merge: 71e1621e1 cd895b4d1 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri May 28 20:10:18 2021 -0700 - - Merge pull request #1038 from dcantah/remove-internal-guestconn - - Remove internal GCS connection functionality - -commit 71e1621e1ce4b4532622402905e978b8572fccc2 -Merge: 4b9542467 450cdb150 -Author: Kevin Parsons -Date: Fri May 28 16:55:10 2021 -0700 - - Merge pull request #1041 from kevpar/shim-delete - - shim: Clean up delete invocation behavior - -commit 450cdb150a74aa594d7fe63bb0b3a2a37f5dd782 -Author: Kevin Parsons -Date: Fri May 28 15:45:08 2021 -0700 - - shim: Clean up delete invocation behavior - - This changes the behavior when the shim is invoked with the "delete" - command line argument. - - Previously, the delete path did two things it should not: - - Attempted to locate the sandbox container for the pod and delete it as - well. This meant if "shim delete" was invoked for a workload - container, it could bring down the whole pod. The only reason we did - not see this in the past is that prior to containerd 1.5 "shim delete" - was not called for successful container stop operations. - - - Deleted the bundle directory. We shouldn't do this in the shim, as - containerd does it itself. - - For reference on what the Linux shim does, see here: https://github.com/containerd/containerd/blob/master/runtime/v2/runc/v2/service.go#L291 - - 
Signed-off-by: Kevin Parsons - -commit cd895b4d114093e858d48139ed8dc214727cac7d -Author: Daniel Canter -Date: Thu May 27 11:55:51 2021 -0700 - - Remove internal GCS connection functionality - - HCS maintains an internal guest connection to the GCS normally if you request it. - However, there are certain features that require us to maintain an external connection - (external in this sense meaning not in HCS) instead like late cloning. - - We had swapped to always managing the connection to the GCS ourselves some time ago and - afaik there's been no fallout from it, so I propose let's get rid of the internal branches - altogether. This greatly simplifies the work for going through a different virtstack for - hypervisor isolated containers as well. - - Ran go mod vendor in /test to bring in the changes as well. - - 
Signed-off-by: Daniel Canter - -commit 4b95424673b5f34c7072b8bfd2c7c4b0e1b1e9be -Merge: 3d01d8241 575db04c9 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed May 26 01:11:44 2021 -0700 - - Merge pull request #955 from dcantah/share-scratch-tests - - Add tests for LCOW shared scratch space work - -commit 3d01d8241f28aec4d4eb2fa75c3f09b568387ce0 -Author: Sean T Allen -Date: Tue May 25 13:51:36 2021 -0400 - - VHD with dm-verity (#985) - - * Adds a dm-verity integrity option to VHDs created from tar files. - - - allow for the creation of dmverity superblocks - - getting the complete merkle tree - - getting a roothash from an existing tree - - tar2ext4 now takes an additional option to include tree information in - the - generated VHD. Information will be stored as: - - ext4 / verity superblock / merkle tree / VHD footer - - assuming that all optional content is included. - - At time, the salt value for all verity code is hardcoded. It could be - changed later as with the usage of a superblock, we no longer need - to know the salt on the use side as it will be obainted from the - superblock. - - The included `cmd/dmverity-vhd` and `cmd/roothash` commands can be used - for testing. - - dmverity-hd takes the name of a docker image which it will download - and for each layer, it will generate a VHD in the provided output - directory. - - The layer VHDs are named after the SHA for the given layer. - - dmverity-vhd outputs the name of each vhd created. - - roothash takes the nane of a docker image which it will download and for - each - layer, it will output the roothash for the layer. 
- - For example: - - ``` - > ./dmverity-vhd -i alpine:3.10 -o test - test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286 - - > ./roothash -i alpine:3.10 - 680edf0d62d42085f446efc20f34d02f5d21f4a2eec1ab79506809321105a13a - - > dumpe2fs - test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286 - dumpe2fs 1.45.5 (07-Jan-2020) - Filesystem volume name: - Last mounted on: - Filesystem UUID: - Filesystem magic number: 0xEF53 - Filesystem revision #: 1 (dynamic) - Filesystem features: ext_attr sparse_super2 filetype extent flex_bg - large_file huge_file extra_isize read-only - Default mount options: (none) - Filesystem state: clean - Errors behavior: Continue - Filesystem OS type: Linux - Inode count: 496 - Block count: 1544 - Reserved block count: 0 - Free blocks: 7 - Free inodes: 3 - First block: 0 - Block size: 4096 - Fragment size: 4096 - Blocks per group: 32768 - Fragments per group: 32768 - Inodes per group: 496 - Inode blocks per group: 31 - Flex block group size: 2147483648 - Last mount time: n/a - Last write time: Wed Dec 31 19:00:00 1969 - Mount count: 0 - Maximum mount count: 0 - Last checked: Wed Dec 31 19:00:00 1969 - Check interval: 0 () - Reserved blocks uid: 0 (user root) - Reserved blocks gid: 0 (group root) - First inode: 11 - Inode size: 256 - Required extra isize: 24 - Desired extra isize: 24 - - Group 0: (Blocks 0-1543) - Primary superblock at 0, Group descriptors at 1-1 - Block bitmap at 1542 (+1542) - Inode bitmap at 1543 (+1543) - Inode table at 1511-1541 (+1511) - 7 free blocks, 3 free inodes, 90 directories - Free blocks: 2-8 - Free inodes: 494-496 - - > veritysetup verify --data-blocks=1544 \ - --hash-offset=6324224 \ - test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286 \ - test/483b65c07faaf8ee7f1f57c6d7de0eda9dfd61a34f03337926650b8178db5286 \ - 680edf0d62d42085f446efc20f34d02f5d21f4a2eec1ab79506809321105a13a - - ``` - - where no output from the verifysetup command means that - everything is 
working as expected. - - * vendor new dependencies - - * create a new cli app for dmverity-vhd - - additionally combine dmverity-vhd and roothash into a single app - with corresponding subcommands. - - Signed-off-by: Maksim An - - Co-authored-by: Maksim An - -commit 91974a2b0a9d17a5dbf6a721110651a8aa21fff9 -Merge: f444c40a2 7d4dbe4d2 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri May 21 18:29:52 2021 -0700 - - Merge pull request #1023 from dcantah/remotevm-uvm - - Remotevm UVM implementation - -commit f444c40a23266d231a0102b74001c9ce46765aed -Merge: 9ca705de1 b9c244e7b -Author: Kathryn Baldauf -Date: Fri May 21 16:53:10 2021 -0700 - - Merge pull request #1032 from dcantah/gitattr - - lf line endingify stray opengcs files - -commit b9c244e7b22b07a5393d4b547193c908dfb55b9c -Author: Daniel Canter -Date: Tue May 18 17:26:20 2021 -0700 - - lf line endings opengcs files - - For some reason there's 2 opengcs files that are crlf, 2 out of the 3 files in - vsockexec.. - - Run go mod vendor + tidy in test in case - - Signed-off-by: Daniel Canter - -commit 575db04c9001bb68d5760f986c2ced9880c3d045 -Author: Daniel Canter -Date: Fri Feb 26 19:28:45 2021 -0800 - - Add tests for LCOW shared scratch space work - - First test validates that after launching a pod and one container there is only a single - scsi disk available in the guest. - - Second test launches two workload containers both sharing the pod sandbox containers scratch space. A - file is written in the first workload container and the available size left on the rootfs is then checked in - both workload containers. The success case is if both containers show the same available size left. - - 
Signed-off-by: Daniel Canter - -commit 9ca705de1ba636d259491c73728eeb0ddbc5842e -Merge: 236b8e1d4 6779771ed -Author: Kathryn Baldauf -Date: Thu May 20 14:39:16 2021 -0700 - - Merge pull request #1036 from katiewasnothere/fix_cpugroup_test - - fix break in cpu groups test on machines with build < 20124 - -commit 6779771ed92e8fd9558e50a492b0053625bf771b -Author: Kathryn Baldauf -Date: Thu May 20 14:20:56 2021 -0700 - - fix break in cpu groups test on machines with build < 20124 - - Signed-off-by: Kathryn Baldauf - -commit 236b8e1d44186eeb99e1894c1ad9e7680e9ce4d2 -Merge: 640d38098 f0de01365 -Author: Kathryn Baldauf -Date: Tue May 18 19:26:20 2021 -0700 - - Merge pull request #1033 from dcantah/fix-critests - - Change VSMBNoDirectMap_WCOW_Hypervisor test to fix CI break - -commit f0de013658e00c021091e395be2df36290c64195 -Author: Daniel Canter -Date: Tue May 18 19:08:59 2021 -0700 - - Change VSMBNoDirectMap_WCOW_Hypervisor test to fix CI break - - In this PR (https://github.com/microsoft/hcsshim/pull/1019) I changed how we pass annotations to - the cri-containerd suite, but this PR (https://github.com/microsoft/hcsshim/pull/1030) got in before - which added a new test. This caused the CI to fail on checkin of the first PR. Always rebase kids - - Signed-off-by: Daniel Canter - -commit 640d38098eb87e7ae802ab259ffaded192e74ab6 -Merge: fc68b2a1d 1a8a5d861 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue May 18 19:01:34 2021 -0700 - - Merge pull request #1019 from dcantah/remotevm-test - - Add new flags to integration tests to specify virtstack - -commit fc68b2a1de8a3d2fbb206ce07d31e14d3444100b -Merge: 79f91508d dffc7ef16 -Author: Kathryn Baldauf -Date: Tue May 18 18:48:29 2021 -0700 - - Merge pull request #931 from katiewasnothere/task_update_implementation - - support pod and container updates - -commit dffc7ef169deb77e36437130f64a9da37515651b -Author: Kathryn Baldauf -Date: Fri Dec 4 16:02:39 2020 -0800 - - support pod and container updates - - 
Signed-off-by: Kathryn Baldauf - -commit 7d4dbe4d25dfe057a620557fad6d24a56f1531fb -Author: Daniel Canter -Date: Mon May 10 17:07:57 2021 -0700 - - Remotevm UVM implementation - - Add an implementation of the vm.UVM interface using the vmservice ttrpc - definitions. - - Fix up cpugroup HypervisorId type to be a uint64 - - Signed-off-by: Daniel Canter - -commit 79f91508d66583957c9b8295693649ddc38d6b19 -Merge: 5a7e7e04f a4bdb0736 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue May 18 17:37:34 2021 -0700 - - Merge pull request #1031 from katiewasnothere/makefile_lf - - Change Makefile file type from crlf to lf - -commit a4bdb0736ea01721f58539b1704ef581a9e899d6 -Author: Kathryn Baldauf -Date: Tue May 18 16:30:03 2021 -0700 - - Change Makefile file type from crlf to lf - - Signed-off-by: Kathryn Baldauf - -commit 5a7e7e04fdf9d253de919bcb3f3e2c50770bdf19 -Merge: 482a0b89f e43978ff2 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Tue May 18 15:36:06 2021 -0700 - - Merge pull request #1029 from ambarve/shim_panic_limit - - Read max 1MB data from panic.log - -commit e43978ff239e889326c92ab938bd90bc73bcbfb2 -Author: Amit Barve -Date: Tue May 18 12:42:02 2021 -0700 - - Read max 1MB data from panic.log - - Panic.log file can get very large if there are other log statements writing to - stderr. Avoid reading the entire file - - Signed-off-by: Amit Barve - -commit 482a0b89f2e2e2af624fe76877cf3a922ca3c1b4 -Merge: 0feed3f8e 11cd03de3 -Author: Kathryn Baldauf -Date: Tue May 18 15:15:57 2021 -0700 - - Merge pull request #1030 from katiewasnothere/vsmb_no_direct_map - - Add option to set no direct map by default on wcow VSMB devices - -commit 11cd03de39e6786fc28c9ef05a9d2dc606d5b003 -Author: Kathryn Baldauf -Date: Tue May 18 14:31:30 2021 -0700 - - Add option to set no direct map by default on wcow VSMB devices - - 
Signed-off-by: Kathryn Baldauf - -commit 0feed3f8e9ddde800d3bf1c3185394b53bfcf5c7 -Merge: 264333450 4cd8e71b3 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Tue May 18 12:43:54 2021 -0700 - - Merge pull request #1021 from ambarve/scsi_vsmb_fix - - Fix bug with VSMB & SCSI mounts on the same host path - -commit 2643334504a19e7a777a85416fd8bb959da33ae4 -Merge: 3b82d4106 6fcfcf10b -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Tue May 18 12:05:18 2021 -0700 - - Merge pull request #1028 from ambarve/late_clone_test_build_fix - - Run late clone tests on 20H2+ builds only. - -commit 3b82d41068eb4d64d130626f06a65a9b55ccb29a -Merge: 407147a88 0c991565c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon May 17 16:57:19 2021 -0700 - - Merge pull request #973 from dcantah/merge-opengcs - - Merge Microsoft/opengcs and Microsoft/hcsshim - -commit 0c991565c4f31ce595a014e5ff15ed9524604242 -Author: Daniel Canter -Date: Thu Apr 29 01:33:21 2021 -0700 - - Fix up opengcs CI issues/remove ginkgo from Makefile - - We're not using ginkgo for any of our tests anymore (that I can see) so for Makefile - test just swap to running every test in /internal/guest which comprises (mostly) all of the - Linux specific guest features. - - This commit also adds linter tags to a couple things to fix up deadcode warnings as well as fixes - a casing mistake on the setSubreaper function in /internal/guest/runtime/runc/runc.go - - Signed-off-by: Daniel Canter - -commit f8a46eb21dea329e93d93ee2a3c0a090076e57f5 -Author: Daniel Canter -Date: Wed Apr 28 10:39:03 2021 -0700 - - Add build tags to everything so testing at root works - - Running our CI explodes as when it gets to anything in /internal/guest there's a whole - bunch of unix going on. - - 
Signed-off-by: Daniel Canter - -commit 29eb4983a0ea34e1488edd374029463cf9b1a398 -Author: Daniel Canter -Date: Wed Apr 28 06:09:38 2021 -0700 - - Get rid of need for containerd/sys/reaper - - The exported function we were using just calls a unix syscall, so just call - this directly. - - Signed-off-by: Daniel Canter - -commit a9a05626b53677086cc2fe785d9758a7921083d8 -Author: Daniel Canter -Date: Wed Apr 28 05:55:05 2021 -0700 - - Fix up Makefile to build gcs binaries from /cmd - - Signed-off-by: Daniel Canter - -commit ef9e2810beaabc85ee3e81fbf85a873abf3f26dd -Author: Daniel Canter -Date: Mon May 17 15:54:53 2021 -0700 - - Vendor in opengcs dependencies - - Bring in the opengcs dependencies: - github.com/linuxkit/virtsock - github.com/vishvananda/netlink - github.com/vishvananda/netns - github.com/opencontainers/runc - github.com/mattn/go-shellwords - - Signed-off-by: Daniel Canter - - Signed-off-by: Daniel Canter - -commit 9f7d3a8f46ee00128f6cd4185b2d7173cb8c517a -Author: Daniel Canter -Date: Wed Apr 28 05:36:26 2021 -0700 - - Fix up imports for opengcs files + build tag for gcs binary - - * Change import paths to actually reflect where the files currently reside. - * Put a linux build tag on the gcs binary - * Get rid of the secondary gitignore file in the service directory, afaict this isn't - actually needed from checking what it's actually exlcuding. This was likely a relic of - a much older version of the gcs and binaries/artifacts that used to be built out of it. - - Signed-off-by: Daniel Canter - -commit 5d97cc3f5234a7f0bbcc9997835c0eba820a8e2a -Author: Daniel Canter -Date: Wed Apr 28 04:55:57 2021 -0700 - - Add opengcs build job to github actions CI - - Add new job to the CI to run the Makefile for opengcs and delete the existing - opengcs CI yml file living in /opengcs/.github - - 
Signed-off-by: Daniel Canter - -commit 6eb9d6fb4c40421c56b8e2bbf97f53cddbee2fc5 -Author: Daniel Canter -Date: Wed Apr 28 04:51:03 2021 -0700 - - Move opengcs service/gcs and service/libs code to internal/guest - - Move all of the code that used to live in the opengcs service directory to the - internal guest package to live with the rest of the opengcs internal code. - - Signed-off-by: Daniel Canter - -commit 4d20492c6d01a7e03a4ba85b67147cc4b16bb8a5 -Author: Daniel Canter -Date: Wed Apr 28 04:23:26 2021 -0700 - - Build gcs and gcstools binaries out of cmd - - This commit moves the code for the main opengcs binary and the gcstools binary - to cmd so we can build the binaries the same way we do for the all of the other - binaries we care about. - - The Makefile will be edited in a future commit to be aware of this rearrange. - - Signed-off-by: Daniel Canter - -commit 686fc6e20ca814158e89bbc82d960f617af23a92 -Author: Daniel Canter -Date: Wed Apr 28 04:16:44 2021 -0700 - - Move opengcs/internal to /internal - - The debug package is useful and not strictly related to guest behavior so I've moved this to - a new debug package in internal, however for everything that's either Linux specific or opengcs - specific I've created a new `guest` package that houses these. This includes the kmsg package - (linux specific) the hcs v2 runtime guest code, all of the storage functionality that ends up - leading to mount syscalls, and guest side vmbus/pci related code. - - Signed-off-by: Daniel Canter - -commit 2de739712f6d14ce58ae9c54f96d59fdcacfe152 -Author: Daniel Canter -Date: Wed Apr 28 03:17:47 2021 -0700 - - Remove unneccessary opengcs/log and opengcs/oc packages - - These were just exact copies of the log and oc packages already in hcsshim. - - 
Signed-off-by: Daniel Canter - -commit 4cdb366e845b2e1da73ae88ae31424efa5ccb1a2 -Author: Daniel Canter -Date: Wed Apr 28 03:11:42 2021 -0700 - - Move all non gcs code to top level - - * Move hack/, init/, vsockexec/ and Makefile top level - - Signed-off-by: Daniel Canter - -commit 86d8b454101c59499c21d0537c01a042f91ef13b -Author: Daniel Canter -Date: Wed Apr 28 03:09:23 2021 -0700 - - Remove vendor dir for opengcs - - No need for it, all the deps wil be going in the hcsshim vendor directory. - - Signed-off-by: Daniel Canter - -commit ba9332e1cb9b25323b742023d9079b82652af375 -Author: Daniel Canter -Date: Wed Apr 28 03:03:32 2021 -0700 - - Get rid of unnecessary opengcs files - - * Add gitignore rules to top level gitignore and remove files that have - duplicates and make no sense here anymore (LICENSE, CODEOWNERS, go.mod/sum) - - 
Signed-off-by: Daniel Canter - -commit 9d39093d9a9711d795df3eda966e3359e8ca1033 -Merge: 407147a88 2dcf9121a -Author: Daniel Canter -Date: Mon May 17 15:07:30 2021 -0700 - - Merge Microsoft/opengcs and Microsoft/hcsshim - - Merge Microsoft/opengcs and Microsoft/hcsshim - - This was done more or less like the following: https://www.nomachetejuggling.com/2011/09/12/moving-one-git-repo-into-another-as-subdirectory/ - - This is solely just adding the repo to hcsshim in an opengcs subdirectory with the history, nothing else. - - The reason for this is really that there's no reason for opengcs to be it's own repository anymore. The gcs binary itself - is built out of the repo but opengcs itself isn't really used as a library anymore so positives like versioning aren't as important. - The repository itself will live on and we cut a tag before removing all of the v1 codebase so I think the bases are covered. - -commit 6fcfcf10b1dd7835fae00f8e3c6e4b62a121b6e4 -Author: Amit Barve -Date: Mon May 17 14:19:34 2021 -0700 - - Run late clone tests on 20H2+ builds only. - - Late clone needs some registry settings when running on builds older than 20H2. We do not - add these registry settings on such builds by default so the late clone tests might fail - on machines with builds older than 20H2. Skip running these tests on such machines. - - Signed-off-by: Amit Barve - -commit 407147a8825c21b2f1f1ef4e53b24b27fb8632fb (tag: v0.8.17) -Merge: 0f5799e5e eba372547 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu May 13 22:00:50 2021 -0700 - - Merge pull request #1027 from Priyankasaggu11929/psaggu-bump-containerd-to-1.5.1 - - bump containerd version to v1.5.1 - -commit eba372547321473e09161ac34a266f499ffdb78a -Author: Priyanka Saggu -Date: Fri May 14 06:57:30 2021 +0530 - - bump containerd version to v1.5.1 - - 
Signed-off-by: Priyanka Saggu - -commit 0f5799e5e9fe19aa85ea3b0f4a6285c8640daa6c -Merge: 710d70470 ce4f34789 -Author: Kevin Parsons -Date: Thu May 13 16:01:22 2021 -0700 - - Merge pull request #1025 from kevpar/close-stdio - - internal/cmd: Close individual IO pipes when the relay finishes - -commit ce4f347898357e7dcf025409716a44789b1a7f5a -Author: Kevin Parsons -Date: Tue May 11 10:19:02 2021 -0700 - - internal/cmd: Close individual IO pipes when the relay finishes - - The shim is expected to close its end of the IO pipes from the gcs when - it is done using them. This is done to ensure that no data is left - buffered in the pipes on the gcs's end. Previously, this was - accomplished via the ioChannel closing its underlying connection if Read - returned EOF. - - However, this is not sufficiently robust, as it will not work in cases - where the shim's IO relay breaks on the write end (e.g. if CRI has gone - away). - - To resolve this, we now expose individual methods on cow.Process to - close each IO pipe (in/out/err), and call those from the Cmd - implementation once the IO relay completes. - - This should be a good first-pass fix here, until we can apply some more - focused cleanup to the IO relay code in the future. - - Some minor renaming/cleanup as well. - - 
Signed-off-by: Kevin Parsons - -commit 710d704708cb3a468f551880f83197d6ea2760c9 -Merge: 18de184a3 47674600e -Author: Kevin Parsons -Date: Wed May 12 16:36:37 2021 -0700 - - Merge pull request #1024 from kevpar/log-cleanup - - internal/hcs: hcsshim -> hcs in operation name strings - -commit 18de184a3c14e33b8eec883f68b0f5096b2e6cff -Merge: 20ce9b887 70edd1250 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed May 12 01:19:54 2021 -0700 - - Merge pull request #1022 from vikas-bh/tieracl5 - - Add support for tier acl policy - -commit 47674600ef0f7f1979bde38f1840ccc2d6b88843 -Author: Kevin Parsons -Date: Tue May 11 10:12:11 2021 -0700 - - internal/hcs: hcsshim -> hcs in operation name strings - - e.g. hcsshim::System::Modify -> hcs::System::Modify - This should make the log messages a bit clearer. - - Signed-off-by: Kevin Parsons - -commit 70edd1250e3e415a2b6ff83d56fa1bc70a38aa14 -Author: Vikas Bhardwaj -Date: Thu Jan 14 10:30:34 2021 -0800 - - Changes for tier acl policy - - Signed-off-by: Vikas Bhardwaj - -commit 20ce9b887fbf8d1ee4077b2490b29facf2be0a28 -Merge: 2895e629f 4641e993c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri May 7 18:08:31 2021 -0700 - - Merge pull request #1009 from dcantah/vm-package - - Add abstractions for direct HCS interactions - -commit 4cd8e71b358ab00a4f3955f7bcfeb6a7f42ed6cd -Author: Amit Barve -Date: Fri May 7 15:27:43 2021 -0700 - - Fix bug with VSMB & SCSI mounts on the same host path - - When mounting a VHD at host path `C:\data\test.vhdx` into the container over SCSI and also - sharing the same VHD inside the container over VSMB the current code just shares the VHD - inside the container for both mounts instead of actually SCSI mounting the VHD for one of - the mounts. This change fixes that. - - 
Signed-off-by: Amit Barve - -commit 1a8a5d861fd2b4dcda866e86b89787c1fc915577 -Author: Daniel Canter -Date: Thu May 6 01:18:31 2021 -0700 - - Add new flags to integration tests to specify virtstack - - Add some new flags to the integration test suite that enables choosing what virtstack - to use for hypervisor isolated containers. This makes it so we can re-use our existing tests - and just pass in new flags to run them with a new stack. - - To have this play nice with the test suite I changed `getRunPodSandboxRequest` to take in whatever - annotations we'd want to set on the pod config directly instead of us having to set them on the - returned object itself. - - Signed-off-by: Daniel Canter - -commit 2895e629ff5e1ab0811d3e1d21597761457f2e6a -Merge: 2d5a2c3c0 880590bca -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed May 5 23:15:24 2021 -0700 - - Merge pull request #1017 from dcantah/fix-codeowners - - Take off hcn package CODEOWNERS line - -commit 4641e993ca02a8c98ef95a840bc2b24da28bee8a -Author: Daniel Canter -Date: Thu Apr 22 03:32:57 2021 -0700 - - Add abstractions for direct HCS interactions - - Add vm package, uvm and uvmbuilder interfaces to abstract away the operations that we call directly into - hcs for. This will be useful for having these operations be performed by a different virtstack - so long as it supports what is needed for containers. - - 
Signed-off-by: Daniel Canter - -commit 2d5a2c3c03768113f35f75172d0db295f72fd31d -Merge: 691999834 0882cf37d -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue May 4 17:59:47 2021 -0700 - - Merge pull request #1003 from jsturtevant/update-ipv6-versioning - - WS 2004 supports dual stack - -commit 691999834a8854517e18bcf8d3a8fa42765bfd78 -Merge: f105e0775 7299e2e4f -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue May 4 17:30:26 2021 -0700 - - Merge pull request #1016 from erfrimod/erfrimod/l4wfpproxy-policy - - Adding proxy exceptions to L4WFP Proxy Policy - -commit 7299e2e4fa03df8981e3a18cd5ea43d709f8342d -Author: Erik Frimodig -Date: Tue May 4 16:10:09 2021 -0700 - - Adding proxy exceptions to L4WFP Proxy Policy - - Signed-off-by: Erik Frimodig - -commit 880590bca4dff2abf383cf183bf31118a4eb51d0 -Author: Daniel Canter -Date: Tue May 4 17:07:46 2021 -0700 - - Take off hcn package codeowners line - - The CODEOWNERS logic for the hcn package shouldn't work as the required reviewer - doesn't have write access which is required. - - From https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners: - - "The people you choose as code owners must have write permissions for the repository. When the code owner - is a team, that team must have write permissions, even if all the individual members of the team already have - write permissions directly, through organization membership, or through another team membership." - - Signed-off-by: Daniel Canter - -commit f105e07757c116119c3af0665641151d3b0e7d2d -Merge: e481a139d 6212521e6 -Author: Kathryn Baldauf -Date: Tue May 4 13:22:32 2021 -0700 - - Merge pull request #1015 from dims/updated-to-containerd-v1.5.0 - - Updated to containerd v1.5.0 - -commit 6212521e67f47c01515f015bb721e8fc4f433947 -Author: Davanum Srinivas -Date: Tue May 4 13:15:11 2021 -0400 - - Updated to containerd v1.5.0 - - 
Signed-off-by: Davanum Srinivas - -commit e481a139d6e1bfcd216372e5ea62cfd6fb7a6a2c -Merge: 1175109e8 716eddc8e -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Apr 30 13:27:40 2021 -0700 - - Merge pull request #1013 from vikas-bh/ipv6fields1 - - Add NatFlags flag to OutboundNatPolicySetting - -commit 1175109e82dfa984459977a26f9128494f4f2e99 -Merge: bf20b75af 06256be9f -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 29 22:08:54 2021 -0700 - - Merge pull request #1014 from dcantah/fix-spelling - - Fix spelling mistake with `notificationWatcherContext` - -commit 06256be9f531bc38af378a5d37adb567be7b793d -Author: Daniel Canter -Date: Thu Apr 29 18:18:52 2021 -0700 - - Fix spelling mistake with `notificationWatcherContext` - - notifcationWatcherContext -> notificationWatcherContext - - Signed-off-by: Daniel Canter - -commit 716eddc8e0ab29db0341108d1c523bd08e1c80cc -Author: Vikas Bhardwaj -Date: Thu Apr 29 16:33:51 2021 -0700 - - CR feedback - - Signed-off-by: Vikas Bhardwaj - -commit f568d433f83efc97f2eaecb882ef8e1e79357f23 -Author: Vikas Bhardwaj -Date: Thu Apr 29 15:58:53 2021 -0700 - - CR feedback - - Signed-off-by: Vikas Bhardwaj - -commit d3f1ab7aff4da7a2e367a9a05ab5b2c6c919fcca -Author: Vikas Bhardwaj -Date: Wed Apr 28 18:13:27 2021 -0700 - - Add ipv6 flag to OutboundNatPolicySetting - - Signed-off-by: Vikas Bhardwaj - -commit 2dcf9121abc025834baaa0151f00c8bd3dc8bc25 -Author: Daniel Canter -Date: Wed Apr 28 02:45:49 2021 -0700 - - Getting ready for hcsshim merge - - * Move entire repo into opengcs subdir - * `gofmt -s -w .` all the files to satisfy linter - - 
Signed-off-by: Daniel Canter - -commit bf20b75af1b95345d2ee526b66942b9cc98908ea -Merge: 8656c9baa 377e39a5b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Apr 27 17:01:55 2021 -0700 - - Merge pull request #1006 from dcantah/cpugroup-onstart - - Add support for assigning cpu group on creation - -commit 377e39a5b739ffe533e68930ed079cf201262cc0 -Author: Daniel Canter -Date: Wed Apr 21 14:11:05 2021 -0700 - - Add support for assigning cpu group on creation - - In recent builds of Windows there was support added to the HCS to allow assigning - a cpugroup at creation time of the VM instead of afterwards. The current approach in this - repo of adding a vm after start was only a workaround as this wasn't supported at the time. - The current approach isn;t ideal due to some wonky behavior on machines with - multiple NUMA nodes as we can suffer performance penalties because of remote memory access on - machines with > 1 node when adding a VM after start. - - Signed-off-by: Daniel Canter - -commit 0882cf37d229ebd85bc69c423bd3c2aebc85321a -Author: James Sturtevant -Date: Thu Apr 15 14:28:19 2021 -0700 - - WS 2004 supports dual stack - -commit 8656c9baa760afb56717c0bb674ae7464426d617 -Merge: faecc38b9 a7fe5d3af -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Apr 27 13:23:57 2021 -0700 - - Merge pull request #1012 from estebanreyl/esrey/rootNotInitializedBug - - Fix tar2vhd on specific unordered tars - -commit a7fe5d3af6467e3c04d3c75d690d05374f32294f -Author: Esteban Rey -Date: Tue Apr 27 10:42:19 2021 -0700 - - Added fix for unordered tars not starting with a - root folder file. - - 
Signed-off-by: Esteban Rey - -commit faecc38b9fbd3cfe8d2ecd11f15af11e3897cc9e -Merge: 141e8c092 5d1799c3f -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Apr 26 18:25:15 2021 -0700 - - Merge pull request #1010 from dcantah/vmservice - - Add vmservice ttrpc interface - -commit 5d1799c3fb121bcdd5054c023840859569b544e1 -Author: Daniel Canter -Date: Fri Apr 23 00:10:05 2021 -0700 - - Add vmservice ttrpc interface - - This change brings in a new generated ttrpc service intended to be implemented - by a virtstack to facilitate running hypervisor isolated containers. - - The goal is to have the operations we need and rely on for running hypervisor based - containers be abstracted away so we're not calling directly into HCS for everything - anymore, but rather make it a configurable option on what underlying virtstack is chosen. - These definitions are missing some key Windows features like VSMB but what's here - currently is enough to run a Linux guest at the moment with networking. - - There will be future work to add an implementation of the UVM interface (https://github.com/microsoft/hcsshim/pull/1009) - based off of these definitions. - - 
Signed-off-by: Daniel Canter - -commit 141e8c0923c7474aff700d16c46053a8c149545b -Merge: b35557ddb fec8e08ab -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Thu Apr 22 12:36:18 2021 -0700 - - Merge pull request #1007 from ambarve/shim_panic_create_pod_fixes - - Minor fixes to shim panic log & create task functions - -commit b35557ddbc85daa1e64d5c6278f1aff2537747ed -Merge: 01c70382b ff9c76f69 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Apr 21 19:21:43 2021 -0700 - - Merge pull request #1004 from dcantah/resourcepath - - Move around HCS schema and resource path definitions - -commit 01c70382bcabfe856276cf1a3d215bdd13ef2e6a -Merge: d9474d26c 3cd77f39f -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Apr 21 17:34:49 2021 -0700 - - Merge pull request #1005 from dcantah/hcn-port - - Add VmEndpointRequest in hcn for eventual usage in the shim - -commit fec8e08ab641b9e3f0c9121861a6d8cba020f3fe -Author: Amit Barve -Date: Wed Apr 21 16:51:19 2021 -0700 - - Minor fixes to shim panic log & create task functions - - The change to collect shim panic logs during shim delete command does not work in cases - when the delete command itself runs into some error. To avoid losing shim panic logs in - such cases we log the shim panic logs (if found) as first thing in the delete command. - - CreateTask function had `wcl` mutex lock that wasn't really being used anywhere, this - change removes that. We also don't add a `nil` entry for a new task in the `workloadTasks` - map anymore to avoid the shim panic in some cases where a `GetTask` function might - be called while we are still in the process of creating the task and haven't updated the - nil entry with the actual task struct reference. 
- -commit ff9c76f69b6c6ecc47aae4e701596ee4998bb4af -Author: Daniel Canter -Date: Wed Apr 21 10:51:39 2021 -0700 - - Move around HCS schema and resource path definitions - - As both the V1 and V2 HCS schema are tied to HCS itself, it makes more sense - to have the schema definitions co-located under the hcs package. The resource paths - are also tied to HCS and in preparation of some work where we'll need the resourcepaths available - outside of the uvm and gcs packages, move the resource paths for both virtual machines and containers - to their own package. - - Signed-off-by: Daniel Canter - -commit 3cd77f39f5df37ca4476454af401682c6aa7870d -Author: Daniel Canter -Date: Wed Apr 21 11:07:17 2021 -0700 - - Add VmEndpointRequest for eventual usage in the shim - - HCS today for adding a network adapter to a virtual machine sets up the switch - port itself by making a VmEndpointRequest. There are cases where we will want to - do this ourselves, and we need the switch ID for this which will only exist after - this request. - - Signed-off-by: Daniel Canter - -commit 9c5f6dbaf5fd7686e509e2a9b2091bfb2ba298ca -Merge: 5eca651ab 00dbf04d0 -Author: Kathryn Baldauf -Date: Tue Apr 20 14:34:00 2021 -0700 - - Merge pull request #405 from katiewasnothere/remove_travis - - Remove travis files and related dockerfile - -commit 00dbf04d0ba8424b58b35d3f742b3eb63cc987fe -Author: Kathryn Baldauf -Date: Tue Apr 20 12:49:12 2021 -0700 - - Remove travis files and related dockerfile - - Signed-off-by: Kathryn Baldauf - -commit 5eca651ab77c6559176cab3a46620c317344f1ad -Merge: 3bfc2da24 9ee477cb5 -Author: Kathryn Baldauf -Date: Tue Apr 20 12:34:10 2021 -0700 - - Merge pull request #402 from katiewasnothere/gh_actions - - Switch to Github actions - -commit 9ee477cb55029fc90e0125ae68fbaf2ca7200f37 -Author: Kathryn Baldauf -Date: Tue Apr 13 18:19:23 2021 -0700 - - Add CI github action - - 
Signed-off-by: Kathryn Baldauf - -commit 3bfc2da24bc55e1a6e1c94490a3ccaa67d8d7187 -Merge: b1ad9ad87 02bb73fc5 -Author: Maksim An -Date: Tue Apr 13 23:04:23 2021 -0700 - - Merge pull request #403 from anmaxvl/fix_storage_tests - - fix wrong type in pmem debug message, pmem and scsi unit tests - -commit 02bb73fc59afd0ee9a41b6b748e0a629e6712633 -Author: Maksim An -Date: Tue Apr 13 22:50:32 2021 -0700 - - minor bugfix in pmem debug message. fix pmem and scsi unit tests - - Debug message format in pmem package was using a wrong type. - - Unit tests for pmem and scsi were using old structs and function - signatures. - - Trigger unit tests in Makefile - - Signed-off-by: Maksim An - -commit b1ad9ad878f2ec1bf605c62ec3b313d85961404c -Merge: 8f1f0a0b0 7913d73b5 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Apr 13 22:57:21 2021 -0700 - - Merge pull request #404 from dcantah/gcs-core-remove - - Get rid of service/gcs/core/gcs - -commit 7913d73b5870d53b41ae43e1c3fbe3945d356c40 -Author: Daniel Canter -Date: Tue Apr 13 22:34:04 2021 -0700 - - Get rid of service/gcs/core/gcs - - Remnants of the v1 gcs removal. I don't see this used anywhere. - - https://github.com/microsoft/opengcs/commit/e972b276edcc73be63c6f05a53e623bf38e5332a - - Signed-off-by: Daniel Canter - -commit 8f1f0a0b08a75765cc8344b12f4d32e54b13b425 -Merge: 2ed586680 7604c07f9 -Author: Kathryn Baldauf -Date: Tue Apr 13 16:06:45 2021 -0700 - - Merge pull request #401 from katiewasnothere/fix_generichook_dep - - Update generichook package to fix broken dependency - -commit 7604c07f956f4ccd3dcc73962f99d7cab7b454f1 -Author: Kathryn Baldauf -Date: Tue Apr 13 15:55:11 2021 -0700 - - Update generichook package to fix broken dependency - - 
Signed-off-by: Kathryn Baldauf - -commit 2ed586680c70550301feefe3440d0e6ab1ee26c0 -Merge: daa2c7856 50edeb3dd -Author: Kathryn Baldauf -Date: Tue Apr 13 15:40:13 2021 -0700 - - Merge pull request #400 from katiewasnothere/vendor_missing_deps - - Update go modules to get missing dependencies - -commit 50edeb3dd1b3febf8f472353043c3e85a5deb172 -Author: Kathryn Baldauf -Date: Tue Apr 13 15:32:00 2021 -0700 - - Update go modules to get missing dependencies - - Signed-off-by: Kathryn Baldauf - -commit d9474d26c57bed6081b3941dd7980d5e8457148e -Merge: c1d36212c 442a9aa4c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Apr 13 14:41:05 2021 -0700 - - Merge pull request #1001 from dcantah/remove-mergemaps-v2 - - Get rid of mergemaps functionality for v2 codepaths - -commit c1d36212c6b98c43d2e6ff6b0d4453f2d27df7aa -Merge: 840644c77 d5f4aeef4 -Author: Kathryn Baldauf -Date: Tue Apr 13 14:36:54 2021 -0700 - - Merge pull request #987 from katiewasnothere/fix_propagation_lcow - - Support passing in propagation flags on scsi mounts for LCOW - -commit d5f4aeef4245025bef2fe717f2a975a953618792 -Author: Kathryn Baldauf -Date: Thu Mar 25 17:03:37 2021 -0700 - - Support passing in propagation flags on scsi mounts for LCOW - - Signed-off-by: Kathryn Baldauf - -commit 840644c77d02d44939bab31570c644c9e94c0bec -Merge: 4b67ed2cd 8bc18f34b -Author: Kathryn Baldauf -Date: Tue Apr 13 12:52:42 2021 -0700 - - Merge pull request #1000 from katiewasnothere/fix_ttrpc_status_panic - - Update grpc and genproto library to avoid panic in ttrpc - -commit 442a9aa4cab2b61fbd494fd8ce294550c3362dd5 -Author: Daniel Canter -Date: Tue Apr 13 12:51:12 2021 -0700 - - Get rid of mergemaps functionality for v2 codepaths - - There's not a single place we used to set the uvm.Options `AdditionHCSDocumentJSON` field to - anything so it was as good as not there already. Just skip the calls entirely and remove the copying - of the fields for lateclone scenarios. - - 
Signed-off-by: Daniel Canter - -commit 8bc18f34bf79940fb1e6445fed4ac4bf10a01509 -Author: Kathryn Baldauf -Date: Tue Apr 13 12:46:33 2021 -0700 - - Update grpc and genproto library to avoid panic in ttrpc - - Signed-off-by: Kathryn Baldauf - -commit 4b67ed2cdb5355b30cf572ec17d5ffe648a85b0e -Merge: da33ecd60 bab6498e1 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Apr 12 13:06:51 2021 -0700 - - Merge pull request #996 from thaJeztah/use_the_build - - Use osversion.Build() utility, and add a sync.Once - -commit daa2c785680ada661fb4284a50073d21c652a8a1 -Merge: a72614fb7 1b5fcfe14 -Author: Maksim An -Date: Thu Apr 8 16:54:37 2021 -0700 - - Merge pull request #399 from anmaxvl/maksiman/dm-verity-target - - add support for dm verity target when mounting VPMem devices - -commit a72614fb7dd03b828484fb943ae63dd4fbe85d99 -Merge: 6c9e795d2 01a276740 -Author: Kathryn Baldauf -Date: Thu Apr 8 14:00:42 2021 -0700 - - Merge pull request #398 from katiewasnothere/fix_propagation_scsi - - Support passing through arbitrary options and propagation flags for scsi mounts - -commit 01a276740d18e2f1c51f6bfe86894ebfd7854efe -Author: Kathryn Baldauf -Date: Thu Mar 25 17:08:29 2021 -0700 - - Support passing through arbitrary options and propagation flags for scsi mounts - - Signed-off-by: Kathryn Baldauf - -commit da33ecd607e170385eb03eaba5e6834633f9fe17 -Merge: 2b139f628 8a22e26c5 -Author: Kathryn Baldauf -Date: Thu Apr 8 13:54:31 2021 -0700 - - Merge pull request #992 from katiewasnothere/test_execinhost_utility - - Add a utility function to exec in shimdiag for cri-containerd tests - -commit 8a22e26c53bcf0ca71ebdfcf6ca19a7ef7e81a3f -Author: Kathryn Baldauf -Date: Wed Apr 7 20:23:12 2021 -0700 - - Add a utility function to exec in shimdiag for cri-containerd tests - - 
Signed-off-by: Kathryn Baldauf - -commit 2b139f6283e643928dc358f02f7a126036a5accd -Merge: d5dd5179d b68de0515 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 8 10:52:53 2021 -0700 - - Merge pull request #995 from dcantah/fix-stderr-comment - - Fix stderr comment in containerd-shim serve command - -commit d5dd5179dd5634e0480c9d865abf2db2d3e724e4 -Merge: 2f0b9f3d0 6e2f5995b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 8 10:11:30 2021 -0700 - - Merge pull request #997 from dcantah/fix-ncproxy-comment - - Remove incorrect comment from ncproxy grpc service struct - -commit 6e2f5995bcc4a5e79d1aed073a2827a519dabb01 -Author: Daniel Canter -Date: Thu Apr 8 07:46:36 2021 -0700 - - Remove incorrect comment from ncproxy grpc service struct - - The GRPC service doesn't hold a mutex. This was left in from an older iteration - where the client map would get updated in the grpc service. - - Signed-off-by: Daniel Canter - -commit bab6498e1a1246c6735a2e7e785e4770f3c8a317 -Author: Sebastiaan van Stijn -Date: Thu Apr 8 14:42:58 2021 +0200 - - osversion.Get(): use sync.Once - - Given that it's _very_ unlikely that the Windows version changes at runtime, - we can use a sync.Once to not repeatedly call windows.GetVersion() - - Signed-off-by: Sebastiaan van Stijn - -commit d3cbd1d90ef16e46a11b7dae7fd6c18496bc9d4e -Author: Sebastiaan van Stijn -Date: Thu Apr 8 12:49:31 2021 +0200 - - Use osversion.Build() utility where possible - - 
Signed-off-by: Sebastiaan van Stijn - -commit b68de0515391790db646dd6980d26030aaaeba11 -Author: Daniel Canter -Date: Tue Apr 6 15:19:27 2021 -0700 - - Fix stderr comment in containerd-shim serve command - - In a comment in the serve command for the containerd-shim it says that to signify that we're - successfully serving the ttrpc endpoint we should close stderr, but we actually close stdout - to signify this. The write end of the pipe is hooked up to stdout on the "serve" command invocation - of the shim and we simply forward stderr to the read side until close. Stderr for the serve - invocation is hooked up to the panic.log file in case the shim panics. - - Signed-off-by: Daniel Canter - -commit 2f0b9f3d0ea07b79006be8a173b66b0a4a20c7d3 -Merge: e811ee705 7289451f5 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 8 02:40:30 2021 -0700 - - Merge pull request #993 from hex0punk/goroutine-leak-fix - - prevents a goroutine from being leaked if binary cmd fails to finish - -commit 7289451f52c08330c4dc320b382130a875852fff -Author: hex0punk -Date: Thu Apr 8 01:05:27 2021 -0700 - - prevents a goroutine from being leaked if binary cmd fails to finish - -commit e811ee705ec77df2ae28857ade553043fb564d91 (tag: v0.8.16) -Merge: 7fa8bda4e f731440f5 -Author: Kathryn Baldauf -Date: Wed Apr 7 13:57:52 2021 -0700 - - Merge pull request #991 from katiewasnothere/remove_extra_info - - Remove extra info from error logs - -commit f731440f562046527c8a470acb18c3a357402655 -Author: Kathryn Baldauf -Date: Wed Apr 7 13:34:53 2021 -0700 - - Remove extra info from error logs - - these logs create noise and are no longer useful - - 
Signed-off-by: Kathryn Baldauf - -commit 1b5fcfe142a50dd9c9f83aaf0ef7ccae1ec188fd -Author: Maksim An -Date: Wed Mar 31 00:28:05 2021 -0700 - - add support for dm verity target when mounting VPMem devices - - Update VPMem mount APIs to support passing dm verity information - in addition to VPMem multi-mapping. - - Hash device is expected to be the same as the data device with - hash tree appended right after the ext4 file system data, block - sizes for data and hash devices are expected to be the same as - well. - - Additionally handle a case when both multi-mapping and verity - are enabled, in that case, first create dm-linear target and use - that target as a data and hash device for dm-verity target. - - Signed-off-by: Maksim An - -commit 7fa8bda4e6ba503caf0d53d0a4ee99b9a64ceed8 -Merge: b5d7f5129 012856b73 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Apr 2 01:47:12 2021 -0700 - - Merge pull request #979 from dcantah/hostprocess-stats - - Add stats support for job containers - -commit b5d7f5129cac9babd1035384b3d7270ecd308f5b -Merge: 628db61b9 66e564129 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Thu Apr 1 14:48:30 2021 -0700 - - Merge pull request #990 from ambarve/tar2ext_expansion_test - - Add test for tar2ext layer expansion - -commit 66e564129aaa16e18b87ef6bf691d82e12806c6d -Author: Amit Barve -Date: Thu Apr 1 13:05:41 2021 -0700 - - Add test for tar2ext layer expansion - - tar2ext layer expansion had a bug where during a tar expansion if a file showed up before - its parent directory then the expansion would fail with path not found error. This was - fixed in #972. This commit just a adds a test for that fix. - - 
Signed-off-by: Amit Barve - -commit 628db61b9f871a7fc32a6c57257187dbc34669e3 -Merge: 65090e5b3 557915e0f -Author: Kathryn Baldauf -Date: Thu Apr 1 12:20:48 2021 -0700 - - Merge pull request #964 from katiewasnothere/ncproxy-iov - - Add support for modifying iov settings in ncproxy - -commit 557915e0f24367dd2f0e4905c2bb3d24b1f741d3 -Author: Kathryn Baldauf -Date: Tue Mar 9 14:37:52 2021 -0800 - - Add support for modifying iov settings in ncproxy - - Signed-off-by: Kathryn Baldauf - -commit 012856b73109e9eccbff67429a85efec49121238 -Author: Daniel Canter -Date: Fri Mar 19 16:44:12 2021 -0700 - - Add stats support for host process containers - - * Add PropertiesV2 and Properties calls for host process containers. The only supported queries for them are - PropertiesV2: Statistics - Properties: ProcessList - * Add NtQuerySystemInformation and SYSTEM_PROCESS_INFORMATION binds. - - This work will be utilized in the containerd shim just as the PropertiesV2 and Properties calls - are today for process and hv isolated containers. - - 
Signed-off-by: Daniel Canter - -commit 65090e5b3e45723e2d579b701a29eb8ed9826915 -Merge: f496574ac 2d2c19c14 -Author: Kathryn Baldauf -Date: Fri Mar 26 11:30:24 2021 -0700 - - Merge pull request #975 from slonopotamus/golangci-lint-action - - Switch from deprecated gometalinter to golangci/golangci-lint-action - -commit 2d2c19c143e916a5fab0ea743fce7fca01a02cbe -Author: Marat Radchenko -Date: Wed Mar 17 21:43:35 2021 +0300 - - Switch from deprecated gometalinter to golangci/golangci-lint-action - -commit f496574ac80359b554360d57c3370c81f7977b5f -Merge: 64000d5a6 58f7ef4c7 -Author: Kathryn Baldauf -Date: Thu Mar 25 14:49:34 2021 -0700 - - Merge pull request #977 from katiewasnothere/linter_fixes - - Fix various golangci linter issues - -commit 64000d5a68982266245a1db50f426f49187b4b2c -Merge: 10f84228c 37ab22eb5 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Mar 25 13:41:41 2021 -0700 - - Merge pull request #984 from thaJeztah/remove_k8s_k8s - - test: remove k8s.io/kubernetes dependency by using containerd copy - -commit 37ab22eb5d25fec015a38c106c642976ea4ce88f -Author: Sebastiaan van Stijn -Date: Thu Mar 25 10:37:52 2021 +0100 - - test: go.mod: remove replace rule, which is no longer needed - - Now that k8s.io/kubernetes is no longer used, this replace rule should - no longer be needed (`go mod tidy` and `go mod vendor` worked without - problem). - - 
Signed-off-by: Sebastiaan van Stijn - -commit 75abc2e83808a0cfff3a92a7cd5e4b711bb9ade8 -Author: Sebastiaan van Stijn -Date: Thu Mar 25 10:29:58 2021 +0100 - - test: remove k8s.io/kubernetes dependency by using containerd copy - - The k8s.io/kubernetes dependency is only needed for a single function - (GetAddressAndDialer), which doesn't seem to be in any module, other than - k8s.io/k8s itself. - - Containerd created a copy of this utility for that reason, so let's use that - copy to get rid of the dependency on k8s.io/k8s. - - Perhaps we should try to have that utils package included in one of the - smaller k8s.io moduless. - - Signed-off-by: Sebastiaan van Stijn - -commit 10f84228cc6f17b15dcebb4437ef62367bb0a35c -Merge: 77f39d64f a83893ceb -Author: Maksim An -Date: Wed Mar 24 21:45:35 2021 -0700 - - Merge pull request #981 from anmaxvl/maksiman/tests/scale-cpu-limits - - Add test for ScaleCPULimitsToSandbox runtime config - -commit 77f39d64f725e888c095125c43f8d0a79ead2670 -Merge: 29393c59d bb94c3575 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Mar 24 17:30:16 2021 -0700 - - Merge pull request #983 from dcantah/breakway-job - - Set CREATE_BREAKAWAY_FROM_JOB flag for job container processes - -commit bb94c3575c0ee3eee68da896d824a1c0ee750d90 -Author: Daniel Canter -Date: Wed Mar 24 17:02:57 2021 -0700 - - Set CREATE_BREAKAWAY_FROM_JOB flag for job container processes - - We don't want to inherit the job object of whatever process is running the job container code (the containerd-shim - generally but this would apply for any process). Set the CREATE_BREAKAWAY_FROM_JOB flag on job container processes - to prevent this from happening. The job object itself will also need to have the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit - set for this to take affect. - - 
Signed-off-by: Daniel Canter - -commit 29393c59d8fd30b84070519c7d66490315fae863 -Merge: bc6f3d31e 8640c6465 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Mar 24 16:47:01 2021 -0700 - - Merge pull request #982 from dcantah/update-xsyswindows - - Update/revendor x/sys/windows to pull in ProcThreadAttributeList changes - -commit 8640c64651c090611a084de63d05629b7e4a227e -Author: Daniel Canter -Date: Wed Mar 24 16:09:12 2021 -0700 - - Vendor in x/sys/windows to pull in ProcThreadAttributeList changes - - https://github.com/golang/sys/commit/f36f78243c0c784c12079479984ffb57e9eb5792 added similar functionality - that I had been working on to manage a PROC_THREAD_ATTRIBUTE_LIST structure. Pull this in to avoid - re-inventing the wheel. - - Signed-off-by: Daniel Canter - -commit bc6f3d31eb88f5770bda20449b68e6847cfb1a5c -Merge: af6877f9e e746a523e -Author: Maksim An -Date: Tue Mar 23 18:45:38 2021 -0700 - - Merge pull request #978 from anmaxvl/maksiman/binary-io-debug-cleanup - - use cmd.String() when logging binary_io command - -commit af6877f9e2a505453d02f265acc95f948fddfb44 -Merge: 8a843926f fcc18548d -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Mar 23 16:00:17 2021 -0700 - - Merge pull request #969 from dcantah/jobcontainer-tests - - Add new job container tests - -commit e746a523e8b9ba7843a75e7ff7e96c954badb8b5 -Author: Maksim An -Date: Fri Mar 19 13:22:56 2021 -0700 - - use cmd.String() when logging binary_io command - - additionally clean up potential linter errors - - 
Signed-off-by: Maksim An - -commit a83893ceb1d18f61084b09baa5eda0c13e203ad6 -Author: Maksim An -Date: Mon Mar 22 09:47:10 2021 -0700 - - Add a test for ScaleCPULimitsToSandbox runtime config - - Test does the following: - - calculate 1 core equivalent cpu limit based on the number of cores - the host has, i.e. 10,000/hostNumCPU - - set container CPU limit to the above value. - NOTE: There won't be any difference if the host has only 2 cores - (which is the default for a UVM), but this is unlikely to happen - - make 2 stats request with a 5 second interval and calculate - the CPU usage - - the CPU usage should be around 100% with acceptable error set to 10% - - Add `requireBinary` wrapper to check if a binary with a given - name exists in the same directory as the test executable and - conditionally skips the tests if the binary doesn't exist - - Signed-off-by: Maksim An - -commit 6c9e795d2b8a359bd4b5679b848beab94027ee15 -Merge: 221178af9 99173928f -Author: Kathryn Baldauf -Date: Tue Mar 23 10:17:26 2021 -0700 - - Merge pull request #388 from katiewasnothere/generic_hook - - Add a new generic hook for use in device setup - -commit 99173928fc1d47bcacff9f31b0842cd64620682f -Author: Kathryn Baldauf -Date: Wed Jan 6 13:06:16 2021 -0800 - - Add a new generic hook for use in device setup - - Signed-off-by: Kathryn Baldauf - -commit 58f7ef4c7bb7926454e301b0c0b35f66bbd9c5cf -Author: Kathryn Baldauf -Date: Wed Mar 17 18:41:22 2021 -0700 - - Fix various golangci linter issues - - Signed-off-by: Kathryn Baldauf - -commit 221178af90fc5e458ca70b9be52a9e176a8165fe -Merge: b72a02232 fd3663278 -Author: Kathryn Baldauf -Date: Mon Mar 22 14:11:05 2021 -0700 - - Merge pull request #397 from katiewasnothere/fix_containerd_update - - Update to new package location for containerd/sys/reaper - -commit fd3663278af4b11a7082b01eaf6326fd2215a6e6 -Author: Kathryn Baldauf -Date: Mon Mar 22 14:03:49 2021 -0700 - - Update to new package location for containerd/sys/reaper - - 
Signed-off-by: Kathryn Baldauf - -commit 8a843926faab47403c769e7def9b753e1e5f956d -Merge: 885f896c5 555806735 -Author: Kathryn Baldauf -Date: Mon Mar 22 11:12:06 2021 -0700 - - Merge pull request #980 from dcantah/document-shimdiag-list - - Update ArgsUsage for shimdiag commands to add flags - -commit 555806735c045718186fa8cf417cd4242eb6bbad -Author: Daniel Canter -Date: Mon Mar 22 06:02:40 2021 -0700 - - Update ArgsUsage for shimdiag commands to add flags - - None of the ArgsUsage's for any of the commands listed flags so add this. - - Signed-off-by: Daniel Canter - -commit b72a022324c3b3f4ed74d96c08415a5662eaa3e2 -Merge: d39f8763d c0ed29070 -Author: Kathryn Baldauf -Date: Thu Mar 18 16:01:43 2021 -0700 - - Merge pull request #396 from thaJeztah/bump_deps - - go.mod: github.com/containerd/containerd v1.5.0-beta.4 - -commit c0ed29070880bd2130bedd8e15077c683e9505cf -Author: Sebastiaan van Stijn -Date: Thu Mar 18 14:02:06 2021 +0100 - - go.mod: github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3 - - full diff: https://github.com/linuxkit/virtsock/compare/8e79449dea07...f8cee7dfc7a3 - - Signed-off-by: Sebastiaan van Stijn - -commit 59148dadb42a15dacf0e479882fe2b61a8f7c7cd -Author: Sebastiaan van Stijn -Date: Thu Mar 18 13:34:28 2021 +0100 - - go.mod: github.com/containerd/containerd v1.5.0-beta.4 - - Signed-off-by: Sebastiaan van Stijn - -commit 885f896c5a8548ca36c88c4b87fd2208c8d16543 -Merge: ae2494ce2 cd57213fb -Author: Kathryn Baldauf -Date: Wed Mar 17 18:39:25 2021 -0700 - - Merge pull request #976 from dcantah/linter-fix - - Fix golangci linter issues - -commit cd57213fb88522c492c8e2097b425595365b72e6 -Author: Daniel Canter -Date: Wed Mar 17 15:35:59 2021 -0700 - - Fix golangci linter issues - - * Remove unused mutex for the grpc service in ncproxy - * Remove unneccessary os.Stat call that didn't even check the return value - *facepalm* - - 
Signed-off-by: Daniel Canter - -commit ae2494ce2a05596d0269d8322a7b06c85c4c1e55 -Merge: f86d0cc3c e3bde0e6f -Author: Kathryn Baldauf -Date: Wed Mar 17 14:26:29 2021 -0700 - - Merge pull request #968 from thaJeztah/bump_test_deps - - test: go.mod: github/containerd/containerd v1.5.0-beta.4 - -commit e3bde0e6f9f9c77d2d4c00ce2e1e5d67bea841ad -Author: Sebastiaan van Stijn -Date: Fri Mar 12 17:54:30 2021 +0100 - - test: go.mod: github/containerd/containerd v1.5.0-beta.4 - - Signed-off-by: Sebastiaan van Stijn - -commit f86d0cc3c4f0292376b8d4acaeb2fa89975a17db -Merge: 9e1ba4d0e 326d5022a -Author: Kathryn Baldauf -Date: Wed Mar 17 14:13:46 2021 -0700 - - Merge pull request #967 from thaJeztah/bump_deps2 - - go.mod: github.com/containerd/containerd v1.5.0-beta.4 - -commit 326d5022a16fdcf9bd302e2c92318f38a6a464db -Author: Sebastiaan van Stijn -Date: Fri Mar 12 17:47:37 2021 +0100 - - go.mod: github.com/containerd/containerd v1.5.0-beta.4 - - 
Signed-off-by: Sebastiaan van Stijn - -commit 9e1ba4d0e438c45acc13f962612da1eb0728cf42 -Merge: ac95fba4a 282a5037c -Author: Kathryn Baldauf -Date: Wed Mar 17 11:43:07 2021 -0700 - - Merge pull request #974 from slonopotamus/patch-1 - - Fix CI badge in README - -commit 282a5037cac31c4a128a5c40b775a2f7ea830c8d -Author: Marat Radchenko -Date: Wed Mar 17 21:31:56 2021 +0300 - - Fix CI badge in README - - This is a follow-up to #970 - -commit fcc18548da0562ab57feb895f5d1892e824853d1 -Author: Daniel Canter -Date: Thu Mar 11 11:04:17 2021 -0800 - - Add new job container tests - - Add tests to excercise the scenarios we care about and expect to work. - - This includes: - 1. HNS access. Validate we can create a dead simple network and remove after. - 2. Look at disks/volumes/partitions on the host. - 3. Create a vhd from in the container. - 4. Check hostname at beginning of test -> exec in job container and check hostname -> compare to validate that they're the same. - 4. Manipulating/generating etw file. - 5. Install (and uninstall on success) a program. - - Signed-off-by: Daniel Canter - -commit ac95fba4a1eba45c9e3c0c7f0487483fd47230d3 -Merge: 7f2254953 d77c1c4f6 -Author: Kathryn Baldauf -Date: Wed Mar 17 11:24:10 2021 -0700 - - Merge pull request #970 from slonopotamus/gh-actions - - Switch CI to GitHub Actions - -commit d77c1c4f6486a366a33e8dae0c1777ae311e6a08 -Author: Marat Radchenko -Date: Tue Mar 2 22:27:43 2021 +0300 - - Switch CI to GitHub Actions - - 
Signed-off-by: Marat Radchenko - -commit 7f2254953b47afd30f1ea94a2665a5e258da7dc3 -Merge: 5d9980ceb bdddc24a5 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Tue Mar 16 16:31:37 2021 -0700 - - Merge pull request #972 from ambarve/tar2ext4-dir-fix - - Fix tar extraction issue where parent directories don't exist. - -commit bdddc24a55e56e64cbc135ec8f4c27c8b1a15708 -Author: Amit Barve -Date: Tue Mar 16 13:38:42 2021 -0700 - - Fix tar extraction issue where parent directories don't exist. - - Extracting LCOW layers to vhd fails when a file shows up in the - tar list before the parent directory of that file shows up. This change fixes that by - always creating any non existing parent directories and then updating their permissions - later when actual directory entry shows up. - - Signed-off-by: Amit Barve - -commit 5d9980cebb1dc5f23d61d860116e7015e9dfd692 -Merge: 5281188fe 11cc3a2fa -Author: Maksim An -Date: Tue Mar 16 16:24:58 2021 -0500 - - Merge pull request #971 from anmaxvl/maksiman/read-ext4-superblock - - add utility method to read ext4 superblock from a VHD - -commit 11cc3a2fa9b4a2ccf233b0ac1616a14b1d39186d -Author: Maksim An -Date: Thu Mar 11 21:10:00 2021 -0800 - - add utility method to read ext4 superblock from a VHD - - The change enables getting accurate information about ext4 fs on - a given VHD, rather than doing os.Stat or temp mounting the VHD. - - 
Signed-off-by: Maksim An - -commit 5281188fe242eb225b10491d108091cc8f50685c -Merge: 57cae1d60 d0a87add5 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Mar 12 16:12:20 2021 -0800 - - Merge pull request #966 from dcantah/ncproxy-oc - - Add open census spans for ncproxy + go mod vendor - -commit d0a87add5a107bf071f5332ec0bf47a9d9c17e0c -Author: Daniel Canter -Date: Thu Mar 11 13:56:40 2021 -0800 - - Add open census spans for ncproxy + go mod vendor - - * Give ncproxy its own etw provider - * Add open census spans around all of the ncproxy calls - * Go mod vendor + tidy to bring in go.opencensus.io/plugin and go.opencensus.io/stats - - Signed-off-by: Daniel Canter - -commit 57cae1d6044b60425edf753e91e71fcfe596e996 -Merge: 8a04f284a f71abf34e -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Mar 11 11:22:38 2021 -0800 - - Merge pull request #965 from dcantah/change-timestamp-image - - Change image used for Test_PullImageTimestamps - -commit f71abf34e916a73050e98854b2a9e91f803fd207 -Author: Daniel Canter -Date: Thu Mar 11 11:06:29 2021 -0800 - - Change image used for Test_PullImageTimestamps - - Swap the image we used to use for the Test_PullImageTimestamps test to one hosted on an - ACR registry. - - 
Signed-off-by: Daniel Canter - -commit 8a04f284aab56bbfc71bc1168c1a53e67d3c08e2 -Merge: 5b2c8a709 061a180eb -Author: Kevin Parsons -Date: Tue Mar 9 16:35:47 2021 -0800 - - Merge pull request #963 from kevpar/test-cri-address - - Add -endpoint-address flag to cri-containerd tests - -commit 061a180eb8fae6ac97e7db7efc13b7a85464b7e2 -Author: Kevin Parsons -Date: Fri Mar 5 12:41:39 2021 -0800 - - Add -endpoint-address flag to cri-containerd tests - - This test flag allows control over what address we use to talk to CRI. - Using this allows testing with upstream containerd that only supports - named pipe. - - This change also takes a dependency on a Kubernetes utility function to - resolve the address to a dialer of the appropriate type. This brings in - some grossness in test/go.mod due to the way k8s handles their modules, - but I don't think it's a big deal given this is test code. - - Signed-off-by: Kevin Parsons - -commit d39f8763d066526e3d8f0e5e94e16af03052ae4d -Merge: 039c267e8 2b24f2fb7 -Author: Maksim An -Date: Mon Mar 8 21:53:21 2021 -0800 - - Merge pull request #395 from dmitsh/ds-typo - - Fixed typo in README - -commit 2b24f2fb7ee72653a47a174b664c6722144bbb36 -Author: Dmitry Shmulevich -Date: Mon Mar 8 19:37:01 2021 -0800 - - Fixed typo in README - - 
Signed-off-by: Dmitry Shmulevich - -commit 5b2c8a709fadfa327ef90cc8e90051b0919d4bb0 -Merge: 60a28f35d 6321a7ae9 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Mar 8 12:25:57 2021 -0800 - - Merge pull request #903 from dcantah/jobcontainers - - Add job containers package - -commit 6321a7ae93db4e3249ae7c64714327e34b2b493f -Author: Daniel Canter -Date: Fri Dec 4 17:29:35 2020 -0800 - - Add job containers package - - * Add `JobContainer` and `JobProcess` types as the two types to represent a job container - and a process in a job container. - * Add logic to find the executable being asked to run for a job container. - * Logic to launch the container as specific user. - * Logic to mount the containers scratch space on the host to a directory. - * Small subset of tests added to jobobject package - - Signed-off-by: Daniel Canter - -commit 60a28f35d505bf2904c2e91dd8bcf89726b3afeb -Merge: 081ab2f5d 153ef5e62 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Mar 8 10:52:53 2021 -0800 - - Merge pull request #958 from estebanreyl/esrey/exceededMaxSizeBugfix - - Corrected usedGdBlocks calculation - -commit 153ef5e62a6b15567163b6b2a3e5dbb4164c1cc9 -Merge: 30bb0c0ba 8b297c49b -Author: Esteban Rey -Date: Mon Mar 8 10:17:03 2021 -0800 - - Merge branch 'esrey/exceededMaxSizeBugfix' of https://github.com/estebanreyl/hcsshim into esrey/exceededMaxSizeBugfix - -commit 30bb0c0baafde77363293125ef92a3fcb568379a -Author: Esteban Rey -Date: Fri Mar 5 17:25:21 2021 -0800 - - Corrected usedGdBlocks calculation - - 
Signed-off-by: Esteban Rey - -commit 081ab2f5da5382e713a073852b90cba6ddb5c77f -Merge: 8f44f311b 2af0cd6c7 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Sun Mar 7 22:52:11 2021 -0800 - - Merge pull request #959 from dcantah/mod-and-tidy-ci - - Run go mod vendor+tidy to fix ci break - -commit 2af0cd6c70bf7956e88e0b366b42cfe9a5a4f4ec -Author: Daniel Canter -Date: Fri Mar 5 18:25:00 2021 -0800 - - Run go mod vendor+tidy to fix ci break - - * Somehow our vendored google.golang.org dependency doesn't have any files in the - root directory. Building ncproxy currently fails because of this. Believe this was - uncovered after this PR landed: https://github.com/microsoft/hcsshim/pull/956 - - Signed-off-by: Daniel Canter - -commit 8b297c49baf0f6ed8b232a8514a7164e27e853ae -Author: Esteban Rey -Date: Fri Mar 5 17:25:21 2021 -0800 - - Corrected usedGdBlocks calculation - - 
Signed-off-by: Esteban Rey - -commit 039c267e8fcd925f37d39b53ea232b8a74f97fd5 -Merge: 4db65a8ad 80883eeae -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Mar 4 12:21:52 2021 -0800 - - Merge pull request #393 from dcantah/removenetnscfg - - Remove netnscfg gcstools utility - -commit 8f44f311bfa8238227caba9c441bfc1f23055465 -Merge: 70a08f989 88e182c04 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Mar 4 09:59:21 2021 -0800 - - Merge pull request #915 from dcantah/ncproxy-newdesign - - Add implementation of network configuration proxy - -commit 70a08f9895c9b17a6e581368e0197f679d778063 -Merge: 75535b904 ac45669c0 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Wed Mar 3 12:42:54 2021 -0800 - - Merge pull request #957 from ambarve/late_clone_test_fix - - ping localhost in tests - -commit ac45669c094cc1201f22ea63128c2dbfce087a30 -Author: Amit Barve -Date: Wed Mar 3 12:35:19 2021 -0800 - - ping localhost in tests - - This fixes an issue when running tests on VMs which don't have network access. If we ping - something like microsoft on such VMs then test fails when it really shouldn't. - - Signed-off-by: Amit Barve - -commit 75535b904555dad23b8d51cf9f58302d9babe242 (tag: v0.8.15) -Merge: 43a75bb4e af84d88bd -Author: Kevin Parsons -Date: Tue Mar 2 14:51:55 2021 -0800 - - Merge pull request #956 from kevpar/ci-fix - - Improve CI reliability by forcing vendor use - -commit af84d88bd8cc2b59a3170333b8586308909cb48d -Author: Kevin Parsons -Date: Tue Mar 2 14:43:19 2021 -0800 - - Improve CI reliability by forcing vendor use - - 
Signed-off-by: Kevin Parsons - -commit 88e182c049ac7b5a99e72d778248b518e765f8e9 -Author: Daniel Canter -Date: Fri May 15 15:21:39 2020 -0700 - - Add implementation of network configuration proxy - - * Ncproxy (abbreviation of network configuration proxy) is a proxy used to facilitate - external configuration of a pods network through a set of TTRPC and GRPC services. - Ncproxy relies on other TTRPC/GRPC services to get the information it needs to perform - its actions. - - The full set of services are as follows: - - ------------------------------------------------------------------------------------------------------ - - NetworkConfigProxy (TTRPC) - This service is exposed by Ncproxy and is used by the shim. - - NodeNetworkService (GRPC) - This service is exposed by any application implementing the interface - to the service (/cmd/ncproxy/sdn_nodenetsvc/nodenetsvc.proto). - - NetworkConfigProxy (GRPC) - This service is exposed by Ncproxy and is used by a service implementing - the NodeNetworkService GRPC interface. - - ComputeAgent (TTRPC) - This service is exposed by the shim and is called by ncproxy. - - --------------------------------------------------------------------------------------------------------- - - This is an optional feature that can be enabled by setting the annotation "io.microsoft.network.ncproxy" - and providing an address to a TTRPC service that implements the NetworkConfigProxy TTRPC service defined in - /internal/ncproxyttrpc. - - 
Signed-off-by: Daniel Canter - -commit 4db65a8ad759b7a2dc7b74744c971cd49b50011c -Merge: 5f390c4c1 d32b51284 -Author: Kathryn Baldauf -Date: Mon Mar 1 15:41:47 2021 -0800 - - Merge pull request #394 from katiewasnothere/proc_cmdline_logs - - Ignore error when container process has exited between queries in /proc - -commit d32b512840021b298cd5c3c4fa9101d9ef2ab892 -Author: Kathryn Baldauf -Date: Wed Feb 24 17:06:58 2021 -0800 - - Ignore error if container process dies between queries - * Add additional logs and error messages around this scenario - - Signed-off-by: Kathryn Baldauf - -commit 5f390c4c16ea339907a6527af7fd032f33b97085 -Merge: 1e3104ecf 3a54e77a1 -Author: Maksim An -Date: Mon Mar 1 10:22:18 2021 -0800 - - Merge pull request #389 from anmaxvl/maksiman/device-mapper-support - - Use device mapper to create and mount linear block devices that correspond to container layers - that were mapped onto a single VPMEM device. - The device offset and size are expected to be in bytes and properly aligned - - Signed-off-by: Maksim An maksiman@microsoft.com - -commit 43a75bb4edd3722bdbc0cb6830c2439c72d62ea4 -Merge: 70015668f 11ec1d1eb -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Fri Feb 26 17:33:16 2021 -0800 - - Merge pull request #951 from ambarve/shim_panic_logs - - Log shim panic logs in containerd. - -commit 11ec1d1eb51a12dc5187c2f12a1cddac8634c9ed -Author: Amit Barve -Date: Tue Feb 23 12:09:08 2021 -0800 - - Log shim panic logs in containerd. - - Currently hcsshim writes the shim panic logs in a file named panic.log inside the sandbox - directory. However, those logs are never logged in containerd and they get lost when the - sandbox container is removed. This change allows the shim to log these panic logs to - containerd before deleting them. - - 
Signed-off-by: Amit Barve - -commit 70015668f742e252f17d809a8108b1f913990ff8 -Merge: 360f61dc8 4c55e4cca -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Feb 26 10:43:54 2021 -0800 - - Merge pull request #954 from dcantah/fix-nilderef-jobs - - Fix nil dereference in jobobject.Create and Open - -commit 4c55e4cca794ed4eb3642ff791dd2c3b6ad1a7a1 -Author: Daniel Canter -Date: Fri Feb 26 02:44:15 2021 -0800 - - Fix nil dereference in jobobject.Create and Open - - If nil options were passed for `Create` or `Open` both methods would run into a - nil dereference even though for `Create` it states that it will just use default options. - - For `Open` you can't open without a name so if nil options are passed just return an error. - - Signed-off-by: Daniel Canter - -commit 360f61dc8c4a0bc4f00f8a7055612f7c1b9d1efc -Merge: 0a9e81bdd 1f8111fd1 -Author: Kathryn Baldauf -Date: Thu Feb 25 17:00:03 2021 -0800 - - Merge pull request #952 from katiewasnothere/vb_gpu_tests - - Update gpu tests with Vb build number - -commit 1f8111fd18598a470bea9870b76283ac9c6a5f63 -Author: Kathryn Baldauf -Date: Thu Feb 25 11:03:54 2021 -0800 - - Update gpu tests with Vb build number - - 
Signed-off-by: Kathryn Baldauf - -commit 80883eeae70e72c072fdcb55356c130e8ceeb49d -Author: Daniel Canter -Date: Thu Feb 18 16:58:08 2021 -0800 - - Remove netnscfg gcstools utility - - This utility only existed because go used to not play well with network namespaces - due to it's nature of goroutine thread multiplexing. This poor behavior was remedied/solved in go - 1.10 due to some changes in how runtime.LockOSThread works with regards to scheduling new goroutines - and spawning new threads. - - Great article on the problem: https://www.weave.works/blog/linux-namespaces-and-go-don-t-mix - - and the eventual resolution: https://www.weave.works/blog/linux-namespaces-golang-followup - - * Add DoInNetNS function to perform a function in a specific network namespace. - * Convert netnscfg to a function to be used in tandem with DoInNetNS - - Signed-off-by: Daniel Canter - -commit 0a9e81bdd4ef1d08da4510cc8729148c3d04555e -Merge: ae4dec96d f9fa0e6f2 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Mon Feb 22 12:13:45 2021 -0800 - - Merge pull request #949 from microsoft/late_clone_test_to_master - - Add end to end tests for late cloning. (to master) - -commit f9fa0e6f221bba8e581bc1919db14bcc2031dc7b -Author: Amit Barve -Date: Tue Aug 18 12:01:24 2020 -0700 - - Add end to end tests for late cloning. - - This is one of the many small PRs that enable the support for late - cloning. This commit adds several end to end tests for the late cloning - feature. - - Signed-off-by: Amit Barve - -commit 3a54e77a193e57a42a5b8156c88a9dfeee004c4c -Author: Maksim An -Date: Wed Jan 20 14:07:34 2021 -0800 - - enable device-mapper for mounting container layers - - 
Signed-off-by: Maksim An - -commit ae4dec96de0b303db68e8ea76bc5d60de827184e -Merge: 1287a2c40 3bae952b5 -Author: Kathryn Baldauf -Date: Fri Feb 19 14:59:35 2021 -0800 - - Merge pull request #947 from TBBle/update-to-latest-go-winio - - Update go-winio to 6eac466e5fa3 for GetFileStandardInfo - -commit 3bae952b5e96ed0385dbd6e9cb6d6215ac8665f3 -Author: Paul "TBBle" Hampson -Date: Wed Feb 17 18:49:19 2021 +1100 - - Update go-winio to 6eac466e5fa3 for GetFileStandardInfo - - See https://github.com/microsoft/go-winio/pull/185; this also pulls in a - newer golang.org/x/sys release and some generated syscall cleanups. - - Signed-off-by: Paul "TBBle" Hampson - -commit 1287a2c4080d11822384ddd9622db209103c12c9 -Merge: e49e19b6e bd140d72d -Author: Kathryn Baldauf -Date: Tue Feb 16 13:37:44 2021 -0800 - - Merge pull request #946 from TBBle/update-containerd-to-v1.5.0-beta1 - - Update containerd to v1.5.0-beta1 and revendor - -commit bd140d72d8cae9e513ac1f9a3d5ae2f273b12de9 -Author: Paul "TBBle" Hampson -Date: Fri Feb 12 21:24:24 2021 +1100 - - Update containerd to v1.5.0-beta1 and revendor - - containerd has an extensive dependency tree, and this is a large jump - from v1.3.2, so this single-line change leads to a lot of churn in both - go.mod and vendoring, particularly for the 'test' submodule. - - 
Signed-off-by: Paul "TBBle" Hampson - -commit e49e19b6ef6694fe6b91653320d0f189fdda7439 -Merge: 122ec5aad 80ed7470c -Author: Kathryn Baldauf -Date: Thu Feb 11 10:49:11 2021 -0800 - - Merge pull request #942 from thaJeztah/test_fix_vendor - - test/go.mod: go mod tidy and go mod vendor - -commit 122ec5aade493b997cdf8f8cf527cc7e2d94d22b -Merge: 7bf6ec3b3 45104de93 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Feb 11 10:14:52 2021 -0800 - - Merge pull request #945 from SeanTAllen/patch-2 - - Remove non-determinism in hard link handling - -commit 45104de930d21d67ae364f09341c0d26aa4dd244 -Author: Sean T Allen -Date: Thu Feb 11 12:41:14 2021 -0500 - - Remove non-determinism in hard link handling - - Hard links share the same inode number leading to a lack of determinism when they are layed out. - - This change sorts by inode and then if they are the same, by name thereby introducing determinism. - -commit 7bf6ec3b31718a15a16c8ad6575f3b104867a69b -Merge: 45b02f18e ac15a31b4 -Author: Kevin Parsons -Date: Tue Feb 9 01:06:06 2021 -0800 - - Merge pull request #943 from SeanTAllen/deterministic-directories - - Make directory creation deterministic - -commit ac15a31b43ee2ee181708f8d484d69cc2a5f1ada -Author: Sean T. Allen -Date: Mon Feb 8 12:47:08 2021 -0500 - - Make directory creation deterministic - - Prior to this commit, the layout of created ext4 filesystems created using tar2ext4 wasn't - deterministic. Recursive directory creation would change from run to run due to the usage - of a map as temporary storage for items from the tar stream. - - This commit changes recursive directory creation to follow the same deterministic pattern - as writeDirectory. - - At this point, the only possible source of non-determinism in a create file system is the - UUID in the VHD footer. If no VHD footer is included, then the results are deterministic. 
- -commit 80ed7470c2bb1ca2f8888abded0307f7b675c7da -Author: Sebastiaan van Stijn -Date: Mon Feb 8 15:21:02 2021 +0100 - - test/go.mod: go mod tidy and go mod vendor - - Signed-off-by: Sebastiaan van Stijn - -commit 1e3104ecf3b0098cab73ae2a3406898e3e7021c9 -Merge: 60b645507 642f7826d -Author: Kathryn Baldauf -Date: Fri Feb 5 11:35:58 2021 -0800 - - Merge pull request #391 from katiewasnothere/update_to_modify_call - - Change the update container bridge call to use the modify call instead - -commit 642f7826db99a41582b2ea1cd875857f50bf6e48 -Author: Kathryn Baldauf -Date: Fri Jan 22 18:29:37 2021 -0800 - - Change the update container bridge call to use the modify call instead - - 
Signed-off-by: Kathryn Baldauf - -commit 45b02f18efced56b5bd0793cf6d4158d0265e729 -Merge: 486694feb fccadc615 -Author: Kevin Parsons -Date: Fri Feb 5 10:10:20 2021 -0800 - - Merge pull request #939 from kevpar/fix-symlink-mount - - Resolve mount source path before passing it to HCS - -commit fccadc615f0fcc5e99979cf49a251356ac2d69b1 -Author: Kevin Parsons -Date: Thu Feb 4 18:33:55 2021 -0800 - - Resolve mount source path before passing it to HCS - -commit 60b645507ce3f54dda0f4df35b2c0a6b6a912874 -Merge: 5ea360ef3 e972b276e -Author: Kathryn Baldauf -Date: Thu Feb 4 15:07:56 2021 -0800 - - Merge pull request #390 from katiewasnothere/remove_v1_additional - - Remove the v1 gcs - -commit 486694feb17cfb62e1dd699ddb60cafe090ba96d -Merge: d6f73e1cd de43bd9fe -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Feb 4 14:24:52 2021 -0800 - - Merge pull request #938 from dcantah/fix-mounts - - Fix duplicated credential spec/devices setup in allocateWindowsResources - -commit de43bd9fe63820312a9235bbc9a95e353e28e569 -Author: Daniel Canter -Date: Thu Feb 4 14:08:12 2021 -0800 - - Fix duplicated credential spec/devices setup in allocateWindowsResources - - Recent rebase from my PR: https://github.com/microsoft/hcsshim/commit/61e1b43691874280f053a7af75bcb69fe35be117 - duplicated the credential spec and devices setup. - - Signed-off-by: Daniel Canter - -commit d6f73e1cdfce00fa6989e7d821983f7db0ea3e1b -Author: Maksim An -Date: Thu Feb 4 13:59:15 2021 -0800 - - Add better handling of windows-style paths for io_binary (#923) - - 
Signed-off-by: Maksim An - -commit 251b969e31699d4b72750d5855dc3403e85a300a -Merge: c22b7009a 2acb93cb6 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jan 28 13:55:37 2021 -0800 - - Merge pull request #934 from jsturtevant/containerd-stats-update - - Add Check for access denied when looking for stats in Containerd - -commit 2acb93cb65d08daffec95066f764e408ede51c35 -Author: James Sturtevant -Date: Thu Jan 28 13:15:55 2021 -0800 - - Add Check for access denied when looking for stats - - Signed-off-by: James Sturtevant - -commit c22b7009a014b94d21b390f6d5c947a84aff3c5f -Merge: 6103d69d1 1e6897238 -Author: Kevin Parsons -Date: Thu Jan 28 13:06:04 2021 -0800 - - Merge pull request #933 from jsturtevant/error-messages - - Expose more internal errors via hscshim api - -commit 1e6897238b57b70be623231d839558e682e30e90 -Author: James Sturtevant -Date: Thu Jan 28 12:05:20 2021 -0800 - - Expose internal errors via hscshim - - Signed-off-by: James Sturtevant - -commit 6103d69d1f2604098781c8e848ab196239bb9aa6 -Merge: e7d50a70e 61e1b4369 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jan 27 17:40:07 2021 -0800 - - Merge pull request #932 from dcantah/special-case-scratch - - Skip unmounting layers for sandbox container. - -commit 61e1b43691874280f053a7af75bcb69fe35be117 -Author: Daniel Canter -Date: Mon Jan 25 15:57:09 2021 -0800 - - Skip unmount layers for sandbox container. - - * Skip unmounting the layers for the sandbox container as we know the UVM - gets torn down shortly afterwards. - - 
Signed-off-by: Daniel Canter - -commit e7d50a70e2c60a410ca5a4b24c2f159eea82aa75 -Merge: 47a44bda7 be4c8e19e -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Wed Jan 27 15:02:21 2021 -0800 - - Merge pull request #839 from microsoft/user/ambarve/lcpr1_vmcompute - - Add support for saving hcs compute system. - -commit be4c8e19ebff1f202d44c1a90a41506473c52601 (hcsshim/user/ambarve/lcpr1_vmcompute) -Author: Amit Barve -Date: Mon Aug 17 21:37:02 2020 -0700 - - Add support for creating late clones via hcsshim - - This is one of the many small PRs that enable the support for late - cloning.This commit adds the set of functions that expose the late cloning - functionality from hcsshim and adds new annotations for clients to use - the late cloning feature. - - Signed-off-by: Amit Barve - -commit 97ca218702b6bb447cfc2697def6b89d2289e1ed -Author: Amit Barve -Date: Thu Jun 11 00:03:50 2020 -0700 - - Add support for creating network namespaces inside cloned uvms. - - This is one of the many small PRs that enable the support for late cloning. - This commit adds the set of functions required for adding network namespace and - network endpoints to cloned UVMs. - - Signed-off-by: Amit Barve - -commit 50112c71fc64c8e1694eec121a90423673efc528 -Author: Amit Barve -Date: Thu Jun 11 00:03:50 2020 -0700 - - Add support for creating cloned UVMs. - - This is one of the many small PRs that enable the support for late cloning. - This commit adds the template and clone creation support in the uvm module. - - Signed-off-by: Amit Barve - -commit e37a4dc0402b1090427f4b07908710b923e039f4 -Author: Amit Barve -Date: Wed Jun 10 20:00:47 2020 -0700 - - Add support for saving hcs compute system. - - This is one of the many small PRs that enable the support for late cloning. - This PR simply adds the go wrappers required for saving a HCS compute system - which is used during template creation. - - 
Signed-off-by: Amit Barve - -commit 47a44bda751fabb1a19c54a3d8fca144074e62de -Merge: c19ef4bd0 9c9b92a53 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jan 27 14:43:39 2021 -0800 - - Merge pull request #929 from dcantah/new-overlay-path - - Create upper and work directories in new locations if sharing scratch - -commit 9c9b92a537dfe5c7e1b1dacfc598c433f8e7d797 -Author: Daniel Canter -Date: Sun Jan 24 10:01:28 2021 -0800 - - Create upper and work directories in new locations if sharing scratch - - Signed-off-by: Daniel Canter - -commit e972b276edcc73be63c6f05a53e623bf38e5332a -Author: Justin Terry (VM) -Date: Wed Nov 6 12:25:11 2019 -0800 - - Remove the v1 gcs - - LCOW is only supported RS5+ which already had LCOW v2. We no longer need to - keep the v1 gcs impl. - - Signed-off-by: Justin Terry (VM) - Signed-off-by: Kathryn Baldauf - -commit c19ef4bd03a74f4ab40484963ad1d271a1820a0f -Merge: 4490e2e6b 0bb6d5c3c -Author: Kathryn Baldauf -Date: Thu Jan 21 16:24:16 2021 -0800 - - Merge pull request #926 from TBBle/convert-pointer-to-slice-without-failing-checkptr - - Create a correctly-sized slice to proxy *uint16 - -commit 0bb6d5c3c3a6f01a96e8bebe5a796ff3d47fa2d1 -Author: Paul "TBBle" Hampson -Date: Wed Jan 13 04:50:54 2021 +1100 - - Create a correctly-sized slice to proxy *uint16 - - Fixes the below issue seen in the containerd test suite. - ``` - fatal error: checkptr: converted pointer straddles multiple allocations - ``` - - Also adds `-gcflags=all=-d=checkptr` to all the test runs on CI, to - avoid this regressing in future. This requires testing with Go 1.14 or - newer, so CI now runs on Go 1.15, as Go 1.14 did not recommend using - checkptr on Windows. - - And _that_ requires the Visual Studio 2019 build image on AppVeyor. - - 
Signed-off-by: Paul "TBBle" Hampson - -commit 4490e2e6b67ea2197f233bd821463e7c3199ccc0 -Merge: 7c492d64f e081f3e5b -Author: Kathryn Baldauf -Date: Thu Jan 21 13:12:12 2021 -0800 - - Merge pull request #918 from katiewasnothere/job_object_limits_tool - - Create tool to get/set job object resource limits - -commit 7c492d64f4ea44054fc0886bf4e5cb84d7372835 -Merge: 99c7fb3d1 c1ea4f550 -Author: Kathryn Baldauf -Date: Thu Jan 21 13:10:21 2021 -0800 - - Merge pull request #928 from katiewasnothere/fix_stats_not_found - - Ignore NotFound errors when getting task stats - -commit e081f3e5b99a9c3bc959a91b22ac248ee27cb229 -Author: Kathryn Baldauf -Date: Mon Dec 21 22:26:30 2020 -0800 - - Create tool to get/set job object resource limits - - Signed-off-by: Kathryn Baldauf - -commit c1ea4f550eba2d7f54d7a0d748aef4f20d08a25c -Author: Kathryn Baldauf -Date: Tue Jan 12 16:24:23 2021 -0800 - - Ignore NotFound errors when getting task stats - - Signed-off-by: Kathryn Baldauf - -commit 99c7fb3d1140c02c2d2a7c879c69e23b477f824b -Merge: 3d9501067 e6272dea4 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Jan 19 17:03:53 2021 -0800 - - Merge pull request #912 from dcantah/improve-shimdiag - - Add shimdiag flag to find shim process ID for shims - -commit e6272dea4f708b7a4fcb3f320a4dd22dfbbd0836 -Author: Daniel Canter -Date: Tue Dec 15 22:06:10 2020 -0800 - - Add shimdiag flag to find shim process ID for shims - - * Adds a new -pids flag to the `shimdiag list` command that will print out the - process ID of the shim executable. - - Sample output: - - PS C:\> shimdiag.exe list -pids - Shim Pid - k8s.io-3719754aab39925924b0beb27d2a195a4a6784c6ebe3690b81b2e7274a7021af 65892 - k8s.io-908ea3697874891fd5814b1967515d3214257b65fc1974bdafd17276ee8ba3e5 69444 - - 
Signed-off-by: Daniel Canter - -commit 3d95010677b276a8fdba30a17b632e4bb7387882 -Merge: d25785cb2 9bb70a316 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Fri Jan 15 11:18:34 2021 -0800 - - Merge pull request #916 from TBBle/make_ociwclayer_a_public_api - - Make internal/ociwclayer a public API: pkg/ociwclayer, with Context for cancellation - -commit d25785cb231377c9290c18c4585fb4abbe1c51ee -Merge: fd21b8d19 f69cfc41a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Jan 14 17:53:13 2021 -0800 - - Merge pull request #925 from dcantah/wrap-computestorage-err - - Wrap errors from computestorage package - -commit f69cfc41a2f1212182af8f2e239d11ef3ac03dac -Author: Daniel Canter -Date: Thu Jan 14 08:20:22 2021 -0800 - - Wrap errors from computestorage package - - * Change from stringifying errors with fmt.Errorf to errors.Wrap everywhere - - Fixes: https://github.com/microsoft/hcsshim/issues/924 - - Signed-off-by: Daniel Canter - -commit 9bb70a316fec35cc74dd2979e10301273dcd900b -Author: Paul "TBBle" Hampson -Date: Sun Dec 20 00:25:15 2020 +1100 - - New APIs for streaming layers as tar streams - - This (re-)introduces ImportLayerFromTar and ExportLayerToTar into - pkg/ociwclayer. - - Before #173, these APIS were exposed from oci/wclayer as ImportLayer and - ExportLayer, but those names are too generic and already overloaded for - similar but different meanings in this project. - - See eb0cc25755569ca6fcb06f1ef54edd9c976cce82 - - Signed-off-by: Paul "TBBle" Hampson - -commit 96d33e93d0f09ea649995594423d2f56939f3763 -Author: Paul "TBBle" Hampson -Date: Sun Dec 20 00:15:47 2020 +1100 - - Add Context to ociwclayer's ImportLayer and ExportLayer - - This is to support callers cancelling these operations, or setting a - deadline. - - Based on the same behaviour seen in the containerd implementations of - these same functions. - - 
Signed-off-by: Paul "TBBle" Hampson - -commit fd21b8d1922c7fb8b4a50c76d048fe1a69b7e7dc -Author: Maksim An -Date: Thu Jan 7 12:34:06 2021 -0800 - - Add support for logging binary (#896) - - Logging binary support and integration tests - - Signed-off-by: Maksim An - -commit bf55dadfbdf10cc0bccfaf0ca6a481e5bf28ea68 -Merge: d3e5debf7 6e87c0c4f -Author: Kathryn Baldauf -Date: Tue Dec 22 11:35:24 2020 -0800 - - Merge pull request #905 from katiewasnothere/gcs_update_container - - Add support for issuing a container update to gcs - -commit d3e5debf77dab8cd35ce1a842065358469f4b7ea (tag: v0.8.14) -Merge: e18ab3e70 00c108e73 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Dec 18 14:35:36 2020 -0800 - - Merge pull request #914 from dcantah/gitattributes - - Add .gitattributes to force LF line endings - -commit 6e87c0c4f534a9d5be868d050f8850da6d92f1d7 -Author: Kathryn Baldauf -Date: Mon Dec 7 16:39:54 2020 -0800 - - Add support for issuing a container update to gcs - - Signed-off-by: Kathryn Baldauf - -commit e18ab3e70ef67cbb3d3e76db101c95f750f438ff -Merge: fae98bb85 020897b2e -Author: Kathryn Baldauf -Date: Fri Dec 18 11:19:11 2020 -0800 - - Merge pull request #907 from katiewasnothere/uvm_share - - Add utility function for sharing files into UVMs from the host - -commit 020897b2e959de8d772e4de82e602ab28e24c5e2 -Author: Kathryn Baldauf -Date: Wed Dec 9 17:52:07 2020 -0800 - - Add utility function for sharing files into UVMs from the host - - Signed-off-by: Kathryn Baldauf - -commit 00c108e731e0a31ed116102756a77f1a2654a8c6 -Author: Daniel Canter -Date: Thu Dec 17 14:31:53 2020 -0800 - - Add .gitattributes to force LF line endings - - 
Signed-off-by: Daniel Canter - -commit fae98bb85072e1cadf765126e89f0d5a324bf4a4 (tag: v0.8.13) -Merge: f5ee97de0 307217720 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Dec 17 12:11:19 2020 -0800 - - Merge pull request #913 from dcantah/fix-nil-deref - - Fix nil dereference in `newHcsTask` if no shim options were passed - -commit 307217720beb750f5be4fec797b53244def8fd92 -Author: Daniel Canter -Date: Thu Dec 17 12:03:07 2020 -0800 - - Fix nil dereference in `newHcsTask` if no shim options were passed - - Signed-off-by: Daniel Canter - -commit f5ee97de032438b87812962213d8664daaa7efa5 -Merge: ae33b435c bac648084 -Author: Kathryn Baldauf -Date: Tue Dec 15 13:55:58 2020 -0800 - - Merge pull request #888 from katiewasnothere/cpugroup_vm_create_on_start - - Support assigning cpugroup immediately after UVM start - -commit bac648084a868235ca7d17f1fc3164abda805a78 -Author: Kathryn Baldauf -Date: Mon Oct 26 17:55:04 2020 -0700 - - Support assigning cpugroup immediately after UVM start - - Signed-off-by: Kathryn Baldauf - -commit ae33b435ce9518e56ed5b01cf9638cd3290bdaac -Merge: e8a2e45c6 e0f4dafe1 -Author: Kathryn Baldauf -Date: Tue Dec 15 12:21:34 2020 -0800 - - Merge pull request #906 from katiewasnothere/uvm_update_cpu_limits - - Add uvm call for updating cpu limits - -commit e8a2e45c60de542b8a92bc481c5fb9c6bb5cb2f2[m (tag: v0.8.12) -Merge: d7fea3716 410f893ad -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Dec 15 11:43:37 2020 -0800 - - Merge pull request #910 from elweb9858/l4wfpproxy_portupdate - - Updating L4WfpProxyPolicy struct - -commit 410f893adc499374d532d12d191637be7f5bbecd -Author: elweb9858 -Date: Mon Dec 14 17:07:00 2020 -0800 - - Updating L4WfpProxyPolicy struct - - 
Signed-off-by: elweb9858 - -commit d7fea371629954e33e1ca195de003c45ba179db0 -Merge: 1286fcd6c 26bcb7255 -Author: Kathryn Baldauf -Date: Thu Dec 10 10:25:46 2020 -0800 - - Merge pull request #908 from katiewasnothere/fix_create_lcow_spec - - Fix potential panic in createLCOWSpec when no network ns is set - -commit 26bcb7255cf245638a9162ab66c46b64387ef49d -Author: Kathryn Baldauf -Date: Wed Dec 9 18:09:20 2020 -0800 - - Fix potential panic in createLCOWSpec when no network ns is set - - Signed-off-by: Kathryn Baldauf - -commit e0f4dafe13a5f72868f7a280de87f2a52524d5da -Author: Kathryn Baldauf -Date: Wed Dec 9 17:41:53 2020 -0800 - - Add uvm call for updating cpu limits - - Signed-off-by: Kathryn Baldauf - -commit 1286fcd6c97490c14ce152e8e7cac62ef5d1b38c -Author: Maksim An -Date: Wed Dec 9 17:00:24 2020 -0800 - - add test for running container as non-default user that is missing (#904) - - * refactor tests to use getRunPodSandboxRequest - - * add integration test for running lcow as non-default username and uid - - Signed-off-by: Maksim An - -commit 11f327c43c16594f9163254c6ccb247dfba35920 -Merge: 2010d9a3e b0ed708f6 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Dec 8 08:56:00 2020 -0800 - - Merge pull request #902 from dcantah/computestorage-helpers - - Add base layer/uvm helpers to computestorage package - -commit b0ed708f641aed4ee7883faf4c40f46de4354ca5 -Author: Daniel Canter -Date: Wed Dec 2 17:40:15 2020 -0800 - - Add base layer/uvm helpers to computestorage package - - * Add helper functions to setup the disks for a base WCOW layer. - - 
Signed-off-by: Daniel Canter - -commit 5ea360ef3d618f48f8d13c7ec89e00dce0ead678 -Merge: d84eb8a91 b9c7fc484 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Thu Dec 3 20:07:08 2020 -0800 - - Merge pull request #386 from ambarve/fix_uid_bug - - Allow passing any uid for container processes. - -commit b9c7fc484b96af3b4a664db614a92919a36f05aa -Author: Amit Barve -Date: Thu Dec 3 14:40:24 2020 -0800 - - Allow passing any uid for container processes. - - Usually if a username is provided when starting a process inside the container - we look inside the /etc/passwd file of the container to find the uid and gid for that - user. However, if a uid is provided instead of a username there is no need to look into - the /etc/passwd file to see if that user exists. - - 
Signed-off-by: Amit Barve - -commit 2010d9a3eeb0a93b64faac63c39eff76fb12082c (tag: v0.8.11) -Merge: 53828ca2b a27eac224 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Dec 2 15:22:27 2020 -0800 - - Merge pull request #900 from dcantah/revendor-winio - - Revendor go-winio at d1ffc52c73318019ce58aaa5282588c52df029b7 - -commit d84eb8a912ec703060587178b7ed613ffee333c6 -Merge: db3851c72 48a6b710c -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Wed Dec 2 14:46:30 2020 -0800 - - Merge pull request #385 from ambarve/cleanup_container_process - - Cleanup process directory after process exits. - -commit 48a6b710cb8173453a59a17f33fb68c7bca444ec -Author: Amit Barve -Date: Wed Dec 2 12:28:31 2020 -0800 - - Cleanup process directory after process exits. - - Whenever a new process is started inside a container we create a temporary directory for - that process at path `/run/gcsrunc//` to store some process related - information. However, the v2 workflow of execProcess didn't cleanup these directories when - the process exited. This can cause the tmpfs mounted at the /run to get full for long - running containers. This change adds the change for cleaning up the directories after - process exits. - - Signed-off-by: Amit Barve - -commit 53828ca2b5dc186693463b0b77af5e444e905383 -Merge: de74fe8b9 bdbc1542c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Dec 2 12:19:18 2020 -0800 - - Merge pull request #877 from dcantah/jobwrapper - - Add high level job object wrapper - -commit a27eac224c5a5060dcd3afc9004de820df88a7d8 -Author: Daniel Canter -Date: Tue Dec 1 12:35:53 2020 -0800 - - Revendor go-winio at d1ffc52c73318019ce58aaa5282588c52df029b7 - - 
Signed-off-by: Daniel Canter - -commit de74fe8b94ae4eee0d92d59d51b8190c1ac9b6b0 -Merge: 966bebae1 9910dd14a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Nov 24 15:19:31 2020 -0800 - - Merge pull request #899 from dcantah/remove-automanage - - Remove automanaged vhd functionality - -commit 9910dd14aa91cada262a9ea94cce796884da7b93 -Author: Daniel Canter -Date: Tue Nov 24 14:53:36 2020 -0800 - - Remove automanaged vhd functionality - - Signed-off-by: Daniel Canter - -commit bdbc1542cf6f0df1c0c25c4ceb500d693d287070 -Author: Daniel Canter -Date: Wed Sep 16 09:23:03 2020 -0700 - - Add high level job object wrapper - - * Add high level job object wrapper. - * Add extra job object bindings for stats usage. - - Signed-off-by: Daniel Canter - -commit 966bebae11b480a7bb1112f65c7131df9728d456 -Merge: f14fc666e aff39ed2c -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Nov 19 09:46:02 2020 -0800 - - Merge pull request #886 from dcantah/lcow-scratch-work - - Set default scratch size for containers/UVMs and reuse LCOW scratch - -commit f14fc666e78f55768b3c34d940209e25fffc0b89 -Merge: 3cc00bc91 4987a057b -Author: Kevin Parsons -Date: Wed Nov 11 10:16:59 2020 -0800 - - Merge pull request #894 from kevpar/vsmb-directmap - - Force disable VSMB direct map when the volume does not support it - -commit 4987a057b4c4741e6a79eaa40ff38528f05b48e0 -Author: Kevin Parsons -Date: Tue Nov 10 23:43:22 2020 -0800 - - Force disable VSMB direct map when the volume does not support it - - VSMB direct map requires support for querying FileIdInfo from the - backing volume. There is a bug in certain Windows versions where instead - of falling back to non-direct map when FileIdInfo is not supported, VSMB - instead causes errors whenever files on the share are accessed. - - To work around this until the issue is fixed, we will query FileIdInfo - ourselves when setting up a VSMB share, and force disable direct map if - the query fails. - - 
Signed-off-by: Kevin Parsons - -commit 3cc00bc91358a30282adc44f98488615f6f08000 -Merge: 1432f9c05 36c772f44 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Nov 9 15:10:05 2020 -0800 - - Merge pull request #893 from dcantah/use-computestorage - - Change CreateNTFSVHD to use computestorage call - -commit 36c772f4405f63a0bd90a0d5c37885d211919446 -Author: Daniel Canter -Date: Mon Nov 9 13:05:48 2020 -0800 - - Change CreateNTFSVHD to use computestorage call - - * Previously CreateNTFSVHD would call a local (/internal/hcs) binding of hcsFormatWritableLayerVhd. - As the computestorage calls are all present now, just use the exported calls from the - computestorage package instead. - - Signed-off-by: Daniel Canter - -commit 1432f9c05649e85644bdb8c592d7b423ec23b2da -Merge: ff4402aa8 04779e800 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Nov 6 15:15:11 2020 -0800 - - Merge pull request #881 from dcantah/hcs-storage - - Add HCS storage APIs - -commit 04779e80073f86641420860ed93832e1a4f5083a -Author: Daniel Canter -Date: Tue Oct 6 04:46:07 2020 -0700 - - Add HCS storage APIs - - * Add bindings for the HCS storage APIs from computestorage.dll - - 
Signed-off-by: Daniel Canter - -commit ff4402aa838c9692d6166a52dcc2b422b01e84c4 -Merge: d672bc1c5 f77f51722 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Nov 6 10:39:22 2020 -0800 - - Merge pull request #890 from netal/user/negup/NetworkL4Proxy_Version_Update - - Updating the Supported version ranges for Network L4proxy policy - -commit d672bc1c54bfdab46b71814e48f93a3418e95a62 -Merge: 6e6b6ce98 5acb8e61f -Author: Maksim An -Date: Fri Nov 6 00:16:38 2020 -0800 - - Merge pull request #887 from anmaxvl/tests-for-pod-removal-without-pod-stop - - Add tests for removing sandbox pod, without stopping it - -commit 5acb8e61f28f097476c095b564b7e1b01435c48e -Author: Maksim An -Date: Mon Oct 26 13:24:30 2020 -0700 - - Add tests for removing sandbox pod, without stopping it - - Signed-off-by: Maksim An - -commit f77f51722962e44314cb65cfedab20d9c40d2675 -Author: netal -Date: Thu Nov 5 15:23:01 2020 -0800 - - Updating the Supported version ranges for Network L4proxy policy - - Signed-off-by: netal - -commit aff39ed2cadf8c2513b886e3931c3b7a3fd19972 -Author: Daniel Canter -Date: Wed Oct 14 14:39:28 2020 -0700 - - Add ability to set default scratch size for containers/UVM and re-use LCOW container scratch - - * Add containerd.toml options to be able to set the default scratch space size for containers and - the UVMs scratch size for WCOW. - - * Add containerd.toml option to be able to specify that we'd like to share the sandbox containers - scratch space for workload containers for LCOW. - - * Evaluate symlinks for the sandbox.vhd in the scratch layer as that's what is expected to be - set up by the LCOW snapshotter instead of an absolute path to a previous containers sandbox.vhd. - - 
Signed-off-by: Daniel Canter - -commit 6e6b6ce98037df0ea4d9389c4c9462a166463565 -Merge: 0af9b9dc6 13f64b4e6 -Author: Kathryn Baldauf -Date: Fri Oct 30 14:20:21 2020 -0700 - - Merge pull request #889 from katiewasnothere/argon_execinhost - - Add new function to exec cmds in host for process isolated containers - -commit 13f64b4e66f9040e90c8867c00ab0800585df446 -Author: Kathryn Baldauf -Date: Tue Oct 27 13:57:08 2020 -0700 - - Add new diag function to exec a command on the host system - - Signed-off-by: Kathryn Baldauf - -commit 0af9b9dc6b39c4643046bc188af3561b7013b253 -Merge: 0ab229b35 c7253df57 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Oct 27 12:05:15 2020 -0700 - - Merge pull request #856 from dcantah/hyperv-gmsa - - Add GMSA support for V2 HCS schema xenon containers - -commit c7253df57b2bb272b7acedf34958adcfbdfa0d67 -Author: Daniel Canter -Date: Mon Jun 22 14:01:43 2020 -0700 - - Add GMSA support for V2 HCS schema xenon containers - - * Add new UVM function 'UpdateHvSocketService' to be able to hot add - Hvsocket service table entries. - * Add new UVM function 'RemoveHvSocketService' to be able to hot remove - an Hvsocket service. - * Add disabled field to HvSocketServiceConfig (used to be private in the schema) - * Remove hardcoded error if supplying a cred spec and the client asked for a - hypervisor isolated container. - * Misc refactors (comments, style) - - 
Signed-off-by: Daniel Canter - -commit db3851c72aded9fb854e95a43c6b66625bcd234c -Merge: 9787141bf 1a6b13cbf -Author: Kathryn Baldauf -Date: Mon Oct 19 13:42:53 2020 -0700 - - Merge pull request #382 from katiewasnothere/revert_init_kill_all - - Revert previous change that issues a kill all on container stop for LCOW - -commit 0ab229b358c7b9345736c545627ed1b9d114b4a5 -Merge: e8b45bc11 56191cc34 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Fri Oct 16 18:59:37 2020 -0700 - - Merge pull request #882 from dcantah/reg-changes - - Add regkey to WCOW to deal with containment for GNS compartment changes - -commit 56191cc34687edfbf1625049fd0379c1cdbca419 -Author: Daniel Canter -Date: Thu Oct 8 03:14:56 2020 -0700 - - Add regkey to WCOW to deal with containment for GNS compartment changes - - * A change was added recently to GNS that will be backported to Vb and possibly - 19H1 and RS5 that changes how network compartments are created to fix an issue - with accessing smb shares in hypervisor isolated containers. To ease the worries - of this breaking anything the change will be put behind a registry key (that is only set by us) - so that the change won't impact docker and can be optionally toggled off by us through - this annotation. - - Signed-off-by: Daniel Canter - -commit e8b45bc11a8b78cc7c0bb8062639cb9d6795fed3 -Merge: 6feb77486 c91b39de7 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Oct 15 09:29:29 2020 -0700 - - Merge pull request #885 from dcantah/fix-compartment - - Change SetJobCompartmentId to use win32 error code semantics - -commit c91b39de715815e653647cee32f6ab09a664804e -Author: Daniel Canter -Date: Thu Oct 15 06:47:49 2020 -0700 - - Change SetJobCompartmentId to use win32 error code semantics - - * Binding currently has the return value checked against HRESULT semantics when - this shouldn't be the case. - - 
Signed-off-by: Daniel Canter - -commit 6feb774860a73f43daf05758377dbc413a6909fa -Merge: e529bb33c 688da9024 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Oct 14 18:41:13 2020 -0700 - - Merge pull request #883 from dcantah/setjobcompartment - - Add SetJobCompartmentId function from iphlpapi.dll - -commit 688da9024c6d261ad036d895bbb8745f733d9e3b -Author: Daniel Canter -Date: Mon Oct 12 15:09:58 2020 -0700 - - Add SetJobCompartmentId function from iphlpapi.dll - - * For future work to be able to run a job container in a network namespace - that isn't the hosts, added the SetJobCompartmentId function from iphlpapi. - - Signed-off-by: Daniel Canter - -commit 1a6b13cbf15ac0e61afb4dc7ec99315862b64857 -Author: Kathryn Baldauf -Date: Wed Oct 14 18:07:14 2020 -0700 - - Revert previous change that issues a kill all on container stop for LCOW - - Signed-off-by: Kathryn Baldauf - -commit e529bb33c9c6466c72fa2d38f3082edd679e1684 -Merge: 936eeeb28 127715ce6 -Author: Kevin Parsons -Date: Wed Oct 14 17:54:19 2020 -0700 - - Merge pull request #884 from kevpar/lcow-layer-logging - - Improve logging for LCOW layer operations - -commit 127715ce662cd68f3d2e8858e75a300e28d84b7f -Author: Kevin Parsons -Date: Wed Oct 14 02:07:37 2020 -0700 - - Improve logging for LCOW layer operations - - 
Signed-off-by: Kevin Parsons - -commit 9787141bf586cbefb59309d5787fde58126229cd -Merge: eaba4b742 deb2d17ee -Author: Kathryn Baldauf -Date: Tue Oct 13 12:22:08 2020 -0700 - - Merge pull request #380 from katiewasnothere/update_container - - Add new bridge call to update runc container - -commit eaba4b7429d790052139d0c3cf3413f2fe33c64f -Merge: 3c959b72f c5204274b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Oct 6 11:23:14 2020 -0700 - - Merge pull request #381 from dcantah/use_hierarchy - - Write 1 to memory.use_hierarchy to enable hierarchy support - -commit c5204274b734aa740ed612a75720ba5401ed2fcd -Author: Daniel Canter -Date: Sat Oct 3 02:59:41 2020 -0700 - - Write 1 to memory.use_hierarchy to enable hierarchy support - - `Created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future. - cgroup: "memory" requires setting use_hierarchy to 1 on the root.` - - After booting the UVM, this is present in dmesg. There's numerous threads on this over the years from docker, lxc and many others. This should enable the hierarchy support we (believe) we're using for our nested container cgroups so the resource consumptions are properly propagated upwards to their parent cgroup (/containers).` - - * Enable hierarchy support so memory usage and limits can flow upwards to the parent cgroup like we'd expect for the /container and its nested cgroups. It's not necessary to set this on any nested cgroups, only the root. - - 
Signed-off-by: Daniel Canter - -commit 936eeeb286fd1197f107acfc4c3c82e4a9afc2c8 -Merge: 380508768 dfb862d42 -Author: Kevin Parsons -Date: Thu Oct 1 16:42:39 2020 -0700 - - Merge pull request #880 from kevpar/rescale-cpu-limit - - Add option to scale Windows container CPU limit based on UVM CPUs - -commit dfb862d4211be24a084ac7b5e8a0ff87917aba87 -Author: Kevin Parsons -Date: Thu Oct 1 03:09:55 2020 -0700 - - Add option to scale Windows container CPU limit based on UVM CPUs - - Previously we would always use the CPU limit given without any change. - However, there is an issue with kubelet where it calculates that value - based on the number of host CPUs, which causes an incorrect value to be - computed when the container runs in a UVM. - - We now provide a config option to enable adjusting the CPU limit value - based on the UVM's number of processors, so that the resulting amount - of CPU will be what the kubelet expects. - - As this path is a fix to address specific behavior in the kubelet, and - there could be other users who don't want this change, we lock the new - behavior behind a config option. - - In the future, if kubelet becomes more aware of VM sandboxes for - containers, we could adjust this behavior, or remove it entirely. - - Signed-off-by: Kevin Parsons - -commit 380508768ed2619a4777f268c6443017bb76b04e (tag: v0.8.10) -Merge: bfd1217cb 0d64dfa64 -Author: Kathryn Baldauf -Date: Wed Sep 23 10:48:57 2020 -0700 - - Merge pull request #875 from katiewasnothere/modify_memory - - Add calls to modify UVM memory size and tests - -commit bfd1217cb9f75fa1cd0ddce44e924aeb7157bc39 -Merge: 016dbfd1e 0baeb83a9 -Author: Kevin Parsons -Date: Wed Sep 23 10:20:19 2020 -0700 - - Merge pull request #876 from TBBle/revendor-gowinio-for-updated-tar - - Revendor Microsoft/go-winio for 8gB file fix in `wclayer` - -commit 0d64dfa648b10e4fdf952bbe1483d44a88240c49 -Author: Kathryn Baldauf -Date: Tue Sep 8 18:48:04 2020 -0700 - - Add calls to modify UVM memory size and tests - - 
Signed-off-by: Kathryn Baldauf - -commit deb2d17eec18b8916b124e9b30c2ec454b11192f -Author: Kathryn Baldauf -Date: Thu Sep 17 14:17:46 2020 -0700 - - Add new bridge call to update runc container - - Signed-off-by: Kathryn Baldauf - -commit 016dbfd1ef01c234b1cb09760b4262ce9c148fdc -Merge: 6dd55e705 592d4f8fc -Author: Kathryn Baldauf -Date: Thu Sep 17 13:38:48 2020 -0700 - - Merge pull request #878 from katiewasnothere/fix_memory_schema - - Fix schema memory size field type - -commit 592d4f8fcbff1a786355cdd88f8cf0bd354e2189 -Author: Kathryn Baldauf -Date: Thu Sep 17 13:32:27 2020 -0700 - - Fix schema memory size field type - - Signed-off-by: Kathryn Baldauf - -commit 6dd55e70584bdf9eb6c632cb293cc3962db79898 -Merge: 1a9588fd6 12eee6e44 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Sep 14 13:18:25 2020 -0700 - - Merge pull request #874 from dcantah/expand-winapi - - Add new winapi bindings for job containers - -commit 12eee6e44ec39e3627c2974b8baf98694ef423cd -Author: Daniel Canter -Date: Fri Sep 4 12:54:54 2020 -0700 - - Add new winapi bindings for job containers - - * Add windows bindings needed for job containers work - - Signed-off-by: Daniel Canter - -commit 0baeb83a97ba502ae6b729a22eee354104f21a67 -Author: Paul "TBBle" Hampson -Date: Wed Sep 9 22:30:16 2020 +1000 - - Revendor Microsoft/go-winio to v0.4.15-0.20200908182639-5b44b70ab3ab - - This pulls in the migration of go-winio/backuptar from the bundled fork - of archive/tar from Go 1.6 to using Go's current archive/tar. - - Currently only affects the wclayer utility, but resolves a problem - creating OCI layers containing files larger than 8gB. - - 
Signed-off-by: Paul "TBBle" Hampson - -commit 1a9588fd692bcf7e7e8df6c0344e1f04cc5a2544 -Merge: a24031cfe 0bbf25b0a -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Tue Sep 8 14:41:13 2020 -0700 - - Merge pull request #873 from elweb9858/l4wfpproxy_versioncheck - - Adding version check for L4WfpProxy endpoint policy - -commit 0bbf25b0a739cfff840719a19924f7f7147b6959 -Author: elweb9858 -Date: Fri Sep 4 12:16:48 2020 -0700 - - Adding version check for L4WfpProxy endpoint policy - - Signed-off-by: elweb9858 - -commit a24031cfee7b62cbe025ce60de9add8947c9bc24 -Merge: d2cba219a 23d02c871 -Author: Kevin Parsons -Date: Fri Sep 4 16:01:30 2020 -0700 - - Merge pull request #872 from kk-src/format-disk - - Add prepare-disk command. - -commit 23d02c871bb904a25ca6b5001a3d7682dd08d92b -Author: Krishnakumar R(KK) <65895020+kk-src@users.noreply.github.com> -Date: Fri Sep 4 14:05:58 2020 -0700 - - Add prepare-disk command - - Prepare-disk command formats a given disk with ext4. This is required for a disk(as passthrough) to be made available within a container. Here is an excerpt from a configuration for such a scenario. - - "mounts": [ - { - "host_path": "\\.\PHYSICALDRIVE2", - "container_path": "/disk" - } - ] - - The gcs/runc combo expects the pass-through disk to be formatted and tries to mount it on a local path within the uvm. Prepare-disk ensures that this restriction is met. - - Note: Full disk is formatted with ext4 without any partitioning. TODO: add options to allow partitioning and then formatting. - - 
Signed-off-by: Krishnakumar R(KK) <65895020+kk-src@users.noreply.github.com> - -commit 3c959b72f069ae352757caf5c752996d847bde5a -Merge: ed1730c2b 968870061 -Author: Kevin Parsons -Date: Thu Sep 3 10:00:32 2020 -0700 - - Merge pull request #379 from kevpar/fix-resolvconf - - Fix resolv.conf generation - -commit 9688700614ec94c5bc740db56081993f520bfea4 -Author: Kevin Parsons -Date: Thu Sep 3 01:28:33 2020 -0700 - - Fix resolv.conf generation - - This change fixes two issues in the resolv.conf generation code: - - If DNSSuffix or DNSServerList are empty strings, the resulting slice - would contain a single empty string instead of being an empty slice. - This is due to strings.Split("", ",") returning [""] rather than []. - - The code in standalone_container.go was accidentally not passing a - value for searches to network.GenerateResolvConfContent. - - Signed-off-by: Kevin Parsons - -commit d2cba219a8d746362bdd75753492c1dfd217f435 -Merge: 301c83a30 9f824883e -Author: Kathryn Baldauf -Date: Mon Aug 31 13:51:10 2020 -0700 - - Merge pull request #842 from katiewasnothere/hyperv_assigned_devices_split - - Support hyper-v assigned devices - -commit ed1730c2b917da8d532dc5403a9c6e44da0040e1 -Merge: 60d84e92d ef66283a3 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Mon Aug 31 01:16:08 2020 -0700 - - Merge pull request #378 from dcantah/cgroups-fix - - Touchup OOM/memory limit logging events - -commit 9f824883e0640fc3b5c190b6f67fe64e321dc289 -Author: Kathryn Baldauf -Date: Tue Jun 16 13:30:55 2020 -0700 - - Add e2e tests for assigned devices in WCOW - - Signed-off-by: Kathryn Baldauf - -commit 9ffc90a28f709d40badcf3d76cef7f62f31594fe -Author: Kathryn Baldauf -Date: Tue Jun 16 13:18:43 2020 -0700 - - Use previously defined functions to allow device assignment - * Extend parsing of assigned devices on the hcsv2 doc to include xenon - * Use functions that handle assigned devices when allocating - windows container resources - - 
Signed-off-by: Kathryn Baldauf - -commit 1f2256d5d9ed72e74cce82cc450c315867eb576b -Author: Kathryn Baldauf -Date: Tue Jun 16 13:13:53 2020 -0700 - - Add ability to handle assigned devices for WCOW - * Add ability to parse assigned devices - * Add function to query UVM for location paths of child devices assigned - * Add new prefix for container spec specified devices in vpci - * Remove block on assigning devices in WCOW - - Signed-off-by: Kathryn Baldauf - -commit ae426175f1380a324154bceee6bc9113d05fe51b -Author: Kathryn Baldauf -Date: Tue Jun 16 13:09:44 2020 -0700 - - Add commands for pnp device querying/management - * Add new comma separated annotation "io.microsoft.assigneddevice.kerneldrivers" - for path to device drivers - * Add commands to install kernel drivers - * Add command to query UVM for pnp device information - - Signed-off-by: Kathryn Baldauf - -commit 3fde72426aa83126fdb4cc9dbd4b4a8d7f7e9ce5 -Author: Kathryn Baldauf -Date: Tue Jun 16 13:07:00 2020 -0700 - - Create new utility 'device-util' for querying pnp information of devices - * Add a new shim option for the `device-util` path - - Signed-off-by: Kathryn Baldauf - -commit ea4a3ab6d5fe9ecac0b6e6e7d90261c0a378620c -Author: Kathryn Baldauf -Date: Tue Jun 16 12:40:57 2020 -0700 - - Add ability to query NT obj directories - * create new pkg `winapi` that contains the low level syscall bindings - for windows dll api calls - * add device querying code with CM* api to new package `windevice` - * add code to enumerate NT object directories in pkg `winobjdir` - - Signed-off-by: Kathryn Baldauf - -commit 301c83a30e7cade283b2afd5dc4e4068181662c3 -Author: Daniel Canter -Date: Tue Aug 25 20:17:06 2020 -0700 - - Fix LpIndex JSON annotation - - * Fix the LpIndex JSON annotation in the LogicalProcessor v2 HCS schema - from being the wrong value. - - 
Signed-off-by: Daniel Canter - -commit ef66283a384518835cc39df784ac393f3170269b -Author: Daniel Canter -Date: Fri Aug 21 20:04:58 2020 -0700 - - Touchup OOM/memory limit logging events - - * An event gets sent during cgroup teardown so avoid logging an event for this case. - - * Fix returning nil stats if the LCOW kernel doesn't have CONFIG_MEMCG_SWAP - (no memsw cgroup entries). - - * Add additional gcs start timestamp and current timestamp fields to logs. - - Signed-off-by: Daniel Canter - -commit 94556e86d3db0e9e09390ea36e8aaf608fcbc9e8 -Author: Daniel Canter -Date: Tue Aug 18 14:56:22 2020 -0700 - - Fix flaky cri-containerd LCOW events test - - * Move the context.WithTimeout after the setup/launch of the sandbox/uvm - to avoid hitting the timeout and failing the test. - - Signed-off-by: Daniel Canter - -commit 6735787a4e853b8ca9144d3da29cd210aa435c11 -Merge: 1869133ca 6e13016b7 -Author: Kathryn Baldauf -Date: Fri Aug 14 17:55:29 2020 -0700 - - Merge pull request #865 from katiewasnothere/refactor_hcsoci - - Refactor code in hcsoci into logical packages - -commit 6e13016b72f2808eb255d46e34e6d9d960898d33 -Author: Kathryn Baldauf -Date: Mon Aug 10 15:41:31 2020 -0700 - - Refactor code in hcsoci into logical packages - * Created a new package `cmd` that contains code for running processes in a compute system - * Created a new package `resources` that contains code for creating, updating, releasing container resources - * Created a new package `credentials` which handles container credential guard instances needed for gmsa - * Created a new package `layers` that contains code for creating container image layers - - 
Signed-off-by: Kathryn Baldauf - -commit 1869133ca498cb7f27813514c3e6642cb1d8e5fe (adoshim/kevpar/ingest-public) -Merge: e24759cb1 556e84706 -Author: Kevin Parsons -Date: Wed Aug 5 12:36:50 2020 -0700 - - Merge pull request #862 from kevpar/update-test-vendor - - Update test module vendoring - -commit 556e84706cb057e21eda8dd8988baf4307f56034 -Author: Kevin Parsons -Date: Wed Aug 5 12:31:50 2020 -0700 - - Update test module vendoring - - The vendoring for the test module was out of date, which caused build - failures. Ran `go mod vendor` to update the vendoring. - - Signed-off-by: Kevin Parsons - -commit e24759cb1f31ffc497761d195ff1f9984b830190 -Author: vidushv -Date: Fri Jul 31 15:58:52 2020 -0700 - - Update AclSupportForProtocol252Version to support versions > 11.0 - - Signed-off-by: vidushv - -commit d80bc7196cb0025723d5fc8dc33796d0a3d0ebfb -Author: netal -Date: Mon Aug 3 12:13:15 2020 -0700 - - L4 proxy policy - - Signed-off-by: netal - -commit d06a1265d776f12fd4c7a628e23d4807a8285f52 -Merge: 06bbb5c92 3c9cf4236 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Sat Aug 1 11:18:57 2020 -0700 - - Merge pull request #852 from TBBle/wclayer_actually_mounts - - Teach wclayer to mount volumes at mountpoints - -commit 3c9cf4236a0192221f21822c4db25e14477248b7 -Author: Paul "TBBle" Hampson -Date: Thu Jul 23 17:29:45 2020 +1000 - - Teach wclayer to mount volumes at mountpoints - - This just makes life slightly easier when debugging or inspecting - wclayer behaviours. - - 
Signed-off-by: Paul "TBBle" Hampson - -commit 06bbb5c920aee2f3c825af789e8f92daa0109fac -Merge: ec90316d4 ad690807d -Author: Kevin Parsons -Date: Fri Jul 31 10:31:05 2020 -0700 - - Merge pull request #859 from kevpar/vsmb-readonly-reuse - - Fix VSMB to not mix up rw/ro shares - -commit ec90316d4d8526f22d0352654309eb5393295260 -Merge: 5345ae94f 44ac5c1ac -Author: Kathryn Baldauf -Date: Fri Jul 31 10:08:26 2020 -0700 - - Merge pull request #849 from katiewasnothere/sandbox_devices_test - - Add tests for sharing devices from the sandbox into a lcow container - -commit 5345ae94fade229beabf906dc60fc562492a76b0 -Author: Paul "TBBle" Hampson -Date: Sat Jul 25 18:12:52 2020 +1000 - - Fix comment on CreateScratchLayer - - CreateScratchLayer doesn't take a parent id anymore, just the list of parent layer paths, since #183 in 0.7.0 - - Signed-off-by: Paul "TBBle" Hampson - -commit ad690807d94c9ef1ec6151d0c9536dd3f717e311 -Author: Kevin Parsons -Date: Thu Jul 30 11:14:31 2020 -0700 - - Add test for reusing ro VSMB share as rw - - 
Signed-off-by: Kevin Parsons - -commit 50df2843fc0976a4fb4d334b513941d4a20ce50e -Author: Kevin Parsons -Date: Thu Jul 30 03:05:24 2020 -0700 - - Fix VSMB to not mix up rw/ro shares - - The VSMB code attempts to create as few actual shares as possible. This - is done by ref-counting existing shares so that if the same directory is - shared again, the old share is used instead. However, the mechanism for - looking up an existing share currently only keys off of the share path. - This has the unfortunate affect that a read-only share can be repurposed - as a read-write share. - - I first looked at fixing this by more broadly refactoring the VSMB code, - with the aim of not only fixing this bug, but also removing some of the - hacks that were put in place to support single-file mapping. However, - that work ended up complicating things a lot, so I think other cleanup - work will need to be done first before that broader refactoring can - be merged. - - As a more immediate and tactical fix, I have now simply changed the way - we create keys to look for an existing VSMB share. The key now includes - both the host path and the rw/ro state of the share. This should allow - for read-only and read-write shares of the same directory to coexist. - - One consequence of this change is that operations like RemoveVSMB and - GetVSMBUvmPath now need to know the rw/ro state of the share, so they - can operate on the correct share. To resolve this, I have added a - readOnly parameter to the signatures of these functions, and updated the - callers to pass the correct value in. - - Signed-off-by: Kevin Parsons - -commit 44ac5c1acbf1db8abf88837de21d011e4ed4cf1a -Author: Kathryn Baldauf -Date: Wed Jul 15 23:41:59 2020 -0700 - - Add tests for sharing devices from the sandbox into a lcow container - - 
Signed-off-by: Kathryn Baldauf - -commit 60d84e92d10a23a5822dca0ce0a67d952edb10c4 -Merge: ac9ffdaa4 146fa3f4e -Author: Kathryn Baldauf -Date: Thu Jul 30 18:48:28 2020 -0700 - - Merge pull request #377 from katiewasnothere/sandbox_devices - - Add support for parsing linux devices into workload containers - -commit 15ff992334f9bcdd4083fc6beeaed845e34ab56c -Merge: fc27c5026 1ac4b0237 -Author: Kevin Parsons -Date: Tue Jul 28 10:09:44 2020 -0700 - - Merge pull request #857 from TBBle/windows_1909_osversion - - Add Windows V19H2 (1909) to builds list - -commit 1ac4b023746040c0a6d89b77ae3cd002f8e6d006 -Author: Paul "TBBle" Hampson -Date: Wed Jul 29 03:02:18 2020 +1000 - - Add Windows V19H2 (1909) to builds list - - It's not "semi-annual" if you're 12 months apart. - - Mainly useful for vendoring, no tests currently distinguish V19H2 - behaviour. - - Signed-off-by: Paul "TBBle" Hampson - -commit fc27c5026e6ff001dc1b171b99bda7bb3dcf6e78 -Merge: 09453f7b6 da7633bde -Author: Kevin Parsons -Date: Fri Jul 24 12:28:55 2020 -0700 - - Merge pull request #854 from kevpar/test-2004 - - Add support for Windows 2004 release to test suite - -commit da7633bde58e1a14490afc6d6b798b72ffcf8062 -Author: Kevin Parsons -Date: Fri Jul 24 11:25:39 2020 -0700 - - Add support for Windows 2004 release to test suite - - Also ran `go mod tidy` to clean up test modules file. - - Signed-off-by: Kevin Parsons - -commit 09453f7b6cebf99f992bc5b785b9ba3a996f5d66 -Merge: 5eafd1556 3a05609b6 -Author: Kevin Parsons -Date: Thu Jul 23 10:19:41 2020 -0700 - - Merge pull request #851 from kevpar/empty-dir-test - - Add test for WCOW kubernetes.io~empty-dir support - -commit 3a05609b60100b6f3cfbf21a5c05ad25ca3859c4 -Author: Kevin Parsons -Date: Wed Jul 22 16:19:56 2020 -0700 - - Add test for WCOW kubernetes.io~empty-dir support - -commit 146fa3f4ecd09a869972d810d82695a54eb39d21 -Author: Kathryn Baldauf -Date: Wed Jul 15 23:43:01 2020 -0700 - - Add support for parsing linux devices into workload containers - - 
Signed-off-by: Kathryn Baldauf - -commit 5eafd1556990abd5e7390ff4b5abc9a14a5e16ed -Author: elweb9858 -Date: Wed Jul 15 14:07:06 2020 -0700 - - Updating DSR version check to 9.3-9.max, 10.2+ - -commit 23becc456facc06c292c5d9c2bed33ba0f64ec21 -Merge: 0ab38ee75 9d8593590 -Author: Kevin Parsons -Date: Sun Jul 12 11:38:36 2020 -0700 - - Merge pull request #847 from microsoft/fix-test-rs5 - - Change image timestamp test to use 19H1 runtime class - -commit 9d859359013d45eaead2e6b52abc71ed2d545acd (hcsshim/fix-test-rs5) -Author: Kevin Parsons -Date: Sun Jul 12 00:47:46 2020 -0700 - - Change image timestamp test to use 19H1 runtime class - - This test involves running a 19H1-based image, and previously used - the wcow-hypervisor runtime class which uses the host OS version. This - caused the test to fail to run on RS5. This change fixes this by - explicitly using the 19H1 runtime class. - - Signed-off-by: Kevin Parsons - -commit 0ab38ee751bd995672b12624a5a63d9ece4af789 -Merge: e50252db8 298804bba -Author: Kevin Parsons -Date: Wed Jun 24 11:50:51 2020 -0700 - - Merge pull request #845 from kevpar/processor-qos-block - - Remove block on processor weight/maximum for WCOW process-isolated - -commit 298804bbafaaeab3681d832990614cbb5c598c1d -Author: Kevin Parsons -Date: Wed Jun 24 10:00:39 2020 -0700 - - Remove block on processor weight/maximum for WCOW process-isolated - - Previously there was an OS bug that prevented processor weight/maximum - from working properly. This has now been fixed and backported to 1809+, - so it is safe to remove this block. - - 
Signed-off-by: Kevin Parsons - -commit ac9ffdaa4b9774e47beec5999aa521ac0b917d26 -Merge: bff689ff5 200301a20 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Sun Jun 14 16:27:52 2020 -0700 - - Merge pull request #376 from dcantah/pmem-fix - - Fix pmem build error - -commit 200301a209296d53afc3abc162d91c629da5eea2 -Author: Daniel Canter -Date: Sun Jun 14 16:15:04 2020 -0700 - - Fix pmem build error - - * Fix 'pmem declared and not used' build error introduced with https://github.com/microsoft/opengcs/pull/375. - When testing things to solve the 5.4 kernel build failure I had been doing all of - the work on a '54-kernel-failure' branch, so when we discovered the dax issue I - added the fix to this branch and built off of it to verify. When seeing that this - resolved the issue I created a new branch and just added the removing of dax changes - and forgot to add what is in this commit before pushing. - - 
Signed-off-by: Daniel Canter - -commit e50252db8f09e897e5c2a5d5d071bffb163c4637 -Merge: 27a858bf1 945b22014 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Mon Jun 8 22:53:34 2020 -0700 - - Merge pull request #832 from microsoft/user/ambarve/bug26547010 - - Fix the timestamp bug in pulling a multi layer image. - -commit 945b2201480db3e4836bb819a9b4e9cb94b550d9 -Author: Amit Barve -Date: Wed Jun 3 14:02:16 2020 -0700 - - Fix the timestamp bug in pulling a multi layer image. - - When pulling a multilayer image, the delta layers can delete some files or create new hard links. We have to do this file deletion or hard link creation after we are done with the ImportLayer call. However, these operations alter the last modification timestamps of the parent directories of these files. Some container applications depend on these timestamps and these applications don't work as expected when we delete the files or create hardlinks. This change reverts the timestamps after doing the delete or hard link creation operation so that the container applications depending on them aren't affected. - Also, until now we only did this for files that aren't symlinks, with this change we will do it for files that are symlinks too. This had to be done because while exporting a layer we sometimes incorrectly adds the symlink attribute to a directory that isn't actually a symlink. - - Signed-off-by: Amit Barve - -commit 27a858bf1651e8204c64b5e6f9979f6c51a0f943 -Author: JocelynBerrendonner -Date: Thu Jun 4 18:05:15 2020 -0700 - - Exposing VXLAN ports configuration - - 
Signed-off-by: JocelynBerrendonner - -commit 4e0d8b8d830a02822eacc84675ebf93e8c0b4866 -Author: Daniel Canter -Date: Tue May 19 03:17:59 2020 -0700 - - Add share file/directory command to shimdiag - - * Add command to shimdiag to be able to share an arbitrary directory/file - from the host into the UVM. - * Export new GuestRequest method on UVM to be able to issue arbitrary guest requests. - * Some misc comment/code fixes. - - Signed-off-by: Daniel Canter - -commit 971423bf8469a26e82720df9c72ab51a3e945a64 -Merge: 00b7a8be8 25885de49 -Author: Kathryn Baldauf -Date: Fri Jun 5 14:19:06 2020 -0700 - - Merge pull request #828 from kolyshkin/bump-cgroups - - go.mod: bump containerd/cgroups - -commit 00b7a8be8940f9001771de242ed9f88672deddbc -Merge: 70248d045 fa92bb595 -Author: Kathryn Baldauf -Date: Wed Jun 3 16:42:45 2020 -0700 - - Merge pull request #833 from microsoft/remove_vsmb_guestpath_func - - Remove VSMB GuestPath func - -commit fa92bb595ff34e20c7a234564a4af970edb5151a -Author: Kathryn Baldauf -Date: Wed Jun 3 16:20:45 2020 -0700 - - Remove VSMB GuestPath func - - Signed-off-by: Kathryn Baldauf - -commit bff689ff535ca94cac2e85beae25f3d9bf0c8406 -Merge: 5e5e32fa2 a66c6ad69 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Jun 3 13:59:03 2020 -0700 - - Merge pull request #375 from dcantah/remove-dax - - Remove dax mount option to avoid 5.4 kernel hard failure - -commit a66c6ad69c4a5415e7aa64689457f172125c9215 -Author: Daniel Canter -Date: Wed Jun 3 12:57:25 2020 -0700 - - Remove dax mount option to avoid 5.4 kernel hard failure - - * Removed dax mount option to circumvent the 5.4 kernel hard failure on - unsupported dax devices. Previously if the block device wasn't supported - the kernel would simply silently fail. This behavior was changed with this patch - https://patchwork.kernel.org/patch/10631361/. - - This change should be reverted whenever dax is properly supported for our - pmem devices. - - 
Signed-off-by: Daniel Canter - -commit 25885de4952703d3207701fce71c92ac4c277066 -Author: Kir Kolyshkin -Date: Mon Jun 1 13:40:05 2020 -0700 - - go.mod: bump containerd/cgroups etc - - This is mostly to update dependencies. - - Since we have updated x/sys/windows, make cmd/containerd-shim-runhcs-v1 - use the new windows.SecurityDescriptorFromString(), removing the ugly - unsafe cast. - - Signed-off-by: Kir Kolyshkin - -commit 70248d045a858ae21b83a043fa80ee6b1a47a84a -Author: Daniel Canter -Date: Mon Jun 1 18:50:10 2020 -0700 - - Add DefaultVSMBOptions function and remove guestrequest parameter - - * As we use almost the same set of VSMB options throughout the codebase, - this consolidates the settings into a single function instead of having to - set them manually each time. - * Remove guestrequest object from VSMBShare struct and AddVSMB as it isnt used - anywhere. - - Signed-off-by: Daniel Canter - -commit 2ba2cb51c5da57bbdbcaf827ef0ed3469bda3697 -Merge: 3a4267ffd 81278f5cb -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Thu May 21 13:35:55 2020 -0700 - - Merge pull request #820 from microsoft/user/ambarve/external_gcs_wcow - - Enable external GCS connection for WCOW. - -commit 81278f5cb754cf8944d1db5dda88a2693664ec34 -Author: Amit Barve -Date: Wed May 20 13:26:12 2020 -0700 - - Enable external GCS connection for all of WCOW. - - Signed-off-by: Amit Barve - -commit 3a4267ffd198f62e7dfef31e7eabe9be5f60fa78 -Author: Daniel Canter -Date: Wed May 20 13:55:01 2020 -0700 - - Fix RootVpIndex type mistake - - * In a minroot configuration, everything assigned to the VM > the hosts - logical processors will return -1 for RootVpIndex, so unmarshalling into a - unsigned integer will fail if the virtual processor count assigned to the UVM is - greater than the hosts amount. This was an oversight as our schema generates - uints as regular ints and when manually changing them I missed that RootVpIndex - was not also a uint. - - 
Signed-off-by: Daniel Canter - -commit c681474851789041027f8728b1e3c98e6ba67b2a -Merge: 9e1106260 5490249c6 -Author: Kevin Parsons -Date: Thu May 14 18:16:30 2020 -0700 - - Merge pull request #823 from netal/user/negup/hcsshim_setpolicy - - Updating the supported HNS minor and major version for SetPolicy - -commit 5490249c646a08a766fa147f4a69bad822991768 -Author: netal -Date: Wed May 13 13:15:00 2020 -0700 - - updated formatting of files - - Signed-off-by: netal - -commit 314a1f660463552c82c3d0e34a230b4c66087ea6 -Author: netal -Date: Wed May 13 12:16:22 2020 -0700 - - Updating HNS Minor and Major version for SetPOlicy - - Signed-off-by: netal - -commit 9e1106260eb69a6b777624f2ca092e684e4e7835 -Author: Daniel Canter -Date: Fri May 8 13:19:12 2020 -0700 - - Change to use GetActiveProcessorCount for logical processor count - - * Change to use GetActiveProcessorCount instead of GetMaximumProcessorCount - as the latter takes into account hot addable CPUs. - - Signed-off-by: Daniel Canter - -commit 495a5f8e4e02db9060897393136a0cf7f99ffa91 -Author: Daniel Canter -Date: Mon Apr 20 20:42:36 2020 -0700 - - Fix 'WorkingSetBytes' memory metric for PA backed VMs - - * Added a field (physicallyBacked) to UtilityVM - struct. - * Fix behavior of querying the UVMs vmmem process to get the working set - size for physically backed UVMs. Instead we assign the total memory assigned - to the UVM by using AssignedMemory * 4096 (is returned as number of 4kb pages) - * Add tests to verify working set size for physically backed WCOW AND LCOW. - * Refactor how we check for unsupported/incorrect configurations for the UVM settings. - - 
Signed-off-by: Daniel Canter - -commit 92534ef560742021a43fd45bc98b71b5869c0a39 -Author: Daniel Canter -Date: Wed May 6 21:02:09 2020 -0700 - - Fix UVM processor cap with processor groups. - - * Fix bug where we were incorrectly capping a users requested - CPU count in multiple processor group scenarios. This was due to - the fact that we used runtime.NumCPU() to get the logical processor - count of the system and this does not take into account multiple - processor groups. Instead use the processor topology information from HCS - to cap the UVMs amount and the win32 API function GetMaximumProcessorCount - to cap a process isolated containers requested amount. - * Add HCS schema files necessary to retrieve the processor topology information. - - Signed-off-by: Daniel Canter - -commit 222e9efadbe02a056b6ad4e7160ba5a035aa2c6a -Merge: 1eb324a5b 950fb8388 -Author: Kathryn Baldauf -Date: Wed May 6 11:10:21 2020 -0700 - - Merge pull request #811 from katiewasnothere/process_assigned_devices - - add support for assigned devices in process isolated containers - -commit 950fb838837e50472cd60d127b48a95774290369 -Author: Kathryn Baldauf -Date: Tue Apr 21 10:33:11 2020 -0700 - - Add support for assigned devices in process isolated containers - - Signed-off-by: Kathryn Baldauf - -commit 1eb324a5b689e1b780af28742575ca0cd7751df7 -Merge: f722e88bb 7ac8354b1 -Author: Kathryn Baldauf -Date: Tue May 5 19:31:51 2020 -0700 - - Merge pull request #805 from katiewasnothere/assigned_devices_multiple - - Add ref counting of assigned devices - -commit 7ac8354b16af94f5e04e896ce600d2420b1f8ac1 -Author: Kathryn Baldauf -Date: Wed Apr 29 12:07:05 2020 -0700 - - Add support for ref counting assigned devices - - 
Signed-off-by: Kathryn Baldauf - -commit f722e88bb2a3313f4ad62f920e52e4bd545c68c9 -Merge: 5249f66ac 4f577aca8 -Author: Kevin Parsons -Date: Tue May 5 16:59:59 2020 -0700 - - Merge pull request #819 from kumarvin123/master - - Added the IPV6PrefixLength field - -commit 5249f66ac927b445b245a954206f43120ddd48ec -Merge: 72489c472 1d988b27c -Author: Kathryn Baldauf -Date: Tue May 5 10:29:20 2020 -0700 - - Merge pull request #806 from katiewasnothere/device_backing_annotation - - Add annotation for UVMs to be fully physically backed - -commit 4f577aca8da64bbe8b8f327ed5f942e58b298ea9 -Author: Vinod K L Swamy -Date: Mon May 4 14:53:09 2020 -0700 - - Added the IPV6PrefixLength field - - Signed-off-by: Vinod K L Swamy - -commit 72489c472437d3c83e3e3c4be216be0fa1f8fe97 -Merge: d3a8d6f67 9a98f2c9c -Author: Kathryn Baldauf -Date: Mon May 4 11:43:32 2020 -0700 - - Merge pull request #818 from kumarvin123/master - - Add the IPV6 EndPoint Address and Gateway Field to HnsEndPoint. - -commit 9a98f2c9c7f91369a2f926263592d8a9cf1682ee -Author: Vinod K L Swamy -Date: Sun May 3 11:50:52 2020 -0700 - - Add the IPV6 EndPoint Address and Gateway Field to HnsEndPoint. - - Signed-off-by: Vinod K L Swamy - -commit 1d988b27c58f92657572adb7461d3709a86d08b5 -Author: Kathryn Baldauf -Date: Mon Apr 13 15:19:08 2020 -0700 - - Add annotation for uvm's to be fully physically backed - * add functions to handle annotations that imply other annotations - * handle new annotation for both wcow and lcow - - 
Signed-off-by: Kathryn Baldauf - -commit d3a8d6f6753578ebff745989b6f5949d33408dbb -Author: Daniel Canter -Date: Fri Mar 27 14:00:33 2020 -0700 - - Add GMSA support for V2 process isolated containers - - * Add generated V2 schema files for Container Credential Guard - * Add new hcs calls that are necessary to setup container credential guard - instances. - * Add new resource type CCGInstance that implements ResourceCloser so a containers - ccg instance will be cleaned up on container close. - * Add tests to validate gmsa - * Remove logging from resource Release methods and just return an error. - Forego returning immediately on an error in ReleaseResources and return - afterwards if any of the releases failed. - - Signed-off-by: Daniel Canter - -commit 5bc557dd210ff2caf615e6e22d398123de77fc11 (tag: v0.8.9) -Author: Vinod K L Swamy -Date: Mon Apr 27 15:30:37 2020 -0700 - - Added Version support for IPv6 Dual stack support in HNS - - 
Signed-off-by: Vinod K L Swamy - -commit eec8eb1acde5cbe0b32a69819b8153a8fab50613 -Merge: ffb46c5b1 698268f47 -Author: Kathryn Baldauf -Date: Thu Apr 23 13:27:50 2020 -0700 - - Merge pull request #798 from katiewasnothere/export_execinuvm - - Export execInUVM to allow for access to the tool outside cmd - -commit ffb46c5b1ed3068aee80c8d1aafde3be2323041e -Merge: c3e488f0d 1421f3c53 -Author: Kevin Parsons -Date: Tue Apr 21 23:14:49 2020 -0700 - - Merge pull request #812 from kevpar/test-feature-flags - - Add feature flags to cri-containerd tests - -commit 1421f3c53c7fa5937617212a43d3f78693a48c55 -Author: Kevin Parsons -Date: Tue Apr 21 16:34:27 2020 -0700 - - Add feature flags to cri-containerd tests - - This change adds support to the cri-containerd test suite to pass - feature flags on the command line to control what sets of functionality - are tested. The flags are passed as "-feature ", and multiple - flags can be passed to a single invocation. This change also adds a - helper function that can be used to test if a given set of features are - enabled. If any of the required features are not enabled, the current - test is skipped. If no feature flags were passed, the helper function - treats all features as enabled. - - This change is needed to support environments where we only want to run - subsets of the tests. For instance, in some cases we don't want to test - LCOW at all. - - The -run test command parameter offers similar functionality through - specifying a regex to filter tests. However, it does not seem feasible - to write a regex that could detect the presence of e.g. "LCOW" in both - a top-level test name, or a subtest name. Therefore, this approach is - unsuitable. - - 
Signed-off-by: Kevin Parsons - -commit c3e488f0d815e9e90815779a3e79df509c43a6d5 -Merge: 7ffb5b16a 16766c929 -Author: Kevin Parsons -Date: Tue Apr 21 11:28:05 2020 -0700 - - Merge pull request #810 from kevpar/fix-test-rs5 - - Skip test on Windows before 19H1 - -commit 16766c92922acfd2e89ad6ff4e6ba9b92e0fb183 -Author: Kevin Parsons -Date: Tue Apr 21 10:49:12 2020 -0700 - - Skip test on Windows before 19H1 - - The Test_RunPodSandbox_MultipleContainersSameVhd_WCOW test does not work - prior to 19H1. In those versions, HcsFormatWritableLayerVhd requires the - VHD to be mounted prior to calling, which we don't do currently. Because - of this, we are unable to create a VHD to use for the test. - - This fixes the issue by simply skipping the test on the affected OS - versions. We could potentially resolve this in the future by adding - more code to do the VHD mount ourselves, but this is a quick fix for - moment. - - We will still have test coverage of this functionality on 19H1, so this - shouldn't be a big issue. - - Signed-off-by: Kevin Parsons - -commit 7ffb5b16a3ea3b2d96e9757e9769cc90e57318bd -Author: elweb9858 -Date: Thu Apr 16 12:09:47 2020 -0700 - - Updating session affinity version check - -commit 5e5e32fa27c3e5082fdfdd59787180f210050739 -Merge: 096d842c8 53d8b674a -Author: Kathryn Baldauf -Date: Thu Apr 16 11:00:08 2020 -0700 - - Merge pull request #374 from microsoft/readme_with_signing - - Update readme with information on commit signing - -commit 53d8b674a7b92babb854f5fe5013e176b6d76b10 -Author: Kathryn Baldauf -Date: Thu Apr 16 10:53:52 2020 -0700 - - Update readme with information on commit signing - - 
Signed-off-by: Kathryn Baldauf - -commit 46c4dff8bb17f8044207cab82043cd3ddf297d85 -Merge: b1a692569 afbdc5709 -Author: Kathryn Baldauf -Date: Thu Apr 16 10:51:43 2020 -0700 - - Merge pull request #808 from katiewasnothere/update_readme_with_signing - - Update the readme to include information on signing commits - -commit afbdc5709ee632bca17890543dc2e6892e29569f -Author: Kathryn Baldauf -Date: Thu Apr 16 10:31:19 2020 -0700 - - Update the readme to include information on signing commits - - Signed-off-by: Kathryn Baldauf - -commit b1a692569e58876ea6920c347349fb629a688217 -Merge: 237a7c972 6ad064280 -Author: Kathryn Baldauf -Date: Wed Apr 15 14:33:22 2020 -0700 - - Merge pull request #804 from microsoft/scsi_layer_fix - - Update scsi layer's uvmPath - -commit 6ad064280b2c5b5de5d405dcc24f69937d5cbd78 (hcsshim/scsi_layer_fix) -Author: Kathryn Baldauf -Date: Wed Apr 15 14:04:51 2020 -0700 - - Update scsi layer's uvmPath - - Signed-off-by: Kathryn Baldauf - -commit 237a7c9720bfa35af16bb54b2734bed19c67eee5 (tag: v0.8.8) -Merge: 5c42905ff 9ed612aba -Author: Kathryn Baldauf -Date: Fri Apr 10 14:25:30 2020 -0700 - - Merge pull request #799 from microsoft/fix_test_go_mods - - Update test vendor with up to date hcsshim and containerd/containerd/log - -commit 9ed612abad8af9a598bb2db009e4adca53cbdad0 (hcsshim/fix_test_go_mods) -Author: Kathryn Baldauf -Date: Fri Apr 10 14:09:48 2020 -0700 - - Update test vendor with up to date hcsshim and containerd/containerd/log - - Signed-off-by: Kathryn Baldauf - -commit 698268f47a027496e9fd687b38777c6f8c633572 -Author: Kathryn Baldauf -Date: Thu Apr 9 15:36:53 2020 -0700 - - Export execInUVM to allow for access to the tool outside cmd - - 
Signed-off-by: Kathryn Baldauf - -commit 5c42905ff6ceaacb7cb8bbbfd03db53b1c22a51c -Merge: 1cc6d5fcf 8cf116b99 -Author: Kathryn Baldauf -Date: Thu Apr 9 15:48:47 2020 -0700 - - Merge pull request #792 from katiewasnothere/scsi_grant_vm_access - - Refactor scsi layer addition - -commit 8cf116b9967d830ca2009b3fe2250930037544df -Author: Kathryn Baldauf -Date: Mon Apr 6 12:40:57 2020 -0700 - - Refactor scsi layer addition - * move mount location of scsi layers - * add option for customizing vm granted access to scsi functions - - Signed-off-by: Kathryn Baldauf - -commit 096d842c8b5f51257deaf4a2c8f3b7095873090b -Merge: 4906aa78d 043c67b3b -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 9 13:44:56 2020 -0700 - - Merge pull request #372 from dcantah/gcs_cgroup - - Improve low memory detection - -commit 1cc6d5fcfaec531f0e3d78bd531d8fc1077db6b7 -Merge: 4c0b06bf8 d587e1aca -Author: Kevin Parsons -Date: Wed Apr 8 19:18:10 2020 -0700 - - Merge pull request #796 from kevpar/fix-ro-vsmb - - Fix read-only VSMB mounts - -commit 043c67b3bbc8b4e353c762292efcaea316b64e05 -Author: Daniel Canter -Date: Tue Apr 7 13:17:14 2020 -0700 - - Vendor new version of containerd/cgroups - - * Vendor new version of containerd/cgroups that has the functionality to - register for other memory events besides oom. - * Remove cgrouputils package in favor of using the cgroups methods. - - Signed-off-by: Daniel Canter - -commit d587e1aca3d8967d3babb453fa49839c9116e6cd -Author: Kevin Parsons -Date: Tue Apr 7 23:32:15 2020 -0700 - - Fix read-only VSMB mounts - - Previously, an errant break statement caused the presence of a read-only - VSMB mount on a container to cause the container activation to fail. - This fixes the issue by removing the break statement. This commit also - adds test cases for read-only mounts (for both LCOW and WCOW, even - though VSMB is only used for WCOW). - - 
Signed-off-by: Kevin Parsons - -commit 4c0b06bf850ae6bf66d894c414fdb0e53994b270 -Author: Daniel Canter -Date: Mon Apr 6 23:41:44 2020 -0700 - - Add zero vpmem (no gpu) test case - - * Add a non gpu zero vpmem test case to test lcow scsi layer additions. - - Signed-off-by: Daniel Canter - -commit e2e2a26589aec99e098877d36d31f07c8296e427 -Merge: 298b1378a 581feb580 -Author: Kevin Parsons -Date: Tue Apr 7 11:54:03 2020 -0700 - - Merge pull request #795 from kevpar/fix-missing-err - - Fix wrapped error missing when failing to add scratch VHD - -commit 581feb5804485a6c96c7bcae9f28e99030f77baa -Author: Kevin Parsons -Date: Tue Apr 7 11:45:18 2020 -0700 - - Fix wrapped error missing when failing to add scratch VHD - - Fixes an issue introduced in 298b1378aa39919c4a103c1e450c95bdace16d05. - - Signed-off-by: Kevin Parsons - -commit 298b1378aa39919c4a103c1e450c95bdace16d05 -Merge: bb7f17505 e3614297a -Author: Kevin Parsons -Date: Tue Apr 7 11:16:43 2020 -0700 - - Merge pull request #793 from kevpar/fix-scsi-layer-mounting - - Fix LCOW SCSI layer mounting - -commit e3614297ab5a97adae982530b1652d7ad515acc2 -Author: Kevin Parsons -Date: Mon Apr 6 21:46:21 2020 -0700 - - Fix LCOW SCSI layer mounting - - Fixes an issue that broke mounting of SCSI layers. Due to changing the - assignment of the return values from `AddSCSILayer` from `:=` to `=`, - the error value became scoped to the inner if block, which caused the - later return statement to pick up the previous error value instead of - the new one. - - This change also improves some error values and adds additional logging. - - Signed-off-by: Kevin Parsons - -commit 91822c7df1cd83951f6789da4f820ec44b9d9cbc -Author: Daniel Canter -Date: Mon Apr 6 13:11:45 2020 -0700 - - Remove opengcs:: prefix from main log statements - - 
Signed-off-by: Daniel Canter - -commit 7a9e7fa7ebba6d0f45db6ca46bbb1ad1610d67b2 -Author: Daniel Canter -Date: Sun Mar 22 23:03:25 2020 -0700 - - Improve low memory detection - - * Remove 50 MB default hard limit on the gcs cgroup. - * Register an eventfd to get notified when the cgroup the gcs is in - goes over 50 MB memory threshold. - * Register for oom notification on the containers cgroup. - - Signed-off-by: Daniel Canter - -commit bb7f1750551ea9ec174decf84554a8b5a34cae91 -Author: Daniel Canter -Date: Mon Mar 2 17:49:45 2020 -0800 - - Refactor how resources are cleaned up - * Changed all resources that were originally just a slice of strings(paths mostly) to be actual structs with the paths as fields. This allows the structs to implement how they are cleaned up/released now. - * Moved the logic of resource cleanup out of ReleaseResources and into the corresponding Release methods of the structs. - * New interface to have all resources implement so they can all be generically closed without worrying about what the resource is. - * Move scsiInfo fields into SCSIMount so we can track the lifetime of a scsi mount from one object instead of two. - * Exported vsmbShare - * Added new resource type AutoManagedVHD - - Signed-off-by: Daniel Canter - -commit 4906aa78d08a8bf4160661211864c8c466d5dde9 -Merge: 24ef46429 cc00831f4 -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Thu Apr 2 14:29:51 2020 -0700 - - Merge pull request #373 from dcantah/logkmsg - - Continuously log /dev/kmsg - -commit cc00831f4cf24350c82fbf54ac85c4c61f79fc80 -Author: Daniel Canter -Date: Tue Mar 17 18:33:26 2020 -0700 - - Continuously log /dev/kmsg - - * Added new internal package kmsg - * Continuously log all /dev/kmsg entries <= the priority level chosen - * Added new flag 'kmsgLogLevel' to be able to set the priority of entries we would - like to have logged (default is 4). - - 
Signed-off-by: Daniel Canter - -commit 8def383c2b18438ba3e4a38567aec1570f40a3d6 -Author: Davanum Srinivas -Date: Sat Mar 28 10:50:01 2020 -0400 - - adjust how we run tests - - - run the schema version test - - Signed-off-by: Davanum Srinivas - -commit eba98948d7ee0e0b214ee6f96e3ac203c5a7af0b -Author: Davanum Srinivas -Date: Sat Mar 28 10:37:18 2020 -0400 - - Add a separate go.mod for test/ directory to avoid dependency creep in root go.mod - - Signed-off-by: Davanum Srinivas - -commit 04ee9e63a4ed5eb78614447c1ead6e7f1482b394 -Merge: fd0797d76 76286f99b -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Fri Mar 27 10:49:16 2020 -0700 - - Merge pull request #780 from microsoft/user/ambarve/fix_multivhd_wcow_bug - - Allow a VHD to be mounted into multiple WCOW containers in the same pod - -commit 76286f99b6e34e4a680fbb34f4849db64ae31df9 (hcsshim/user/ambarve/fix_multivhd_wcow_bug) -Author: Amit Barve -Date: Tue Mar 3 11:57:54 2020 -0800 - - Allow mounting the VHD inside multiple WCOW containers - - In order to mount a VHD to a container first it needs to be mounted - inside the UVM. We generate a unique mount point (inside UVM) for - every such mount that is requested by a container. However, this - breaks when two container try to mount the same VHD because then we - generate two unique paths for the same VHD and try to mount it at two - different locations inside the UVM. This change fixes that issue for - WCOW containers. - -commit fd0797d766b1933ade4b9f6c12c341ddc9c9f95f -Author: Daniel Canter -Date: Wed Mar 4 11:12:41 2020 -0800 - - Test for starting/stopping container and reusing pod - - * The test case covers starting and stopping two containers in the same pod. - - 
Signed-off-by: Daniel Canter - -commit af6d13f3d4335e2ed1687348ae4b854079359345 -Merge: 432e537ac ddc3095db -Author: Danny Canter <36526702+dcantah@users.noreply.github.com> -Date: Wed Mar 11 16:27:24 2020 -0700 - - Merge pull request #783 from dcantah/removek8s - - Remove k8s dependency to circumvent recursive import - -commit ddc3095dba49c60ce9b5b85de18c2f45e57e4bcb -Author: Daniel Canter -Date: Fri Mar 6 17:41:46 2020 -0800 - - Remove k8s dependency to circumvent recursive import - - * https://github.com/kubernetes/kubernetes/issues/87420 - * This is to fix the above issue regarding the recursive dependency of kubernetes importing the shim and the shim importing - kubernetes when all we used it for was the cri package (and the fact it's only used for tests). - * Use k8s.io/cri-api for tests instead of k8s.io/kubernetes/pkg/kubelet/apis/cri - * Bump gogo/protobuf version to 1.3.1 and grpc to 1.23.1 - - 
Signed-off-by: Daniel Canter - -commit 432e537acbeb74fed644b5b34a781b2675cae9ab (adoshim/kevpar/wiki-ncproxy) -Merge: ed6547b67 beac03266 -Author: Kevin Parsons -Date: Thu Mar 5 11:18:58 2020 -0800 - - Merge pull request #778 from microsoft/container-init-fork-test - - Add test case where container init forks then exits - -commit 24ef464298ff1b6a104702a40abb0b3766f1535a -Merge: d5b0dea80 e6dd8c68b -Author: Kevin Parsons -Date: Thu Mar 5 10:05:21 2020 -0800 - - Merge pull request #371 from kevpar/init-fork-exit - - Terminate all other container processes when the init exits - -commit e6dd8c68bab163c32e116624e19cfd7af3bf7d85 -Author: Kevin Parsons -Date: Tue Mar 3 00:43:15 2020 -0800 - - Terminate all other container processes when the init exits - - Previously, if the container init spawned a child process which - inherited its stdio, then exited, gcs would continue waiting until all - child processes terminated. This only occurs when the container does not - have its own pid namespace, as otherwise the kernel terminates all - processes in the namespace automatically. To preserve this semantic even - when the namespace is shared, we now explicitly kill all other container - processes when its init exits. - - 
Signed-off-by: Kevin Parsons - -commit ed6547b672c860886c826ccfa15414ea885420a9 -Merge: b400e4ffe e43bf1ba1 -Author: ambarve <57150885+ambarve@users.noreply.github.com> -Date: Sun Mar 1 22:26:15 2020 -0800 - - Merge pull request #779 from microsoft/user/ambarve/fix_multivhd_lcow_bug - - Fix multiple VHD overlapping mount bug for LCOW - -commit e43bf1ba16f10f6b6092989c50fe7210e356d719 -Author: Amit Barve -Date: Fri Feb 28 14:15:45 2020 -0800 - - Every VHD that is mounted inside a container must be mounted in the UVM first. When different containers - mount the different VHDs, a unique mount path (inside UVM) should be generated for each such VHD. Existing mount - code generates such unique paths but those paths are unique only acorss the container. Hence, two different VHDs - mounted by two different containers will have unique path inside the container but can have the same path inside - the UVM. Due to this the second mount will end up mounting over the existing mount of the first container. - This change fixes the bug to generate such unique mount paths across the UVM instead of just keeping them unique to the - container. This change only handles this bug for LCOW containers, for WCOW this is fixed in a seprate PR. - -commit beac03266c7aca3c915423a5217497c00eadcea8 (hcsshim/container-init-fork-test) -Author: Kevin Parsons -Date: Fri Feb 28 01:58:48 2020 -0800 - - Add test case where container init forks then exits - - This adds a new test in the cri-containerd suite. The test runs an LCOW - container with a command line that causes the init process to fork - a background process (which runs forever) then exit. The test then - ensures that the container status is reported as exited, since the init - process has terminated. - - 
Signed-off-by: Kevin Parsons - -commit d5b0dea80f2800cb35ada72ad62f49da78d0de08 -Merge: dbf8a63ec 1abf9dbf1 -Author: Justin -Date: Wed Feb 26 10:38:49 2020 -0800 - - Merge pull request #370 from jstarks/no_timeout - - gcs: Handle infinite wait timeouts - -commit 1abf9dbf1631500e3eb2a98edfa7bc58ffb14d3e -Author: John Starks -Date: Wed Feb 26 08:34:52 2020 -0800 - - gcs: Handle infinite wait timeouts - - The timeout value passed in the wait message is supposed to treat - 0xffffffff as meaning no timeout (as in the Win32 API - WaitForSingleObject). Without this special handling, process waits - will expire after 49 days. - -commit b400e4ffecccc16f2a916e7e61ac61ffd185a091 -Merge: 501663707 19db0901e -Author: Kathryn Baldauf -Date: Mon Feb 24 22:42:21 2020 -0800 - - Merge pull request #777 from microsoft/mmio_test_fix - - only run MMIO tests on OS builds with schema support - -commit 19db0901e33d0318a9a24ee5250ea8b65abc1d00 (hcsshim/mmio_test_fix) -Author: Kathryn Baldauf -Date: Mon Feb 24 22:00:36 2020 -0800 - - update MMIO annotation tests to only run on OS builds that support the schema - - Signed-off-by: Kathryn Baldauf - -commit 501663707d60afb88ea97870274f8bde93759b7a -Merge: 09292e220 fc41ae544 -Author: Kathryn Baldauf -Date: Mon Feb 24 16:22:31 2020 -0800 - - Merge pull request #775 from microsoft/fix_gpu_scsi_path - - fix scsimount path for gpu vhd addition to allow proper clean up - -commit fc41ae544f18553883726d62909e4e737bbd9040 (hcsshim/fix_gpu_scsi_path) -Author: Kathryn Baldauf -Date: Mon Feb 24 11:50:19 2020 -0800 - - fix scsimount path for gpu vhd addition to allow proper clean up on removal - - * add necessary annotation to previous gpu test for linux boot files - * add additional check that after container has exited, gpu vhd is removed from uvm - - 
Signed-off-by: Kathryn Baldauf - -commit 09292e220f0b45e63308f735ece9bba1fa4b3359 -Merge: d73252d80 74f927441 -Author: Kathryn Baldauf -Date: Mon Feb 24 12:47:05 2020 -0800 - - Merge pull request #774 from microsoft/fix_scsi_ref_count - - always set newly allocated scsi device's ref count to 1 - -commit 74f927441afe5a71d84c90f797d8a23cd979ede7 (hcsshim/fix_scsi_ref_count) -Author: Kathryn Baldauf -Date: Sun Feb 23 23:04:37 2020 -0800 - - always set newly allocated scsi device's ref count to 1 - - * previously in the work to support adding the same scsi device to - multiple containers, ref count was only set to 1 if the device - was a layer. This caused allocated non-layer scsi devices to never - be removed as decrementing the ref count on removal would cause - uint underflow. - - Signed-off-by: Kathryn Baldauf - -commit d73252d80b2080d58119cc7b9009fe82bd353f0e -Merge: 0e20cd814 0cea5a2f9 -Author: Kevin Parsons -Date: Thu Feb 20 12:50:45 2020 -0800 - - Merge pull request #773 from kevpar/multi-container-vhd - - Allow a VHD to be mounted into multiple LCOW containers in the same pod - -commit 0cea5a2f955dc5b1c4a0bb16582b381941745cea -Author: Kevin Parsons -Date: Thu Feb 20 11:07:34 2020 -0800 - - Allow a VHD to be mounted into multiple LCOW containers in the same pod - - This is a re-visiting of the change made by abwah previously in commit - 7f17353012eda1dbd8367135642ec24ebc88bd1d. That work was reverted due to - test failures with WCOW. With this new change, we no longer attempt to - support WCOW (we can look into that later if needed). - - This change also differs from the original in that we now generate the - VHD dynamically at test time, rather than checking in a static VHD file. - - 
Signed-off-by: Kevin Parsons - -commit dbf8a63ec6c340ae13c1d4262c2b5ca75470d4ad -Merge: a7ebf6256 372535f8e -Author: Kathryn Baldauf -Date: Thu Feb 20 11:33:52 2020 -0800 - - Merge pull request #369 from microsoft/gpu_support - - Guest GPU assigned device support - -commit 0e20cd81408a773a3f06c14829a7383d3b2171b8 -Merge: 016605082 aeb12df87 -Author: Kathryn Baldauf -Date: Thu Feb 20 10:39:45 2020 -0800 - - Merge pull request #765 from microsoft/assigned_device_support - - GPU Assigned Device Support - -commit 372535f8ecc91bca9687c46eb561635472e27ae5 -Author: Kathryn Baldauf -Date: Mon Jan 13 12:40:52 2020 -0800 - - add gpu support for lcow - - * use vmbus path for find pci bus location of gpu - * add new pci and vmbus packages - * add new storage utility to wait for files of a given pattern - * add nvidiaPrestartHook command - * setup nvidia-container-cli arguments - * dump nvidia-container-cli debug file on error - * add new modify option for vpci devices - * add tests for new storage packages and utilities - - Signed-off-by: Kathryn Baldauf - -commit aeb12df873c031c32d4b12fa9584b00f0ab16d48 (hcsshim/assigned_device_support) -Author: Justin Terry (VM) -Date: Tue Nov 12 13:49:33 2019 -0800 - - add nvidia gpu support for lcow - - * add ability to assign hyperv pci devices - * hot add gpu vhd when container requests gpu - * add lopt for kernel pci arg - * use configurable path to nvidia gpu vhd - * add tests for additional annotations - * add test for assigning & removing vpci devices - * add e2e test for nvidia gpu scenario - - 
Signed-off-by: Kathryn Baldauf - -commit 016605082a968b26595cb554918bd8d14bd0a98c -Merge: 7aa61c085 0c93d0c25 -Author: Kevin Parsons -Date: Fri Feb 14 13:45:13 2020 -0800 - - Merge pull request #771 from kevpar/revert-multiple-vhds - - Revert "Mount Same SCSI Vhd in multiple containers" - -commit 0c93d0c2555c673d63770949cf233f6009ca379e -Author: Kevin Parsons -Date: Fri Feb 14 13:30:04 2020 -0800 - - Revert "Mount Same SCSI Vhd in multiple containers" - - This reverts commit 7f17353012eda1dbd8367135642ec24ebc88bd1d. - - The new VHD test fails intermittently on WCOW. Reverting for now until - we can fully investigate and fix. - -commit 7aa61c085020f83adfc228f08ebaf3e3cea423fd -Merge: 8ed402d31 b16a30d17 -Author: Justin -Date: Wed Feb 12 10:28:36 2020 -0800 - - Merge pull request #770 from jterry75/resource_paths - - Add all supported UVM resource modification paths - -commit b16a30d17151964419b4bc804cc9c1c5a97d9d23 -Author: Justin Terry (SF) -Date: Tue Feb 11 15:24:44 2020 -0800 - - Add all supported UVM resource modification paths - - 
Signed-off-by: Justin Terry (SF) - -commit 8ed402d318d1ec85524aee62bb8faa33a7e846bb -Merge: 1207ac98d df3fca3fb -Author: Justin -Date: Thu Feb 6 10:08:52 2020 -0800 - - Merge pull request #768 from bhaskardeep/ExposeProxyPolicy - - Expose the Proxy policy types for Endpoint - -commit df3fca3fb4cd8f4475c8d5019ca6719a46f39ce1 -Author: Bhaskardeep Khaund -Date: Wed Feb 5 17:22:56 2020 -0800 - - Expose the Proxy policy types for Endpoint - -commit 1207ac98da64295bd61753c9de3a93580a1f419c -Merge: 2207b7067 a529e65c9 -Author: Justin -Date: Wed Feb 5 10:27:14 2020 -0800 - - Merge pull request #766 from bhaskardeep/AddProxyPolicyToV1 - - V1 Api: Add Proxy Policy type for Endpoints - -commit a529e65c9ad76400f2a32a752e1cc2a208574887 -Author: Bhaskardeep Khaund -Date: Tue Feb 4 10:47:56 2020 -0800 - - V1 Api: Add Proxy Policy type for Endpoints - -commit a7ebf625668c705ff63ef4bc968dbbcf3f2978b0 -Merge: 7794bd147 63d626e3d -Author: Kevin Parsons -Date: Tue Feb 4 14:07:50 2020 -0800 - - Merge pull request #368 from microsoft/rlimit - - init: Set RLIMIT_NOFILE hard limit to 1M - -commit 2207b70678253b4cf6c03e7e4afa69d4790d429e -Merge: 99f064b70 7f1735301 -Author: Kathryn Baldauf -Date: Mon Feb 3 13:40:06 2020 -0800 - - Merge pull request #745 from abwah/vdiskmultcontainers - - Mount Same SCSI Vhd in multiple containers - -commit 7f17353012eda1dbd8367135642ec24ebc88bd1d -Author: Abdul Waheed -Date: Mon Dec 9 18:15:03 2019 -0800 - - Mount Same SCSI Vhd in multiple containers - - Fix broken build - - CR Feedback - - go fmt -s -w - - Move physical disks to global path as well - - Bug - -commit 99f064b70e88824d6653da19160d4ae02fd35a72 -Merge: 1d618e383 076bd2ea2 -Author: Justin -Date: Thu Jan 30 21:46:56 2020 -0800 - - Merge pull request #762 from bhaskardeep/FixSdnUnitTests - - Fix bugs in the UT files for SDN route - -commit 076bd2ea203747aaeecf23ebcb391e623f79888f -Author: Bhaskardeep Khaund -Date: Thu Jan 30 15:30:37 2020 -0800 - - Fix UT files for SDN Route - -commit 
63d626e3d24bbcef4c9afeb76c133a169ffb1ce1 -Author: John Starks -Date: Thu Jan 30 13:21:03 2020 -0800 - - init: Set RLIMIT_NOFILE hard limit to 1M - - Many containers expect an rlimit hard limit greater than the kernel - default of 4096. On Debian systems, the default hard limit is 1M. - In 2018, systemd set the default hard limit to 512K for all processes it - launces. Apparently modern kernel versions can handle large limits - without disadvantage: large limits are efficient, and large fd memory use - is correctly accounted in cgroups. - - Therefore, unconditionally set a large hard limit. Keep the soft - limit small for compatibility (an unprivileged process can update - the soft limit up to the hard limit). - -commit 1d618e3830359550ce41c25beb34c5b30a1a7180 -Merge: 9e8f20c02 105e1bf12 -Author: Justin -Date: Wed Jan 22 17:10:44 2020 -0800 - - Merge pull request #759 from bhaskardeep/AddSdnRoute - - Add sdn route - -commit 105e1bf124504fc719ff9959ea1476f7d226eef7 -Author: Bhaskardeep Khaund -Date: Wed Jan 22 16:52:12 2020 -0800 - - Add shim implementation to support SDN Routes - -commit 9e8f20c0266cb35d63c187e2ad67148da37b81ac -Merge: b807fc313 bbccfb110 -Author: Justin -Date: Fri Jan 17 13:04:23 2020 -0800 - - Merge pull request #651 from jterry75/wclayer_logging - - Improve wclayer context logging - -commit b807fc313b9a18785dee67a6b324a2c533e26667 -Merge: 8081a2ff1 254c9105c -Author: Justin -Date: Fri Jan 17 11:05:50 2020 -0800 - - Merge pull request #756 from jterry75/clean_shim_internal_spans - - Cleanup usage of internal spans in shim - -commit 254c9105c8033730663dc072eb902c19f8dc0cb0 -Author: Justin Terry (VM) -Date: Wed Jan 15 16:25:07 2020 -0800 - - Cleanup usage of internal spans in shim - - We decided long ago that only entry and exit methods should have spans - associated. Since the caller of all context methods will always have a span - removing these child spans makes it significantly easier to see a full log - chain. - - 
Signed-off-by: Justin Terry (VM) - -commit 8081a2ff10918af6e8f52c761e517061f7e68ee8 -Merge: 7e472fd5a 0570fb18b -Author: Kathryn Baldauf -Date: Thu Jan 16 14:56:14 2020 -0800 - - Merge pull request #692 from microsoft/eventstesting - - Add tests that we receive expected events from the shim for pod/container - -commit 0570fb18b6f290af0e54d2659147a2153f1255b9 -Author: Kathryn Baldauf -Date: Tue Sep 10 16:54:57 2019 -0700 - - Add tests that we recieve expected events from the shim - - Signed-off-by: Kathryn Baldauf - -commit bbccfb110ddc6ca56ade233e3bc9c90387418a33 -Author: Justin Terry (VM) -Date: Mon Jul 22 12:24:45 2019 -0700 - - Improve wclayer context logging - - 1. Add span support for all wclayer operations. - 2. Remove excess storage logging since it is all logged at the wclayer - interface now. - - Signed-off-by: Justin Terry (VM) - -commit 7e472fd5a67cf0f337f8857b12e85575d8ca14d3 -Merge: 87af63272 cc01cb9a9 -Author: Justin -Date: Wed Jan 15 17:14:58 2020 -0800 - - Merge pull request #758 from jterry75/copy_file_span - - Add span around CopyFileW win32 call - -commit cc01cb9a97414f88e0f4419e9da378e0518e0e59 -Author: Justin Terry (VM) -Date: Wed Jan 15 16:50:17 2020 -0800 - - Add span around CopyFileW win32 call - - CopyFileW is an external call from the shim and thus should have a span for - tracking reliability and duration. - - Signed-off-by: Justin Terry (VM) - -commit 87af6327261fb0e5f77b061ad8fa0c976f192964 -Merge: cb32db615 476af080c -Author: Justin -Date: Wed Jan 15 16:41:32 2020 -0800 - - Merge pull request #757 from jterry75/use_dial_pipe_context - - Use winio.DialPipeContext for upstream IO - -commit 476af080ccc01672ada00aaa3a9e0051cedc38fc -Author: Justin Terry (VM) -Date: Wed Jan 15 16:30:27 2020 -0800 - - Use winio.DialPipeContext for upstream IO - - In order for the shim to support true cancellation we need to use contextual - pipe dial's when opening in/out/err pipes for container upstream IO. - - 
Signed-off-by: Justin Terry (VM) - -commit cb32db61583c09cbd8f3b3133b5951154bb600c0 -Merge: ec54bf8f6 9f97d9c9c -Author: Justin -Date: Wed Jan 15 16:13:20 2020 -0800 - - Merge pull request #755 from jterry75/trace_context_exec_uvm - - Fix trace context forwarding for UVM exec's - -commit 9f97d9c9ce48b35e24fb605ddf7ff15ae5131bd7 -Author: Justin Terry (VM) -Date: Wed Jan 15 15:49:06 2020 -0800 - - Fix trace context forwarding for UVM exec's - - Signed-off-by: Justin Terry (VM) - -commit ec54bf8f6cb2633af9127e7b0cfa82a3b895fc02 -Merge: 0b571ac85 ef1656169 -Author: Justin -Date: Wed Jan 15 14:59:07 2020 -0800 - - Merge pull request #754 from jterry75/fallback_logging - - Log when we fallback to SCSI for vPMEM LCOW Layers - -commit ef1656169a680d52e6dfa5ad9bad27fb32857c56 -Author: Justin Terry (VM) -Date: Wed Jan 15 14:53:14 2020 -0800 - - Log when we fallback to SCSI for vPMEM LCOW Layers - - Signed-off-by: Justin Terry (VM) - -commit 0b571ac85d7c5842b26d2571de4868634a4c39d7 -Merge: 1f9b057ba 5613e3d98 -Author: Justin -Date: Wed Jan 8 16:06:40 2020 -0800 - - Merge pull request #749 from steffengy/patch-1 - - HCS: Remove not anymore needed CGO dependency - -commit 5613e3d980a4fc78e045c8c78c6aee4f4e3151bb -Author: Steffen Butzer -Date: Tue Jan 7 22:53:47 2020 +0100 - - Remove now unused mingw from appveyor.yml - -commit 1f9b057baceff3d8b78e2ddd768030bb74ffddc4 -Merge: 1364039ae 5a8d86e37 -Author: Justin -Date: Tue Jan 7 11:35:18 2020 -0800 - - Merge pull request #752 from TBBle/fix_crash_in_process_isolated_containers - - Fix shim crash when cleaning up process-isolated containers - -commit 5a8d86e375e3a4ddea652477dc071a0e047deb8a -Author: Paul "TBBle" Hampson -Date: Wed Jan 8 06:23:42 2020 +1100 - - Fix shim crash when cleaning up process-isolated containers - - 
Signed-off-by: Paul "TBBle" Hampson - -commit 1364039ae29b220a1e57e9afc22ebf0c173b3f07 -Merge: e355f1cd6 a2d75b4da -Author: Kathryn Baldauf -Date: Tue Jan 7 10:17:43 2020 -0800 - - Merge pull request #751 from TBBle/patch-1 - - Updated link to Host Compute Service blog post - -commit a2d75b4da8919381a1c3c2b18cfaf09f5a31fdff -Author: Paul "TBBle" Hampson -Date: Wed Jan 8 00:56:21 2020 +1100 - - Updated link to Host Compute Service blog post - - The previous link now redirects to the top of the Virtualization team blog. - -commit 0981fba75cc27b842950636eb469e940b4d3ebe3 -Author: Steffen Butzer -Date: Mon Dec 30 20:50:37 2019 +0100 - - HCS: Remove not anymore needed CGO dependency - - With https://github.com/golang/go/commit/bb0fae603bd19e096e38c3321d95bf114f40dcff this also - works without CGO (>=Go 1.11). - -commit 7794bd147350611897a64a81ccdf4ac5aad5bf0b -Merge: b57744415 7b9296d4a -Author: Justin -Date: Tue Dec 10 15:24:42 2019 -0800 - - Merge pull request #363 from jterry75/owners - - Set default reviewers for PR's - -commit 7b9296d4a1ed4ef472f25605546a6a95ec59eb1f -Author: Justin Terry (VM) -Date: Tue Dec 10 15:23:48 2019 -0800 - - Set default reviewers for PR's - - Signed-off-by: Justin Terry (VM) - -commit e355f1cd68bed1168a87cdd5332e6ca2345f0401 -Merge: 852530648 e4f92b8ca -Author: Justin -Date: Tue Dec 10 15:19:34 2019 -0800 - - Merge pull request #746 from jterry75/owners - - Set default reviewers for PR's - -commit e4f92b8cac4dfaac191fee295d953203fd687dfc -Author: Justin Terry (VM) -Date: Tue Dec 10 15:18:02 2019 -0800 - - Set default reviewers for PR's - - 
Signed-off-by: Justin Terry (VM) - -commit 852530648bb5e5ce402861b52fb72b45c9c20c3b -Merge: f4e291da8 6cc79fbe1 -Author: Justin -Date: Mon Dec 9 09:24:44 2019 -0800 - - Merge pull request #744 from nagiesek/addHcnErrors - - Adds HcnError, and some error codes to use - -commit 6cc79fbe10018d922712eba836660bd6efd8d7cb -Author: Nathan Gieseker -Date: Fri Dec 6 17:19:27 2019 -0800 - - Adds HcnError, and some error codes to use - -commit f4e291da8c52608262710f1622f19539c179c40c -Merge: bd5800270 2fbf00d9a -Author: Justin -Date: Wed Dec 4 14:39:57 2019 -0800 - - Merge pull request #741 from veerun14/proto_defaults_cpu_mem - - Override default processor and memorysize with values from shim options - -commit bd5800270abad8006e7c71ed83beb9cf39966144 -Merge: 0c2a856c8 b1a87aadf -Author: Justin -Date: Wed Dec 4 14:37:07 2019 -0800 - - Merge pull request #742 from jterry75/regression_fix - - Fix regression in LCOW cpuset tests - -commit 2fbf00d9a4677f28cb4fd2e0b075f595556f92b5 -Author: Veeraiah Chowdary Nuvvula -Date: Wed Dec 4 14:20:02 2019 -0800 - - Change to better naming scheme for tests - -commit b1a87aadf186437acb7c0e22612e6e09af2e116d -Author: Justin Terry (VM) -Date: Wed Dec 4 13:39:53 2019 -0800 - - Fix regression in LCOW cpuset tests - - See original commit: 0bc510b4c5259af4f852ff8be7421ced2c8d92a5 - - 
Signed-off-by: Justin Terry (VM) - -commit 0c2a856c85c614d7b526cdf73b1595134c7403d6 -Merge: faaee83ac 6bda4cfb1 -Author: Justin -Date: Wed Dec 4 12:46:26 2019 -0800 - - Merge pull request #740 from benmoss/master - - Fix NetworkNotFoundError and EndpointNotFoundError message strings - -commit 6bab563beee344242141d4b16e54d65d8c055b1d -Author: Veeraiah Chowdary Nuvvula -Date: Wed Dec 4 12:23:33 2019 -0800 - - Override default processor and memorySize with values from runhcsOptions - -commit 6bda4cfb15a831d9fa3ca45283be4c8d28dd6c1d -Author: Ben Moss -Date: Mon Mar 11 15:34:38 2019 -0400 - - Fix NetworkNotFoundError and EndpointNotFoundError message strings - - It looks like it had its logic backwards. Added some test coverage and - tried to make the test failures more helpful as well. - -commit c8e8204a2a507b1c823f9444b65c4286b6784492 -Author: Justin Terry (VM) -Date: Tue Dec 3 13:04:18 2019 -0800 - - Add support for UVM processor and memory override via toml - - Adds support to the options struct for shim creation to override the default - memory size and processor count at the config level rather than per activation - via annotations. - - 
Signed-off-by: Justin Terry (VM) - -commit faaee83ac4fc987a0d6e28c58d201e5ee0f93617 -Merge: bd6bd2b09 5dfb30923 -Author: Justin -Date: Tue Dec 3 10:02:32 2019 -0800 - - Merge pull request #735 from jterry75/limit_max_start - - Remove support for limiting max parallel starts - -commit bd6bd2b09bd4dbec6198c74ee1af6ebc2bfb45b5 -Merge: 5f244acdd e87b24576 -Author: Kathryn Baldauf -Date: Mon Dec 2 12:45:43 2019 -0800 - - Merge pull request #734 from microsoft/delete_container_state - - add ability to call opengcs delete container state - -commit b57744415e916cdda199418ff8058691660c6d0f -Merge: 6bf813c4b 8e258af15 -Author: Kathryn Baldauf -Date: Mon Dec 2 12:39:41 2019 -0800 - - Merge pull request #360 from microsoft/delete_container_state - - add new delete container state bridge call - -commit 6bf813c4bab9138d2ae7a9dad24aee7d68db1c75 -Merge: bc080b5d4 19af99ede -Author: Justin -Date: Tue Nov 26 14:31:45 2019 -0800 - - Merge pull request #362 from kevpar/increase-gcs-mem-limit - - Increase GCS memory limit to 50MB - -commit 19af99edebf2618143e1323675714c6ae219d04a -Author: Kevin Parsons -Date: Tue Nov 26 14:15:33 2019 -0800 - - Increase GCS memory limit to 50MB - - We are currently seeing cases where we hit the GCS 10MB memory limit, - especially when invoking runc. This change increases the limit to give - some additional breathing room. - - At a later point, we will make another change to revamp the GCS limits - more drastically, as we probably just want to monitor the GCS usage, - rather than limiting it. - - 
Signed-off-by: Kevin Parsons - -commit 5f244acddde81b579e80e475b5e5afe59a0c2cdc -Merge: bcedae6b5 b3f49c06f -Author: Kevin Parsons -Date: Fri Nov 15 10:26:30 2019 -0800 - - Merge pull request #737 from kevpar/fix-legacy-stdio - - Fix race condition in legacy process stdio code - -commit b3f49c06ffaeef24d09c6c08ec8ec8425a0303e2 (tag: v0.8.7) -Author: Kevin Parsons -Date: Thu Nov 14 10:46:01 2019 -0800 - - Fix race condition in legacy process stdio code - - HcsCreateProcess returns a set of stdio handles for the newly created - process. A while ago, we used to cache these handles and return them - the first time stdio handles were requested for the process, and then - get new handles via HcsGetProcessInfo for each subsequent request. At - some point, this code was cleaned up to instead always return the - original set of handles as non-closable (for new callers) and always get - new handles via HcsGetProcessInfo (for legacy callers, who required - closable handles). - - However, this change introduced a race condition for legacy callers, - where in the case of a short lived container process, the container - could have terminated between when it was started and when the - orchestrator requested stdio handles. This led to ERROR_NOT_FOUND - being returned from HcsGetProcessInfo. - - This change addresses this by returning the original handles the first - time stdio handles are requested, and then calling HcsGetProcessInfo for - every subsequent request (just as it used to work a while ago). - - 
Signed-off-by: Kevin Parsons - -commit bcedae6b5ebc18e581392fb735c466eaf0e30664 -Merge: 32862ca34 9d18e86f9 -Author: Kathryn Baldauf -Date: Tue Nov 12 16:57:54 2019 -0800 - - Merge pull request #736 from microsoft/golang1.13.4 - - update to golang 1.13.4 - -commit bc080b5d461a08f2c0cf95ce4a66406799965ba9 -Merge: 15d8e38fe 34c95b0f9 -Author: Kathryn Baldauf -Date: Tue Nov 12 16:52:30 2019 -0800 - - Merge pull request #361 from microsoft/golang1.13.4 - - update to golang 1.13.4 - -commit 34c95b0f98799c1c970e812149e657315ad9de59 -Author: Kathryn Baldauf -Date: Tue Nov 12 15:33:24 2019 -0800 - - update to golang 1.13.4 - - Signed-off-by: Kathryn Baldauf - -commit 9d18e86f91a5521e04a668a7a7a7671255f2fd9a -Author: Kathryn Baldauf -Date: Tue Nov 12 15:34:55 2019 -0800 - - update to golang 1.13.4 - - Signed-off-by: Kathryn Baldauf - -commit 5dfb309236923a6cae1439c7fda3e0e9696211a6 -Author: Justin Terry (VM) -Date: Mon Nov 11 11:32:24 2019 -0800 - - Remove support for limiting max parallel starts - - 1. Docker already supports limiting max parallel starts at its level and we - no longer need support for limiting this at our level through an environment - variable. - - Signed-off-by: Justin Terry (VM) - -commit e87b245765f10b464bd0321be15d285a9208f6e6 -Author: Kathryn Baldauf -Date: Fri Nov 8 15:05:49 2019 -0800 - - add ability to call opengcs delete container state - - Signed-off-by: Kathryn Baldauf - -commit 8e258af158b7169d7147efdf5cb76cd288bf4833 -Author: Kathryn Baldauf -Date: Fri Nov 8 14:27:36 2019 -0800 - - add new delete container state bridge call - * add delete container state capability for opengcs - * delete container state bridge call calls runc delete for container - * delete container state bridge call unmounts user mounts on sandbox - mounts - * add new function to unmount all paths under a given path - * add tests for new unmount function - - 
Signed-off-by: Kathryn Baldauf - -commit 32862ca3495e8a6925d167ec163b43563cb75971 -Merge: 1b27b03e4 2274977a4 -Author: Justin -Date: Fri Nov 8 12:49:03 2019 -0800 - - Merge pull request #732 from jterry75/pod_id_correlation - - Add 'pod-id' correlation to all shim entry RPC's - -commit 1b27b03e429f360daf6bbe8710e92115b94d6ddc -Merge: 1e9909969 63e87042a -Author: Justin -Date: Fri Nov 8 08:25:18 2019 -0800 - - Merge pull request #733 from lowenna/typo - - Typo: 'Sever' --> 'Server' - -commit 63e87042a55512d36a192fca37dabef2153814c5 -Author: John Howard -Date: Fri Nov 8 07:03:55 2019 -0800 - - Typo: 'Sever' --> 'Server' - - Signed-off-by: John Howard - -commit 15d8e38fe5a180c4015120b4bf34c618bde01d1e -Merge: 675a6c4e4 15fb66d27 -Author: Justin -Date: Thu Nov 7 16:18:02 2019 -0800 - - Merge pull request #359 from jterry75/lcow_v1_readme - - Formally deprecate LCOW v1 - -commit 15fb66d27e4c793b375b8314ae6f849a49f00898 -Author: Justin Terry (VM) -Date: Thu Nov 7 10:39:19 2019 -0800 - - Formally deprecate LCOW v1 - - Signed-off-by: Justin Terry (VM) - -commit 675a6c4e443ef66eb2a92898ad79716a230114fb -Merge: 05314b091 5bf3e8146 -Author: Justin -Date: Thu Nov 7 10:14:23 2019 -0800 - - Merge pull request #358 from jterry75/run_external_v2 - - Remove v2 dependency on v1 for host processes - -commit 5bf3e814649c9a1506fdc8617517d9b10edbce14 -Author: Justin Terry (VM) -Date: Wed Nov 6 12:57:51 2019 -0800 - - Remove v2 dependency on v1 for host processes - - When activating host processes (ie: processes in the uvm namespace) the - v2 code still used the old v1 execution. This change removes that - dependency in preparation on removing v1 entirely. - - 
Signed-off-by: Justin Terry (VM) - -commit 1e9909969aed4731e9d28995381d55fdc443ce5d -Merge: b3f977fd1 b342a0ead -Author: Kathryn Baldauf -Date: Wed Nov 6 16:12:14 2019 -0800 - - Merge pull request #731 from microsoft/move_container_files - - move container files to be backed by writeable storage - -commit b342a0eadce8dcb93faa6befc906ea8360019b79 -Author: Kathryn Baldauf -Date: Tue Nov 5 12:25:35 2019 -0800 - - move container files to be backed by writeable storage - * move layer files to /run/layers - * move container specific files to /run/gcs/c/ - - Signed-off-by: Kathryn Baldauf - -commit b3f977fd1ecba769cab117934029880fe2cbd312 -Merge: d9dd88b42 d1bab04b8 -Author: Justin -Date: Wed Nov 6 13:13:02 2019 -0800 - - Merge pull request #727 from veerun14/fix-19h1-tests - - fix 19h1 tests - -commit d1bab04b8b537fc102f79668668f808f50f7d0b2 -Author: Veeraiah Chowdary Nuvvula -Date: Wed Nov 6 13:09:26 2019 -0800 - - Restricted downlevel container test to run on host builds >= 19H1 - -commit 05314b091d457955adc160d4980de962bf384d4a -Merge: 9ae39472d 57a1d0af8 -Author: Kathryn Baldauf -Date: Wed Nov 6 12:45:30 2019 -0800 - - Merge pull request #357 from microsoft/move_container_files - - move container files under /run writeable storaage - -commit 57a1d0af8b41253a2fecc0b8b50c6efa88d5f069 -Author: Kathryn Baldauf -Date: Tue Nov 5 15:03:31 2019 -0800 - - move container files under /run writeable storaage - - Signed-off-by: Kathryn Baldauf - -commit 2274977a4b4df68b7939435e7407433d8a845c5b -Author: Justin Terry (VM) -Date: Wed Nov 6 08:56:47 2019 -0800 - - Add 'pod-id' correlation to all shim entry RPC's - - To improve the ability to understand what is when the shim is managing a pod we - now include the 'pod-id' on the entry span as well as the existing 'task id' - and 'exec id'. - - 
Signed-off-by: Justin Terry (VM) - -commit adadfdc0d6f1e989302c30407f783347a025cb47 -Author: Veeraiah Chowdary Nuvvula -Date: Fri Oct 25 09:17:58 2019 -0700 - - Fixed functional tests for 19h1 - parent d9dd88b422ca6cbea0444772f4894614635b1553 - author Veeraiah Chowdary Nuvvula 1572020278 -0700 - committer Veeraiah Chowdary Nuvvula 1572978271 -0800 - - parent d9dd88b422ca6cbea0444772f4894614635b1553 - author Veeraiah Chowdary Nuvvula 1572020278 -0700 - committer Veeraiah Chowdary Nuvvula 1572978153 -0800 - - fix 19h1 tests - - performed a go fmt for one of the files - - updated windows images based on PR comments - - performed a go fmt for one of the files - - performed a go fmt for one of the files - - updated windows images based on PR comments - - using switch instead of if/else - -commit d9dd88b422ca6cbea0444772f4894614635b1553 -Merge: 65519b622 c5f869264 -Author: Justin -Date: Mon Nov 4 15:24:13 2019 -0800 - - Merge pull request #730 from elweb9858/distributiontype - - Adding session affinity support through loadbalancer distribution type - -commit c5f86926405619899930c2cbf17da41c89b8601a -Author: elweb9858 -Date: Mon Oct 28 10:33:23 2019 -0700 - - Added distribution type option to loadbalancer - -commit 9ae39472daef1ab85068e276bf88b12c1445d773 -Merge: f4d93b53d 212cece39 -Author: Kathryn Baldauf -Date: Mon Nov 4 13:07:43 2019 -0800 - - Merge pull request #355 from microsoft/runc_log_read - - add ability to read runc log for errors in runc commands - -commit f4d93b53dc57f86dd1ba771613bf7a5e26857567 -Merge: 53acb41fd 2a2ea96ee -Author: Justin -Date: Mon Nov 4 11:32:53 2019 -0800 - - Merge pull request #356 from jterry75/fix_scsi_devicelen - - Fix issue causing SCSI hot add to find no matching device - -commit 2a2ea96ee2c1b2abf2c7624ffdd759caa6fbfe15 -Author: Justin Terry (VM) -Date: Fri Nov 1 15:50:17 2019 -0700 - - Fix issue causing SCSI hot add to find no matching device - - It appears there is a timing issue in the current code that checks for the - SCSI 
device to be added. We were waiting for the /block folder to show up but - then immediately read the device entries. There is some amount of time that it - can take for that to show up as well. So this change now waits for both the - /block and /block/sd* entry under the same context timeout. - - Signed-off-by: Justin Terry (VM) - -commit 212cece39875e60cb03944c978fc4b6e5e330afb -Author: Kathryn Baldauf -Date: Tue Oct 29 13:26:07 2019 -0700 - - add ability to read runc log for errors in runc commands - - Signed-off-by: Kathryn Baldauf - -commit 65519b62243cf523857241e80fe4debef765e434 -Merge: 3cb5e370c 1341b1fb1 -Author: Justin -Date: Fri Nov 1 10:31:18 2019 -0700 - - Merge pull request #729 from jterry75/uvm_combine_layers - - Remove external references to uvm.Modify - -commit 1341b1fb1adc769e252065a09cf0c1083631a7d5 -Author: Justin Terry (VM) -Date: Fri Oct 25 10:53:16 2019 -0700 - - Remove external references to uvm.Modify - - 1. Cleanup hcsoci package to use new CombineLayers*COW method rather than - call uvm.Modify itself. - 2. Remove unused hcsoci tests. - 3. Simplify hcsoci.MountContainerLayers and UnmountContainerLayers logic. - - Signed-off-by: Justin Terry (VM) - -commit 3cb5e370cf5905d7601ee2e8f08175a074ddb47e -Merge: c558106bb 9a999e597 -Author: Justin -Date: Fri Oct 25 09:15:59 2019 -0700 - - Merge pull request #726 from jterry75/simplify_hcsoci_mountlayers_cleanup - - Simplify hcsoci.MountContainerLayers cleanup logic - -commit 9a999e59714a3d5e9e147cafff4abcd7165c9dc3 -Author: Justin Terry (VM) -Date: Thu Oct 24 11:57:18 2019 -0700 - - Simplify hcsoci.MountContainerLayers cleanup logic - - 1. Simplifies the hcsoci.MountContainerLayers logic on failure to use defer - statements to avoid duplicate code. - 2. Modified the uvm.AddSCSILayer to return the uvmpath since all callers - assumed its location. - 3. Modified the uvm.AddPMEM to stop returning device number since all callers - ignored its response. - - 
Signed-off-by: Justin Terry (VM) - -commit c558106bb75c3da0a45485b0872541946bb7fc67 -Merge: 6c7177eae 2fb0ff4ab -Author: Justin -Date: Thu Oct 24 10:44:31 2019 -0700 - - Merge pull request #725 from jterry75/fix_layers - - Fix a race condition in vPMEM layer addition fallback - -commit 2fb0ff4abf8211614da44c1251647d2b76ac4e6e -Author: Justin Terry (VM) -Date: Wed Oct 23 16:06:50 2019 -0700 - - Fix a race condition in vPMEM layer addition fallback - - 1. Fixes a race condition between when the check for vPMEM layer space and the - actual addition takes place for parallel creates/removals. - 2. Simplifies the fallback logic for LCOW when adding layers first to vPMEM and - if there is no space or the file is too large based on max vpmem layer size - settings falls back to SCSI. - 3. Fixes a bug in vPMEM allocation where the refcount add/remove was updated by - value rather than by reference causing it to fail to deallocate the attachment. - - Signed-off-by: Justin Terry (VM) - -commit 6c7177eae8be632af2e15e44b62d69ab18389ddb -Merge: 86b946e54 997572ce7 -Author: Justin -Date: Wed Oct 23 11:28:39 2019 -0700 - - Merge pull request #723 from JocelynBerrendonner/master - - Adding Slash32EndpointPrefixes and AclSupportForProtocol252 feature detection logic - -commit 86b946e5465ae90e7665850ebc1002f027e6b7a6 -Merge: d2849cbdb 0bc510b4c -Author: Justin -Date: Wed Oct 23 10:56:16 2019 -0700 - - Merge pull request #724 from jterry75/fix_test_regression - - Fix issue in LCOW test with CPU set limit - -commit 0bc510b4c5259af4f852ff8be7421ced2c8d92a5 -Author: Justin Terry (VM) -Date: Wed Oct 23 10:50:28 2019 -0700 - - Fix issue in LCOW test with CPU set limit - - Now that we properly honor the CPU set limits the test starting failing because - it uses an invalid set of processors for a default 2 vCPU UVM. - - 
Signed-off-by: Justin Terry (VM) - -commit 997572ce7a67abae8d43cdda199e7a09ccb1486e -Author: JocelynBerrendonner -Date: Tue Oct 22 15:46:23 2019 -0700 - - Adding Slash32EndpointPrefixes and AclSupportForProtocol252 feature detection logic - -commit d2849cbdb9dfe5f513292a9610ca2eb734cdd1e7 -Merge: 725d456df d2042e6c9 -Author: Justin -Date: Mon Oct 21 10:02:33 2019 -0700 - - Merge pull request #718 from jstarks/workaround_expandlayer - - wclayer: Work around Windows bug when expanding sandbox size - -commit 725d456df1b17f7306aa15a7b21a00967106b290 -Merge: e3ec4b139 a04eb60e6 -Author: Justin -Date: Fri Oct 18 14:01:30 2019 -0700 - - Merge pull request #722 from jterry75/ignore_pty_failure - - Ignore ResizePty failure in non-running state - -commit a04eb60e677b5389e843fbd8aa2dfd916c6de998 -Author: Justin Terry (VM) -Date: Fri Oct 18 12:17:52 2019 -0700 - - Ignore ResizePty failure in non-running state - - Signed-off-by: Justin Terry (VM) - -commit 53acb41fd91441fa3d772b1f51e725c8a617d042 -Merge: 0aebdc405 368522955 -Author: Justin -Date: Fri Oct 18 11:22:34 2019 -0700 - - Merge pull request #353 from dariopb/rule_fix - - Correctly setting the table rule to include only packets from the interface. - -commit e3ec4b139e6f75dd465bb60c268a0021a11cb227 -Merge: a3e8dfa71 fd7da3d94 -Author: Kathryn Baldauf -Date: Fri Oct 18 10:55:12 2019 -0700 - - Merge pull request #719 from katiewasnothere/finish_container_stats - - Container Stats for LCOW/WCOW - -commit 0aebdc4058ae5b8999bb76e7140b99eede9bb954 -Merge: ed49d576f 58ef35edc -Author: Kathryn Baldauf -Date: Fri Oct 18 10:50:24 2019 -0700 - - Merge pull request #352 from microsoft/container_stats - - update getPropertiesV2 with ability to get container stats for LCOW - -commit fd7da3d9461ef7a1772f2f7da101a9d44a24ccb7 -Author: Justin Terry (VM) -Date: Wed Oct 9 11:14:06 2019 -0700 - - finish container stats work - * update hcs api with correct field types - * refactor stats retrieval - * add tests for container stats - - 
Signed-off-by: Kathryn Baldauf - -commit 368522955614bc20356e21a30766f0abc8c30e5c -Author: Dario Bazan -Date: Fri Oct 18 10:41:04 2019 -0700 - - Correctly setting the table rule to include only packets from the interface - -commit a3e8dfa71c634a5bdcdd5e3804949a78f680d8ff -Merge: 2a08d6fcd 01cc3c6ed -Author: Justin -Date: Fri Oct 18 09:37:24 2019 -0700 - - Merge pull request #720 from jterry75/runtime_id - - Log runtime id GUID as string - -commit 2a08d6fcd23883573a39ba32ab7ed2b197a9a9eb -Merge: 4635e5098 63c947070 -Author: Justin -Date: Fri Oct 18 07:14:44 2019 -0700 - - Merge pull request #717 from nagiesek/addDestinations - - Adds Destinations to OutboundNat policies - -commit 01cc3c6edd2b06c6a6c9cb184b43e0a88f4a2d4f -Author: Justin Terry (VM) -Date: Thu Oct 17 16:09:32 2019 -0700 - - Log runtime id GUID as string - - Signed-off-by: Justin Terry (VM) - -commit 63c94707059e7a7ded91b00447869471d32f2d50 -Author: Nathan Gieseker -Date: Thu Oct 17 15:06:12 2019 -0700 - - Adds Destinations to OutboundNat policies - -commit ed49d576fe343f768f7c1be84f7da44df5eb89a4 -Merge: c79cd34fe 08a7e6d3b -Author: Justin -Date: Thu Oct 17 12:10:16 2019 -0700 - - Merge pull request #351 from jterry75/fix_panic_in_relay - - Fix nil dereference race in Pipe/TtyRelay Wait - -commit 08a7e6d3b5b96c0bbc20936c933d8b6b8faf668b -Author: Justin Terry (VM) -Date: Thu Oct 17 11:38:09 2019 -0700 - - Fix nil dereference race in Pipe/TtyRelay Wait - - The process for creating a V2 container is separated into a few different - steps. First a CreateContainer is called which creates the actual runc - container process with a standard pipe relay but no upstream IO. Next the HCS - sends an ExecProcess call passing in the upstream IO to relay to. If that call - fails, when the HCS calls Kill on the container the relay wait code would panic - because the upstream IO had never been assigned. - - 
Signed-off-by: Justin Terry (VM) - -commit d2042e6c90c526638eb5ef665eeed7a7199ed4d9 -Author: John Starks -Date: Thu Oct 17 09:52:06 2019 -0700 - - wclayer: Work around Windows bug when expanding sandbox size - - This change works around a bug in Windows where a sandbox VHDX that has - been resized cannot be successfully mounted. This is due to a failure in - the path that resizes the NTFS volume inside the VHDX during the sandbox - mount process. To work around this, manually expand the volume in the - wclayer package just after making the call to expand the VHDX. - - This change hurts the performance of the resize operation on affected - Windows hosts (19H1 and prerelease versions of Vb) and should be - reverted once the Windows bug has been fixed and is widely deployed. - -commit 58ef35edcb98eac07c221ae4d83374b162b8bf8e -Author: Kathryn Baldauf -Date: Fri Oct 11 15:53:21 2019 -0700 - - update getPropertiesV2 with ability to get container stats for LCOW - - 
Signed-off-by: Kathryn Baldauf - -commit 4635e50987a9514eaa2f53984a584f3f5de41818 -Merge: c49a72008 8320476f2 -Author: Justin -Date: Wed Oct 16 09:40:27 2019 -0700 - - Merge pull request #714 from erfrimod/erfrimod/hcn-adding-to-endpoint - - HNS Adding SharedContainers to HostComputeEndpoint - -commit 8320476f2a39958621b044288b5f703be54c5b46 -Author: Erik Frimodig -Date: Mon Oct 14 17:08:53 2019 -0700 - - Removing proxytype from policy - -commit c49a720085d4252c2cedfa251683210403aef74b -Merge: 61f1b4b16 78fcdceae -Author: Kevin Parsons -Date: Mon Oct 14 11:00:37 2019 -0700 - - Merge pull request #713 from kevpar/wcow-pipes - - Support forwarding named pipes to WCOW hypervisor container - -commit 78fcdceae3ccad9532d5f03a369a060093b748da -Author: Kevin Parsons -Date: Sun Oct 13 23:29:07 2019 -0700 - - Support forwarding named pipes to WCOW hypervisor container - - Adds support for forwarding a named pipe from the host into a WCOW - hypervisor container (forwarding to a process container appears to - already have been supported). To forward a pipe into a hypervisor - container, the pipe must first be mapped into the UVM via the - MappedPipes resource type. The MappedPipes resource actually just sets - up a VSMB share for the pipes, so in the future we could choose to - manage this concept directly as a VSMB share rather than via the - MappedPipes resource. - - Signed-off-by: Kevin Parsons - -commit 61f1b4b16f766e32cc7984f9c16969c62c4bda55 -Merge: 01067183a dde739972 -Author: Justin -Date: Thu Oct 10 19:30:40 2019 -0700 - - Merge pull request #712 from jterry75/clear_cgroup_lcow - - Clear Linux.CgroupsPath in LCOW activation - -commit dde73997246ebf5906fa3502129e697756e55677 -Author: Justin Terry (VM) -Date: Thu Oct 10 15:56:45 2019 -0700 - - Clear Linux.CgroupsPath in LCOW activation - - The GCS itself sets the cgroup parent based on its internal layout. Disallow - users to set this themselves. - - 
Signed-off-by: Justin Terry (VM) - -commit c79cd34fecb56869d0699aa80110ee1aecf4e0af -Merge: f2cb33a1f 01d040a33 -Author: Justin -Date: Thu Oct 10 13:49:53 2019 -0700 - - Merge pull request #350 from jterry75/parent_cgroup - - Create Containers and GCS cgroups on GCS startup - -commit 01d040a33add42aa2e0904d4b1f32d8f668cfc7b -Author: Justin Terry (VM) -Date: Thu Oct 10 10:46:29 2019 -0700 - - Create Containers and GCS cgroups on GCS startup - - Setup the UVM cgroups to protect against a workload taking all available - memory and causing the GCS to malfunction we create two cgroups: gcs, - containers. - - The containers cgroup is limited only by {Totalram - 75 MB (reservation)}. - - The gcs cgroup is limited to 10 MB to prevent unknown memory leaks over time - from affecting workload memory. - - 
Signed-off-by: Justin Terry (VM) - -commit 01067183ac4a73f427917c39e352a82bb877cefe -Merge: c81bb6b07 50949ce32 -Author: Justin -Date: Tue Oct 8 12:04:53 2019 -0700 - - Merge pull request #705 from erfrimod/erfrimod/hns-proxy-updates - - Updating HCN LoadBalancer and Proxy code. - -commit c81bb6b077cbf137262fa84e13bb25786e1421ac -Merge: 0b6a23aa5 586f4f953 -Author: Justin -Date: Mon Oct 7 15:22:09 2019 -0700 - - Merge pull request #709 from jterry75/update_shutdown_timeout - - Shorten Shutdown and Terminate timeout to 30 seconds - -commit f2cb33a1ffe827d278631bd97625a0130547fe00 -Merge: 6c7630fc0 3b6b46c1e -Author: Justin -Date: Mon Oct 7 15:21:49 2019 -0700 - - Merge pull request #348 from jterry75/stop_waiting_for_exec_exit - - Do not wait for outstanding execs on container exit - -commit 6c7630fc0c48fcf199d14aec748a77ee412499cb -Merge: ee915ce26 2df21164d -Author: Justin -Date: Mon Oct 7 12:37:50 2019 -0700 - - Merge pull request #349 from microsoft/mount_propagation - - Support mount propagation for sandbox mounts - -commit 0b6a23aa5e067cc1cf419d28e6089f075fd76650 -Merge: cf76d8132 2ff40af2c -Author: Justin -Date: Mon Oct 7 12:37:18 2019 -0700 - - Merge pull request #711 from microsoft/cold_discard_hints_annotation - - Pass through cold discard hint annotation to hcs - -commit 2df21164dca6835a6d8b425cab5d1eb2004c8d49 -Author: Kathryn Baldauf -Date: Fri Oct 4 15:11:45 2019 -0700 - - Support mount propagation for sandbox mounts - * This change creates a new dedicated directory path in the uvm for all - sandbox mounts at /tmp/gcs/cri//sandboxMounts. - * The above path will be marked as rshared - * OpenGCS now expects sandbox mounts to be given with a source prefix - of 'sandbox://' - * OpenGCS will also create any files or directories in the resulting - source sandbox mount path. - - 
Signed-off-by: Kathryn Baldauf - -commit 2ff40af2c6e4608c08140abb43d0fe14c8261f04 -Author: Kathryn Baldauf -Date: Thu Sep 26 14:46:31 2019 -0700 - - Pass through cold discard hint annotation to hcs - - Signed-off-by: Kathryn Baldauf - -commit cf76d8132ece001f18046aefdfd51599d1a9069d -Merge: d0766c752 9e97ddc96 -Author: Kathryn Baldauf -Date: Mon Oct 7 10:11:58 2019 -0700 - - Merge pull request #710 from microsoft/mount_propagation - - Do not remove sandbox prefix for sandbox mount before passing to opengcs - -commit d0766c75207682356a1babb7686510b43e8909c5 -Merge: 04f60b98e 5d1beef3c -Author: Kevin Parsons -Date: Fri Oct 4 15:57:06 2019 -0700 - - Merge pull request #707 from kevpar/wcow-single-file-map - - Support WCOW single-file mounts - -commit 9e97ddc96e72d1a259a74baff1c62604f19fe84b -Author: Kathryn Baldauf -Date: Fri Oct 4 15:08:38 2019 -0700 - - Do not remove sandbox prefix for sandbox mount before passing to opengcs - - Signed-off-by: Kathryn Baldauf - -commit 586f4f953489b594bcbb316e0d721b2f34d7f061 -Author: Justin Terry (VM) -Date: Fri Oct 4 15:02:59 2019 -0700 - - Shorten Shutdown and Terminate timeout to 30 seconds - - 1. When issuing a Shutdown/Terminate over external bridge shorten the timeout - window to 30 seconds to protect against a misbehaving guest. - 2. When waiting for a Shutdown to complete and the container to exit shorten - the timeout to 30 seconds to protect against a misbehaving guest. - - Signed-off-by: Justin Terry (VM) - -commit 3b6b46c1edbe5abbc4b5c7cb8f9601da963da305 -Author: Justin Terry (VM) -Date: Fri Oct 4 10:24:41 2019 -0700 - - Do not wait for outstanding execs on container exit - - 1. The expectation of containerd is that when a process exits the exit - notification is sent. But it is also possible in the api to signal a container - exit without using all=true thus outstanding execs may be running when the exit - should fire. This enables the caller to receive the notification and then - handle the shutdown properly. - - 
Signed-off-by: Justin Terry (VM) - -commit 5d1beef3c4194408b5af824985d5ba1d70118952 -Author: Kevin Parsons -Date: Wed Oct 2 15:08:36 2019 -0700 - - Support WCOW single-file mounts - - We currently support a temporary fix here to allow WCOW single-file - mounts to function. VSMB does not support directly mapping a single file - into a UVM, but rather supports an `AllowedFileList` along with options - `RestrictFileAccess` and `SingleFileMapping`, which are together used to - ensure that the share only presents a subset of the actual present - files. We map the file into the UVM using this approach, and then use - bindflt in the UVM to present the file in the share at the desired - location in the container file system. - - However, naively implementing this introduces some problems. Notably, - the VSMB share map tracks shares by the host path, leading to problems - if you try to map an additional single file from the same directory, or - map a directory as both a set of single files, as well as in another - location as the entire directory. - - To fully resolve this issue, we require broader changes to how resources - are managed in hcsshim. But for now we introduce a temporary fix. We now - separately track VSMB shares that present an unrestricted directory, and - those that allow only specific file access. When the VSMB functions - receive a host path, they take the appropriate action based on if that - path points to a file (map its directory as a share restricted to only - the desired files), or if it points to a directory (map the directory - without restriction). - - 
Signed-off-by: Kevin Parsons - -commit ee915ce269cf10789d7870352e188298d1bd877b -Merge: 8cadd9c85 b2d9d4bfa -Author: Justin -Date: Wed Oct 2 13:03:32 2019 -0700 - - Merge pull request #347 from microsoft/plan9_mount_perf - - Add sock options and set payload size for plan 9 mounts - -commit b2d9d4bfafb972aa24dc989eecc468c769833e0f -Author: Kathryn Baldauf -Date: Wed Sep 25 17:11:39 2019 -0700 - - Add sock options and explicitly set payload size for plan 9 mounts - - Signed-off-by: Kathryn Baldauf - -commit 04f60b98e7cbdab8aa2703e54a8ecb19f813ef1d -Merge: 82c7525d9 efbf2f7e0 -Author: Justin -Date: Mon Sep 30 14:05:41 2019 -0700 - - Merge pull request #706 from jterry75/force_terminate - - Force terminate UVM if any container ignores SIGKILL - -commit 8cadd9c853d28c9c7c245856d3e473bc23f6b55d -Merge: cd6add313 9581e44c6 -Author: Justin -Date: Fri Sep 27 15:14:25 2019 -0700 - - Merge pull request #346 from jterry75/update_cd_1_3_0 - - Update to containerd 1.3.0 vendor - -commit 9581e44c66d155d00cb60238d50e1d65fb645a6a -Author: Justin Terry (VM) -Date: Fri Sep 27 13:58:29 2019 -0700 - - Update to containerd 1.3.0 vendor - - Signed-off-by: Justin Terry (VM) - -commit efbf2f7e0e5ced6e70ff207c157664a1ae95735b -Author: Justin Terry (VM) -Date: Fri Sep 27 10:31:02 2019 -0700 - - Force terminate UVM if any container ignores SIGKILL - - If any hypervisor container running in a UVM ignores the SIGKILL for longer - than 30 seconds forcibly terminate the UVM. This is a mitigation against a - misbehaving guest that could potentially cause stop failures if it doesn't - respond with the proper exit. - - 
Signed-off-by: Justin Terry (VM) - -commit 50949ce32706ea6019cd27b71d778dcf79a1fefe -Author: Erik Frimodig -Date: Thu Sep 26 14:23:35 2019 -0700 - - Updating LoadBalancer tests to create SDNNetworks so LBPolicy will work. Updating Proxy Policy with latest Schema changes. - -commit 82c7525d98c8990d0ceb533322bc9c72fbddaf70 -Merge: 7a7dcfb26 d64e060d0 -Author: Kevin Parsons -Date: Thu Sep 26 11:10:21 2019 -0700 - - Merge pull request #704 from kevpar/stats-fixes - - Reliability and logging improvements to UVM stats - -commit d64e060d0493fa015a68f2842caaa0d6ac6ea857 -Author: Kevin Parsons -Date: Thu Sep 26 10:45:19 2019 -0700 - - Reliability and logging improvements to UVM stats - - This change does several things to make querying UVM stats more robust: - - Regardless of the error encountered when checking a process to see if - it is the correct vmmem instance, log the error and skip to the next - process. Previously we only skipped if the error was - ERROR_ACCESS_DENIED. One case this will handle better now is if the - process has exited by the time we try to open it, we will now continue - looking at the other processes. - - The error returned by the vmmem lookup is now saved and returned every - time we retrieve the saved vmmem process. This will make it easier to - understand what the original error was even if we only have logs from - the Nth time querying for stats. - - Added additional logging during vmmem lookup: - - Every time we fail to check a process - - Every vmmem process right before we check its user identity. - - 
Signed-off-by: Kevin Parsons - -commit 7a7dcfb26c32e84ad16430c0fa9e8581500e7092 -Merge: 9a7a24526 fc97d61af -Author: Kevin Parsons -Date: Wed Sep 25 14:48:50 2019 -0700 - - Merge pull request #703 from Random-Liu/update-ttrpc - - Update ttrpc to fix status check error. - -commit 9a7a24526c32826098d0349db3886bcb709dd5f7 -Merge: 10079297f 0b41bc250 -Author: Justin -Date: Wed Sep 25 10:02:35 2019 -0700 - - Merge pull request #702 from Random-Liu/fix-live-restore-for-shim-log - - Fix live restore for shim log. - -commit fc97d61af2b59fb38f6670cd86dd6201e0de5a6d -Author: Lantao Liu -Date: Tue Sep 24 22:25:35 2019 -0700 - - Update ttrpc to fix status check error. - - Signed-off-by: Lantao Liu - -commit 0b41bc2500cf068e066d5ce5f991fa0ce6d8a387 -Author: Lantao Liu -Date: Tue Sep 24 21:13:49 2019 -0700 - - Fix live restore for shim log. - - Signed-off-by: Lantao Liu - -commit 10079297f84d15d34549527f2290c1148ce450b3 -Merge: 3f5164479 bd326c948 -Author: Justin -Date: Tue Sep 24 15:35:42 2019 -0700 - - Merge pull request #701 from jterry75/hostname_tests - - Add cri-containerd hostname tests - -commit bd326c948763b5c9ccb0338153a158c916ed5ce6 -Author: Justin Terry (VM) -Date: Tue Sep 24 10:55:20 2019 -0700 - - Add cri-containerd hostname tests - - 1. Adds a hostname test for a workload container in each of: - runhcs-wcow-process, runhcs-wcow-hypervisor, runhcs-lcow runtimes. - - Signed-off-by: Justin Terry (VM) - -commit 3f5164479a9fb775c51d0959bb2be04bbdb49ad9 -Merge: db47838f9 274c77292 -Author: Justin -Date: Fri Sep 20 07:11:53 2019 -0700 - - Merge pull request #699 from jterry75/fix_test_defer_order - - Fix test bug in defer order - -commit 274c772921dba94aaccb500e7ccb165ca52173c3 -Author: Justin Terry (VM) -Date: Fri Sep 20 07:10:56 2019 -0700 - - Fix test bug in defer order - - 
Signed-off-by: Justin Terry (VM) - -commit db47838f9af74df1a17c2da9dacdc922d6a2f697 -Merge: 079e6c8fa d3d1ef23a -Author: Justin -Date: Fri Sep 20 07:07:19 2019 -0700 - - Merge pull request #698 from kevpar/uvm-metrics - - Add tests for UVM stats - -commit d3d1ef23ac2142deb73684ee35573f0a7f8bdf34 -Author: Kevin Parsons -Date: Thu Sep 19 12:35:51 2019 -0700 - - Add tests for UVM stats - - Signed-off-by: Kevin Parsons - -commit 079e6c8fa2c3b641844e7f217d58a5a57b3a6440 -Merge: 72930876e 1e4afe9fd -Author: Justin -Date: Thu Sep 19 05:38:31 2019 -0700 - - Merge pull request #697 from kevpar/uvm-metrics - - LCOW UVM metrics support - -commit 1e4afe9fdf8f3210e7631d1f21ae3c40d5ad87ae -Author: Kevin Parsons -Date: Wed Sep 18 21:08:53 2019 -0700 - - LCOW UVM metrics support - - This change adds the ability to query an LCOW UVM for metrics. The - currently supported metrics are CPU usage in nanoseconds, and working - set size in bytes. Because containerd does not understand the concept of - a UVM, we return a Statistics protobuf that has both a section for - container stats, as well as a section for UVM stats. When the task that - owns the UVM is queried for stats, it will fill out the VM section. In - the future when container stats are supported as well, the container - stats section will also be filled out. - - Signed-off-by: Kevin Parsons - -commit 72930876e40877e275cc4b87479a325040e27f77 -Merge: bd9b25532 2150d49d8 -Author: Justin -Date: Wed Sep 18 14:18:41 2019 -0700 - - Merge pull request #694 from jterry75/fix_exec - - Fix an issue where un-exited exec's can stop container kill - -commit 2150d49d82f7700491c9c1ddf27c28d9fec67df0 -Author: Justin Terry (VM) -Date: Wed Sep 18 12:41:21 2019 -0700 - - Add Stop tests with Timeout and running Exec - - 1. Cleans up and extracts some common test methods for reuse. - 2. Adds StopContainer test for LCOW with a Timeout. - 3. Adds StopContainer test for LCOW with a running Exec. - - 
Signed-off-by: Justin Terry (VM) - -commit 74797621272dcdb86962d7b6b29d3b9ed2cf902a -Author: Justin Terry (VM) -Date: Mon Sep 16 15:53:00 2019 -0700 - - Fix an issue where un-exited exec's can stop container kill - - 1. When issuing a Kill we know log any error from outstanding execs but do not - stop iterating to all other execs. We finally always send that signal to the - init exec. - 2. We no longer verify that when sending a signal to the init exec that all - other execs are in the exited state. This was allowing a non-exited exec to - prevent the container from stopping. - 3. When issuing a delete on the init exec we now forcibly exit all outstanding - execs. - - Signed-off-by: Justin Terry (VM) - -commit bd9b2553245043e79a1037b13afb0091d970a93d -Merge: e6890e6c3 cc1fcb6d9 -Author: Kathryn Baldauf -Date: Mon Sep 16 11:10:05 2019 -0700 - - Merge pull request #693 from microsoft/vpmemfix - - add lock around check for uvm vpmem limits exceeding - -commit cd6add313b0a6211971015545b17aed1f936be17 -Merge: 5cfb937d0 3c0a9adb4 -Author: Justin -Date: Mon Sep 16 11:03:44 2019 -0700 - - Merge pull request #345 from microsoft/fix_344 - - Fix bug in json.Unmarshal on OpenCensus TraceState entries - -commit 3c0a9adb4d76e21fceb606c45947a5821a84ff0a -Author: Justin Terry (VM) -Date: Mon Sep 16 10:49:54 2019 -0700 - - Fix bug in json.Unmarshal on OpenCensus TraceState entries - - Fixes: 344 - - Signed-off-by: Justin Terry (VM) - -commit cc1fcb6d9dcf36f47fc2f50abb9b53da5f71e68a -Author: Kathryn Baldauf -Date: Mon Sep 16 09:59:26 2019 -0700 - - add lock around check for uvm vpmem limits exceeding - - 
Signed-off-by: Kathryn Baldauf - -commit e6890e6c30ebf9ce517c96ca1b6ba8ebb2a4d2cc -Merge: 559a1cf5a 639e9861a -Author: Kathryn Baldauf -Date: Mon Sep 9 13:46:26 2019 -0700 - - Merge pull request #691 from microsoft/vpmem - - Add check for number of vpmem devices on uvm - -commit 639e9861a941facad960ba23ce47eba4b43242b2 -Author: Kathryn Baldauf -Date: Fri Sep 6 15:40:48 2019 -0700 - - Add check for number of vpmem devices on uvm - - Signed-off-by: Kathryn Baldauf - -commit 5cfb937d00bd4e0aec6a5adafdb07c0c8bba2378 -Merge: 7ab470012 33a702547 -Author: Kevin Parsons -Date: Fri Sep 6 16:28:44 2019 -0700 - - Merge pull request #342 from jstarks/entropy_fix - - init: Close entropy-related fds - -commit 559a1cf5a26cfd2b1c467c446ad83b91745c4a06 -Merge: 26ed62201 cec87f358 -Author: Kevin Parsons -Date: Fri Sep 6 16:19:33 2019 -0700 - - Merge pull request #690 from kevpar/fix-runas-test - - Fix LCOW run-as-user test to use own PID namespace - -commit cec87f3581d471650819c744c17e2ba1916d442d -Author: Kevin Parsons -Date: Fri Sep 6 16:06:01 2019 -0700 - - Fix LCOW run-as-user test to use own PID namespace - - Previously execcontainer_test.go was marked with a failing_tests build - tag which caused it to not actually be built. At some point after we - added support for run-as-user to LCOW, the build tag was removed. - However, it appears the test actually didn't work. The CRI default is to - put all containers in the same pod PID namespace, but the test assumed - the workload container's init would be PID 1 (PID 1 was actually the - sandbox container's init). - - To fix this, we now specify the container PID namespace mode for the - workload container, so that it won't share a namespace with other - containers. - - 
Signed-off-by: Kevin Parsons - -commit 33a702547f6dba2e6970653c83dcd087eaadd35d -Author: John Starks -Date: Fri Sep 6 15:48:44 2019 -0700 - - init: Close entropy-related fds - -commit 26ed62201ba21ec4815bacc0ab09406dbcbf45c0 -Merge: c088f411a ca6711998 -Author: Kevin Parsons -Date: Thu Sep 5 12:26:06 2019 -0700 - - Merge pull request #688 from jstarks/entropy - - uvm: Send entropy to Linux UVMs during boot - -commit c088f411aaf3585d8dffc9deb4289ffa32854497 -Merge: 84b0c364e 472381b52 -Author: Kevin Parsons -Date: Thu Sep 5 10:21:10 2019 -0700 - - Merge pull request #689 from kevpar/fix-event-namespace - - Explicitly set namespace when publishing an event - -commit ca6711998dafdac392699e0f50b155fe926ea5eb -Author: John Starks -Date: Wed Sep 4 09:33:29 2019 -0700 - - uvm: Send entropy to Linux UVMs during boot - - This change updates the Linux UVM boot sequence to open a vsock - connection to send entropy data to seed the kernel RNG. This is - necessary so that early uses of the kernel RNG reliably get - unpredictable data. - - This depends on the corresponding change to init in the opengcs repo. - -commit 472381b52744432c9564886ed2ab776955ae0d1b -Author: Kevin Parsons -Date: Wed Sep 4 21:53:41 2019 -0700 - - Explicitly set namespace when publishing an event - - This fixes a regression introduced when we switched to TTRPC for - publishing events to containerd. Previously we explicitly passed the - namespace for each event as a command line parameter to containerd.exe, - which was invoked to publish the event. Now that TTRPC is used, the - context passed to Publish is expected to include the namespace as a - stored value. - - 
Signed-off-by: Kevin Parsons - -commit 7ab4700121e4158a0156061b15c5392c17f16020 -Merge: 53f496fcd 39c13e68f -Author: Kevin Parsons -Date: Wed Sep 4 15:56:13 2019 -0700 - - Merge pull request #341 from microsoft/fix-randomh - - init: Add workaround for musl-gcc missing linux/random.h - -commit 39c13e68f4e3583f0dbd702e2fe0c7cb37772501 -Author: Kevin Parsons -Date: Wed Sep 4 15:50:55 2019 -0700 - - init: Add workaround for musl-gcc missing linux/random.h - - 
Signed-off-by: Kevin Parsons - -commit 53f496fcd11e56ccdb7bfd6260579fc62c37004f -Merge: 26b56e5b2 a33866838 -Author: Justin -Date: Wed Sep 4 14:05:20 2019 -0700 - - Merge pull request #339 from jstarks/entropy - - init: Add option to initialize entropy from vsock - -commit 26b56e5b253c19d01f554475b9b8681ea6c95867 -Merge: 5838adbdd 49026a11d -Author: Justin -Date: Wed Sep 4 14:04:47 2019 -0700 - - Merge pull request #340 from jstarks/pmem_error - - gcs: Improve error message on pmem mount failure - -commit 49026a11db901ea42331aa533e2995cfb5f51e58 -Author: John Starks -Date: Wed Sep 4 13:24:44 2019 -0700 - - gcs: Improve error message on pmem mount failure - -commit a33866838cc21875c1423e3ee5945c84c566f094 -Author: John Starks -Date: Wed Sep 4 08:17:47 2019 -0700 - - init: Add option to initialize entropy from vsock - - This change adds a command line option, -e, that specifies a vsock port - to read initial RNG entropy. init reads all data written to the - connection by the host, adds this data to the kernel RNG, and increments - the available entropy count. The host is trusted to write - cryptographically random data to this port. - - Without this, the available entropy at LCOW boot is very low, and data - read from /dev/urandom is likely to be highly predicable. - -commit 84b0c364e1e3bb91e43b85bf20d72e7948666817 -Merge: e458edf24 8aaa5037e -Author: Justin -Date: Wed Sep 4 07:17:38 2019 -0700 - - Merge pull request #685 from jterry75/abwah_carry - - Enable container mounts to refer to host path on the UVM - -commit 8aaa5037edf71d347d1f8299995b43ea184efe35 -Author: Abdul Waheed -Date: Fri Aug 30 17:31:11 2019 -0700 - - Enable container mounts to refer to host path on the UVM - - Signed-off-by: Abdul Waheed - 
Signed-off-by: Justin Terry (VM) - -commit e458edf240e8702dcf0a1718d76cdb3fed906d28 -Merge: 1354cb2e8 df8f88fef -Author: Justin -Date: Fri Aug 30 15:18:43 2019 -0700 - - Merge pull request #684 from abwah/customscratchtests - - Add Tests for create containers with custom size scratch vhd - -commit df8f88feffb2b3149d998040fb8b5d677cce7c74 -Author: Abdul Waheed -Date: Fri Aug 30 14:48:13 2019 -0700 - - CR Feedback - -commit 3616f7ca0c72ae0847bdcddb20c630ab0e0a8d7f -Author: Abdul Waheed -Date: Fri Aug 30 12:37:52 2019 -0700 - - Add Tests for create containers with custom size scratch vhd - -commit 1354cb2e878d37d2f5c11595634290ea9e2600a1 -Merge: c5aeac863 f2dbb0cdf -Author: Justin -Date: Thu Aug 29 12:49:16 2019 -0700 - - Merge pull request #682 from Random-Liu/hcn-namespace-error - - Namespace not found error. - -commit f2dbb0cdfd46a786f979e355c38df75daf97ce92 -Author: Lantao Liu -Date: Wed Aug 28 17:46:04 2019 -0700 - - Namespace not found error. - - Signed-off-by: Lantao Liu - -commit c5aeac86373c6b87df28c73209881df06133c631 -Merge: e14161022 9f2d4ade2 -Author: Kathryn Baldauf -Date: Wed Aug 28 12:58:52 2019 -0700 - - Merge pull request #681 from microsoft/katiewasnothere/ttrpcevents - - Use ttrpc for event publishing to containerd - -commit 9f2d4ade26609ae12b13f021e85737a55b71a87f -Author: Kathryn Baldauf -Date: Mon Aug 19 11:25:16 2019 -0700 - - Use ttrpc for event publishing to containerd - - 
Signed-off-by: Kathryn Baldauf - -commit 5838adbddd1b1486531e879096b2c4512682e6ee -Merge: e08da9b89 a978dc15a -Author: Justin -Date: Mon Aug 26 12:36:36 2019 -0700 - - Merge pull request #336 from dariopb/two_interfaces - - Adding support for 2 ethernet interfaces (ingress/egress on secondary interface) - -commit a978dc15a599b6c69df81dd180d1bc20bddf2e9b -Author: Dario Bazan -Date: Sun Aug 25 22:24:53 2019 -0700 - - Adding support for 2 ethernet interfaces (ingress/egress on secondary - interface) - -commit e141610227250972242dbeb8e9bb8f1bef304045 -Merge: d64a16fba 36ef098e6 -Author: Justin -Date: Mon Aug 26 10:46:44 2019 -0700 - - Merge pull request #679 from microsoft/update-ttrpc - - Revendor containerd/ttrpc - -commit 36ef098e617784e169af705e48fae8e6daa37fd4 -Author: Kevin Parsons -Date: Mon Aug 26 10:13:19 2019 -0700 - - Revendor containerd/ttrpc - - This is just to bring in the fix to TTRPC service names as seen by - interceptors. - - Signed-off-by: Kevin Parsons - -commit d64a16fba14c833a539fcff9a2eabc3191d5db30 -Merge: 7e6c52e1c 34ec02362 -Author: Kevin Parsons -Date: Sat Aug 24 21:58:20 2019 -0700 - - Merge pull request #678 from microsoft/octtrpc - - Support forwarding OpenCensus spans over TTRPC for shim task service - -commit 34ec02362051a8c7a265bc9cf34d0d13a68ec4d8 -Author: Kevin Parsons -Date: Sat Aug 24 12:10:30 2019 -0700 - - Use octtrpc interceptor for shim task service - - Signed-off-by: Kevin Parsons - -commit 3379c1f22cf3f98e06824834e41ae2a8f5853457 -Author: Kevin Parsons -Date: Sat Aug 24 12:09:55 2019 -0700 - - Add octtrpc package - - Signed-off-by: Kevin Parsons - -commit 41e170c49e55e09017849a26465cd04042c4265d -Author: Kevin Parsons -Date: Sat Aug 24 12:09:03 2019 -0700 - - Update containerd/ttrpc - - 
Signed-off-by: Kevin Parsons - -commit 7e6c52e1cc1c375b6a307d8a9a414bfe7b5d9d12 -Merge: 0f4e8c34d 040b1ec72 -Author: Justin -Date: Sat Aug 24 09:02:33 2019 -0700 - - Merge pull request #677 from jterry75/enable_stacks_for_standalone_lcow - - Include context identifiers on DumpStacks requests - -commit 040b1ec72ca9f3ce786ed4e5af180b3e67b5c52e -Author: Justin Terry (VM) -Date: Fri Aug 23 11:26:17 2019 -0700 - - Include context identifiers on DumpStacks requests - - 1. Adds context to the dump stack trace so that it can be correlated. - 2. Adds support for guet DumpStacks on standalone LCOW/WCOW as well. - 3. Limits the guest timeout from 5 minutes to 5 seconds for a guest stack trace. - - Signed-off-by: Justin Terry (VM) - -commit 0f4e8c34dad9446c2f5ec837bce5bdfd54b6623d -Merge: a03d139f7 33f1ffa7f -Author: Justin -Date: Thu Aug 22 19:42:17 2019 -0700 - - Merge pull request #676 from jterry75/fix_9pfs_test - - Only enable single-file 9pfs test on 19H1+ - -commit 33f1ffa7fcb6f558f3bd69ab13ead773e1df08f2 -Author: Justin Terry (VM) -Date: Thu Aug 22 19:36:20 2019 -0700 - - Only enable single-file 9pfs test on 19H1+ - - 
Signed-off-by: Justin Terry (VM) - -commit e08da9b89a07f056555eb339318afb3a9cb66abd -Merge: 2b2cc6bba 8641aef54 -Author: Justin -Date: Thu Aug 22 16:18:44 2019 -0700 - - Merge pull request #334 from jterry75/update_golang - - Update to golang 1.12.9 - -commit a03d139f7c688c2b0b475f0ffb6d9be2f86bca46 -Merge: 08c4feeed 7840cafba -Author: Justin -Date: Thu Aug 22 16:16:14 2019 -0700 - - Merge pull request #669 from jterry75/cleanup_uvm_logs - - Cleanup excess or duplicate internal/uvm package logs - -commit 08c4feeedeb061e52f68d0c40aa6001e2bc1e507 -Merge: 52e7c177c 01465311e -Author: Justin -Date: Thu Aug 22 16:15:55 2019 -0700 - - Merge pull request #667 from jterry75/update_appveyor - - Update AppVeyor to golang 1.12.9 - -commit 52e7c177caf0601927b5a84a30b1d01876e7b8bf -Merge: c2ea5d025 2dc2a7dee -Author: Justin -Date: Thu Aug 22 15:57:52 2019 -0700 - - Merge pull request #672 from jterry75/automanage_vhd - - Add support for automanage-virtual-disk targets - -commit 2dc2a7dee3aa61f5ce58867f11ff4109245f0653 -Author: Justin Terry (VM) -Date: Tue Aug 20 15:57:50 2019 -0700 - - Add support for automanage-virtual-disk targets - - Signed-off-by: Justin Terry (VM) - -commit 8641aef549b0693c3d445253eb43ad719e76a48e -Author: Justin Terry (VM) -Date: Wed Aug 14 09:25:27 2019 -0700 - - Update to golang 1.12.9 - - Signed-off-by: Justin Terry (VM) - -commit 7840cafba45c29fa2a09eac7368e26d0d27e3590 -Author: Justin Terry (VM) -Date: Thu Aug 1 12:26:38 2019 -0700 - - Cleanup excess or duplicate internal/uvm package logs - - Almost all logs at this level are duplicate as they translate to a message that - is sent to either the gcs or hcs package which logs all RPC messages already. - - Signed-off-by: Justin Terry (VM) - -commit 01465311e75f4a2f3c0bd5dbf4d36a4d49780cd7 -Author: Justin Terry (VM) -Date: Wed Aug 14 09:21:27 2019 -0700 - - Update AppVeyor to golang 1.12.9 - - 
Signed-off-by: Justin Terry (VM) - -commit c2ea5d0256e63409bf3d6b1e131a4001bd22ca59 -Merge: 9e921883a 27b8d9834 -Author: Justin -Date: Wed Aug 21 12:47:58 2019 -0700 - - Merge pull request #673 from sprt/compartmentid - - Use the right field name in L4ProxyPolicySetting - -commit 27b8d9834a17f9cd64b4b75c90a5c227ff6e8133 -Author: Aurélien Bombo -Date: Tue Aug 20 17:36:25 2019 -0700 - - Use the right field name in L4ProxyPolicySetting - - WFP expects the field "CompartmentID", not "NetworkCompartmentID". - Passing the wrong field causes it to be silently ignored, but the proxy - would be misconfigured. - -commit 9e921883ac929bbe515b39793ece99ce3a9d7706 -Merge: ff1cc0be6 421312b7c -Author: Justin -Date: Tue Aug 20 13:37:02 2019 -0700 - - Merge pull request #671 from microsoft/katiewasnothere/plan9hostpath - - Change parsing of hostpath string for plan9 file mounting - -commit 421312b7cbb27d9ff0d80fbb1db83766f4b43bb4 -Author: Kathryn Baldauf -Date: Mon Aug 19 15:53:18 2019 -0700 - - Change parsing of hostpath string to work on windows - - Signed-off-by: Kathryn Baldauf - -commit 2b2cc6bba61ba979acd7156a8bab8a2006ea11cb -Merge: 84850a659 73b7ba6cc -Author: Kathryn Baldauf -Date: Fri Aug 16 12:33:31 2019 -0700 - - Merge pull request #335 from microsoft/katiewasnothere/dumpstacks - - Add ability to dump stacks in OpenGCS - -commit ff1cc0be6aa069ea838264de1e671b8b463eeef1 -Merge: f3a709278 c4c3be440 -Author: Kathryn Baldauf -Date: Fri Aug 16 12:33:25 2019 -0700 - - Merge pull request #668 from microsoft/katiewasnothere/dumpstacks - - Call gcs dump stacks on etw callback - -commit c4c3be440b2be039f7a5950a6b5ad5cae11ff4b1 -Author: Kathryn Baldauf -Date: Wed Aug 14 13:39:27 2019 -0700 - - Add call to opengcs bridge to get guest stacks - - Signed-off-by: Kathryn Baldauf - -commit 73b7ba6cc7c6ba06d8f0a52d96eacd34e848e4ee -Author: Kathryn Baldauf -Date: Wed Aug 14 13:14:26 2019 -0700 - - Add bridge command to retrieve stacks - - 
Signed-off-by: Kathryn Baldauf - -commit f3a709278302553a13f3076369160103d274276c -Merge: e38a39c07 9d912f335 -Author: Justin -Date: Thu Aug 15 16:46:07 2019 -0700 - - Merge pull request #670 from jterry75/tmp_vhd_mount - - Support LCOW /tmp backed by temporary vhdx - -commit 9d912f335652f21e5d763268e45ff9de9f842a38 -Author: Justin Terry (VM) -Date: Thu Aug 15 09:54:06 2019 -0700 - - Support LCOW /tmp backed by temporary vhdx - - This is a temporary workaround for adding a writable section mapped to /tmp - backed by a vhdx on the host without requiring the orchestrator to create and - managed the vhd. Long term this should be removed. - - Signed-off-by: Justin Terry (VM) - -commit e38a39c0716c28df758f4a8afadc76ec5ceaa165 -Merge: c8c5bd49a ad79e4599 -Author: Justin -Date: Fri Aug 9 11:37:51 2019 -0700 - - Merge pull request #666 from jterry75/fix_cri-tests - - Fix VM processor.limit in tests - -commit ad79e4599b24ff55445c6ae817efc86d7f098b6f -Author: Justin Terry (VM) -Date: Thu Aug 8 23:58:59 2019 -0700 - - Fix VM processor.limit in tests - - The setting for VM processor limit is out of 100,000 not 10,000 so previously - only 9% CPU limit was being applied for the entire UVM. - - Signed-off-by: Justin Terry (VM) - -commit c8c5bd49a8b963219e493bb1eab37a81a1bef520 -Merge: 3b852ccdc 2ab18974e -Author: Justin -Date: Wed Aug 7 16:13:28 2019 -0700 - - Merge pull request #665 from jterry75/revendor_go-winio - - Update Microsoft/go-winio v0.4.14 - -commit 3b852ccdcea5dbd2427adf7d00d4194a2b4128c8 -Merge: 8694eade7 f837c1b86 -Author: Justin -Date: Wed Aug 7 15:37:13 2019 -0700 - - Merge pull request #664 from jterry75/vmcompute_pkg - - Introduce the vmcompute package - -commit 2ab18974ee30e628cf9f4da5b73820450183a811 -Author: Justin Terry (VM) -Date: Tue Aug 6 13:49:58 2019 -0700 - - Update Microsoft/go-winio v0.4.14 - - 
Signed-off-by: Justin Terry (VM) - -commit f837c1b86aa9b003c791db67faea7df695e5856a -Author: Justin Terry (VM) -Date: Thu Aug 1 15:04:04 2019 -0700 - - Introduce the vmcompute package - - 1. Seperates the internal/hcs from internal/vmcompute packages. This is because - the HCS has multiple entry API's now and the internal/hcs package can handle - them all. - 2. Improves the entry/exit logging of the vmcompute syscall interface request, - response json. - - Signed-off-by: Justin Terry (VM) - -commit 8694eade7dd3d05d90042682459d4f1d0ab83e62 -Merge: 56febed20 0e84e4129 -Author: Justin -Date: Wed Jul 31 20:52:47 2019 -0700 - - Merge pull request #663 from jterry75/hcs_span_support - - Cleanup internal/hcs logging with Span support - -commit 84850a65901a17ae2424c4eb8f73c59998fd915c -Merge: f21f430f4 ed3f68b94 -Author: Justin -Date: Wed Jul 31 20:51:09 2019 -0700 - - Merge pull request #331 from jterry75/cleanup_spans - - Cleanup duplicate spans and add context - -commit f21f430f448c18a894a0533ae1e5dfc1b9924ecb -Merge: 9d1842e1f 0ad60cee2 -Author: Justin -Date: Wed Jul 31 15:51:57 2019 -0700 - - Merge pull request #332 from jterry75/network_wait_context - - Use context wait patterns - -commit 0ad60cee292b2372b350713b715fdba75c79bd39 -Author: Justin Terry (VM) -Date: Tue Jul 30 23:20:47 2019 -0700 - - Use context wait patterns - - Signed-off-by: Justin Terry (VM) - -commit ed3f68b945b621efda883e899c81818541046b94 -Author: Justin Terry (VM) -Date: Tue Jul 30 17:31:17 2019 -0700 - - Cleanup duplicate spans and add context - - 
Signed-off-by: Justin Terry (VM) - -commit 9d1842e1f9be9acdfc19830501e0d868eafb2308 -Merge: 4062fc9ce e6ee10bca -Author: Justin -Date: Wed Jul 31 15:29:25 2019 -0700 - - Merge pull request #333 from jterry75/seperate_uvm_modify - - Break apart hcsv2.Host ModifySettings methods - -commit e6ee10bca38736be3a15d291e3954cbc16fe5ad8 -Author: Justin Terry (VM) -Date: Wed Jul 31 11:23:49 2019 -0700 - - Break apart hcsv2.Host ModifySettings methods - - Seperates all hvsv2.Host ModifySettings calls into seperate functions to make - growth easier when adding new entries. - - Signed-off-by: Justin Terry (VM) - -commit 4062fc9cedc5164b14c601d39130902c5287a392 -Merge: 9c65c894f b4d5ba02f -Author: Justin -Date: Tue Jul 30 16:36:33 2019 -0700 - - Merge pull request #330 from jterry75/parent_ctx - - Accept OpenCensus SpanContext on requests - -commit 56febed2020589f593236b238f8b9eb6684f6aca -Merge: 7eb1fb6ac 830f5f630 -Author: Justin -Date: Tue Jul 30 16:36:12 2019 -0700 - - Merge pull request #662 from jterry75/gcs_span_support - - Add external bridge OpenCensus span support - -commit 0e84e4129e0e7b7098f339647041d7d1a23d1940 -Author: Justin Terry (VM) -Date: Tue Jul 30 16:03:15 2019 -0700 - - Cleanup internal/hcs logging with Span support - - Signed-off-by: Justin Terry (VM) - -commit 830f5f630d562f37e955511d328b1826570e8f2a -Author: Justin Terry (VM) -Date: Mon Jul 29 12:58:22 2019 -0700 - - Add external bridge OpenCensus span support - - Signed-off-by: Justin Terry (VM) - -commit 7eb1fb6ac2daeb5a44c8b5952533c0c56b79d780 -Merge: 0291ac21d 38e85eca2 -Author: Justin -Date: Tue Jul 30 15:35:38 2019 -0700 - - Merge pull request #660 from sprt/master - - Add tests for the L4 proxy policy - -commit b4d5ba02fdb331ef8365d36ec25bdf5115c2e858 -Author: Justin Terry (VM) -Date: Tue Jul 30 13:38:45 2019 -0700 - - Accept OpenCensus SpanContext on requests - - 
Signed-off-by: Justin Terry (VM) - -commit 38e85eca2085ebe770b73744ac32a42446f8cf89 -Author: Aurélien Bombo -Date: Mon Jul 29 12:46:08 2019 -0700 - - Remove the ID field from L4ProxyPolicySetting - -commit 0291ac21db715cc43d6068dc18f78b7abed6ab9d -Merge: 45c1c5fb9 013514e7f -Author: Kevin Parsons -Date: Mon Jul 29 11:23:35 2019 -0700 - - Merge pull request #661 from microsoft/shim-opts-2 - - Add support for different log output modes - -commit 013514e7f7a86eba1bded1dc32633f002f2e227a -Author: Kevin Parsons -Date: Thu Jul 25 18:07:45 2019 -0700 - - Add support for different log output modes - - Log output modes determine where logging output is sent from the serve - shim: - - - NPIPE, the default, causes log output to be sent over the log pipe - that containerd provides. - - FILE, is unsupported and causes the shim to panic. - - ETW, causes log output to be sent only to ETW via the Logrus hook. - - Log output mode can be set via the DebugType enumeration on the shim - options struct. - - Signed-off-by: Kevin Parsons - -commit 9c65c894f5dc49d69455af130fd549e48e81c196 -Merge: 9dbdb559c 6cb62de84 -Author: Justin -Date: Fri Jul 26 11:14:04 2019 -0700 - - Merge pull request #329 from jterry75/signal_init_all - - Send SignalProcess to initpid to all pids in ns - -commit 6cb62de84bccebdae6d1876e59216b2f2d319fe8 -Author: Justin Terry (VM) -Date: Thu Jul 25 07:45:43 2019 -0700 - - Send SignalProcess to initpid to all pids in ns - - 
Signed-off-by: Justin Terry (VM) - -commit daa7b2bf6194c7c72d11230bfc9de7c57f379d7a -Author: Aurélien Bombo -Date: Thu Jul 25 18:22:04 2019 -0700 - - Delete the TestUpdateL4ProxyPolicyOnEndpoint test - - One test is enough to prove that the shim is able to program HNS, we'll - test edge cases in HNS directly. - -commit 45c1c5fb95bb3d8fbfd45b9aa397bda5f137de49 -Merge: d3edaf5e6 40ed75e2e -Author: Justin -Date: Thu Jul 25 10:37:40 2019 -0700 - - Merge pull request #657 from JocelynBerrendonner/vm - - Fixing an issue with NAT network type and omitempty using the V2 schema - -commit 40ed75e2e4ee4a0efd16f03f6a58e335f43c963b -Author: JocelynBerrendonner -Date: Tue Jul 23 19:05:08 2019 -0700 - - Fixed a regression in formatting - -commit d9324b8f5cf4bb04162ff22969748c7bc416a73b -Author: JocelynBerrendonner -Date: Fri Jul 12 13:15:03 2019 -0700 - - Fixing an issue with NAT network type and omitempty using the V2 schema - -commit 68d8003dcf45dcf54e5d6e62646c3b26d0decb8c -Author: Aurélien Bombo -Date: Wed Jul 24 16:22:20 2019 -0700 - - Add tests for the L4 proxy policy - - This tests that HNS doesn't spit back errors in case we send either an - Add or Create request to it for a detached endpoint. - - In addition, I added some fields to the L4ProxyPolicySetting struct to - support the WFP proxy. I also added the ability to specify the request - type when calling HostComputeEndpoint.ApplyPolicy(). - -commit d3edaf5e605e418ff37b1dd12c13481507506c2d -Merge: 87b250933 0f5002a11 -Author: Kevin Parsons -Date: Wed Jul 24 15:43:16 2019 -0700 - - Merge pull request #659 from microsoft/shim-opts - - Receive shim options via stdin - -commit 0f5002a11e92163dcfb6fd1ed65d2288de12e6a5 -Author: Kevin Parsons -Date: Wed Jul 24 13:52:32 2019 -0700 - - Receive shim options via stdin - - containerd has an option struct for our shim which contains both - shim-wide options (e.g. logging level) and task specific options (e.g. - sandbox image to use). 
Previously containerd only passed these options - in as part of the task creation call, but recently also added support - to pass them in directly to the shim via a protobuf message in stdin. - - Now that containerd supports passing the options directly to the shim, - we can use that as the source for shim-wide options, instead of doing - that only when a task is created. This will also make it easier to add - more shim-wide options in the future, as their affect can be applied - immediately on shim start. - - Signed-off-by: Kevin Parsons - -commit 87b2509333c514bbc643a8195ee3a2ee84898f0f -Merge: ae5748b26 e5b723643 -Author: Justin -Date: Tue Jul 23 08:18:14 2019 -0700 - - Merge pull request #655 from jterry75/more_context - - Forward Span context to all methods. - -commit ae5748b260f99b2332c5cb6fbaa4ef31ec91d3f1 -Merge: 0e75f08c2 d1aa4fb8c -Author: Justin -Date: Tue Jul 23 08:11:59 2019 -0700 - - Merge pull request #656 from jterry75/filter_shutdown - - Filter OperationPending logs SystemShutdown - -commit d1aa4fb8ccfbaf08e5fe5166a7fe16936d2ca171 -Author: Justin Terry (VM) -Date: Tue Jul 23 07:58:29 2019 -0700 - - Filter OperationPending logs SystemShutdown - - We do not need to log the OperationPending error code because this is an - expected case. - - 
Signed-off-by: Justin Terry (VM) - -commit 0e75f08c21280dc36758f99f3c925284abb6b3ca -Merge: 30ebd3d8c fbb9befe5 -Author: Justin -Date: Mon Jul 22 23:41:47 2019 -0700 - - Merge pull request #654 from jterry75/remove_unused - - Remove unused code - -commit e5b723643dfd557162e739159b0bed3a6177296c -Author: Justin Terry (VM) -Date: Mon Jul 22 23:00:57 2019 -0700 - - Forward Span context to all methods. - - 1. Forwards the entry Span context to all methods from the shim. - 2. Updates most logrus. messages to log.G(ctx). messages so that span - information will be forwarded as well. - 3. Updates the various tests/infra to the new calling patterns. - -commit fbb9befe5d98b0536a65a0ab9ca8c7080d3114ea -Author: Justin Terry (VM) -Date: Mon Jul 22 21:20:29 2019 -0700 - - Remove unused code - - Signed-off-by: Justin Terry (VM) - -commit 30ebd3d8c14b59fc0f7589c6afb8ce0da771e9a5 -Merge: ae5995d61 442a58fc4 -Author: Justin -Date: Mon Jul 22 16:05:14 2019 -0700 - - Merge pull request #653 from jterry75/revert_oc_error_response - - Revert OpenCensus Span Filtering - -commit 442a58fc43b4f49fe7c975f983bf20ba082fd768 -Author: Justin Terry (VM) -Date: Mon Jul 22 15:50:08 2019 -0700 - - Revert OpenCensus Span Filtering - - After talking more about this it is incorrect to revert this at the span level - this needs to be a client side filter as the span truly should represent the - status of the function or unit of work being executed. - - 
Signed-off-by: Justin Terry (VM) - -commit ae5995d61ccbeef1df818a963ac6dfa048d63733 -Merge: 593dfadf0 805178493 -Author: Justin -Date: Mon Jul 22 15:24:15 2019 -0700 - - Merge pull request #650 from jterry75/limit_errors - - Stop logging expected error values - -commit 8051784930b57da9b70c9253f4d0d72e209bad2b -Author: Justin Terry (VM) -Date: Mon Jul 22 11:55:34 2019 -0700 - - Stop logging expected error values - - Some HCS* functions return errors to signify a success with additional - information. In these cases we need to skip logging the error because the use - cases is expected and this isn't an error for the client who handles it. - - Signed-off-by: Justin Terry (VM) - -commit 593dfadf010b176483380d2b3f0a79cb22327ccb -Merge: 74cbcc173 6f84fff91 -Author: Justin -Date: Thu Jul 18 12:22:47 2019 -0700 - - Merge pull request #648 from jterry75/process_exitcode - - Capture ExitCode at process exit - -commit 6f84fff91a503c1a41faf6d0c7b53f90da0ab34e -Author: Justin Terry (VM) -Date: Thu Jul 18 10:53:07 2019 -0700 - - Capture ExitCode at process exit - - Signed-off-by: Justin Terry (VM) - -commit 74cbcc173d05441792bc951b0b65cf1f6443deb5 -Merge: 5edad5dad 7da7ba8a0 -Author: Justin -Date: Wed Jul 17 21:32:50 2019 -0700 - - Merge pull request #646 from microsoft/syscall_ctx - - Add context to vmcompute syscalls - -commit 5edad5dad7fa8c1dff525a424997ce3ea35df4f6 -Merge: d3efc4729 85d3fcf0e -Author: Justin -Date: Wed Jul 17 21:32:17 2019 -0700 - - Merge pull request #647 from nagiesek/hcnTestFixes - - Test fixes, removing an obsolete tests - -commit 7da7ba8a04429da9fc5e9232089cad0aedb283d2 -Author: Justin Terry (VM) -Date: Wed Jul 17 11:45:56 2019 -0700 - - Add context to vmcompute syscalls - - 
Signed-off-by: Justin Terry (VM) - -commit 85d3fcf0e03c67cf08a3ef843a34137a5c8144a1 -Author: Nathan Gieseker -Date: Wed Jul 17 21:16:46 2019 -0700 - - Test fixes, removing an obsolete tests - -commit 9dbdb559c37d8e3b8da6ca1bacd5b5cbf5f02c2c -Merge: 2e5055dc4 d40aa6457 -Author: Justin -Date: Wed Jul 17 14:49:48 2019 -0700 - - Merge pull request #326 from rhdedgar/master - - Typo fix - -commit d40aa645766d59c7689960ff4addf613e9d168cd -Author: Doug Edgar -Date: Tue Jul 16 14:51:39 2019 -0800 - - Typo fix - -commit d3efc47299c81d63099c593adde816cc8aefdbad -Merge: 40275baa2 438d2ef9f -Author: Justin -Date: Tue Jul 16 09:59:53 2019 -0700 - - Merge pull request #643 from microsoft/publish-event-logging - - Improve logging for event publishing - -commit 2e5055dc4c08665470f26321a5994c915c1b4fdf -Merge: 98047cd05 7defe2362 -Author: Justin -Date: Tue Jul 16 00:16:37 2019 -0700 - - Merge pull request #325 from jterry75/exit_code_fix - - ExitStatus should contain a signaled offset - -commit 438d2ef9f3fadee7a2ed52cecf66cb390738bb8c -Author: Kevin Parsons -Date: Mon Jul 15 14:10:27 2019 -0700 - - Improve logging for event publishing - - Signed-off-by: Kevin Parsons - -commit 7defe2362f377c56e53cc89c30c71281407249ce -Author: Justin Terry (VM) -Date: Mon Jul 15 16:11:26 2019 -0700 - - ExitStatus should contain a signaled offset - - 
Signed-off-by: Justin Terry (VM) - -commit 40275baa29f3dd7effb4dd8307b688e56418a00f -Merge: 60251c25c b6855b64e -Author: Justin -Date: Mon Jul 15 15:18:14 2019 -0700 - - Merge pull request #640 from nagiesek/policyFlag - - Adds NatFlags to portmappings - -commit 60251c25cd7b73c0349070bc7806c0f8f06af6d1 -Merge: f6382aa89 7b26e63b1 -Author: Justin -Date: Mon Jul 15 15:04:04 2019 -0700 - - Merge pull request #644 from microsoft/lcow_external_bridge - - uvm: Enable external guest connection for LCOW - -commit 7b26e63b12c66d3eec19aebe8d8ea73b8a7e805e -Author: John Starks -Date: Fri Jul 5 14:01:26 2019 -0700 - - uvm: Enable external guest connection for LCOW - -commit f6382aa89263eb773c96e4f01ff740fd9074cd7f -Merge: afccc7086 4124c0e65 -Author: Justin -Date: Mon Jul 15 10:30:24 2019 -0700 - - Merge pull request #641 from microsoft/nrcpus - - lcow: Explicitly pass CPU count to UVM via kernel command line - -commit 4124c0e659930be95625b5cfec1f51c363341e59 -Author: Kevin Parsons -Date: Thu Jul 11 16:43:45 2019 -0700 - - lcow: Explicitly pass CPU count to UVM via kernel command line - - Signed-off-by: Kevin Parsons - -commit b6855b64ea4a015d9fdf1f9ba739da484f57708f -Author: Nathan Gieseker -Date: Tue Jul 9 15:03:54 2019 -0700 - - Adds NatFlags to portmappings - -commit 98047cd05becb8ee189089709f0adc24bbe32999 -Merge: feafeff55 38167a9a5 -Author: Justin -Date: Sat Jul 6 09:43:20 2019 -0700 - - Merge pull request #324 from jterry75/etc_hosts - - Generate /etc/hosts on sandbox/standalone activation - -commit 38167a9a584eb702cfd02ed3da9de1fa39032491 -Author: Justin Terry (VM) -Date: Fri Jul 5 15:39:01 2019 -0700 - - Generate /etc/hosts on sandbox/standalone activation - - 
Signed-off-by: Justin Terry (VM) - -commit afccc7086fd30f0a13423319289cf569f92770e0 -Merge: 0703ee5e8 5b848eba1 -Author: Justin -Date: Fri Jul 5 09:30:21 2019 -0700 - - Merge pull request #639 from microsoft/update_lcow_memorytest - - Update minimum memory size for LCOW Memory test - -commit 5b848eba1577239c98b7983941a69bd5db227acd -Author: Justin Terry (VM) -Date: Fri Jul 5 09:28:26 2019 -0700 - - Update minimum memory size for LCOW Memory test - - Signed-off-by: Justin Terry (VM) - -commit feafeff55b2ac0bcbc3d12383efd187145d5af17 -Merge: 9bf5f376c 95f3e6181 -Author: Justin -Date: Wed Jul 3 00:16:08 2019 -0700 - - Merge pull request #323 from jterry75/runas_user - - Honor userstr override to uid/gid for runc activation - -commit 95f3e6181e35d953ecc2271e6d79631888dda949 -Author: Justin Terry (VM) -Date: Wed Jul 3 00:11:28 2019 -0700 - - Honor userstr override to uid/gid for runc activation - - Signed-off-by: Justin Terry (VM) - -commit 0703ee5e81cafe696c8851e3ee41f4a1edad23b3 -Merge: c6f98528d a404fe56c -Author: Justin -Date: Tue Jul 2 23:21:05 2019 -0700 - - Merge pull request #638 from jterry75/lcow_namespaces - - Forward all OCI Linux.Namespaces - -commit a404fe56c34f8cac92873e0543d8f991dac9c389 -Author: Justin Terry (VM) -Date: Tue Jul 2 23:17:55 2019 -0700 - - Forward all OCI Linux.Namespaces - - 
Signed-off-by: Justin Terry (VM) - -commit c6f98528dede8abc293dc90029c95e7436397134 -Merge: 852a61e54 381a14a5b -Author: Justin -Date: Thu Jun 27 14:10:51 2019 -0700 - - Merge pull request #634 from jterry75/cleanup_lcow_package - - Cleanup internal lcow package - -commit 852a61e54abdedc13babd7edce0b49c31000f6b6 -Merge: dc2a1837b 2d65022c4 -Author: Justin -Date: Thu Jun 27 14:10:36 2019 -0700 - - Merge pull request #635 from jterry75/cleanup_deallocatescsi - - Cleanup UVM RemoveSCSI workflow - -commit dc2a1837b7c71c309c941129a4531c2175276e1b -Merge: e7b99e120 951cfd164 -Author: Justin -Date: Thu Jun 27 14:10:23 2019 -0700 - - Merge pull request #636 from jterry75/cleanup_removevpmem - - Cleanup UVM RemoveVPMEM - -commit e7b99e120c9d2d16a86f1cfcf457af50f5cc0022 -Merge: 009b3782b 4dafc1203 -Author: Justin -Date: Thu Jun 27 14:04:12 2019 -0700 - - Merge pull request #637 from jterry75/cleanup_uvmwait - - Cleanup UVM Wait - -commit 4dafc1203a141de3bba0094b9da49bd164bf216f -Author: Justin Terry (VM) -Date: Thu Jun 27 11:14:38 2019 -0700 - - Cleanup UVM Wait - - Signed-off-by: Justin Terry (VM) - -commit 951cfd1648f310e65d943dff8dd8bdcae1dac3b9 -Author: Justin Terry (VM) -Date: Thu Jun 27 10:59:15 2019 -0700 - - Cleanup UVM RemoveVPMEM - - Signed-off-by: Justin Terry (VM) - -commit 2d65022c4f61e0ca49e1f7e92d6f3fb0c0006afc -Author: Justin Terry (VM) -Date: Thu Jun 27 10:56:00 2019 -0700 - - Cleanup UVM RemoveSCSI workflow - - Signed-off-by: Justin Terry (VM) - -commit 381a14a5b9af9b03397e4237566417d90566e476 -Author: Justin Terry (VM) -Date: Thu Jun 27 10:44:09 2019 -0700 - - Cleanup internal lcow package - - 
Signed-off-by: Justin Terry (VM) - -commit 009b3782b7699e013d517ae149c8161e0a4428f3 -Merge: 7a5bf6f90 2f2db50db -Author: Justin -Date: Thu Jun 27 10:01:06 2019 -0700 - - Merge pull request #633 from veerun14/add-container-network-test - - Added a simple network ping test on container start - -commit 2f2db50db2d46fd35ea60d0eed9cef51da268609 -Author: Veeraiah Chowdary Nuvvula -Date: Wed Jun 26 08:39:45 2019 -0700 - - Added a simple network ping test on container start - -commit 9bf5f376cf792133d54ee864944a1063ecbf2b0b -Merge: 205d179d2 a79395def -Author: Justin -Date: Tue Jun 25 16:30:04 2019 -0700 - - Merge pull request #322 from jterry75/duration_to_string - - Force span duration to pretty print - -commit 7a5bf6f90c7bdfe087f9590eb4fe32a9d9780a0f -Merge: 20f132925 387aa9155 -Author: Justin -Date: Tue Jun 25 16:27:31 2019 -0700 - - Merge pull request #631 from jterry75/support_oc - - Add OpenCensus support to containerd runhcs shim - -commit a79395def0385069542e56578fb0251074696f33 -Author: Justin Terry (VM) -Date: Tue Jun 25 16:26:32 2019 -0700 - - Force span duration to pretty print - - Signed-off-by: Justin Terry (VM) - -commit 387aa91550a7a1a91d3e36d18454265f5e70763f -Author: Justin Terry (VM) -Date: Fri Jun 21 15:00:45 2019 -0700 - - Add OpenCensus support to containerd runhcs shim - - Signed-off-by: Justin Terry (VM) - -commit 20f132925185ba8de972deb1feffded3d8ec0e91 -Merge: 7c0c2589d ef775b6a9 -Author: Justin -Date: Tue Jun 25 13:54:17 2019 -0700 - - Merge pull request #582 from thaJeztah/fix_version_typo - - Fix Windows Server version for RS4 in comment - -commit 7c0c2589d86d5b4cff5781362d45fd2e28647b90 -Merge: 3eedef742 d1649af66 -Author: Justin -Date: Tue Jun 25 10:55:29 2019 -0700 - - Merge pull request #632 from microsoft/vendor-winio - - Revendor go-winio - -commit d1649af6616716c9a943a3b0e605b370495ff561 -Author: Kevin Parsons -Date: Tue Jun 25 10:47:55 2019 -0700 - - Revendor go-winio - - 
Signed-off-by: Kevin Parsons - -commit 3eedef742624f3d8884f2c0a554a5d1f496245d0 -Merge: 70518867a ad4db9818 -Author: Justin -Date: Tue Jun 25 10:34:30 2019 -0700 - - Merge pull request #626 from microsoft/jjh/panic21355099 - - Avoid panic: argon with VHD - -commit 205d179d2af6fb6a9d2b7622ebeeaabf6f5a190a -Merge: 7b0368e38 b75c62cf3 -Author: Justin -Date: Tue Jun 25 10:33:39 2019 -0700 - - Merge pull request #321 from jterry75/span_name - - Export all OC span's with name key - -commit b75c62cf3e80ee45a088ef8ec649782d769f8ecc -Author: Justin Terry (VM) -Date: Tue Jun 25 10:26:20 2019 -0700 - - Export all OC span's with name key - - Signed-off-by: Justin Terry (VM) - -commit ad4db98187effd387587740933d8575b5a0707c3 -Author: John Howard -Date: Tue Jun 11 16:09:00 2019 -0700 - - Avoid panic:argon with VHD - - Signed-off-by: John Howard - -commit 70518867aaffe97576db2854a7b7eee6543db93d -Merge: 115e45533 23b674df7 -Author: Kevin Parsons -Date: Fri Jun 21 15:12:30 2019 -0700 - - Merge pull request #629 from microsoft/log-rotate - - Add test for container log rotation - -commit 7b0368e385a319a5021404c7cf9d064216199e6b -Merge: dfc46977d d15938c03 -Author: Justin -Date: Thu Jun 20 17:17:15 2019 -0700 - - Merge pull request #318 from jterry75/add_ctx - - Forward context logging for all requests/responses - -commit d15938c03e854de4f119a18b6df58cdf03cc7aa5 -Author: Justin Terry (VM) -Date: Fri May 31 16:14:03 2019 -0700 - - Add OpenCensus support for all V2 requests/responses - - Creates a context chain on all requests and forwards it to all calls for the - duration of the context. - - 
Signed-off-by: Justin Terry (VM) - -commit 115e455336c0a9adf2ff64ab6064156ef24ae348 -Merge: 16602123e 6e9db1e87 -Author: Kevin Parsons -Date: Thu Jun 20 14:17:52 2019 -0700 - - Merge pull request #622 from microsoft/process-stdio - - Add new create process API to not save stdio pipes - -commit dfc46977d7710ef9c31d74bbde3197532f46179d -Merge: b788199fa afadb5087 -Author: Justin -Date: Thu Jun 20 11:14:52 2019 -0700 - - Merge pull request #320 from jterry75/non_ptr_basetype - - MessageBase should not be including as ptr type - -commit afadb508764889e8c46063f4c2f16d8c61b9cc75 -Author: Justin Terry (VM) -Date: Thu Jun 20 09:59:59 2019 -0700 - - MessageBase should not be including as ptr type - - 
Signed-off-by: Justin Terry (VM) - -commit b788199fa3c08887ca94050d84e76a919fec44bb -Merge: f516a03c0 456e8a83a -Author: Justin -Date: Wed Jun 19 16:44:28 2019 -0700 - - Merge pull request #319 from jterry75/etc_hosts - - Maps /etc/hosts and /etc/hostname to sandbox/workload containers - -commit 456e8a83a06061d54f291cd7859202cf774f0a5d -Author: Justin Terry (VM) -Date: Thu May 30 16:47:26 2019 -0700 - - Maps /etc/hosts and /etc/hostname to sandbox/workload containers - - 1. Modifies the existing networking model to properly allocate namespaces only - for standalone or sandbox containers. - 2. Modifies the existing /etc/resolv.conf handling to properly create for - standalone or sandbox containers but bind mount for workload containers. - 3. Adds support for mapping the sandbox containers /etc/hostname to the - workload container. - 4. Adds support for mapping the sandbox containers /etc/hosts file to the - workload container. - 5. Adds support to standalone containers for /etc/hostname and /etc/hosts - files. - -commit 6e9db1e87e4f5996dd61b6a522b451633c62f7a7 -Author: Kevin Parsons -Date: Mon Jun 3 14:20:57 2019 -0700 - - Add new create process API to not save stdio pipes - - CreateIoCompletionPort (used by makeOpenFiles) can only be called once - successfully for a given underlying object, regardless of how many - handles we have to the object. - - The previous behavior of process stdio was to call - HcsGetProcessInfo when Stdio was called, then call makeOpenFiles and - return the resulting handles[1]. - - As part of a recent change, CreateProcess was changed to call - makeOpenFiles on the stdio handles at process creation time, and save - the new handles on the process struct. These saved handles are now - returned directly by Stdio. In an effort to preserve legacy compat, a - new function, StdioLegacy, was added which preserved the old Stdio - behavior, and the legacy caller was changed to use StdioLegacy instead - of Stdio. 
- - However, because CreateIoCompletionPort can only be called once for a - single object, and it has already been called on a handle for the stdio - pipe object at process creation time, StdioLegacy now fails. - - This change addresses this issue by creating a new CreateProcessNoStdio - function which preserves the old process creation behavior, and just - closes the initial stdio handles received at process creation time. This - function is now used by the legacy caller, which should allow projects - like Docker to work properly. - - [1] This actually means that although the comment on the old Stdio - implementation stated it could be called multiple times to receive - multiple sets of handles, it would actually fail after being called the - first time. This change does not fix this issue, but does remove the - incorrect comment. - - Signed-off-by: Kevin Parsons - -commit 23b674df7f7bf719300ccbe4ceadf04883057690 -Author: Kevin Parsons -Date: Tue Jun 18 16:27:20 2019 -0700 - - Add test for container log rotation - - This test runs a container that outputs incrementing integers every 0.1 - seconds. The container output goes to a log file. After 3 seconds of - execution, the log file is rotated by first renaming the existing file - (which will cause output to continue to go to the renamed file), and - then calling CRI's ReopenContainerLog. ReopenContainerLog causes - containerd to close the old log file handle, and open a new handle to - the original file path. After waiting 3 more seconds, we then stop the - container, and validate to make sure no numbers were skipped in the - combined two log files. - - 
Signed-off-by: Kevin Parsons - -commit 16602123eae47600eca7a569aee0a1af88c58d08 -Merge: 079f257e9 9e70581d7 -Author: Justin -Date: Wed Jun 12 11:36:09 2019 -0700 - - Merge pull request #625 from jterry75/create_scratch_size - - Add support for custom scratch sizes - -commit 9e70581d7cd4165cf5c1f30aba37a0e71206f965 -Author: Justin Terry (VM) -Date: Mon Jun 10 14:28:52 2019 -0700 - - Add support for custom scratch sizes - - 
Signed-off-by: Justin Terry (VM) - -commit f516a03c01b82fcc45fec792b5dfd792f9e06a83 -Merge: 517472ccc 379e9f634 -Author: Justin -Date: Thu Jun 6 15:51:05 2019 -0700 - - Merge pull request #317 from jterry75/simplify_request_return - - Simplify the bridge request/return pattern - -commit 379e9f63454781bf7cc9900de0dca47a118b23eb -Author: Justin Terry (VM) -Date: Wed Jun 5 10:09:35 2019 -0700 - - Simplify the bridge request/return pattern - - This change makes it easier for the rquest/response pattern to return a result - or error. This is perferred over the w.Write and w.Error pattern where a - response must be written and then an early return. This makes the code easier - to read and control flow easier to understand. - -commit 517472ccc15549bf0f7332b83f3fa3baeea82a0f -Merge: 7977f11b2 dc5fc6e61 -Author: Justin -Date: Wed Jun 5 14:52:26 2019 -0700 - - Merge pull request #315 from jterry75/regression_on_stop - - Fix regression in external process wait on V2 - -commit 7977f11b2f5d33c83201899ec4ae65340801751f -Merge: a613c5742 4d73321a5 -Author: Justin -Date: Wed Jun 5 14:52:10 2019 -0700 - - Merge pull request #316 from jstarks/fix_rootfs_hard_links - - rootfs: Convert from initrd by extracting and archiving - -commit 4d73321a52c390506bae3e257ed49daa4c7c9c17 -Author: John Starks -Date: Wed Jun 5 14:33:53 2019 -0700 - - rootfs: Convert from initrd by extracting and archiving - - This fixes files that are hard linked in the root file system. - - Before this change, bsdtar was used to convert the cpio initrd archive - to a tar file, but this failed for mkfs* files that are hard linked to - each other. This is arguably a bug in bsdtar, but it is complicated - because tar and cpio store hard linked files in reverse order from each - other (tar stores the payload in the first hard link, while cpio stores - the payload in the last link). 
- -commit dc5fc6e61ba1dbb0dd7bcc26dc548cbf25fe0244 -Author: Justin Terry (VM) -Date: Wed Jun 5 14:15:49 2019 -0700 - - Fix regression in external process wait on V2 - - Signed-off-by: Justin Terry (VM) - -commit 079f257e900ec9086f9f8476e6ded645458b70e2 -Merge: f5d95a7b5 9e237ca76 -Author: Justin -Date: Wed Jun 5 11:19:13 2019 -0700 - - Merge pull request #623 from jterry75/lcow_create_scratch - - Fix regressions in lcow.CreateScratch - -commit 9e237ca766197bbe1b5dfa63a91ad62d5ceeada4 -Author: Justin Terry (VM) -Date: Wed Jun 5 08:43:05 2019 -0700 - - CreateScratch should test for /block dir - - Signed-off-by: Justin Terry (VM) - -commit ddc409701d979c376fc66d94c095f52e9fe4cf03 -Author: Justin Terry (VM) -Date: Wed Jun 5 08:11:28 2019 -0700 - - Print valid err in type assertion failure - - Signed-off-by: Justin Terry (VM) - -commit 4f32c6df9d0b0d99f1e6610062dbd91a86dcc9e7 -Author: Justin Terry (VM) -Date: Wed Jun 5 08:10:28 2019 -0700 - - Context cancel should only run on success - - Signed-off-by: Justin Terry (VM) - -commit f5d95a7b528dd83bbd8dc8530617dcc12f40d934 -Merge: 09706d16c 81545fb32 -Author: Kevin Parsons -Date: Mon Jun 3 10:04:20 2019 -0700 - - Merge pull request #618 from microsoft/fix-nametoguid - - Replace guid-to-array with APIs from guid package - -commit 09706d16c3c7791bdb1b0e5cbd1003d083ed6eeb -Merge: 1085c8f56 7f121e3de -Author: Justin -Date: Mon Jun 3 09:03:52 2019 -0700 - - Merge pull request #621 from jterry75/619 - - Fixing malformed JSON tag - -commit 7f121e3de130c11532f4f58668f2288bbf2c8e5a -Author: Justin Terry (VM) -Date: Mon Jun 3 08:56:54 2019 -0700 - - Fixes a malformed JSON tag - - Resolves: #620 - - Signed-off-by: Justin Terry (VM) - -commit 04f79a53058cf411e3c326ee34b460b73daaee37 -Author: Justin Terry (VM) -Date: Mon Jun 3 08:54:40 2019 -0700 - - Fixing malformed JSON tag - - Resolves: #619 - - 
Signed-off-by: Justin Terry (VM) - -commit 81545fb3221f1bec7558004d5124f904cc69e741 -Author: Kevin Parsons -Date: Fri May 31 18:05:29 2019 -0700 - - Replace guid-to-array with APIs from guid package - - This is part of fixing the guid-to-array functions in layer.go which - were using the wrong array indices. The best way to fix this now is to - use the functionality in the go-winio guid package. - - Signed-off-by: Kevin Parsons - -commit 6bb25550e5f2a7ef6b0cb603587787b9aec8f4b8 -Author: Kevin Parsons -Date: Fri May 31 18:04:58 2019 -0700 - - Revendor go-winio - - Signed-off-by: Kevin Parsons - -commit 1085c8f569e1e3a07ce2ebcc921a952aa4b1af50 -Merge: 6ed005e99 d1fa7950e -Author: Justin -Date: Fri May 31 11:37:25 2019 -0700 - - Merge pull request #617 from microsoft/state_log - - Improve shim entry/exit logging - -commit d1fa7950e0f8326a149ac866796f873cc60f3e10 -Author: Justin Terry (VM) -Date: Thu May 30 07:07:36 2019 -0700 - - Improve shim entry/exit logging - - 1. Improves the fields logged on exit to include important values from the - response. - 2. Returns the logrus.Entry from beginActivity to avoid another alloc on - endActivity. - - 
Signed-off-by: Justin Terry (VM) - -commit 6ed005e99491cf14fa05b713de4b2f35e20b2f36 -Merge: 68b466dde da320e6c7 -Author: Justin -Date: Thu May 30 11:24:37 2019 -0700 - - Merge pull request #611 from jstarks/dead_code - - lcow: Remove process creation and copywithtimeout - -commit 68b466ddec9f9ddb13301e701e23e485b38801fa -Merge: 92f72af61 a9f15356e -Author: Justin -Date: Wed May 22 15:51:03 2019 -0700 - - Merge pull request #614 from jstarks/shimdiag_hang - - shimdiag: Do not hang exec -t on Ctrl-Z - -commit 92f72af6168070f9f9e7a45a02f1d1c313286f7a -Merge: 829b0d81e 679e476e1 -Author: Justin -Date: Wed May 22 15:49:13 2019 -0700 - - Merge pull request #616 from microsoft/update_grpc - - Update grpc to 1.20.1 - -commit 679e476e1c9c526f79dea55be84623673509a59d -Author: Justin Terry (VM) -Date: Wed May 22 14:24:15 2019 -0700 - - Update grpc to 1.20.1 - - 
Signed-off-by: Justin Terry (VM) - -commit 829b0d81ecf9b897c16f597e104381cba9217264 -Merge: 0a2ec9674 2f1cea06b -Author: Justin -Date: Mon May 20 10:28:44 2019 -0700 - - Merge pull request #613 from jstarks/no_lazy_init - - lcow: Eagerly initialize the ext4 inode tables - -commit 0a2ec9674a9dff02c35e1aca1ae0e659dd9b930f -Merge: 0fdb38f3e f377f4ff4 -Author: Justin -Date: Mon May 20 10:27:50 2019 -0700 - - Merge pull request #615 from jstarks/uvmboot_console - - uvmboot: Add tty option - -commit f377f4ff4a74a588898c120ed96076ae853ee62d -Author: John Starks -Date: Fri May 17 10:24:36 2019 -0700 - - uvmboot: Add tty option - - This option enables uvmboot to be used to create an interactive process - in the utility VM. - -commit 2f1cea06b6eae42d0fc991fcf703ae3d1fc946dc -Author: John Starks -Date: Thu May 16 10:58:35 2019 -0700 - - lcow: Eagerly initialize the ext4 inode tables - - This change disables lazily initialization of the sandbox VHDX's inode - tables. This prevents the kernel from subsequently zeroing them in the - background at each container start. - -commit da320e6c75b291753e16d053b67efc94c1cc7f32 -Author: John Starks -Date: Wed May 8 16:39:19 2019 -0700 - - lcow: Remove process creation and copywithtimeout - -commit 0fdb38f3e9bb59932c943ed5503d284bbccf7fa0 -Merge: c809de488 5075adbfa -Author: Justin -Date: Wed May 15 15:46:44 2019 -0700 - - Merge pull request #612 from microsoft/disallow_v2_lcow - - Enable bridge v4 on all v2 LCOW activations - -commit 5075adbfaa68a0a30402c386f76297a09ddcd080 -Author: Justin Terry (VM) -Date: Wed May 15 15:34:58 2019 -0700 - - Enable bridge v4 on all v2 LCOW activations - - 
Signed-off-by: Justin Terry (VM) - -commit a613c574224782ae10f5dfe9eced6003dead997e -Merge: bde2cc172 a2bc40a2c -Author: Justin -Date: Wed May 15 13:57:07 2019 -0700 - - Merge pull request #314 from jterry75/fix_resize_on_exited - - Separate v1 and v2 bridge interfaces - -commit a2bc40a2c426282eb42609f9185d9c50bffc81ad -Author: Justin Terry (VM) -Date: Wed May 15 10:46:37 2019 -0700 - - Separate v1 and v2 bridge interfaces - - This change breaks apart the v1 and v2 schema interfaces as well as the v3 and - v4+ bridge protocols. It makes the v4+ protocol opt in so that downlevel - clients running v1 Xenons will stay on v3. This allows us to iterate and change - the model for v4+ without risking breaking downlevel. - - Signed-off-by: Justin Terry (VM) - -commit c809de48827f94d52fcc982a9920eac9d11eedd5 -Merge: 547f2201b 70b6c8416 -Author: John Starks -Date: Wed May 15 12:09:20 2019 -0700 - - Merge pull request #609 from jstarks/errors - - gcs: Add ErrorMessage field to RPC response - -commit bde2cc1726750070c3e18079b28effcbf21266bc -Merge: 0a61924c8 1e2df3733 -Author: Justin -Date: Wed May 15 11:45:59 2019 -0700 - - Merge pull request #313 from microsoft/unknown_message_regression - - UnknownMessage for v1 requires E_NOTIMPL - -commit 1e2df3733f8b24cf8dbc6b5cf646456f8eaa05d4 -Author: Justin Terry (VM) -Date: Wed May 15 11:09:50 2019 -0700 - - UnknownMessage for v1 requires E_NOTIMPL - - 
Signed-off-by: Justin Terry (VM) - -commit 0a61924c8c154ffb4ec98478439aafe0399bd2ae -Merge: 97a5777da 4d3d9c1e7 -Author: Justin -Date: Wed May 15 11:34:44 2019 -0700 - - Merge pull request #312 from jstarks/error - - gcs: Fill out ErrorMessage string for HCS external bridge - -commit 547f2201bce6c61f2af59085f01901300ffc3444 -Merge: 0382e67c8 a79b6216f -Author: John Starks -Date: Wed May 15 10:03:56 2019 -0700 - - Merge pull request #610 from jstarks/external_wcow - - gcs: Add WCOW support - -commit 70b6c8416c76a1d86727046df41ce11cd066b2b0 -Author: John Starks -Date: Wed May 15 09:05:35 2019 -0700 - - gcs: Add ErrorMessage field to RPC response - - The existing RPC protocol's error response is an HRESULT, which loses - information and does not work well for the Linux GCS. The response also - has error records, which can have richer error strings, but it is - ambiguous which of these strings are meant to be user facing and which - are for debugging. - - This change adds an ErrorMessage field that Windows HCS and GCS will - ignore but Linux GCS will fill out with the underlying error string. - This makes it unambiguous which string should be returned to the user. - -commit a79b6216f585a5ec7b4d3514dcbb984804607162 -Author: John Starks -Date: Wed May 15 09:18:26 2019 -0700 - - gcs: Add WCOW support - - This change fixes various bugs to unblock WCOW support for UVMs that - support the RS5+ GCS protocol. - -commit 4d3d9c1e74f12d324f46c597d73955800e2bb1c1 -Author: John Starks -Date: Wed May 15 09:10:08 2019 -0700 - - gcs: Fill out ErrorMessage string for HCS external bridge - - To make it unambiguous which string represents the user-actionable - error, return it in a new field in the bridge response. 
- -commit 0382e67c84a78dc5abc40172b47e1aadc6405ff4 -Merge: 57bf1ad56 3c9297345 -Author: John Starks -Date: Wed May 15 08:28:39 2019 -0700 - - Merge pull request #608 from jstarks/uvmboot_wcow - - uvmboot: Add WCOW support - -commit 3c9297345421ffa77a4a5492b5237bd442f0f522 -Author: John Starks -Date: Tue May 14 14:26:08 2019 -0700 - - uvmboot: Add WCOW support - -commit 97a5777da139ecce3a1d71d55f963403770e0fcb -Merge: 291ac98c3 630b35470 -Author: Justin -Date: Mon May 13 16:34:43 2019 -0700 - - Merge pull request #311 from jterry75/fix_resize_on_exited - - Ignore ResizeConsole of init process after exit - -commit 630b354703f2bcc5472821d7c8f0c66e0f28a045 -Author: Justin Terry (VM) -Date: Mon May 13 15:37:56 2019 -0700 - - Ignore ResizeConsole of closed tty - - Signed-off-by: Justin Terry (VM) - -commit 57bf1ad56e62ca2c2e097c295c2f6041c2e9640f -Merge: 082bdf52e 5f7954236 -Author: Kevin Parsons -Date: Mon May 13 14:07:23 2019 -0700 - - Merge pull request #603 from microsoft/replace-guid - - Replace hcsshim guid package with the one from go-winio - -commit 5f79542362e1143b7c90089ea4949e559d487555 -Author: Kevin Parsons -Date: Fri May 10 00:25:58 2019 -0700 - - Replace hcsshim guid package with the one from go-winio - - 
Signed-off-by: Kevin Parsons - -commit 082bdf52e06aa269636ae3a6b025048143b72343 -Merge: 66a6e17a6 954d3d1d2 -Author: Justin -Date: Mon May 13 13:04:05 2019 -0700 - - Merge pull request #607 from jstarks/wcow_shimdiag - - shim: Run diag exec processes on Windows as SYSTEM - -commit 66a6e17a6c9595db8f283177714191b38157a092 -Merge: 1362434f9 2125cb605 -Author: John Starks -Date: Mon May 13 13:02:58 2019 -0700 - - Merge pull request #601 from jstarks/external_bridge - - External bridge - -commit 954d3d1d2f73e885d201bd5ac4fc7627776cf7a1 -Author: John Starks -Date: Mon May 13 12:55:45 2019 -0700 - - shim: Run diag exec processes on Windows as SYSTEM - - The default user for container processes does not exist for the utility - VM. Explicitly set the user to SYSTEM. - -commit 1362434f9841783d4a6d66dbeccccf126314c3b0 -Merge: c7ff2530b b1dcba88d -Author: John Starks -Date: Mon May 13 12:17:30 2019 -0700 - - Merge pull request #606 from jstarks/disable_failing_test - - test: Disable failing RunAsUser test until functionality is enabled - -commit b1dcba88dba12b0547faa029a16b90a371a060f5 -Author: John Starks -Date: Mon May 13 12:11:02 2019 -0700 - - test: Disable failing RunAsUser test until functionality is enabled - -commit 291ac98c3f49514edd3833caf711e5b93282bdef -Merge: f812e6a49 6582bd26f -Author: John Starks -Date: Mon May 13 10:26:05 2019 -0700 - - Merge pull request #310 from jstarks/fix_stretch - - Makefile: Fixes to run in Debian stretch - -commit 6582bd26f1e1506ef57904c14e9246e78b742ce3 -Author: John Starks -Date: Mon May 13 10:04:17 2019 -0700 - - Makefile: Fixes to run in Debian stretch - - This fixes a few limitations that prevent the Makefile from being used - in a Debian stretch environment. It also fixes uses of non-standard Go - paths. 
- -commit c7ff2530b13cc14e8ab001e93e1cb8a89c927445 -Merge: 21ae840c3 42f683c2b -Author: Justin -Date: Mon May 13 06:43:37 2019 -0700 - - Merge pull request #587 from veerun14/add_RunAs_Test - - Added a test for RunAsUser option for LCOW container - -commit 21ae840c32a642dd3cdb5e263a12825d426434e9 -Merge: b9bc8c6ac 8f86d76de -Author: Justin -Date: Mon May 13 06:08:14 2019 -0700 - - Merge pull request #605 from jstarks/use_cmd - - Use hcsoci.Cmd everywhere - -commit 2125cb605c09d7b775c950f68c0f848d9d950692 -Author: John Starks -Date: Sat May 11 21:25:18 2019 -0700 - - uvm: Use external bridge when requested - - This change hooks the external bridge (gcs package) up to the uvm - package when requested. - -commit ebd08130aff066f5ebc59595fc07e86b0e0e20aa -Author: John Starks -Date: Wed May 8 04:18:03 2019 +0000 - - gcs: Add external bridge implementation - - This change provides a package that implements the external bridge, - which communicates with the GCS in order to create containers and - processes. - - Currently the bridge only supports LCOW, not WCOW. - -commit 8f86d76defc5facf5a57bbf96b004265499f178b -Author: John Starks -Date: Wed May 8 15:05:03 2019 -0700 - - lcow: Convert to use hcsoci.Cmd - -commit 98f2f15e0765f0d91a1dd4d6426ef544e38af965 -Author: John Starks -Date: Wed May 8 15:04:05 2019 -0700 - - shim: Convert to use hcsoci.Cmd - -commit 98284d031c64acc9f2b48d1a018079c440adb3bb -Author: John Starks -Date: Wed May 8 15:03:30 2019 -0700 - - runhcs: Convert to use hcsoci.Cmd - -commit b9bc8c6acd4acab34976e0e70ee7e3320a67a8b8 -Merge: 024c344c8 0d281e0e8 -Author: John Starks -Date: Sat May 11 20:20:33 2019 -0700 - - Merge pull request #604 from thaJeztah/gofmt_all_the_things - - gofmt internal/schema2 package - -commit 0d281e0e887312663fc108b65e795bb48f473b9f -Author: Sebastiaan van Stijn -Date: Fri May 10 14:14:46 2019 -0700 - - gofmt internal/schema2 package - - 
Signed-off-by: Sebastiaan van Stijn - -commit 024c344c848dfcdb70be4ae9e0981e7f12b22478 -Merge: 1c60725a8 e96782d4a -Author: Justin -Date: Thu May 9 23:37:33 2019 -0700 - - Merge pull request #602 from microsoft/update-vendor-guid - - Update to new go-winio and passing GUID by value - -commit e96782d4af6cfb9df82637f7ee5f1781f8d7d1c5 -Author: Kevin Parsons -Date: Thu May 9 23:13:10 2019 -0700 - - Update code to pass GUID by value - - Signed-off-by: Kevin Parsons - -commit aa52e645636c42172062ca7d87bf139eea4e11df -Author: Kevin Parsons -Date: Thu May 9 23:10:42 2019 -0700 - - Update go-winio and re-vendor - - 
Signed-off-by: Kevin Parsons - -commit 1c60725a8ee38f5a51f4207e25372a3f218fbada -Merge: ef434c79d ed0490185 -Author: John Starks -Date: Thu May 9 15:27:04 2019 -0700 - - Merge pull request #599 from jstarks/stdio - - hcsoci: Add Cmd type for simplifying process launches - -commit ed0490185e0e3d6403725016583308a689c204b8 -Author: John Starks -Date: Wed May 8 15:03:43 2019 -0700 - - uvmboot: Convert to use hcsoci.Cmd - -commit cd396399bef4ee4c98de86f97eff7b9039551296 -Author: John Starks -Date: Wed May 8 15:00:27 2019 -0700 - - hcsoci: Add Cmd type for simplifying process launches - - Cmd is modeled after os/exec.Cmd, which makes it easy to launch - and wait for processes and relay their stdio. This version of Cmd is - designed to take in an OCI process specification, and it can launch a - process on anything that implements cow.ProcessHost. - -commit a9f15356e3e1f40a414f00a31bbb92c58cdaccef -Author: John Starks -Date: Thu May 9 15:43:54 2019 +0000 - - shimdiag: Do not hang exec -t on Ctrl-Z - - os.Stdin.Read() returns EOF if the user presses Ctrl-Z. This makes sense - for non-terminal execs, where we can close stdin for the process and the - process will generally exit. But it does not make sense for terminal - execs, where Ctrl-Z will just cause the process to hang. - - When using exec in terminal mode, read raw bytes from the stdin - descriptor to avoid this Ctrl-Z translation. 
- -commit f812e6a491d4b38e3b9ecb46f7dc744b072895f4 -Merge: add1ce4a6 67b5c1768 -Author: Justin -Date: Wed May 8 16:57:02 2019 -0700 - - Merge pull request #301 from microsoft/fix_result - - Return proper ContainerExit result - -commit ef434c79ddb3d5563385a2d4918bcd82fbc81387 -Merge: 4abe7d42e eb84497f7 -Author: Justin -Date: Wed May 8 16:56:41 2019 -0700 - - Merge pull request #600 from jstarks/no_tar2vhd - - lcow: Remove unused tar2vhd code - -commit eb84497f7d76ee01fe3a5785863b1474dda008db -Author: John Starks -Date: Wed May 8 15:04:33 2019 -0700 - - lcow: Remove unused tar2vhd code - -commit 4abe7d42ec0cc21c390430e1f2d15afa2f0121de -Merge: e957390a4 8e4728af8 -Author: John Starks -Date: Wed May 8 16:32:06 2019 -0700 - - Merge pull request #594 from jstarks/container_iface - - cow: Add and use interfaces for containers and processes - -commit 8e4728af846ee8b4531fb1e1a0738c44f4a2c2b6 -Author: John Starks -Date: Wed May 8 16:04:47 2019 -0700 - - cow: Add and use interfaces for containers and processes - - The external bridge will provide an alternate implementation of these - interfaces. - - Note that the external bridge will not be compatible with clients that - call OpenProcess or OpenComputeSystem (since the bridge will run - in-proc). So runhcs, which relies on OpenComputeSystem, does not use - these types and will use a type assertion to get back to an hcs.System. - -commit 67b5c1768df06051b07c23123167cdeac91e97b1 -Author: Justin Terry (VM) -Date: Wed May 1 12:58:26 2019 -0700 - - Return proper ContainerExit result - - 1. Fixes a bug where we were returning an exit code in the ContainerExit.Result - field which was incorrect. This is an HRESULT value of the Wait Result not the - exit code which is returned at Process.Wait. - - 2. Implements v2 to handle Graceful/Forced exit instead of just Unexpected when - the client is responsible for the SIGTERM/SIGKILL that stops the container. - - 
Signed-off-by: Justin Terry (VM) - -commit e957390a469e0fc5b8bef7523229c1ace1c7e982 -Merge: 54679ca43 fe533edf0 -Author: Justin -Date: Wed May 8 15:43:06 2019 -0700 - - Merge pull request #592 from jstarks/create_container - - uvm: Add UtilityVM.CreateContainer method - -commit 54679ca4397b6caaba7f3c66d7bddf4f0b8a2f15 -Merge: 4e2c99c71 830d954cf -Author: John Starks -Date: Wed May 8 09:02:37 2019 -0700 - - Merge pull request #593 from jstarks/process_cleanup - - hcs: Make Process.Properties private - -commit add1ce4a638f9850353f78af346e4fec2346be1e -Merge: e87221527 dbe114809 -Author: Kevin Parsons -Date: Tue May 7 21:30:45 2019 -0700 - - Merge pull request #308 from microsoft/modules - - Transition to Go modules - -commit 4e2c99c71043b436f25897474afeaa4e5e4b5031 -Merge: 95ef8b986 797e3f6d9 -Author: Kevin Parsons -Date: Tue May 7 21:30:37 2019 -0700 - - Merge pull request #595 from microsoft/modules - - Transition to Go modules - -commit dbe114809a3ce89ade39822599f362f13960e75c -Author: Kevin Parsons -Date: Tue May 7 19:36:51 2019 -0700 - - Run go mod tidy - - Signed-off-by: Kevin Parsons - -commit a1d9046bfb0aac36fcef80e379bac40d4ba7117f -Author: Kevin Parsons -Date: Tue May 7 19:36:05 2019 -0700 - - Transition to Go modules - - Signed-off-by: Kevin Parsons - -commit 797e3f6d9c9cf24ff7dc1524f76a12565b51ee50 -Author: Kevin Parsons -Date: Tue May 7 16:11:16 2019 -0700 - - Run go mod tidy - - Signed-off-by: Kevin Parsons - -commit f4679980a6e6d3b49822d10a73aeca5f24a5844a -Author: Kevin Parsons -Date: Tue May 7 12:44:51 2019 -0700 - - Transition to Go modules - - 
Signed-off-by: Kevin Parsons - -commit e87221527445903a4324db7042d751ba05681463 -Author: John Starks -Date: Tue May 7 14:40:26 2019 -0700 - - Update Travis CI path - -commit 6218f811c06a33339034300197c2ff2f8f403ba3 -Merge: dcc6ef81a db8d6af96 -Author: John Starks -Date: Tue May 7 13:52:33 2019 -0700 - - Merge pull request #306 from jstarks/godeps - - Makefile: Only rebuild Go targets if a dependency has changed - -commit 830d954cf9595e2f017185500b201d2601a26746 -Author: John Starks -Date: Tue May 7 20:50:48 2019 +0000 - - hcs: Make Process.Properties private - - This function and its associated type are not used outside the package - and are an implementation detail. - -commit fe533edf0170e101569f51a75b5b1f348ebd963e -Author: John Starks -Date: Tue May 7 08:52:01 2019 -0700 - - uvm: Add UtilityVM.CreateContainer method - - This change adds a CreateContainer method to UtilityVM and updates - hcsoci to use it. This change is necessary because if the external - bridge is in use, container creation goes through that instead of - through the HCS. 
- -commit 95ef8b9865e72a72213f05ab55b0740b45597b10 -Merge: bc65cf167 2443f5f98 -Author: John Starks -Date: Tue May 7 13:40:54 2019 -0700 - - Merge pull request #590 from jstarks/nocs - - uvm: Reduce binding between hcs and uvm interfaces - -commit dcc6ef81a09ebea3df353ba173324ca6ab367a76 -Merge: 036154367 f9edcb475 -Author: Justin -Date: Tue May 7 10:34:16 2019 -0700 - - Merge pull request #304 from jstarks/catcpio_fixes - - hack/catcpio.sh: Pass appropriate flags to cpio -i - -commit 03615436788d566f8fb1ad22d500f432e86ee378 -Merge: 334aff83e 6b38ecb00 -Author: Justin -Date: Tue May 7 10:33:24 2019 -0700 - - Merge pull request #305 from jstarks/nano_time - - gcs: Include nano seconds in JSON log output - -commit db8d6af96e82ae1060fdb3239dc88292aac03ed9 -Author: John Starks -Date: Sat May 4 23:18:51 2019 +0000 - - Makefile: Only rebuild Go targets if a dependency has changed - - This works by retrieving the list of dependencies from Go after building - a Go binary. - -commit 2443f5f9887cef049a82afa9e8f0f5b0c75b83a3 -Author: John Starks -Date: Tue May 7 09:07:49 2019 -0700 - - uvm: Reduce binding between hcs and uvm interfaces - - This change removes the ComputeSystem() call from uvm.UtilityVM and - provides wrapper functions for the few places that needed to get the - underlying compute system. This is necessary because these functions - (such as CreateProcess) will have different implementations depending on - whether the internal or external bridge is in use. - - Also pre-cache some of the properties queries, caching the result of - such queries early rather than querying at each use. 
- -commit bc65cf167656b14f3115ba543d803b0cf5d8195f -Merge: 10611e616 c69ddac83 -Author: Justin -Date: Tue May 7 09:52:34 2019 -0700 - - Merge pull request #588 from jstarks/unique_messages - - Use constant logrus messages everywhere - -commit 10611e616786c00ed5d986017d0dcfea54bd1662 -Merge: 5a7443890 f92b63313 -Author: Justin -Date: Tue May 7 09:48:44 2019 -0700 - - Merge pull request #589 from jstarks/round_2mb - - uvm: Round requested memory size to 2MB - -commit c69ddac83e608946ced4d8d8946005f78c55106c -Author: John Starks -Date: Sun May 5 05:07:40 2019 +0000 - - Use constant logrus messages everywhere - - This change (intends to) replace all dynamically generated logrus - messages with constant values and to include dynamic data via separate - logrus fields. It does so for all non-test packages except HCN and HNS. - - This makes it easier to extract data from log messages in post - processing, especially when the logrus ETW tracelogging hook is enabled. - - With few exceptions, this change does not change the number of logged - events, nor does it add additional context to existing messages. There - are still many instances where events are redundant, and there are still - many events missing the necessary context to associate the message with - a container, VM, or request. These shortcomings should be addressed in - separate changes. - -commit f92b63313952e44609fd38b8c4b001db7bdf2be0 -Author: John Starks -Date: Sat May 4 14:22:28 2019 +0000 - - uvm: Round requested memory size to 2MB - - Hyper-V only supports 2MB aligned memory sizes (presumably to avoid - splitting large pages). Rather than fail with a cryptic error from the - platform, round the requested memory size up to the next 2MB boundary. - -commit 6b38ecb0090369a0e693bce57b1f18ac12763ae3 -Author: John Starks -Date: Sat May 4 23:21:13 2019 +0000 - - gcs: Include nano seconds in JSON log output - - The logrus JSON output defaults to only second granularity in the - timestamp field. 
Nano seconds are necessary to accurately measure - guest-side event durations when the host is not keeping up with log - output. - -commit f9edcb475365cb1c83a3cf90e701b16db5e2b61b -Author: John Starks -Date: Sat May 4 23:20:05 2019 +0000 - - hack/catcpio.sh: Pass appropriate flags to cpio -i - - The additional flags overwrite files that already exist, preserve - modification times, and create directories as necessary. - -commit 42f683c2b20b0b578242bf1ebbea34372f1fed24 -Author: Veeraiah Chowdary Nuvvula -Date: Thu May 2 09:25:58 2019 -0700 - - fixed gofmt issue by running gofmt.exe -w execcontainer_test.go - -commit 9399cf1c6b8633e7380b8d89b247536ccf3eced6 -Author: Veeraiah Chowdary Nuvvula -Date: Thu May 2 09:06:55 2019 -0700 - - moved exec tests to a separate file - -commit 698e87d6c13c1432ade721604e3576fa11f2415a -Merge: 2c7780253 8941106ab -Author: Veeraiah Chowdary Nuvvula -Date: Thu May 2 08:50:57 2019 -0700 - - Merge branch 'master' into add_RunAs_Test - -commit 5a7443890943600c562e1f2390ab3fef8c56a45f -Merge: 8941106ab c0fe2176e -Author: John Starks -Date: Thu May 2 08:49:42 2019 -0700 - - Merge pull request #577 from jstarks/wait_context - - hcs: Improve Process and System wait-related interfaces - -commit 8941106abedbc5aa3708266f0dd65f8a49344724 -Merge: 1dcf37ac5 c853b9ac5 -Author: Justin -Date: Wed May 1 17:20:24 2019 -0700 - - Merge pull request #586 from jstarks/hcs_service_crash - - hcs: Fail operations when the HCS service crashes - -commit 1dcf37ac5854bb7733366d78a37582ab74da7dfa -Merge: 41f3a0988 6d67a3085 -Author: Justin -Date: Wed May 1 16:52:39 2019 -0700 - - Merge pull request #573 from nagiesek/ignoreDuplicateHotAttachDetach - - Check whether we are already attached/detached before hot attach/deta… - -commit 6d67a3085946ac311d0b6d382332ce9da487f405 -Author: Nathan Gieseker -Date: Wed May 1 16:28:37 2019 -0700 - - Check whether we are already attached/detached before hot attach/detach - -commit 334aff83eced2534181d2ab47aae1de44719d717 -Merge: 
40bf352b6 87c71eb74 -Author: John Starks -Date: Wed May 1 15:36:40 2019 -0700 - - Merge pull request #299 from jstarks/makefile2 - - Makefile: append to archive manually - -commit 87c71eb74fef33d5332116105d1b41e3908d81be -Author: John Starks -Date: Wed May 1 15:17:02 2019 -0700 - - Makefile: append to archive manually - - The bsdtar append step do not interoperate well with some archives or - with our tar2ext4 tool. Extract and rearchive files rather than trying - to append or convert in place. - - This strips any ownership information from the initrd image, so all - files will be owned by root. This should be acceptable because /dev is - always mounted as devtmpfs, and no other files should need special - owners. - -commit 40bf352b62652288ce4ff281a54606766805f504 -Merge: d78556966 9721a2046 -Author: Justin -Date: Wed May 1 15:07:28 2019 -0700 - - Merge pull request #302 from Microsoft/fix_build - - Fix build remove stale test - -commit 9721a204622e75609fe7383061c22297367874c0 -Author: Justin Terry (VM) -Date: Wed May 1 14:51:03 2019 -0700 - - Fix Wrapf format issue missing container id - - Signed-off-by: Justin Terry (VM) - -commit 24abed4f005a17ef34fed95d25eea64bccb8c45f -Author: Justin Terry (VM) -Date: Wed May 1 14:46:01 2019 -0700 - - Fix build remove stale test - - 
Signed-off-by: Justin Terry (VM) - -commit d785569661c017bf6cda5eb9d19955cb927c39a3 -Merge: 1a87c072f 2742a48fe -Author: Justin -Date: Wed May 1 14:12:48 2019 -0700 - - Merge pull request #300 from jstarks/no_linux_headers - - vsockexec: Remove dependency on Linux headers - -commit 2742a48fe46b112e24decc4a923f0fcf016760c3 -Author: John Starks -Date: Wed May 1 13:23:49 2019 -0700 - - vsockexec: Remove dependency on Linux headers - - This makes it possible to build easily with musl-gcc. - -commit c0fe2176e6f7ebbda9c30eb37d8cd5a90870c807 -Author: John Starks -Date: Wed May 1 08:37:01 2019 -0700 - - hcs: Improve Process and System wait-related interfaces - - This updates Terminate, Shutdown, Kill, and Signal to avoid returning - errors in expected cases, and removes WaitTimeout. - -commit 2c778025318f3ce6e7c8063f127c86d37381dfac -Author: Veeraiah Chowdary Nuvvula -Date: Tue Apr 30 12:41:25 2019 -0700 - - updated with comments from code review - -commit 22e72c72d13ab3f6c6fcd4d42a2c5ac161304c7f -Author: Veeraiah Chowdary Nuvvula -Date: Tue Apr 30 10:59:07 2019 -0700 - - Added a test for RunAsUser option for LCOW container - -commit c853b9ac561f8a4620ae69713bbbbc86d28c0260 -Author: John Starks -Date: Tue Apr 23 15:28:01 2019 -0700 - - hcs: Fail operations when the HCS service crashes - - If the HCS service crashes, then all processes and compute systems get - notified of this. The code was previously ignoring this notification, - meaning outstanding waits would never be satisfied. Now the notification - causes all pending waits to complete with an error. 
- -commit 41f3a0988b5e2321658612e19301c60a4d895bf0 -Merge: 965235930 6fc80f50d -Author: Justin -Date: Mon Apr 29 16:08:39 2019 -0700 - - Merge pull request #584 from Microsoft/processor_limit_doc_fix - - Fix bug in documentation for UVM processor.limit - -commit 1a87c072f499535ad9537705ac85af8c2af02f2f -Merge: 92d537f8b dfed0c997 -Author: Justin -Date: Mon Apr 29 16:08:29 2019 -0700 - - Merge pull request #298 from Microsoft/golang_1_12_4 - - Update to golang 1.12.4 - -commit dfed0c99798cc08e273c34ac96199693ff2de77e -Author: Justin Terry (VM) -Date: Mon Apr 29 13:47:34 2019 -0700 - - Update to golang 1.12.4 - - Signed-off-by: Justin Terry (VM) - -commit 965235930020a817a95c5bc76ef51fe9c71c84a7 -Merge: 58f8f4bd4 76d1d3a4d -Author: Justin -Date: Mon Apr 29 13:42:25 2019 -0700 - - Merge pull request #585 from Microsoft/golang_1_12_4 - - Move to golang 1.12.4 - -commit 76d1d3a4dec488088c437c5b98f4916d1fa4e641 -Author: Justin Terry (VM) -Date: Mon Apr 29 13:37:54 2019 -0700 - - Move to golang 1.12.4 - - Signed-off-by: Justin Terry (VM) - -commit 6fc80f50d764c1a621900d54f6eaeb298a75473f -Author: Justin Terry (VM) -Date: Mon Apr 29 13:34:16 2019 -0700 - - Fix bug in documentation for UVM processor.limit - - Signed-off-by: Justin Terry (VM) - -commit ef775b6a90143374b7d5d99ed8e44a512e3cd162 -Author: Sebastiaan van Stijn -Date: Fri Apr 26 10:26:41 2019 -0700 - - Fix Windows Server version for RS4 in comment - - 
Signed-off-by: Sebastiaan van Stijn - -commit 58f8f4bd40f183ca7697fc978e9f3b4cac9a7a8c -Merge: 0d86597ce ad87c9209 -Author: Justin -Date: Tue Apr 23 15:52:35 2019 -0700 - - Merge pull request #578 from jstarks/shimdiag_stacks - - shimdiag: Add stacks command to dump stacks - -commit 0d86597ce55f24b735815d0152362ef33f7985ec -Merge: e38f6590a 20158f49b -Author: Justin -Date: Tue Apr 23 15:51:11 2019 -0700 - - Merge pull request #580 from Microsoft/shimdiag_fix - - Fix shimdiag - -commit ad87c9209ca3465af1cf59c399a31d228b8d7558 -Author: John Starks -Date: Mon Apr 22 12:14:21 2019 -0700 - - shimdiag: Add stacks command to dump stacks - -commit 20158f49bf79623d48228d82a093e8c447a58f84 -Author: Justin Terry (VM) -Date: Tue Apr 23 14:50:02 2019 -0700 - - Fix shimdiag - - 
Signed-off-by: Justin Terry (VM) - -commit e38f6590af69e45ff38af046b7bf4d395e3e1142 -Merge: 8c442edd4 f2a4e6f63 -Author: John Starks -Date: Tue Apr 23 14:50:30 2019 -0700 - - Merge pull request #579 from jstarks/fix_build - - shim: Fix build break - -commit f2a4e6f63ac499a3518df5ab2fc6b00259564fd8 -Author: John Starks -Date: Tue Apr 23 14:46:16 2019 -0700 - - shim: Fix build break - -commit 8c442edd4f71f556f7cd6c1b346c36fd57354b61 -Merge: f072d47a5 0dcdb44b8 -Author: John Starks -Date: Tue Apr 23 14:14:02 2019 -0700 - - Merge pull request #575 from jstarks/shimdiag - - shimdiag: New tool to diagnose runhcs shims - -commit f072d47a533cf2dcdc8aedd12d415206e775ef3c -Merge: c5f1ca9ee 741b914f1 -Author: John Starks -Date: Mon Apr 22 12:17:36 2019 -0700 - - Merge pull request #572 from jstarks/stdio - - internal/hcs: Improve process stdio lifetime - -commit c5f1ca9ee8bd64317296ff0ce30002dfe013baa1 -Merge: 2226e083f 40e0b86ac -Author: John Starks -Date: Mon Apr 22 12:15:17 2019 -0700 - - Merge pull request #576 from jstarks/hvsock - - Replace linuxkit's hvsock support with go-winio's - -commit 40e0b86ace8a904c599158c97f7a0870103716ff -Author: John Starks -Date: Wed Apr 17 15:29:38 2019 -0700 - - Replace linuxkit's hvsock support with go-winio's - - This fixes some race conditions when Close is called concurrently with - other operations. - -commit 92d537f8bdb3deec5ae1a8fe66fc55f6acb2cdbf -Merge: e979295b7 7009c9ee3 -Author: John Starks -Date: Mon Apr 22 09:31:00 2019 -0700 - - Merge pull request #297 from jstarks/ctty - - gcs: Prevent GCS crashing when external process exits - -commit 0dcdb44b887a6a528ca916a8eac85104efca39ff -Author: John Starks -Date: Sun Apr 21 16:49:19 2019 -0700 - - shimdiag: New tool to diagnose runhcs shims - - Currently this tool allows listing running shims and execing a process - in the shim's associated utility VM. 
- -commit 741b914f1849708bf7fd9a3c0a4cf729597b8503 -Author: John Starks -Date: Sun Apr 21 15:43:45 2019 -0700 - - internal/hcs: Improve process stdio lifetime - - To better support the external bridge, associate the stdio handles with - the owning process and close them when the process object is closed. - -commit 7009c9ee3a39777135831d7ef6de7ff31e7ac0eb -Author: John Starks -Date: Sun Apr 21 14:42:08 2019 -0700 - - gcs: Prevent GCS crashing when external process exits - - Currently, when the GCS launches an external process with a pty, that - pty becomes the controlling terminal for the GCS. This causes the kernel - to deliver a SIGHUP signal when the pty is torn down, which causes the - GCS to exit. - - To resolve this, the GCS explicitly opens the terminal with O_NOCTTY so - to avoid making it the controlling terminal. It also now marks the child - as the leader of a new session and has the child make the new pty the - controlling terminal of the child process. - -commit e979295b7e7340a6d855faf371e3f328c68f42bb -Merge: ae778f0c0 c66c35bb8 -Author: Justin -Date: Fri Apr 19 15:05:22 2019 -0700 - - Merge pull request #296 from Microsoft/exit_status - - Upgrade to cmd.ProcessState.ExitCode() with golang 1.12 - -commit c66c35bb8ef3ba16183b0b042caa084cad2bd765 -Author: Justin Terry (VM) -Date: Fri Apr 19 14:20:06 2019 -0700 - - Upgrade to cmd.ProcessState.ExitCode() with golang 1.12 - - 
Signed-off-by: Justin Terry (VM) - -commit 2226e083fc390003ae5aa8325c3c92789afa0e7a -Merge: 672e52e92 92cb5b697 -Author: John Howard -Date: Fri Apr 19 09:18:50 2019 -0700 - - Merge pull request #569 from thaJeztah/add_build_function - - Enhancement: add osversion.Build() utility - -commit ae778f0c05216ef4a0cef00c2acf88fb8dd2f682 -Merge: fefd0ad73 97d538429 -Author: Justin -Date: Thu Apr 18 14:10:13 2019 -0700 - - Merge pull request #295 from jstarks/clean_close_sockets - - gcs: Cleanly shut down stdio sockets to avoid missing data - -commit 97d5384298d150ffbdabe30828466f695dd3adbd -Author: John Starks -Date: Thu Apr 18 08:38:02 2019 -0700 - - gcs: Cleanly shut down stdio sockets to avoid missing data - - Without this change, data written by a process is sometimes discarded - due to vsock timeouts. - -commit 92cb5b6976045984f6f746ca62c37ba952d37cae -Author: Sebastiaan van Stijn -Date: Wed Apr 17 11:39:39 2019 +0200 - - Enhancement: add osversion.Build() utility - - Signed-off-by: Sebastiaan van Stijn - -commit 672e52e9209d1e53718c1b6a7d68cc9272654ab5 -Merge: 2de31e668 d26c179aa -Author: Justin -Date: Wed Apr 17 14:10:21 2019 -0700 - - Merge pull request #571 from Microsoft/shim_mitigations - - Handle Process/Container not found errors and force exits - -commit d26c179aaf72ab2222f1b4a15e533e062b73a7df -Author: Justin Terry (VM) -Date: Wed Apr 17 12:59:08 2019 -0700 - - Force UVM exit after 30 seconds of issuing SIGKILL - - 1. When a SIGKILL is sent to the init process we force the UVM exit after 30 - seconds in order to make sure that whatever state the guest is in the exit is - honored. - - Signed-off-by: Justin Terry (VM) - -commit ac05b8e8289e8406c8b14ea04b336d6201f90fe0 -Author: Justin Terry (VM) -Date: Wed Apr 17 12:58:05 2019 -0700 - - Force HCS process exit on ERROR_NOT_FOUND - - 
Signed-off-by: Justin Terry (VM) - -commit fefd0ad73f6bfa33b8cce597be303e134fddc408 -Merge: 74a636ccd 9cdd8fa77 -Author: Justin -Date: Wed Apr 17 12:53:21 2019 -0700 - - Merge pull request #294 from Microsoft/fix_errors - - Fix errors returned by GCS to align with expectations in the HCS - -commit 9cdd8fa778ca8d289794655b08bf76cd16e75cb4 -Author: Justin Terry (VM) -Date: Wed Apr 17 12:16:24 2019 -0700 - - Return ERROR_VMCOMPUTE_SYSTEM_ALREADY_EXISTS on CreateContainer with existing ID - - Signed-off-by: Justin Terry (VM) - -commit 0a590cc016959494be0aa75056211215f3e1fffc -Author: Justin Terry (VM) -Date: Tue Apr 16 14:46:01 2019 -0700 - - Return ERROR_VMCOMPUTE_SYSTEM_NOT_FOUND on runc kill error - - 1. When a container is not found the HCS expects a GCS to return an HRESULT - error ERROR_VMCOMPUTE_SYSTEM_NOT_FOUND to indicate this condition. - - Signed-off-by: Justin Terry (VM) - -commit a25d497014a31e86a08bfd47b432a2ea269c6351 -Author: Justin Terry (VM) -Date: Tue Apr 16 14:39:16 2019 -0700 - - Return HR ERROR_NOT_FOUND after process exit - - Signed-off-by: Justin Terry (VM) - -commit a30d1c40be12f2ce533acd66f7c26330781c6d2e -Author: Justin Terry (VM) -Date: Wed Apr 17 12:33:53 2019 -0700 - - Fix panic on hcs/process.Close() with nil error - - Signed-off-by: Justin Terry (VM) - -commit 2de31e66884b1ca0d34b02050c3f17a30483d67e -Merge: 65cc4d08a e0408a63d -Author: John Howard -Date: Wed Apr 17 10:01:18 2019 -0700 - - Merge pull request #570 from thaJeztah/make_linux_compat - - osversion: enable using constants on other platforms - -commit 65cc4d08a3eb1f82bb8c43f121f2d96c9a8cd859 -Merge: d626b5ed8 73d28eadd -Author: John Howard -Date: Wed Apr 17 09:49:23 2019 -0700 - - Merge pull request #568 from thaJeztah/add_more_version_details - - Add more information to osversion build numbers - -commit e0408a63d651323e0c1eca5268c65a603d457e9b -Author: Sebastiaan van Stijn -Date: Wed Apr 17 14:22:08 2019 +0200 - - osversion: enable using constants on other platforms - - 
Signed-off-by: Sebastiaan van Stijn - -commit 73d28eadd65466bcb6dfd92096909ccdf1bd6ee8 -Author: Sebastiaan van Stijn -Date: Wed Apr 17 11:10:07 2019 +0200 - - Add more information to osversion build numbers - - This adds some additional comments to the build-numbers, - to help correlate versions to specific Windows Server - and Windows Client releases. - - Signed-off-by: Sebastiaan van Stijn - -commit 7c24cb2992fcdbcf0f608e3af197d9b6d97be6d7 -Author: Justin Terry (VM) -Date: Tue Apr 16 14:32:02 2019 -0700 - - Remove unused error types - - Signed-off-by: Justin Terry (VM) - -commit 74a636ccd2413c624e76b1e43014f985d69296df -Merge: b44ca09d9 94f619b98 -Author: Justin -Date: Mon Apr 15 16:21:28 2019 -0700 - - Merge pull request #293 from Microsoft/move_v2_runtime - - Refactor the v2 runtime into its own packages - -commit d626b5ed8558681876445a76bd15adf93d88fe52 -Merge: 9b6bfe997 84caab8be -Author: Justin -Date: Mon Apr 15 15:21:58 2019 -0700 - - Merge pull request #566 from Microsoft/jjh/combinedlayers - - Remove combinedlayers: rootfs not scratch - -commit 84caab8be6d75ce0599ac07ec14b39fffac81d5a -Author: John Howard -Date: Mon Apr 15 14:05:43 2019 -0700 - - Remove combinedlayers: rootfs not scratch - - Signed-off-by: John Howard - -commit 9b6bfe997ff9fdfc2fc1652baa0428701fd62361 -Merge: 2ff26cfd6 3cc8994ee -Author: Justin -Date: Mon Apr 15 13:25:57 2019 -0700 - - Merge pull request #565 from Microsoft/hcs_notification_string - - Force log NotificationType to string - -commit 3cc8994eeab9449776a4e6831bbf5c9bdc4620cb -Author: Justin Terry (VM) -Date: Mon Apr 15 12:06:59 2019 -0700 - - Force log NotificationType to string - - 
Signed-off-by: Justin Terry (VM) - -commit 2ff26cfd637d52367df40cfafdc5a82707a9d245 -Merge: 21d3401b7 dca6e46c0 -Author: John Starks -Date: Mon Apr 15 11:06:44 2019 -0700 - - Merge pull request #564 from jstarks/uvmboot_gcs - - uvmboot: Optionally launch process through GCS - -commit 21d3401b73e708e918afb338cfb191c6cee175ad -Merge: ff9e4e053 c8890a691 -Author: John Starks -Date: Mon Apr 15 11:06:27 2019 -0700 - - Merge pull request #563 from jstarks/opengcs_log_id - - uvm: Include VM ID in opengcs logs - -commit ff9e4e05380872d452f60654dcde6035b39a8651 -Merge: 2cdaeca8c afbc0d927 -Author: Kevin Parsons -Date: Mon Apr 15 10:55:23 2019 -0700 - - Merge pull request #562 from Microsoft/etw-capture-state - - Dump stacks on ETW capture state - -commit 94f619b9886943fc5e8473eba5247fef60de747a -Author: Justin Terry (VM) -Date: Thu Apr 11 10:40:42 2019 -0700 - - Fix issue in storage v1 overlay when readonly==true - - Signed-off-by: Justin Terry (VM) - -commit c8890a6919c732e3124b2ba4503dba8b6986f04f -Author: John Starks -Date: Sat Apr 13 10:47:27 2019 -0700 - - uvm: Include VM ID in opengcs logs - - This also cleans up the opengcs log output a bit. - -commit dca6e46c05cbe4999769ca34fcad05db26563075 -Author: John Starks -Date: Sat Apr 13 14:06:08 2019 -0700 - - uvmboot: Optionally launch process through GCS - -commit afbc0d9278737187b7371390044395c0c562b78e -Author: Kevin Parsons -Date: Fri Apr 12 12:40:57 2019 -0700 - - Dump stacks on ETW capture state - -commit 2d6fc9761345249323b83e969ab853793d783b85 -Author: Justin Terry (VM) -Date: Wed Apr 10 20:02:24 2019 -0700 - - Retry SCSI mount on source ENOENT - - Signed-off-by: Justin Terry (VM) - -commit b43e2805cfded49f20ce24c09fc80eed4d511680 -Author: Justin Terry (VM) -Date: Tue Apr 9 07:48:15 2019 -0700 - - Seperate UVM.go into Host/Container/Process - - 
Signed-off-by: Justin Terry (VM) - -commit de5eaeff2551d5cecc0590633db835cb14c4f2be -Author: Justin Terry (VM) -Date: Tue Apr 9 07:44:37 2019 -0700 - - Remove v2 runc devices.HostDevices clone to actual runc package - - Signed-off-by: Justin Terry (VM) - -commit 94ff9eb3f04d742921abb60fd44310b398bfcf2e -Author: Justin Terry (VM) -Date: Mon Apr 8 21:23:45 2019 -0700 - - Convert all v2 code to LF - - Signed-off-by: Justin Terry (VM) - -commit a691da48155cd76b351bf1e03269d0a32ae5f2bb -Author: Justin Terry (VM) -Date: Mon Apr 8 21:20:33 2019 -0700 - - Move v2 devicemapper to internal package - - Signed-off-by: Justin Terry (VM) - -commit fb1e76415036162c169ff8f4ef8933b8b12dc20a -Author: Justin Terry (VM) -Date: Mon Apr 8 21:13:32 2019 -0700 - - Move v2 HCS runtime to internal package - - Signed-off-by: Justin Terry (VM) - -commit 259620a62d80d3edfae6ca9b3844881d2d46f4cf -Author: Justin Terry (VM) -Date: Mon Apr 8 21:04:52 2019 -0700 - - Move v2 network calls to golang packages - - Signed-off-by: Justin Terry (VM) - -commit 146630234cbf7dc5db90f22e0be3215b38954ee8 -Author: Justin Terry (VM) -Date: Mon Apr 8 08:41:22 2019 -0700 - - Move v2 storage calls to golang packages - - 
Signed-off-by: Justin Terry (VM) - -commit b44ca09d9c8990555b282f0cf54509e4bb8c7c67 -Merge: fb92ea943 1edcb065d -Author: Justin -Date: Wed Apr 10 11:25:07 2019 -0700 - - Merge pull request #292 from Microsoft/jjh/go1.12 - - Bump to golang 1.12.2 - -commit 2cdaeca8ccc9d3f1a34933b38e14bd88cafb9b60 -Merge: 9972f06ea f5310758b -Author: John Howard -Date: Wed Apr 10 11:01:48 2019 -0700 - - Merge pull request #561 from Microsoft/process_element_not_found - - Handle ERROR_NOT_FOUND for HcsSignalProcess - -commit f5310758b272932825bcf5693d955cb550f5c21b -Author: Justin Terry (VM) -Date: Tue Apr 9 15:36:01 2019 -0700 - - Handle ERROR_NOT_FOUND for HcsSignalProcess - - Handles ERROR_NOT_FOUND for HcsSignalProcess and properly coverts this to the - containerd errdefs.ErrNotFound so upstream callers handle the exit - appropriately. - - Signed-off-by: Justin Terry (VM) - -commit 9972f06ea8ba09cdddeb5469c2b420c39d402293 -Merge: 3872cadcf 04d6f9d25 -Author: Justin -Date: Tue Apr 9 13:01:23 2019 -0700 - - Merge pull request #558 from Microsoft/jjh/go1.12 - - Bump appveyor to go 1.12.2 - -commit 3872cadcf58544e0828ab66565c57e4a71b3917e -Merge: cb301955a 171ecf14b -Author: Justin -Date: Tue Apr 9 13:00:54 2019 -0700 - - Merge pull request #560 from Microsoft/jjh/containerlogs - - Improvements to Get-ContainerLogs.ps1 - -commit cb301955a09002a2ba89e41de58f8be8eed51644 -Merge: 063ae4a83 7368ff639 -Author: Justin -Date: Tue Apr 9 13:00:02 2019 -0700 - - Merge pull request #557 from Microsoft/jjh/bumpgowinio - - Vendor go-winio@84b4ab48 - -commit 171ecf14b4727b58a691253372372520523998f1 -Author: John Howard -Date: Mon Apr 8 16:04:30 2019 -0700 - - More in Get-ContainerLogs.ps1 - - 
Signed-off-by: John Howard - -commit 063ae4a83d78bdb93f76b18cc894c6342fa85c15 -Merge: 2164cfd2b d9b0d4eab -Author: Justin -Date: Mon Apr 8 15:16:05 2019 -0700 - - Merge pull request #559 from jstarks/rootwait - - uvm: Add rootwait kernel param to wait for pmem enumeration - -commit d9b0d4eab515062dbdf42ca98b777eebd90abc2b -Author: John Starks -Date: Mon Apr 8 14:48:21 2019 -0700 - - uvm: Add rootwait kernel param to wait for pmem enumeration - -commit 1edcb065d3e3bbe53582acaa3c12c1fb24713381 -Author: John Howard -Date: Mon Apr 8 10:47:37 2019 -0700 - - Bump to golang 1.12.2 - - Signed-off-by: John Howard - -commit 04d6f9d256b0dd21c6c85e078ff70a17315a6113 -Author: John Howard -Date: Mon Apr 8 10:45:57 2019 -0700 - - Bump appveyor to go 1.12.2 - - Signed-off-by: John Howard - -commit 7368ff6398231e05c804df9d8927980805e3b9e9 -Author: John Howard -Date: Mon Apr 8 10:41:03 2019 -0700 - - Vendor go-winio@84b4ab48 - - Signed-off-by: John Howard - -commit 2164cfd2b36485c89c005d62a7775db8ecafa2d5 -Merge: 5cfbffa6f 1aeec512e -Author: John Howard -Date: Fri Apr 5 21:51:37 2019 -0700 - - Merge pull request #553 from Microsoft/nil_exec_io - - Stop setting UpstreamIO to nil on Close - -commit 5cfbffa6fcc820f02db5ac8fd689c3b5eab7a8dd -Merge: 54eefb59e 6efbfe7b6 -Author: John Howard -Date: Fri Apr 5 21:33:02 2019 -0700 - - Merge pull request #554 from Microsoft/jjh/getcontainerlogs - - Get-ContainerLogs.ps1 for later analysis - -commit 54eefb59e631f960b9062bb24921fc6f7dae60cc -Merge: fe65d3a22 07fdeeb6f -Author: Justin -Date: Fri Apr 5 20:43:59 2019 -0700 - - Merge pull request #551 from Microsoft/parallel_scsi - - Always send guest eject for SCSI LCOW HotRemove - -commit 6efbfe7b6f62205f2824f86b7b7d4b50b51a2fd9 -Author: John Howard -Date: Fri Apr 5 20:37:51 2019 -0700 - - Add Get-ContainerLogs.ps1 for later analysis - - 
Signed-off-by: John Howard - -commit 1aeec512ec7c709bd838e54d6f1f0b7e3f644e5e -Author: Justin Terry (VM) -Date: Fri Apr 5 19:24:43 2019 -0700 - - Stop setting UpstreamIO to nil on Close - - 1. Stops setting UpstreamIO to nil on Close or CloseStdin. This means that the - call will always return a valid non-nil connection even if that connection has - been previously closed. This will stop the shim from panic'ing and instead - return a "connection already closed" error if used. - 2. Adds a check on the invariant state of in, out, serr returned from the - platform and makes sure it matches the requested state on creation. - - Signed-off-by: Justin Terry (VM) - -commit fe65d3a22edb981dd6b43349a4b14eade8877c03 -Merge: ca6ca4a84 69593ae4b -Author: John Howard -Date: Fri Apr 5 19:23:17 2019 -0700 - - Merge pull request #552 from Microsoft/jjh/stack2file - - shim:dump stack to file as well - -commit 69593ae4b5b81ec7798eab1d78cdffe920bfc0e4 -Author: John Howard -Date: Fri Apr 5 19:16:20 2019 -0700 - - shim:dump stack to file as well - - Signed-off-by: John Howard - -commit 07fdeeb6fbcd470c3e108c2cda305d577ec859f9 -Author: Justin Terry (VM) -Date: Fri Apr 5 18:18:53 2019 -0700 - - Always send guest eject for SCSI LCOW HotRemove - - It turns out that the Linux kernel can get very confused if a HotRemove - on the SCSI happens without a guest initiated eject. This change will always - initiate a guest request to eject the SCSI controller/lun before removing the - virtual disk from the host UVM. - - Signed-off-by: Justin Terry (VM) - -commit ca6ca4a843cb116b52999c48991c58e9a2fb8432 -Merge: cf1c2137f 301b57806 -Author: Justin -Date: Fri Apr 5 10:47:08 2019 -0700 - - Merge pull request #549 from Microsoft/jjh/cwd - - Move panic log to bundle dir - -commit 301b57806b2f44d884758c9946f333b21342f664 -Author: John Howard -Date: Fri Apr 5 10:34:43 2019 -0700 - - Move panic log to bundle dir - - 
Signed-off-by: John Howard - -commit fb92ea943aae21d45b03d8e553f85aabdd7b4332 -Merge: 349ae4363 216a74135 -Author: Justin -Date: Thu Apr 4 15:05:07 2019 -0700 - - Merge pull request #291 from Microsoft/jterry75/revendor - - Change to lk4d4/vndr - -commit 216a7413536343046d89406ceb6464e7113ffba2 -Author: Justin Terry (VM) -Date: Tue Oct 2 12:13:32 2018 -0700 - - Change to lk4d4/vndr - - Does a sweeping update to our vendor system and the vendor files to more - recent versions. - - Signed-off-by: Justin Terry (VM) - -commit cf1c2137fae1541cf405f1e9c5a1aaa0f53dd96a -Merge: 4e93834c8 188324048 -Author: John Howard -Date: Thu Apr 4 13:56:35 2019 -0700 - - Merge pull request #547 from Microsoft/panic_log - - Hook up a panic.log on shim serve - -commit 188324048cd81b5b6d149ebe49fc22e7506e3d0e -Author: Justin Terry (VM) -Date: Thu Apr 4 13:48:14 2019 -0700 - - Hook up a panic.log on shim serve - - Signed-off-by: Justin Terry (VM) - -commit 4e93834c8eda905fd06c8d71e6f982faa84294a9 -Merge: 2e6420689 3014ea00a -Author: Justin -Date: Wed Apr 3 16:02:48 2019 -0700 - - Merge pull request #546 from Microsoft/fix_notification_hang - - Fix real deadlock in notification delivery - -commit 3014ea00aca9d8e664a8fbcb34d4bb5f760d82ab -Author: Justin Terry (VM) -Date: Wed Apr 3 15:00:07 2019 -0700 - - Fix real deadlock in notification delivery - - 
Signed-off-by: Justin Terry (VM) - -commit 2e6420689588596b88cfd75ec2398b943138c024 -Merge: 5e4b87435 6b1e170c0 -Author: John Howard -Date: Tue Apr 2 11:49:42 2019 -0700 - - Merge pull request #545 from Microsoft/runhcs_test_tag - - Move 'integration' to 'functional' tag for runhcs tests - -commit 5e4b87435fe3edac66b977760e2f1d86a61bc4e4 -Merge: b297343be be79e1d9e -Author: John Howard -Date: Tue Apr 2 11:44:53 2019 -0700 - - Merge pull request #544 from Microsoft/get_properties_log - - Fix system.Properties log message - -commit 6b1e170c08c811f50e4087ed6fdc6661f94722ba -Author: Justin Terry (VM) -Date: Tue Apr 2 11:43:45 2019 -0700 - - Move 'integration' to 'functional' tag for runhcs tests - - Signed-off-by: Justin Terry (VM) - -commit b297343becffcd6b627704a6c41a7c1aaca5894e -Merge: 5f3c4ba7a bc4fd1919 -Author: John Howard -Date: Tue Apr 2 11:42:06 2019 -0700 - - Merge pull request #543 from Microsoft/wait_uvm_stop - - Convert all users of uvm.Terminate to uvm.Close() - -commit be79e1d9e80415f30780138c34c2c72b58a03c5a -Author: Justin Terry (VM) -Date: Tue Apr 2 11:41:11 2019 -0700 - - Fix system.Properties log message - - Signed-off-by: Justin Terry (VM) - -commit bc4fd19197f371cf367228720297436faf67f233 -Author: Justin Terry (VM) -Date: Tue Apr 2 11:33:58 2019 -0700 - - Convert all users of uvm.Terminate to uvm.Close() - - Signed-off-by: Justin Terry (VM) - -commit 349ae436354479669671ad88fda9df48a29b9983 -Merge: a8a6fa155 863e4ec81 -Author: Justin -Date: Tue Apr 2 10:40:35 2019 -0700 - - Merge pull request #290 from Microsoft/jjh/lostandfound - - Exclude lost+found from tar stream - -commit 863e4ec81587b0940d3cc47c703a7d14e0d31a4a -Author: John Howard -Date: Tue Apr 2 10:06:31 2019 -0700 - - Exclude lost+found from tar stream - - 
Signed-off-by: John Howard - -commit 5f3c4ba7af30b0c3a6aee5b98982b8b2a9886aa1 -Merge: defb34daf e906b8d14 -Author: John Howard -Date: Mon Apr 1 18:47:24 2019 -0700 - - Merge pull request #542 from Microsoft/fix_2nd_kill - - Serialize all shim errors to gRPC known types - -commit e906b8d14d5bccc09c0afedbcf71d94f387914f9 -Author: Justin Terry (VM) -Date: Mon Apr 1 15:47:38 2019 -0700 - - Shims MUST return errdefs.ErrNotFound in process exited state - - Signed-off-by: Justin Terry (VM) - -commit 3d479932af6fd65760672f2ee125adeb4f958634 -Author: Justin Terry (VM) -Date: Mon Apr 1 15:45:41 2019 -0700 - - Serialize all shim errors to gRPC known types - - We should be using errdefs.ToGRPC when sending errors as a return value from - the shim. This converts known error types to a propery serialized chain and - maintains the Causer interface associated with the proper underlying error. - - Signed-off-by: Justin Terry (VM) - -commit defb34daf263bd3f06d369908ff07fd8733e4eec -Merge: 6aaa89c07 0bbe10215 -Author: Justin -Date: Mon Apr 1 15:11:05 2019 -0700 - - Merge pull request #541 from Microsoft/fix_signal_syscall - - Fix signal support for WCOW - -commit 0bbe10215f4c337cd5a404f3fa31da269e26de37 -Author: Justin Terry (VM) -Date: Mon Apr 1 08:19:29 2019 -0700 - - Fix Signal support for WCOW - - Signal support on WCOW based on the HCS API is actually marshalled by string - value rather than integer value. This change makes sure that the signal struct - created for WCOW validates and uses the appropriate Ctrl* string. - - Signed-off-by: Justin Terry (VM) - -commit 9bbcd877c24e80e42f6e5b4c10d7e81bdfef3298 -Author: Justin Terry (VM) -Date: Fri Mar 29 14:20:49 2019 -0700 - - Fix an issue with Signal calling the wrong syscall - - There was a bug in hcs.go where hcsSignalProcess was actually the syscall for - HcsTerminateProcess due to a copy paste bug. - - 
Signed-off-by: Justin Terry (VM) - -commit 6aaa89c07dd2364377681486e0158414ef1df924 -Merge: ba3d66677 85f41cb97 -Author: John Howard -Date: Thu Mar 28 15:00:33 2019 -0700 - - Merge pull request #540 from Microsoft/exec_created_delete - - Change the state model allow Delete from Created - -commit 85f41cb97de5b86f1c908f475ebc920bb26bfae1 -Author: Justin Terry (VM) -Date: Thu Mar 28 12:35:14 2019 -0700 - - Change the state model allow Delete from Created - - Signed-off-by: Justin Terry (VM) - -commit ba3d6667710fa905116f39a19d059c4c1016be7c -Merge: eb44e6f81 295e58048 -Author: John Howard -Date: Wed Mar 27 14:08:02 2019 -0700 - - Merge pull request #537 from Microsoft/task_exit_for_real - - Fix a bug in Wait when waiting on the init task - -commit 295e580485711cd514fd54bf6fa42beafadef840 -Author: Justin Terry (VM) -Date: Wed Mar 27 13:53:27 2019 -0700 - - Fix panic in WCOW Hypervisor activations - - Signed-off-by: Justin Terry (VM) - -commit 38d2294a57126fab4564ff0a0949161ebc5dded6 -Author: Justin Terry (VM) -Date: Wed Mar 27 11:13:24 2019 -0700 - - Forcibly unblock Waiters when a client closes its HCS Handle - - Code could cause a Wait forever hang if the HCS Handle was closed - without a proper ComputeSystemExit notification. This will forcibly - unblock all Waiters in this case. - - Signed-off-by: Justin Terry (VM) - -commit 7e8e68edc8b3e2f5b8303f26254caed785943541 -Author: Justin Terry (VM) -Date: Wed Mar 27 10:18:46 2019 -0700 - - Fix a bug in Wait when waiting on the init task - - The async event TaskExit is sent post container/UVM shutdown but the actual - caller may have been unblocked on the call to Wait. We now return form Wait - after the container/UVM shutdown and alerting async TaskExit. - - 
Signed-off-by: Justin Terry (VM) - -commit eb44e6f81a7f48450a06f90578105b4da2a36f0e -Merge: 8abdbb820 c42360e09 -Author: Justin -Date: Tue Mar 26 11:53:38 2019 -0700 - - Merge pull request #535 from Microsoft/jjh/shimopts - - Don't nil deref on no shim options - -commit c42360e090ac16f41e5ce912445653250b21b91f -Author: John Howard -Date: Tue Mar 26 11:36:33 2019 -0700 - - Don't nil deref on no shim options - - Signed-off-by: John Howard - -commit 8abdbb8205e4192c68b5f84c31197156f31be517 -Merge: b849a6eab b672b668a -Author: John Howard -Date: Mon Mar 25 09:49:09 2019 -0700 - - Merge pull request #533 from Microsoft/wait_vm_or_container - - Change HCS TaskExit ownership responsibility - -commit b849a6eabf6b418649f1dbdec4a0382e856bb686 -Merge: a003d6e08 368cb2d5f -Author: Justin -Date: Fri Mar 22 16:01:36 2019 -0700 - - Merge pull request #534 from Microsoft/alphabetical - - G comes before U and Zed - -commit 368cb2d5f834c60b0a8b2f3b7c0f7b4ef541e296 -Author: John Howard -Date: Fri Mar 22 15:58:16 2019 -0700 - - G comes before U and Zed - - 
Signed-off-by: John Howard - -commit a003d6e089ca301c0ca1eab379cf22aa160c93f6 -Merge: 6fd620859 39389a22e -Author: Justin -Date: Fri Mar 22 15:51:30 2019 -0700 - - Merge pull request #520 from nagiesek/fixDefGWbug - - Fix bug where we error on network creation if no subnet was provided - -commit a8a6fa155cb3f3896813efa50db429c51931fccf -Merge: 92ea373dc aa707760e -Author: Justin -Date: Fri Mar 22 15:50:38 2019 -0700 - - Merge pull request #289 from Microsoft/go1.12.1 - - Bump go to 1.12.1 - -commit 6fd620859db4933bd861491a1d8e639a02ddb6ee -Merge: 5eaaf4090 692f817c5 -Author: John Howard -Date: Fri Mar 22 14:43:15 2019 -0700 - - Merge pull request #532 from Microsoft/jjh/grantvmgroupaccess - - Add grantvmgroupaccess.exe; Move uvmboot/zapdir to internal - -commit b672b668a733ccc1c9752a93d57de066ad098542 -Author: Justin Terry (VM) -Date: Fri Mar 22 13:07:09 2019 -0700 - - Fix deadlock in System/Process Wait - - If more than one thread called Wait* on the same hcs system/process handle the - exit notification would only be sent to one of the callers. This would cause - the other caller to wait for another event to be delivered on the channel that - would never come. - - This makes the model honor a single internal waiter on the platform - notification but allows for multiple Wait* calls from any number of goroutines. - - Signed-off-by: Justin Terry (VM) - -commit aa707760eadd77bd509a0090f058f91957f76085 -Author: John Howard -Date: Fri Mar 22 12:19:19 2019 -0700 - - Bump go to 1.12.1 - - 
Signed-off-by: John Howard - -commit d6e4ea4871ee8941d7a92119a5bbbac8ab2f05a9 -Author: Justin Terry (VM) -Date: Fri Mar 22 10:49:49 2019 -0700 - - Change HCS TaskExit ownership responsibility - - It turns out that eventing the TaskExit at the end of a process is not the - correct time on Windows. In all cases there is a container Silo seperate from - the init process and in Hypervisor isolated cases there is a parent UtilityVM. - - This change makes the init process TaskExit notification only fire once the - Silo/UtilityVM are successfully torn down making sure there are no resources in - use when the TaskExit is sent. - - Signed-off-by: Justin Terry (VM) - -commit 692f817c56520956834a23c1b9ebc4802d650817 -Author: John Howard -Date: Fri Mar 22 10:31:28 2019 -0700 - - Vendor Microsoft/go-winio@c599b533 - - Signed-off-by: John Howard - -commit 73f530d6f91b3cf16ef6309b5e3c0ef67937a307 -Author: John Howard -Date: Fri Mar 22 10:27:38 2019 -0700 - - Add grantvmgroupaccess.exe; Move uvmboot/zapdir to internal - - Signed-off-by: John Howard - -commit 5eaaf4090cae3203685bf7cc793ed5295b1e7c33 -Merge: e89c9396d 9884e156e -Author: Justin -Date: Thu Mar 21 14:49:13 2019 -0700 - - Merge pull request #531 from Microsoft/remove_grantvmaccess - - Stop setting grantvmaccess per layer.vhd - -commit 9884e156e4b1661202996e1ade1f6616867dbc47 -Author: Justin Terry (VM) -Date: Thu Mar 21 14:41:45 2019 -0700 - - Stop setting grantvmaccess per layer.vhd - - 
Signed-off-by: Justin Terry (VM) - -commit 39389a22ebda9afe576619ffc49bab3560321c33 -Author: Nathan Gieseker -Date: Wed Mar 20 17:04:20 2019 -0700 - - Fix bug where we error on network creation if no subnet was provided. Add test for case - -commit e89c9396dd628520b19e9bfe9cd9e35a01724dbb -Merge: dd292d70f 8439a2ae6 -Author: Justin -Date: Wed Mar 20 14:23:48 2019 -0700 - - Merge pull request #526 from Microsoft/uvm_qos - - Add support for WCOW/LCOW QoS - -commit 8439a2ae623e346eb1002d96cfe12b9df0291339 -Author: Justin Terry (VM) -Date: Wed Mar 20 13:42:08 2019 -0700 - - Add temporary workaround for Windows Process CPU QoS - - Windows RS5 has a bug in Windows Process Container CPU QoS that if the - Processor structure is passed at all it assumes the Count variable first and - does not allow setting Limit or Weight. For now silently ignore these - additional QoS features and succeed the activation to run the process. - - Signed-off-by: Justin Terry (VM) - -commit ee50c30a22620b5f90d6befc64e6e37c26e19aa9 -Author: Justin Terry (VM) -Date: Wed Mar 20 12:44:32 2019 -0700 - - Verify that Windows Process Container CPU Count, Limit, Weight are mutually exclusive - - Signed-off-by: Justin Terry (VM) - -commit b24f7834147de1e8571fd5065a514c370ec3d885 -Author: Justin Terry (VM) -Date: Mon Mar 18 15:03:26 2019 -0700 - - Add CRI Pod/Container tests for QoS settings - - Signed-off-by: Justin Terry (VM) - -commit a69324df03ad189d775d7410847d6a1b2926980a -Author: Justin Terry (VM) -Date: Mon Mar 18 15:03:07 2019 -0700 - - Add support for LCOW CPU/Memory QoS - - Signed-off-by: Justin Terry (VM) - -commit b97dccccf12999d096e57f7424cdfcfac46fa32a -Author: Justin Terry (VM) -Date: Mon Mar 18 08:45:11 2019 -0700 - - Add support for WCOW Container CPU/Memory/Storage QoS - - Signed-off-by: Justin Terry (VM) - -commit 4bd9a3d7a389e3f75daccdbf1b0ccff56864647b -Author: Justin Terry (VM) -Date: Mon Mar 18 07:35:21 2019 -0700 - - Add support for UVM CPU/Memory/Storage QoS - - 
Signed-off-by: Justin Terry (VM) - -commit dd292d70f832102200f2051eb1b7cec62d78c373 -Merge: 077e62580 8f652be72 -Author: Justin -Date: Wed Mar 20 12:19:55 2019 -0700 - - Merge pull request #530 from Microsoft/fix_cpu_count_settings - - Automatically verify and downgrade user CPUCount to runtime.NumCPU - -commit 8f652be7202918a51a52098b047746e277d32f8e -Author: Justin Terry (VM) -Date: Wed Mar 20 11:54:53 2019 -0700 - - Automatically verify and downgrade user CPUCount to runtime.NumCPU - - Signed-off-by: Justin Terry (VM) - -commit 077e625804dcda7d01c1f476d66d048ef64e16b4 -Merge: 1ad3514ad ccc74aa1b -Author: Justin -Date: Wed Mar 20 10:59:49 2019 -0700 - - Merge pull request #529 from kevpar/cri-runtime-names - - Update tests to new CRI runtime names - -commit ccc74aa1b59e9ff9fe122ce74a0fa51ca14440e0 -Author: Kevin Parsons -Date: Tue Mar 19 17:34:37 2019 -0700 - - Update tests to new CRI runtime names - -commit 1ad3514ad597919f266cd0a43289a62976110bcf -Merge: cdb2e93ab a3cc970d2 -Author: Kevin Parsons -Date: Tue Mar 19 15:59:52 2019 -0700 - - Merge pull request #527 from kevpar/shim-start-logging - - Log message when shim starts - -commit a3cc970d2e3928a4b6b3c0da3a46b1539cd81731 -Author: Kevin Parsons -Date: Tue Mar 19 15:47:36 2019 -0700 - - Log event at shim launch - -commit 5776786a50f3230a36b8255c9187655b57c26047 -Author: Kevin Parsons -Date: Tue Mar 19 15:27:57 2019 -0700 - - Vendor updated etw package from go-winio - -commit cdb2e93abad1a01ec5034fefbcc470ed0fa95769 -Merge: 49875ffd1 bd87a899f -Author: Kevin Parsons -Date: Tue Mar 19 15:16:55 2019 -0700 - - Merge pull request #528 from Microsoft/vendor - - Update vendor since opengcs cleanups - -commit bd87a899f3997d6c015ec3c065e2f71faa396bcc -Author: Justin Terry (VM) -Date: Tue Mar 19 15:12:29 2019 -0700 - - Update vendor since opengcs cleanups - - 
Signed-off-by: Justin Terry (VM) - -commit 49875ffd15a5cd2a9c00ab3a3eec2446748542ff -Merge: 6e3bb06e9 12c9a45c4 -Author: Justin -Date: Mon Mar 18 09:39:33 2019 -0700 - - Merge pull request #525 from Microsoft/oci_uvm_memorymb - - Fix bug in UVM activation when using OCI Windows.Resources.Memory.Limit - -commit 6e3bb06e953c6eddd3a34a2d731409365e79843f -Merge: a00fe2fce e8406e5cb -Author: Justin -Date: Mon Mar 18 09:38:55 2019 -0700 - - Merge pull request #524 from Microsoft/wcow_processor_count - - Fix bug setting WCOW UVM processor count overrides - -commit 12c9a45c45cc1f6a4c7458d58deaf0de0f9ccb67 -Author: Justin Terry (VM) -Date: Mon Mar 18 08:49:59 2019 -0700 - - Fix bug in UVM activation when using OCI Windows.Resources.Memory.Limit - - When using the sandbox override annotation: - "io.microsoft.virtualmachine.computetopology.memory.sizeinmb" in CRI the - setting is expected in MB. When using OCI Windows.Resources.Memory.Limit the - setting is expeced in Bytes. The platform expects the setting in MB. So the - resolver now ALWAYS returns MB regardless if using the annotation override or - OCI spec. - - Signed-off-by: Justin Terry (VM) - -commit e8406e5cb535901398582ade05fc5d42e27a6ee9 -Author: Justin Terry (VM) -Date: Mon Mar 18 07:37:58 2019 -0700 - - Fix bug setting WCOW UVM processor count overrides - - Signed-off-by: Justin Terry (VM) - -commit a00fe2fce5d45292943c7915ac94598cc765da88 -Merge: f3a1ac157 a7fbd2054 -Author: Justin -Date: Fri Mar 15 15:56:03 2019 -0700 - - Merge pull request #523 from Microsoft/uvm_logs - - Update UVM package logging to include context - -commit a7fbd2054c48cf1b0dfc1312886a12fb404042f2 -Author: Justin Terry (VM) -Date: Tue Dec 11 14:36:09 2018 -0800 - - Update UVM package logging to include context - - 
Signed-off-by: Justin Terry (VM) - -commit f3a1ac15727bba581b32c424411c6078f23b0fe5 -Merge: ada9cb39f edb57c501 -Author: Kevin Parsons -Date: Wed Mar 13 16:49:18 2019 -0700 - - Merge pull request #522 from Microsoft/fix_oom_issue - - Fix bug that fails to return error when out of memory - -commit edb57c5018951655883549b587927220ef7fce08 -Author: Justin Terry (VM) -Date: Wed Mar 13 16:32:53 2019 -0700 - - Fix bug that fails to return error when out of memory - - Fixed a bug when UVM activation fails that we fail to return the error message - and continue to process the setup code. - - Fixed an issue where we nil out the hcsSystem on the UVM after a call to Close - that causes any additional calls to the package to panic the shim rather than - returning the hcs.IsAlreadyClosed(err) error. - - Signed-off-by: Justin Terry (VM) - -commit 92ea373dcfec072a7e9a6153bbeb2405eee9792a -Merge: 73c53b9ad 003597a58 -Author: Justin -Date: Tue Mar 12 22:13:40 2019 -0700 - - Merge pull request #287 from Microsoft/jjh/options - - LCOW(v1) Remove kernel/initrd options - -commit 73c53b9ad7a05d2da289911151bb3deb246a47d9 -Merge: ab045a2bc 8e8fdcd07 -Author: Justin -Date: Tue Mar 12 22:11:41 2019 -0700 - - Merge pull request #288 from Microsoft/jjh/kernelstep1 - - Remove Kernel! - -commit 8e8fdcd070470c727231147279792649c533899f -Author: John Howard -Date: Tue Mar 12 19:40:51 2019 -0700 - - Remove Kernel! - - Signed-off-by: John Howard - -commit 003597a58952b61ef04c86bcc8908abe240977d7 -Author: John Howard -Date: Tue Mar 12 19:02:06 2019 -0700 - - LCOW(v1) Remove kernel/initrd options - - 
Signed-off-by: John Howard - -commit ab045a2bc5fce7f633426c1376146a1a2671df78 -Merge: aff0cdb81 71f3f033c -Author: Justin -Date: Tue Mar 12 16:03:40 2019 -0700 - - Merge pull request #285 from Microsoft/get_properties_v2 - - Implement GetProperties pids for V2 - -commit ada9cb39f715fb568e1030e7613732bb4f1e4aeb -Merge: 7d988c6d1 24eaac223 -Author: John Howard -Date: Tue Mar 12 16:02:10 2019 -0700 - - Merge pull request #505 from Microsoft/v2_shim_pids - - Implement v2 shim pids query - -commit 71f3f033c12201677c87e2b00d291acb30f5f6f3 -Author: Justin Terry (VM) -Date: Mon Mar 11 13:09:20 2019 -0700 - - Implement GetProperties pids for V2 - - Signed-off-by: Justin Terry (VM) - -commit 24eaac223226d5c571d39c9ef942f0599d6aac01 -Author: Justin Terry (VM) -Date: Tue Mar 5 22:32:11 2019 -0800 - - Implement v2 shim pids query - - Signed-off-by: Justin Terry (VM) - -commit 7d988c6d1cba961fc4d7c0d771da4f6d0074ff17 -Merge: bdb1fd454 49cf94393 -Author: Justin -Date: Tue Mar 12 10:26:02 2019 -0700 - - Merge pull request #506 from Microsoft/jjh/createnetworknamespace - - Logging in createNetworkNamespace - -commit 49cf94393f6cadb619c59e81c4e11b1e832cc39b -Author: John Howard -Date: Wed Mar 6 09:44:47 2019 -0800 - - Logging in createNetworkNamespace - - 
Signed-off-by: John Howard - -commit aff0cdb81b83e6dc8753bd2f3bffa26e442ff17f -Merge: e8850a5d6 b33538897 -Author: Justin -Date: Mon Mar 11 14:02:52 2019 -0700 - - Merge pull request #286 from Microsoft/v2_hotremove_network - - Change HotRemove NIC to warning instead of error - -commit b335388971b3f9d023d4672093d0f6d5017808ee -Author: Justin Terry (VM) -Date: Mon Mar 11 13:36:18 2019 -0700 - - Change HotRemove NIC to warning instead of error - - We don't actually fully support HotRemove NIC from namespace but since - this only happens on teardown we likely don't need it. For now just log - this as a warning rather than returning an error because we do - actually try to safe remove it from the host side on shutdown which is - returning an error that is silently ignored. - - Signed-off-by: Justin Terry (VM) - -commit bdb1fd4543d3c71c04eb4f6c4c26c4cf6cd8b71c -Merge: 35a24d0f3 89fed83f1 -Author: Justin -Date: Fri Mar 8 20:28:13 2019 -0800 - - Merge pull request #517 from Microsoft/argon_activiation - - Revert removal of WCOW pause container activation - -commit 89fed83f178772eac1b3d52c81480f2ea3c4e8ef -Author: Justin Terry (VM) -Date: Fri Mar 8 18:26:44 2019 -0800 - - Forcibly close stdout, stderr relay after timeout - - Implements a safety fallback when the HCS fails to close the stdout, stderr - IO pipes after a process exit. In this case the ioWg would wait forever and - hang the shim and all cleanup logic waiting for the exit event. This code now - forcibly closes the handles if not already closed naturally after the post - process exit timeout. - - 
Signed-off-by: Justin Terry (VM) - -commit 3d974573138bbccc5177abc2a943462c1fb21ffa -Author: Justin Terry (VM) -Date: Fri Mar 8 15:13:57 2019 -0800 - - Forcibly terminate running process after signal - - There are cases in Windows where a signal to a process may not actually - cause the process to stop. As a best practice when a signal is expected - to cause the process to stop IE: SIGKILL, SIGTERM we now forcibly - terminate the process after a timeout period if the process does not - stop on its own. - - Signed-off-by: Justin Terry (VM) - -commit 2a9b26d6bcd5950ea0748e3bc6291ddbcfea08d6 -Author: Justin Terry (VM) -Date: Fri Mar 8 15:03:30 2019 -0800 - - Force WCOW pause process to stay alive - - For WCOW because there is no pause image we forcibly change the user - command to be a long running command. This behavior matches how ACI - builds their Windows pause images. - - Signed-off-by: Justin Terry (VM) - -commit ed7342accff7089e81233592747c9289f4a73d5e -Author: Justin Terry (VM) -Date: Fri Mar 8 10:51:51 2019 -0800 - - Revert removal of WCOW pause container activation - - As it turns out on RS5 a Windows Process Isolated container actually - does open the network compartment at the activation of the first - container. So we cannot skip creating the pause container when creating - the pod. This is not true for Windows Hypervisor Isolated which is held - open via the GNS. - - Signed-off-by: Justin Terry (VM) - -commit 35a24d0f3d8c6eb73f108c45316efdd05ce5525c -Merge: eba3ac608 1a8e7e91e -Author: Justin -Date: Fri Mar 8 15:05:53 2019 -0800 - - Merge pull request #518 from Microsoft/fix_cri_containerd_test - - Fix bug in pulling LCOW pause image - -commit 1a8e7e91e7a07e1bbcb03f5eacf85baa4f7d9410 -Author: Justin Terry (VM) -Date: Fri Mar 8 12:46:41 2019 -0800 - - Fix bug in pulling LCOW image with wrong annotations - - 
Signed-off-by: Justin Terry (VM) - -commit a12b8b82c01e09826ad31c58a3b06d2c36cf99cf -Author: Justin Terry (VM) -Date: Fri Mar 8 12:45:02 2019 -0800 - - Fix bug in pulling LCOW pause image - - Signed-off-by: Justin Terry (VM) - -commit eba3ac60839e86e60eae0f64658a25bd3891de0a -Merge: 001c0419a 74080ae0e -Author: John Howard -Date: Wed Mar 6 15:02:52 2019 -0800 - - Merge pull request #508 from Microsoft/panic-recover-debug - - Panic-Recover log to ETW in shim - -commit 001c0419aa572694e4779a47129c6f937cf24629 -Merge: 289c76d66 cc9f79968 -Author: Kevin Parsons -Date: Wed Mar 6 14:28:04 2019 -0800 - - Merge pull request #495 from kevpar/default-lcow-path - - Change default LCOW OS boot files path - -commit 74080ae0ec3c106fb8cca245693ba338a8e48ca9 -Author: John Howard -Date: Wed Mar 6 12:04:00 2019 -0800 - - Panic-Recover log to ETW - - Signed-off-by: John Howard - -commit cc9f7996884d788e4bc324e7547ec1095c82965a -Author: Kevin Parsons -Date: Mon Mar 4 12:52:18 2019 -0800 - - Change default LCOW OS boot files path - - Signed-off-by: Kevin Parsons - -commit 289c76d66de6a38da3a1c6ea98d8481629f72170 -Merge: a9997c3a9 1aa4a4e93 -Author: Justin -Date: Wed Mar 6 11:33:52 2019 -0800 - - Merge pull request #507 from kevpar/create-scratch-pre-rs5 - - Throw an error if create-scratch attempted pre-RS5 - -commit 1aa4a4e9378c3ac0b8cdbc7d97403f8b78bf4d9f -Author: Kevin Parsons -Date: Wed Mar 6 10:50:48 2019 -0800 - - Throw an error if create-scratch attempted pre-RS5 - - Signed-off-by: Kevin Parsons - -commit a9997c3a96d98feed884046867ca520972f56466 -Merge: 0015687a0 08bbfb729 -Author: Justin -Date: Tue Mar 5 22:16:55 2019 -0800 - - Merge pull request #504 from Microsoft/build_uvmboot - - CI build uvmboot.exe - -commit 08bbfb729a5ecc399ce940ebee3683a43746385c -Author: Justin Terry (VM) -Date: Tue Mar 5 22:13:55 2019 -0800 - - Add zapdir to appveyor - - 
Signed-off-by: Justin Terry (VM) - -commit d63b2e215d7c7f34aa6b1be0276b3b856c5b7708 -Author: Justin Terry (VM) -Date: Thu Jan 24 13:40:54 2019 -0800 - - CI build uvmboot.exe - - Signed-off-by: Justin Terry (VM) - -commit 0015687a01b82c8c24f2ce607da7f9e0c935af5e -Merge: 486cce1f7 18ad36970 -Author: Justin -Date: Tue Mar 5 12:34:03 2019 -0800 - - Merge pull request #502 from Microsoft/cri_privileged - - Add OCI privileged container support - -commit e8850a5d68ec80007eb63cab6f33df62fe3a019f -Merge: f1b2fa8f4 4b6326866 -Author: Justin -Date: Tue Mar 5 12:07:35 2019 -0800 - - Merge pull request #284 from Microsoft/fix_additional_device_append - - Fix additional append in host device list - -commit 4b6326866f61e7dd6c30610ce3f3c6a7b1a3b8b3 -Author: Justin Terry (VM) -Date: Tue Mar 5 11:54:45 2019 -0800 - - Fix additional append in host device list - - Signed-off-by: Justin Terry (VM) - -commit f1b2fa8f4261fa0e2994d7d9f65f5f109fe3da52 -Merge: eec8f895b 954d71280 -Author: John Howard -Date: Tue Mar 5 11:57:20 2019 -0800 - - Merge pull request #283 from Microsoft/fix_log_message - - Fix comment for privileged container detection - -commit 954d712807ccec91e3dc7049dc347817b8148f05 -Author: Justin Terry (VM) -Date: Tue Mar 5 11:54:45 2019 -0800 - - Fix comment for privileged container detection - - Signed-off-by: Justin Terry (VM) - -commit eec8f895b92684abae4222f3aede764f3fe352d2 -Merge: a10967154 87b593341 -Author: John Howard -Date: Tue Mar 5 11:47:19 2019 -0800 - - Merge pull request #282 from Microsoft/privileged_support - - Add OCI Privileged container support - -commit 87b593341c6deb399f92bfc750e185d9ca575bb3 -Author: Justin Terry (VM) -Date: Fri Mar 1 16:07:28 2019 -0800 - - Add OCI Privileged container support - - Signed-off-by: Justin Terry (VM) - -commit 18ad36970bf220c34b137f7cbcfd6e869d3335f4 -Author: Justin Terry (VM) -Date: Fri Mar 1 16:09:32 2019 -0800 - - Add OCI privileged container support - - 
Signed-off-by: Justin Terry (VM) - -commit 486cce1f7e15368cbbe7242784dd877afff22800 -Merge: 4dd3466fb 0d5e16494 -Author: Justin -Date: Mon Mar 4 18:07:40 2019 -0800 - - Merge pull request #499 from Microsoft/cri_containerd_create_tests - - Add initial CreateContainer tests - -commit a10967154e143a36014584a6f664344e3bb0aa64 -Merge: 6bae68b4c 68357fd00 -Author: Kevin Parsons -Date: Mon Mar 4 15:48:00 2019 -0800 - - Merge pull request #281 from Microsoft/jjh/unixlineendings - - Unix line endings on .c files - -commit 68357fd0018ebafbe4e3b5cb1868cac2ed42e5d8 -Author: John Howard -Date: Mon Mar 4 15:36:15 2019 -0800 - - Unix line endings on .c files - - Signed-off-by: John Howard - -commit 6bae68b4cbc77c1283a555590f288c7811fbc2e5 -Merge: 1ce616605 2d551da2e -Author: Justin -Date: Mon Mar 4 14:07:18 2019 -0800 - - Merge pull request #280 from Microsoft/jjh/lcow.vhdx - - Remove VHDX booting - -commit 2d551da2ed2452ada55a365f53e989ddc3128033 -Author: John Howard -Date: Mon Mar 4 12:47:47 2019 -0800 - - Remove VHDX booting - - Signed-off-by: John Howard - -commit 4dd3466fb47933ff5df526e7751cdf1f6315bfcf -Merge: 567e65d9f 03f38f92c -Author: Justin -Date: Mon Mar 4 11:14:58 2019 -0800 - - Merge pull request #501 from Microsoft/jjh/delete - - Delete rather than nil - -commit 03f38f92ce1cc48e5a2a7f2fa762f67ba22a2b9a -Author: John Howard -Date: Mon Mar 4 11:10:36 2019 -0800 - - Delete rather than nil - - 
Signed-off-by: John Howard - -commit 567e65d9f69090d3ea89bf5a9fbad4d57ab87b90 -Merge: 046607f53 ebbed9470 -Author: Justin -Date: Mon Mar 4 09:55:50 2019 -0800 - - Merge pull request #473 from nagiesek/subnetValidation - - We throw if address prefix given but no gateway - -commit 046607f53bc6f9a14901ed85d355fbb6faa5306d -Merge: f7ee4ec62 21d92ba49 -Author: Justin -Date: Mon Mar 4 09:54:24 2019 -0800 - - Merge pull request #500 from Microsoft/jjh/typo - - Fix logging typo - -commit 21d92ba49db9cd6a4c0115e2e46ab04118d136d3 -Author: John Howard -Date: Mon Mar 4 09:01:43 2019 -0800 - - Fix logging typo - - Signed-off-by: John Howard - -commit 0d5e1649489b4f3f29a87f2660dfb57b86021c7c -Author: Justin Terry (VM) -Date: Wed Feb 27 14:10:49 2019 -0800 - - Add initial CreateContainer tests - - Signed-off-by: Justin Terry (VM) - -commit f7ee4ec62b1493c53e699ea11c4ebdd8fd07d837 -Merge: 752e1af1f b92f3496a -Author: Justin -Date: Fri Mar 1 12:23:28 2019 -0800 - - Merge pull request #496 from kevpar/zap-error-reporting - - Improve zapdir error reporting - -commit 752e1af1f79d13ed5ebfe9cbfff5f44d42174521 -Merge: d072923cc 134e29d69 -Author: Justin -Date: Fri Mar 1 12:19:11 2019 -0800 - - Merge pull request #498 from Microsoft/fix_exec_tty - - Fix bug in runhcs shim with tty=true on close - -commit 134e29d694967f9e7a910cefb4470b1555a40db7 -Author: Justin Terry (VM) -Date: Fri Mar 1 12:02:09 2019 -0800 - - Fix bug in runhcs shim with tty=true on close - - On close in the case of a tty the caller does not know the close is taking - place and does not have the ability to unblock the upstream pipes. Since the - caller might not be issuing any stdin even though we close the hcs side of the - pipe there is nothing that alerts go to unblock the io.Copy. - - This fix stops waiting for Stdin to finish the io.Copy on hcs process exit. - - 
Signed-off-by: Justin Terry (VM) - -commit b92f3496aa8607ed7fe533160cb8484947ab3d2b -Author: Kevin Parsons -Date: Fri Mar 1 02:13:01 2019 -0800 - - Improve zapdir error reporting - - Signed-off-by: Kevin Parsons - -commit ebbed947013a755094849ab922778b0753e40912 -Author: Nathan Gieseker -Date: Thu Feb 28 17:12:11 2019 -0800 - - errors if address prefix present but no gateway, errors if no default gateway, errors if endpont is created with namespace - -commit d072923cc3815b8af9d9562c7578e056b81f695d -Merge: 790944b3d 7c9e5bfca -Author: Justin -Date: Wed Feb 27 13:43:04 2019 -0800 - - Merge pull request #494 from kevpar/pass-boot-files-path - - Allow runtime option to override LCOW OS directory - -commit 7c9e5bfcac509537ecdd98e98b7057542ba2131c -Author: Kevin Parsons -Date: Mon Feb 25 20:11:31 2019 -0800 - - Allow runtime option to override LCOW OS directory - - Signed-off-by: Kevin Parsons - -commit 1ce616605f0cc45f5a4cf4d93db18dad4fbaa124 -Merge: 2a70647e9 50d82729b -Author: John Howard -Date: Tue Feb 26 22:12:24 2019 -0800 - - Merge pull request #278 from Microsoft/go1.11.5 - - Bump runc; golang 1.11.5 - -commit 790944b3d17e185930b487555f53c8017ca2b82e -Merge: 2fc684659 0cb1b01ad -Author: Justin -Date: Tue Feb 26 20:19:32 2019 -0800 - - Merge pull request #492 from Microsoft/cri_scenarios - - Implement RunPodSandbox P0 tests for cri-containerd - -commit 0cb1b01ad7fbfe74e78d93f91609210962d29205 -Author: Justin Terry (VM) -Date: Tue Feb 26 08:09:52 2019 -0800 - - Implement RunPodSandbox P0 tests for cri-containerd - - Signed-off-by: Justin Terry (VM) - -commit 50d82729bdb623c1555d861e743d4aef1fc9fb7a -Author: John Howard -Date: Tue Feb 26 14:07:11 2019 -0800 - - Bump runc; golang 1.11.5 - - 
Signed-off-by: John Howard - -commit 2fc684659425f895b7c06f70bdf95fe1c387a07e -Merge: d15d58dcd 384f3f656 -Author: Justin -Date: Tue Feb 26 14:03:27 2019 -0800 - - Merge pull request #491 from kevpar/add-zap-tool - - Add zapdir utility to delete data directories - -commit 384f3f656d8e4ce33746274f2d45d2564a6166db -Author: Kevin Parsons -Date: Tue Feb 26 10:38:28 2019 -0800 - - Add zapdir utility to delete data directories - - Signed-off-by: Kevin Parsons - -commit d15d58dcd390f5e57a1046b3a8cbcdfcdbfb899f -Merge: 23874b725 60f0c0c06 -Author: John Howard -Date: Mon Feb 25 15:31:18 2019 -0800 - - Merge pull request #490 from Microsoft/v2_delete_timeout - - Fix delete hang when the platfrom does not return - -commit 60f0c0c06cab1c4beab54cdc48678f7865a0d2fa -Author: Justin Terry (VM) -Date: Mon Feb 25 15:26:50 2019 -0800 - - Fix delete hang when the platfrom does not return - - Signed-off-by: Justin Terry (VM) - -commit 23874b72556e811875c99eb734bebe5b321cc71b -Merge: 2af37ca39 fb0c8a35b -Author: Justin -Date: Mon Feb 25 15:27:28 2019 -0800 - - Merge pull request #489 from jterry75/v2_simplify_hcstask_lifetime - - Simplify the hcstask/exec exit state transitions. - -commit fb0c8a35bfa147dd8c9c5248200c6948ea3cf2b8 -Author: Justin Terry (VM) -Date: Mon Feb 25 11:31:03 2019 -0800 - - Simplify the hcstask/exec exit state transitions. - - There are some very subtile ways in which the code could fail to event the - exit and cause an upstream listener to continue to think the shim is still - running even though the task had indeed exited. - - Signed-off-by: Justin Terry (VM) - -commit 2af37ca39404be7b472784aca21fb4da52f2d2de -Merge: 169f005c6 b06744111 -Author: Justin -Date: Sat Feb 23 12:23:29 2019 -0800 - - Merge pull request #488 from Microsoft/v2_simplify_io - - Simplify v2 shim upstream IO handling - -commit b067441113ed088810330f14215ca67dadce2352 -Author: Justin Terry (VM) -Date: Sat Feb 23 10:41:30 2019 -0800 - - Simplify v2 shim upstream IO handling - - 
Signed-off-by: Justin Terry (VM) - -commit 169f005c6a7ee9ad1bd85fe732c28497504a3252 -Merge: b6fc2762a 420a1c0ae -Author: Justin -Date: Sat Feb 23 09:56:05 2019 -0800 - - Merge pull request #485 from ksubrmnn/v2_version - - Update minor version for HNS V2 support - -commit b6fc2762a5ec3b03b77e6f55618adce8ad082293 -Merge: 404d53605 49d15bfb4 -Author: Justin -Date: Fri Feb 22 21:35:49 2019 -0800 - - Merge pull request #487 from Microsoft/fix_netns_argon - - Fix panic trying to provision guest network on process container - -commit 49d15bfb4954394e7f3c84e43ace3c6572adaa27 -Author: Justin Terry (VM) -Date: Fri Feb 22 19:12:17 2019 -0800 - - Fix panic trying to provision guest network on process container - - When should only be creating the guest network for WCOW when the container is - hypervisor isolated. - - Signed-off-by: Justin Terry (VM) - -commit 420a1c0ae062cc46542502898f67d5270dfd3254 -Author: ksubrmnn -Date: Fri Feb 22 09:43:41 2019 -0800 - - Update minor version for HNS V2 support - -commit 404d53605b037239c92c4e5cc29ab0a4239c8c29 -Merge: 36fdb84dc 69cb2a424 -Author: Justin -Date: Wed Feb 20 23:16:53 2019 -0800 - - Merge pull request #483 from Microsoft/fix_netns_remove - - Fix bugs in provisioning NetNS on UVM - -commit 36fdb84dcfb65d10febe45ac999dac401166005d -Merge: 2fe644a8d 377459776 -Author: Justin -Date: Wed Feb 20 23:15:22 2019 -0800 - - Merge pull request #484 from Microsoft/fix_signals - - Add SignalSupport check and Signal validation to v2 shim - -commit 377459776326342f61f065e327fa7c39bab78ded -Author: Justin Terry (VM) -Date: Wed Feb 20 16:26:31 2019 -0800 - - Add SignalSupport check and Signal validation to v2 shim - - 
Signed-off-by: Justin Terry (VM) - -commit 69cb2a424e2c1d323ff0fe53a9d79245c16aa382 -Author: Justin Terry (VM) -Date: Wed Feb 20 06:43:07 2019 -0800 - - Fix bugs in provisioning NetNS on UVM - - 1. We should only run the cleanup logic for a standalone or sandbox container - with networking but not for individual workload containers. - - 2. We now provision the guest NetNS in the UVM for WCOW as a seperate step since - we don't actually provision the container in the guest. - - 3. Add begin/end tracing for networking provisioning to measure time on average. - - Signed-off-by: Justin Terry (VM) - -commit 2a70647e92b2e5d4956453880d3872bab9ee815a -Merge: b9fd6dfdb 372e91c9b -Author: Justin -Date: Tue Feb 19 20:57:53 2019 -0800 - - Merge pull request #273 from Microsoft/resolv_config - - Implement /etc/resolv.conf bind mount for sandbox/workload containers - -commit 372e91c9b1e5afed215ea0caa8ad0f829b53eea6 -Author: Justin Terry (VM) -Date: Wed Jan 16 15:31:45 2019 -0800 - - Implement /etc/resolv.conf bind mount for sandbox/workload containers - - Creates an /etc/resolv.conf file per sandbox/standalone container with a - network namespace and bind mounts that into the running container. For a - Kubernetes sandbox container will bind mount the same /etc/resolv.conf file - into all Workload containers with the same shared namespace. - - 
Signed-off-by: Justin Terry (VM) - -commit 2fe644a8dd6ff5667319b1b10c46a86255512676 -Merge: 66947b2b7 f8a8e771a -Author: Justin -Date: Tue Feb 19 19:51:49 2019 -0800 - - Merge pull request #482 from Microsoft/shim_shutdown - - Only allow Sandbox Task to shutdown a POD shim - -commit b9fd6dfdb0d8d3abf3a4b17a04f79318d74670f4 -Merge: 6aadcbd53 b912f3073 -Author: Justin -Date: Tue Feb 19 19:49:44 2019 -0800 - - Merge pull request #275 from Microsoft/remove_oslayer - - Remove MockOS/RealOS and Oslayer - -commit 6aadcbd53adc21daa407427a1e0617256618bf49 -Merge: dbb941f38 873bc4823 -Author: Justin -Date: Tue Feb 19 19:49:23 2019 -0800 - - Merge pull request #276 from jstarks/dm - - devicemapper: Code to create and destroy dm devices - -commit dbb941f38a950e06e5f11916ecac0bfb8ca5ee17 -Merge: f06b15959 b593f81cd -Author: Justin -Date: Tue Feb 19 19:48:59 2019 -0800 - - Merge pull request #265 from jterry75/tar2ext4 - - Remove tar2vhd from the OpenGCS - -commit f8a8e771a1bd9762fdecc73daf089e65418a7433 -Author: Justin Terry (VM) -Date: Tue Feb 19 16:45:38 2019 -0800 - - Only allow Sandbox Task to shutdown a POD shim - - Signed-off-by: Justin Terry (VM) - -commit 66947b2b74188ce253d909b471ee32a5b215a98d -Merge: 224f4622e 48e0d4aa1 -Author: John Howard -Date: Fri Feb 15 19:34:06 2019 -0800 - - Merge pull request #480 from Microsoft/jjh/debug - - Setup stackdump correctly; add debugger event - -commit 48e0d4aa1fa8a78e69fb62df89481a3ea5eb6644 -Author: John Howard -Date: Fri Feb 15 15:29:55 2019 -0800 - - Setup stackdump correct; debug event - - Signed-off-by: John Howard - -commit 224f4622ef4c6f75fbf0e58324b2c2a5b5c5d5a3 -Merge: 18f48441e d32815b9b -Author: Justin -Date: Fri Feb 15 19:00:38 2019 -0800 - - Merge pull request #481 from Microsoft/shim_owner - - Only use shim binary name for ComputeSystem owner - -commit d32815b9b2ca688bac235667028b940148bad3fe -Author: Justin Terry (VM) -Date: Fri Feb 15 18:18:24 2019 -0800 - - Only use shim binary name for ComputeSystem owner - - 
Signed-off-by: Justin Terry (VM) - -commit 18f48441ece05fa28868da3106713ac1a038ae9e -Merge: 0bac3090e 8420ac58d -Author: Justin -Date: Fri Feb 15 18:11:01 2019 -0800 - - Merge pull request #479 from Microsoft/shim_exit_logging - - Add better hcsTask exit logging and handling - -commit 8420ac58de8d15d4b71dd7a35e0d3aca84733468 -Author: Justin Terry (VM) -Date: Fri Feb 15 14:45:52 2019 -0800 - - Add better hcsTask exit logging and handling - - Signed-off-by: Justin Terry (VM) - -commit 0bac3090ef2785d90967a524117d502258d549d3 -Merge: 4276f6583 b948989a1 -Author: Justin -Date: Fri Feb 15 12:25:10 2019 -0800 - - Merge pull request #478 from Microsoft/fix_standalone_xenon_rs1 - - Fixes a bug in Xenon activation on RS1-RS4 hosts - -commit b948989a1789e5b278450e4fb3a68c6d00c865d5 -Author: Justin Terry (VM) -Date: Fri Feb 15 12:21:11 2019 -0800 - - Fixes a bug in Xenon activation on RS1-RS4 hosts - - For RS1-RS4 hosts the utility VM was not managed directly but the OCI spec - still used the presence of the HyperV section to determine the isolation level. - This change will only craete the Utility VM if the Host OS is >= RS5. - - Signed-off-by: Justin Terry (VM) - -commit 4276f6583edd79b96441207cf1b61af34060b12c -Merge: 2a3fb4feb 899887866 -Author: Justin -Date: Fri Feb 15 11:44:23 2019 -0800 - - Merge pull request #477 from Microsoft/exec_exit - - Stop resetting Pid to 0 on exec exit - -commit 899887866f7e4c913ca45aa3c906226cd59dbe5b -Author: Justin Terry (VM) -Date: Fri Feb 15 10:43:21 2019 -0800 - - Stop resetting Pid to 0 on exec exit - - Signed-off-by: Justin Terry (VM) - -commit 2a3fb4feb46b8363cf850a7d3eb82add2f736a69 -Merge: e2a4b598a 5a905ed70 -Author: Justin -Date: Thu Feb 14 14:40:26 2019 -0800 - - Merge pull request #475 from jterry75/execid_events - - Add ExecID to TaskDelete and StateResponse - -commit 5a905ed70752d50113d61813f5d71c8e3d62b327 -Author: Justin Terry (VM) -Date: Thu Feb 14 13:30:12 2019 -0800 - - Fix bug calling Kill in the exited state - - 
Signed-off-by: Justin Terry (VM) - -commit b77dd2c60afa6c62e9fb8d5656a43a7e72fcd900 -Author: Justin Terry (VM) -Date: Thu Feb 14 12:37:32 2019 -0800 - - Fix test error strings - - Signed-off-by: Justin Terry (VM) - -commit 08ea4e772b8e4c4026836e56152a37700e86c02e -Author: Justin Terry (VM) -Date: Thu Feb 14 07:59:03 2019 -0800 - - Add ExecID to TaskDelete and StateResponse - - Signed-off-by: Justin Terry (VM) - -commit e2a4b598a05a864bb19e832521d9d4c740b19bff -Merge: 687dfed69 aa654d43f -Author: John Howard -Date: Thu Feb 14 10:00:33 2019 -0800 - - Merge pull request #474 from Microsoft/jjh/waitfornotificationpanic - - Avoid panic in waitForNotification - -commit aa654d43fa793509a294cdea771d50cc8fca14b6 -Author: John Howard -Date: Thu Feb 14 09:37:18 2019 -0800 - - Avoid panic in waitForNotification - - Signed-off-by: John Howard - -commit 687dfed698c7d9de01ce63ee8b52651f2d8e8f47 -Merge: 94c0bafaf 186722515 -Author: Justin -Date: Wed Feb 13 20:44:35 2019 -0800 - - Merge pull request #472 from jterry75/containerd_shim - - Implements the "out of tree" containerd-shim-runhcs-v1 - -commit 186722515afc70a67a753bbb3e3e6b1443635d37 -Author: Justin Terry (VM) -Date: Wed Feb 13 12:53:47 2019 -0800 - - Return TaskID for StateResponse.ID - - Signed-off-by: Justin Terry (VM) - -commit 98e294432f07e143df9b693e8ba4a5648d4ea4b7 -Author: Justin Terry (VM) -Date: Wed Feb 13 11:12:57 2019 -0800 - - CR Feedback - - Signed-off-by: Justin Terry (VM) - -commit c9c88da8a37a02af6d515cd70e0fcef4f3524136 -Author: Justin Terry (VM) -Date: Wed Feb 13 08:16:39 2019 -0800 - - Pod Kill all should skip exited tasks - - Signed-off-by: Justin Terry (VM) - -commit b0155ea650a635afef6a26da811cbaad0dbd0292 -Author: Justin Terry (VM) -Date: Tue Feb 12 10:53:35 2019 -0800 - - Fix AppVeyor CI format issue - - 
Signed-off-by: Justin Terry (VM) - -commit 219489c8cd083701c1a23f161b262a34b4bfb993 -Author: Justin Terry (VM) -Date: Tue Feb 12 10:48:29 2019 -0800 - - Fix unit test dereference on fake hcs.System ptr - - Signed-off-by: Justin Terry (VM) - -commit fd44906922588fc55b12add372e10f1374914227 -Author: Justin Terry (VM) -Date: Tue Feb 12 10:41:26 2019 -0800 - - Fix regression in WCOW PodSandbox Exec deadlock - - Signed-off-by: Justin Terry (VM) - -commit 63004f707c6b4bfb12125cef532ba3a70113617a -Author: Justin Terry (VM) -Date: Tue Feb 12 08:13:39 2019 -0800 - - Add containerd-shim-runhcs-v1 to AppVeyor - - Signed-off-by: Justin Terry (VM) - -commit 1f60e91bdb6dbd88f285a79ebfad8826e57da514 -Author: Justin Terry (VM) -Date: Tue Feb 12 09:54:33 2019 -0800 - - Implement containerd async events - - Signed-off-by: Justin Terry (VM) - -commit 03532f1f1b2467dc218272f35212c6179ed695cd -Author: Justin Terry (VM) -Date: Tue Feb 12 00:17:56 2019 -0800 - - Implement CreateExec for *COW - - Signed-off-by: Justin Terry (VM) - -commit 1c08b2b389af30a7a0f693a7e6a6d57728b5a3f8 -Author: Justin Terry (VM) -Date: Mon Feb 11 23:41:42 2019 -0800 - - Implement shim Shutdown when not using 'now' - - Signed-off-by: Justin Terry (VM) - -commit bcd456a263b813679038daf242bb15d1debad6df -Author: Justin Terry (VM) -Date: Mon Feb 11 23:26:21 2019 -0800 - - Fix issue in WCOW isolated activation - - Signed-off-by: Justin Terry (VM) - -commit 0b5a9fa2e40534d1efe50673babf5868c1509100 -Author: Justin Terry (VM) -Date: Mon Feb 11 10:16:27 2019 -0800 - - Change LCOW task/exec to HCS task/exec - - Signed-off-by: Justin Terry (VM) - -commit b912f307310d7273c739d302dd9692a5d5a16241 -Author: Justin Terry (VM) -Date: Mon Feb 11 09:06:16 2019 -0800 - - Remove MockOS/RealOS and Oslayer - - 
Signed-off-by: Justin Terry (VM) - -commit 7189a1c9c0257878e18c0b1191bb59a01f36ed94 -Author: Justin Terry (VM) -Date: Wed Feb 6 16:28:46 2019 -0800 - - Implement shim Create - - Implements the lcow standalone task and pod creation workflows. - Fixes a bug in the shim serve command where the logs pipe was expecting - a different address. - - Signed-off-by: Justin Terry (VM) - -commit 1df48976fd03ae1b88d61c093f667a1799f53843 -Author: Justin Terry (VM) -Date: Wed Feb 6 14:49:45 2019 -0800 - - Refactor OCI->UVM create logic for reuse - - Signed-off-by: Justin Terry (VM) - -commit 14759043848f19a610777c4e18209b60d530b528 -Author: Justin Terry (VM) -Date: Wed Feb 6 11:03:25 2019 -0800 - - Implement SandboxTask/Exec fakes for WCOW - - On WCOW for various reasons we dont need to actually create a Task/Exec - that is really backed by a container/process in the platform. These - fakes implement the model and manage the lifetime so that we can save - perf on POD creation for WCOW. - - Signed-off-by: Justin Terry (VM) - -commit 83c1452d263a7599c94553755e31f6d53cdcff9d -Author: Justin Terry (VM) -Date: Tue Feb 5 11:03:04 2019 -0800 - - Implement LCOW Exec - - Signed-off-by: Justin Terry (VM) - -commit 0c66b52c96b4d1cf3764e944f5a4730ea6052e07 -Author: Justin Terry (VM) -Date: Tue Feb 5 11:02:11 2019 -0800 - - Implement LCOW Task - - Signed-off-by: Justin Terry (VM) - -commit 9f97fdf1d972b44d1fa77128292e8b66a3effd62 -Author: Justin Terry (VM) -Date: Fri Feb 1 14:29:39 2019 -0800 - - Add ETW logging support - - Signed-off-by: Justin Terry (VM) - -commit 0fd48be0873f43ff1ff21f98f2cc9875083f33e1 -Author: Justin Terry (VM) -Date: Wed Jan 30 15:59:45 2019 -0800 - - Implement the actual pod manager - - 
Signed-off-by: Justin Terry (VM) - -commit 41c3d231706d3517de911ed1be2f1547ba444ce5 -Author: Justin Terry (VM) -Date: Tue Jan 29 17:15:43 2019 -0800 - - Implement the Pod/Task/Exec interfaces and lifetime model - - Adds the interfaces for Pod's/Task's/Exec's and implements the RuntimeV2 - service calls into these various interfaces. - - Adds unit tests for all RuntimeV2 calls in either a Pod runtime or a Task - runtime model. Implements the Pod/Task/Exec test impls for the UnitTests. - - Signed-off-by: Justin Terry (VM) - -commit e8124fcaee5f043a38c8b15c234aec078af2e3ba -Author: Justin Terry (VM) -Date: Mon Jan 28 22:07:49 2019 -0800 - - Fix bug in error capture - - Signed-off-by: Justin Terry (VM) - -commit 47f195b2654364a6ab056570e411343b6f981794 -Author: Justin Terry (VM) -Date: Mon Jan 28 21:44:39 2019 -0800 - - Implement the task vs sandbox start/serve sequence - - Signed-off-by: Justin Terry (VM) - -commit a9435aaf515a6c6c2bc9527512d3ea00d168781a -Author: Justin Terry (VM) -Date: Tue Dec 18 16:09:45 2018 -0800 - - Implement tests for start/delete commands - - Signed-off-by: Justin Terry (VM) - -commit 9641979cd9a9fc8fffc4222539b5b2a8a785913a -Author: Justin Terry (VM) -Date: Tue Dec 18 09:52:24 2018 -0800 - - Implement shim serve - - Implements the internal serve command that is used when we detect the case that - we should start a new shim. - - Signed-off-by: Justin Terry (VM) - -commit 04e241b1dfcc2df13c50c3867c3178dac10346f5 -Author: Justin Terry (VM) -Date: Tue Dec 18 09:46:54 2018 -0800 - - Add containerd-shim Windows manifest - - Signed-off-by: Justin Terry (VM) - -commit 3a4ef8190dcf8f3d314f0777b27b8ed02f4c6d6b -Author: Justin Terry (VM) -Date: Mon Dec 17 16:28:11 2018 -0800 - - Implement shim start. - - Signed-off-by: Justin Terry (VM) - -commit 7d4150fd170758a6e207defbf73a76d780c69aed -Author: Justin Terry (VM) -Date: Mon Dec 17 14:10:00 2018 -0800 - - Implement shim delete - - 
Signed-off-by: Justin Terry (VM) - -commit 5f2c3c5ebd0e73a859343ca384c56a96924e3902 -Author: Justin Terry (VM) -Date: Mon Dec 17 13:10:33 2018 -0800 - - Fixing incorrect binary name for containerd shim - - Signed-off-by: Justin Terry (VM) - -commit 445db8ad5105b5929cfe6445fbdb5f5bc8cf5612 -Author: Justin Terry (VM) -Date: Mon Dec 17 13:07:07 2018 -0800 - - Add service begin/end activity tracing - - Signed-off-by: Justin Terry (VM) - -commit 4b8d7864b87cc063382fe529ff1161600252f0db -Author: Justin Terry (VM) -Date: Wed Dec 12 22:20:28 2018 -0800 - - Adding initial shim - - Signed-off-by: Justin Terry (VM) - -commit 873bc482351007d1380815a5fc037e3a18d049b1 -Author: John Starks -Date: Sat Feb 9 14:03:08 2019 -0800 - - devicemapper: Code to create and destroy dm devices - -commit f06b159599df58cb02aa8a8d842edf425a906964 -Merge: 398a7f136 67205db91 -Author: Justin -Date: Fri Feb 8 08:44:08 2019 -0800 - - Merge pull request #274 from Microsoft/jjh/runtimespec - - (Manual)Vendor opencontainers/runtime-spec - -commit 94c0bafafd01e2b330935dd38b7aeb1dadedeee7 -Merge: 3ad134c0f 31fdae303 -Author: John Howard -Date: Thu Feb 7 20:43:18 2019 -0800 - - Merge pull request #467 from Microsoft/jjh/commandline - - WCOW: Use commandline in spec if populated - -commit 3ad134c0fad2f3f84a6b5ce1fc6595aa8ae0757a -Merge: 7226164ef e97e490fa -Author: John Howard -Date: Thu Feb 7 20:37:45 2019 -0800 - - Merge pull request #471 from Microsoft/fix_shutdown_endop - - Stop logging failure for pending shutdown - -commit e97e490fa984c36cc29eadb3eb7b1cb8b51e36f5 -Author: Justin Terry (VM) -Date: Thu Feb 7 20:21:10 2019 -0800 - - Stop logging failure for pending shutdown - - Signed-off-by: Justin Terry (VM) - -commit 67205db91690e5d298a80d12e6b387abe9b2a184 -Author: John Howard -Date: Thu Feb 7 13:12:23 2019 -0800 - - (Manual)Vendor opencontainers/runtime-spec - - 
Signed-off-by: John Howard - -commit 31fdae303f6fbb0c5d4060d6cedea81468747219 -Author: John Howard -Date: Fri Feb 1 13:12:03 2019 -0800 - - Vendor opencontainers/runtime-spec @ 29686dbc - - Signed-off-by: John Howard - - This is the version with `CommandLine` added. - -commit de2922b3440521abf66dd9ca3663b4f0543e9177 -Author: John Howard -Date: Fri Feb 1 13:18:50 2019 -0800 - - WCOW:Use commandline in spec if populated - - Signed-off-by: John Howard - -commit 7226164ef24d1f2aa2d7efa786aaaf35e355cc2d -Merge: f92b8fb9c e59d820ac -Author: Justin -Date: Mon Feb 4 18:47:26 2019 -0800 - - Merge pull request #463 from jstarks/plan9_single_file_map - - Add single-file mapping support to Plan9 - -commit f92b8fb9c92e17da496af5a69e3ee13fbe9916e1 (tag: v0.8.6) -Merge: f1e23b813 0720cb649 -Author: Justin -Date: Sun Feb 3 13:25:52 2019 -0800 - - Merge pull request #469 from Quasilyte/patch-1 - - internal/safeopen: fix strings.Contains args order - -commit 0720cb6492ac79891cc40a2cc66f2c8f59d84c26 -Author: Iskander (Alex) Sharipov -Date: Sat Feb 2 09:24:00 2019 +0300 - - internal/safeopen: fix strings.Contains args order - - The following (old) code: - - strings.Contains(":", path) - - Only returns true if path is ":" or an empty string. - This is not what was intended. - The proper ":" check is: - - strings.Contains(path, ":") - - Found by using new go-critic linter check. - - 
Signed-off-by: Iskander Sharipov - -commit f1e23b81346ce74074d0055eb4f6753009c6ee63 -Merge: df9dc97a4 337d9040c -Author: Justin -Date: Fri Feb 1 11:49:56 2019 -0800 - - Merge pull request #466 from Microsoft/fix_log_race - - Fix race in endoperation syscall logging - -commit df9dc97a434b1a8c0a6c9c35063e476a33153b5b -Merge: bc49f75c7 109740e34 -Author: Justin -Date: Fri Feb 1 09:52:56 2019 -0800 - - Merge pull request #461 from Microsoft/create_scratch_uvm_size - - Shrink the size of the create-scratch uvm - -commit 337d9040cd6472ea127443aec0b6d6af47cf4bdb -Author: Justin Terry (VM) -Date: Thu Jan 31 14:15:51 2019 -0800 - - Fix race in endoperation syscall logging - - Signed-off-by: Justin Terry (VM) - -commit 109740e343f2aeefb544201aa29966b6766d00d2 -Author: Justin Terry (VM) -Date: Mon Jan 28 14:30:41 2019 -0800 - - Shrink the size of the create-scratch uvm - - Signed-off-by: Justin Terry (VM) - -commit e59d820acee91f41ab1f6f7f29fd35e452285aca -Author: John Starks -Date: Tue Jan 29 13:15:17 2019 -0800 - - Add single-file mapping support to Plan9 - -commit bc49f75c72216a28ffc7443177f477aae7e61d1f -Merge: ea73c6043 050bc8ab2 -Author: Justin -Date: Tue Jan 29 06:55:42 2019 -0800 - - Merge pull request #462 from Microsoft/9p_regression - - Fix bug in Plan9 case sensitivity - -commit 050bc8ab2d34df5406c7c992a9315c63791745ba -Author: Justin Terry (VM) -Date: Mon Jan 28 19:44:40 2019 -0800 - - Fix bug in Plan9 case sensitivity - - Case sensitivity can only be set on a Plan9 share in the guest if the - source Windows directory supports it. Until we have this detection logic - make all shares case insensitive. - - 
Signed-off-by: Justin Terry (VM) - -commit ea73c60434fae8d3b1d02fc28391d628b0306ff4 (tag: v0.8.5) -Merge: 79a8f772c 60d6848f7 -Author: Justin -Date: Mon Jan 28 12:29:06 2019 -0800 - - Merge pull request #460 from Microsoft/go_runhcs_path - - Allow relative path match for runhcs.exe - -commit 60d6848f70e29970339cc47e3875cb9267a0613e -Author: Justin Terry (VM) -Date: Mon Jan 28 12:14:13 2019 -0800 - - Allow relative path match for runhcs.exe - - Signed-off-by: Justin Terry (VM) - -commit 79a8f772c4265236cf9da6af7f766b5caf2afb80 (tag: v0.8.4) -Merge: 722afe9f4 466e92f6e -Author: Justin -Date: Thu Jan 24 13:16:28 2019 -0800 - - Merge pull request #459 from Microsoft/vmlinux - - Add decompressed kernel support for LCOW start - -commit 466e92f6ed1b4b24e5aa4c9b7488d1708f02007b -Author: Justin Terry (VM) -Date: Thu Jan 24 12:53:15 2019 -0800 - - Add decompressed kernel support for LCOW start - - Signed-off-by: Justin Terry (VM) - -commit 722afe9f4aaf77358c1344c890f8e538bd1bd69d -Merge: 54042daa2 6fc8f670f -Author: Justin -Date: Wed Jan 23 07:53:15 2019 -0800 - - Merge pull request #458 from Microsoft/signal_support - - Fix support for Docker signal by value - -commit 6fc8f670f1bb3f946554652916ec817951b2bfe5 -Author: Justin Terry (VM) -Date: Tue Jan 22 16:38:22 2019 -0800 - - Fix support for Docker signal by value - - 
Signed-off-by: Justin Terry (VM) - -commit 54042daa2d15f2d98362667d702357c4f0659b27 -Merge: 6efef912c edea6f2b5 -Author: Justin -Date: Tue Jan 22 14:20:32 2019 -0800 - - Merge pull request #456 from ksubrmnn/mux - - Update DSR flags - -commit edea6f2b558caefab722b8f166a7570b221885e7 -Author: K Subramanian -Date: Fri Jan 18 11:13:01 2019 -0800 - - Add flags - -commit f7b83d7d5668aef1a90c5f52040bfd7dbbfbfd69 -Author: K Subramanian -Date: Fri Jan 18 09:28:53 2019 -0800 - - Update DSR flags - -commit 6efef912cc0ecd8778bab95d105662d4f73f8ccd -Merge: 63fd3694b d539e89ff -Author: Justin -Date: Thu Jan 17 15:03:02 2019 -0800 - - Merge pull request #455 from Microsoft/log_error_cleanup - - Stop logging operation errors when they are expected - -commit 398a7f13647b011fe0bdbc3abac0ba7b62dcc616 -Merge: fe757378b 32e28a183 -Author: Justin -Date: Thu Jan 17 15:01:21 2019 -0800 - - Merge pull request #270 from jstarks/better_init - - init: Replace with C implementation - -commit d539e89ff21ff9ae4abb54daef8f49d5238f4730 -Author: Justin Terry (VM) -Date: Thu Jan 17 14:28:13 2019 -0800 - - Stop logging operation errors when they are expected - - 
Signed-off-by: Justin Terry (VM) - -commit fe757378bac4414f81cb2ead4b92cfb17640b274 -Merge: 02639f308 9499fd270 -Author: Justin -Date: Thu Jan 17 13:43:48 2019 -0800 - - Merge pull request #272 from Microsoft/resize_console_v2 - - Implement missing ResizeConsole for V2 - -commit 63fd3694b44f6516c03a74430427341bfed2fceb -Merge: 69faf5ffd 43dc4c827 -Author: Justin -Date: Thu Jan 17 13:43:21 2019 -0800 - - Merge pull request #451 from Microsoft/vendor - - Vendor hcsshim dependencies for runhcs - -commit 69faf5ffdd744f172d39881e007a9a7c0c135612 -Merge: 62857588e d4be73454 -Author: Kevin Parsons -Date: Thu Jan 17 13:17:08 2019 -0800 - - Merge pull request #453 from kevpar/uvm-output-hang - - Refactor UVM output handling - -commit 62857588ee45f569e3e0369f3a4a63bbc34d042c -Merge: 8d67cb384 fb6277ba0 -Author: Justin -Date: Thu Jan 17 13:09:32 2019 -0800 - - Merge pull request #454 from Microsoft/support_unix_signal_for_windows - - Fix issue with Docker SignalMap - -commit fb6277ba05d2639b9566068693a8ecd86dda40d6 -Author: Justin Terry (VM) -Date: Thu Jan 17 12:55:56 2019 -0800 - - Fix issue with Docker SignalMap - - The Docker SignalMap for Windows passes the UNIX scheme so TERM and KILL. We - will no longer fail on Windows if a signal query comes in we simply convert it - to the correct Windows signal. - - TERM = CTRLC - KILL = CTRLSHUTDOWN - - Signed-off-by: Justin Terry (VM) - -commit 9499fd270b7cffd45ef06fe6c0fb2081504362a7 -Author: Justin Terry (VM) -Date: Thu Jan 17 12:10:03 2019 -0800 - - Implement missing ResizeConsole for V2 - - Signed-off-by: Justin Terry (VM) - -commit 02639f30849b40b9d48f365d30dcef2315ac3706 -Merge: d6587b1e6 4f682669b -Author: Justin -Date: Thu Jan 17 12:10:54 2019 -0800 - - Merge pull request #271 from Microsoft/logs_withfields - - Add logrus.WithFields for all V2 calls - -commit 4f682669b5f334d2dc00ef3df749e5c3d11fd48d -Author: Justin Terry (VM) -Date: Wed Jan 16 12:48:15 2019 -0800 - - Add logrus.WithFields for all V2 calls - - 
Signed-off-by: Justin Terry (VM) - -commit 32e28a18357f1f288a8d816bd200866273168ff1 -Author: John Starks -Date: Thu Jan 17 09:34:09 2019 -0800 - - init: Replace with C implementation - -commit d4be73454f597c11f73e3b4450ef7036edec03ab -Author: Kevin Parsons -Date: Wed Jan 16 15:40:42 2019 -0800 - - Fix UVM hang waiting for output when vsockexec failed to run - - Signed-off-by: Kevin Parsons - -commit 43dc4c8275caeada55e7efe8ac88b5cf783f08a8 -Author: Justin Terry (VM) -Date: Wed Jan 16 08:32:25 2019 -0800 - - Vendor hcsshim dependencies for runhcs - - Signed-off-by: Justin Terry (VM) - -commit 8d67cb3847c5817d3aeba79831bde54516790f72 -Merge: 993649bfc 332962ef0 -Author: Justin -Date: Tue Jan 15 21:26:30 2019 -0800 - - Merge pull request #447 from Microsoft/fix_plan9share - - Implement proper Plan9Share support for LCOW - -commit 993649bfc48232d3487b1d94e59b0a063c4dd6ad -Merge: 9715ee2c1 727e9dfff -Author: Kevin Parsons -Date: Tue Jan 15 16:54:07 2019 -0800 - - Merge pull request #450 from kevpar/fix-vhd-stat - - Fix rootfs.vhd check to not be inverted - -commit 727e9dfffba1246bbddd22d2ddc3c4e36ee8ee88 -Author: Kevin Parsons -Date: Tue Jan 15 16:20:24 2019 -0800 - - Fix rootfs.vhd check to not be inverted - - 
Signed-off-by: Kevin Parsons - -commit 9715ee2c137e80c7f975c59b0513f6f72c9ec32e -Merge: 53d38395f 22bdc2e02 -Author: Justin -Date: Tue Jan 15 15:57:30 2019 -0800 - - Merge pull request #448 from pradipd/NetworkFlags - - Add NetworkFlags to create NonPersistent networks. - -commit 22bdc2e02a460c9e1cda09b90f857f1f9ad15127 -Author: Pradip Dhara -Date: Tue Jan 15 15:28:22 2019 -0800 - - Add NetworkFlags to create NonPersistent networks. - -commit 53d38395f1c31f730f4384b698f1a6eebbe2e37a -Merge: 0ec87e6b5 9b58be8d7 -Author: Justin -Date: Tue Jan 15 12:38:10 2019 -0800 - - Merge pull request #446 from pradipd/master - - Adding HostRoute policy. - -commit 332962ef0274c44a029f59a09c1ae771fdf04cf1 -Author: Justin Terry (VM) -Date: Tue Jan 15 12:05:49 2019 -0800 - - Implement proper Plan9Share support for LCOW - - Signed-off-by: Justin Terry (VM) - -commit 9b58be8d7f36a803de871eca7a22ce8951466b41 -Author: Pradip Dhara -Date: Fri Jan 11 00:28:46 2019 -0800 - - Adding HostRoute policy. - -commit d6587b1e645af2a2e42c01b3e79ef402698a5a31 -Merge: ab42920e3 4ef5b0f48 -Author: Justin -Date: Tue Jan 15 09:47:51 2019 -0800 - - Merge pull request #268 from jterry75/loopback_up - - Set the local loopback interface up on init - -commit 0ec87e6b5263cb154fac39f62b0fafab7d07572a -Merge: 69ac8d3f7 11498c069 -Author: Kevin Parsons -Date: Mon Jan 14 15:25:55 2019 -0800 - - Merge pull request #445 from kevpar/use-etw-hook - - Use ETW Logrus hook in RunHCS - -commit 11498c069a9b67caec84904c62e2f344b2e67987 -Author: Kevin Parsons -Date: Mon Jan 14 12:07:26 2019 -0800 - - Let hook be cleaned up by process exit - - Signed-off-by: Kevin Parsons - -commit 4f42e4098f90c592eb1d187dd5d1dd317faaf038 -Author: Kevin Parsons -Date: Fri Jan 11 15:49:50 2019 -0800 - - Fix provider name - - Signed-off-by: Kevin Parsons - -commit afa1b263107170231b75c9d620f0f8b230b8d4d1 -Author: Kevin Parsons -Date: Fri Jan 11 14:32:27 2019 -0800 - - Use ETW Logrus hook in RunHCS - - 
Signed-off-by: Kevin Parsons - -commit 4ef5b0f48a84828a44146a2029fa46afc88c3962 -Author: Justin Terry (VM) -Date: Thu Jan 10 09:28:18 2019 -0800 - - Set the local loopback interface up on init - - Signed-off-by: Justin Terry (VM) - -commit 69ac8d3f7fc10a0623f3a2655958a1a5bb71f58f -Merge: 459af24a0 9979663d6 -Author: Justin -Date: Thu Jan 10 12:53:07 2019 -0800 - - Merge pull request #444 from ksubrmnn/dsr_version - - DSR version - -commit 9979663d6d57fc36616c58531aca77fa09d9140d -Author: ksubrmnn -Date: Thu Jan 10 11:12:05 2019 -0800 - - DSR version - -commit 459af24a02d1c9d578dbab8d491ad552e5b4d99c -Merge: eb3cd7b41 a41e5177e -Author: Justin -Date: Wed Jan 9 15:35:51 2019 -0800 - - Merge pull request #442 from jterry75/lcow_networking_v2 - - Implement LCOW V2 NetworkNamespace support - -commit ab42920e3bd507c8c21d7e731b20cf849866415c -Merge: 3b26b4d50 809bd0fd2 -Author: Justin -Date: Wed Jan 9 15:04:52 2019 -0800 - - Merge pull request #267 from jterry75/v2_networking - - Implement V2 Network HotAdd/Remove - -commit eb3cd7b416f554dc17c39f70209f00222372643a -Merge: eeeb8bf47 463bdb6d9 -Author: Justin -Date: Wed Jan 9 10:13:05 2019 -0800 - - Merge pull request #443 from Microsoft/remove_duplicate_write - - Remove duplicate error message write on runhcs failure - -commit a41e5177e465bd2d999a76a95071b1339329446b -Author: Justin Terry (VM) -Date: Wed Dec 12 14:54:33 2018 -0800 - - Implement LCOW V2 NetworkNamespace support - - Signed-off-by: Justin Terry (VM) - -commit 809bd0fd2cbe2f0e59f4998f777c133eb019c5f3 -Author: Justin Terry (VM) -Date: Wed Dec 5 13:58:20 2018 -0800 - - Implement V2 Network HotAdd/Remove - - Adds the ability to do a HotAdd/Remove to either a pre-created container or - to an existing container that already holds a network namespace. - - Signed-off-by: Justin Terry (VM) - -commit 463bdb6d90638a4ab41813a369f76f7772e5627d -Author: Justin Terry (VM) -Date: Mon Dec 17 11:01:58 2018 -0800 - - Remove duplicate error message write on runhcs failure - - 
Signed-off-by: Justin Terry (VM) - -commit b593f81cd3a91a690cf0352d5a9fbe27fb21728a -Author: Justin Terry (VM) -Date: Wed Dec 5 15:22:06 2018 -0800 - - Remove tar2vhd from the OpenGCS - - tar2vhd is a tool that converted a Docker layer tar to a vhd by use of - streaming the tar to a LCOW UtilityVM and extracting the tar to an ext4 - filesystem and streaming back the vhd. This tool has been replaced by a tool - in github.com/Microsoft/hcsshim/cmd/tar2ext4 that can do all of this locally - on a host without the need of a UtilityVM and is much faster. Use this tool - instead moving forward. - - Signed-off-by: Justin Terry (VM) - -commit eeeb8bf47a171360e5475d42077edb0e02a300ec -Merge: 1028f47e5 92028eb5c -Author: Justin -Date: Fri Jan 4 10:56:44 2019 -0800 - - Merge pull request #441 from Microsoft/fix_outputhandler_regression - - Fix regression in OutputHandler serialization - -commit 1028f47e5f41d65b81f45d6913640f47f8becc7c -Merge: 72cd9b58c 385c76f73 -Author: John Howard -Date: Fri Jan 4 10:34:43 2019 -0800 - - Merge pull request #438 from Microsoft/change_lcow_boot_default - - Enable KernelDirect and VHD boot by default - -commit 92028eb5c26859228ce28d93cd1ce5864ae6be5c -Author: Justin Terry (VM) -Date: Fri Jan 4 10:02:52 2019 -0800 - - Fix regression in OutputHandler serialization - - Signed-off-by: Justin Terry (VM) - -commit 72cd9b58ca71504a8a054bbca6a12fe10fea38b9 -Merge: 3cbb09db6 3bccdb6c8 -Author: Justin -Date: Thu Jan 3 17:05:33 2019 -0800 - - Merge pull request #439 from Microsoft/fliperrout - - Flips ForwardStdout/Err defaults - -commit 385c76f73231d9cabe093caa6a42a51a7e695227 -Author: Justin Terry (VM) -Date: Thu Jan 3 15:49:16 2019 -0800 - - Use const for rootfs.vhd and initrd.img strings - - Signed-off-by: Justin Terry (VM) - -commit 3bccdb6c8a658a996e4df61e85f3a92ee9ffe0ba -Author: John Howard -Date: Thu Jan 3 15:01:45 2019 -0800 - - Flips ForwardStdout/Err defaults - - 
Signed-off-by: John Howard - -commit e4b5959c70779097f7da59d9fcf92270b4c95ab4 -Author: Justin Terry (VM) -Date: Thu Jan 3 14:25:51 2019 -0800 - - Enable KernelDirect and VHD boot by default - - 
Signed-off-by: Justin Terry (VM) - -commit 3cbb09db6e047cf6284ab0bbd20618743492273a -Merge: 29678c03d 396eecb82 -Author: Justin -Date: Sat Dec 22 20:23:24 2018 -0800 - - Merge pull request #436 from ksubrmnn/remote_subnet - - Remote Subnet version - -commit 29678c03dd36d1093d0b84519df71f298359b7e3 -Merge: 6ea6731a1 dba5d1f28 -Author: Justin -Date: Fri Dec 21 06:31:50 2018 -0800 - - Merge pull request #433 from zawachte-msft/zawachte/DNS-Suffix-Domain - - DNS Suffix Change for Alignment with Container Network Interface Specification - -commit 396eecb82f2362cfca58af4eab71d5279e16605b -Author: ksubrmnn -Date: Thu Dec 20 15:23:07 2018 -0800 - - Remote Subnet version - -commit 6ea6731a1275ab8ee01920facc942cdd919993d8 -Merge: d0b3bfc2e 607e5df88 -Author: Justin -Date: Wed Dec 19 13:17:48 2018 -0800 - - Merge pull request #434 from jstarks/lcow_no_vsmb - - uvm: Don't use vsmb for LCOW boot files - -commit d0b3bfc2ea9303a6a506da319f67fe827530b91e -Merge: 218ab382f 798d328b9 -Author: Justin -Date: Wed Dec 19 13:09:39 2018 -0800 - - Merge pull request #413 from Microsoft/move_functional - - Move all end-to-end tests to the tests folder - -commit 607e5df881ef9ae4dc34424585a547611ff88384 -Author: John Starks -Date: Wed Dec 19 11:45:09 2018 -0800 - - uvm: Don't use vsmb for LCOW boot files - -commit 218ab382faf7089460168270998f0424c61453fa -Merge: 958687058 6a8ab8313 -Author: Justin -Date: Wed Dec 19 08:53:49 2018 -0800 - - Merge pull request #431 from greenhouse-org/fix-syscall-race - - Fix race in syscallWatcher - -commit 6a8ab8313de358dfbaa6c6b10fb30999450681bf -Author: Yechiel Kalmenson -Date: Wed Dec 19 09:41:07 2018 -0500 - - typo - -commit 798d328b92ae5b0f44d0b318f31ee2b68ad9e261 -Author: Justin Terry (VM) -Date: Wed Dec 5 13:52:07 2018 -0800 - - Move all end-to-end tests to the tests folder - - To better align with the golang project recommended layout moving all non-unit - tests to the /tests folder. These require full e2e running of containers in - various ways. 
All unit test's should still be written inline with the package - under test as normal. - - Signed-off-by: Justin Terry (VM) - -commit 958687058f7b536aae98ff64120d3d8e33994fbf -Merge: a0817b7c6 b9b5647b4 -Author: Justin -Date: Tue Dec 18 21:30:17 2018 -0800 - - Merge pull request #426 from Microsoft/simplify_uvm_ots - - Simplify WCOW/LCOW opts passing - -commit dba5d1f282a3a0f40260fdc1f1a4f42aafa05727 -Author: Zachary Wachtel -Date: Tue Dec 18 14:31:47 2018 -0800 - - DNS Suffix to Domain for CNCF Alignment - -commit a7b24f460bcdeaaefe35dcfc059113d45a408577 -Author: Sam Smith -Date: Tue Dec 18 14:22:49 2018 -0500 - - Fix race in syscallWatcher - - Signed-off-by: Yechiel Kalmenson - -commit b9b5647b408682e726ef3b8bd25f1cc3af2da263 -Author: Justin Terry (VM) -Date: Mon Dec 17 15:06:26 2018 -0800 - - Make lcow tests explicitly set RootFS - - Signed-off-by: Justin Terry (VM) - -commit 7da07fe161d1699afccf2a353fb329097d3b97ae -Author: Justin Terry (VM) -Date: Mon Dec 17 15:01:11 2018 -0800 - - Cleanup annotations parsing - - 
Signed-off-by: Justin Terry (VM) - -commit a0817b7c6113f929c90db0abad39a45fa42ec498 -Merge: 056bbe1bd 58eb2ac5a -Author: Justin -Date: Mon Dec 17 13:29:06 2018 -0800 - - Merge pull request #428 from Microsoft/stoponreset - - Forcibly set StopOnReset for all UVM's - -commit 056bbe1bd61d2ebb0e69e733d18a83dc8e647b6f -Merge: a9bf4b1ca a02aabe39 -Author: Justin -Date: Mon Dec 17 13:28:27 2018 -0800 - - Merge pull request #430 from jstarks/uvmboot_cp - - tools/uvmboot: Add --console-pipe argument - -commit a02aabe3912eefa9709142439712f524a9f1083d -Author: John Starks -Date: Mon Dec 17 12:04:31 2018 -0800 - - tools/uvmboot: Add --console-pipe argument - -commit a9bf4b1cab9da8224fdc1346aaaf695191deb64d -Merge: 2bf3a7ac4 35ed63b84 -Author: Justin -Date: Mon Dec 17 11:01:00 2018 -0800 - - Merge pull request #427 from erfrimod/erfrimod/delete-methods-stop-returning-objects - - Removing nil objects from returns of Delete functions. - -commit 35ed63b84ba92a02e281227747307d69e6925124 -Author: Erik Frimodig -Date: Fri Dec 14 15:14:14 2018 -0800 - - Fix tests. - -commit 58eb2ac5aceca7ae272b7cae97c9a4a659cdd29a -Author: Justin Terry (VM) -Date: Fri Dec 14 13:29:49 2018 -0800 - - Forcibly set StopOnReset for all UVM's - - Signed-off-by: Justin Terry (VM) - -commit 68a9cf73b5facf38adee985aa50a954da13edf8a -Author: Erik Frimodig -Date: Fri Dec 14 11:58:03 2018 -0800 - - Removing objects from returns of Delete functions. - -commit d144c3909d961ceda03c8a7fb749968ba4d0d96f -Author: Justin Terry (VM) -Date: Thu Dec 13 15:18:06 2018 -0800 - - Simplify WCOW/LCOW opts passing - - 
Signed-off-by: Justin Terry (VM) - -commit 2bf3a7ac42318aacfffd0805be705ff2e4d1138f -Merge: f5a45d840 65d14ed38 -Author: Justin -Date: Thu Dec 13 13:28:56 2018 -0800 - - Merge pull request #425 from Microsoft/remove_oci_from_uvm - - Remove OCI usage from UVM activation - -commit 65d14ed384062191624737e7fdbf82650e086546 -Author: Justin Terry (VM) -Date: Thu Dec 13 10:55:38 2018 -0800 - - Remove OCI usage from UVM activation - - 
Signed-off-by: Justin Terry (VM) - -commit f5a45d8404a2c1aae81be743af26bdbbd87c79d2 -Merge: ea3930ef4 dfade3cec -Author: Kevin Parsons -Date: Thu Dec 13 10:19:40 2018 -0800 - - Merge pull request #420 from kevpar/uvmboot - - Add uvmboot tool - -commit dfade3cecafe6e630f7586e22a4ca88c2cafd8f6 -Author: Kevin Parsons -Date: Tue Dec 11 18:05:32 2018 -0800 - - Address PR feedback - -commit cfc3a00ce0843b1eb6896a8bb352e1f9368c5aa6 -Author: Kevin Parsons -Date: Tue Dec 11 14:48:15 2018 -0800 - - Run gofmt - -commit 72109e2fe35ed969260fb4d6f5cc61eeca5dff7c -Author: Kevin Parsons -Date: Tue Dec 11 10:38:56 2018 -0800 - - Improve output handling for uvmboot case - -commit 2319dd503c8702ae0eee48ff14f7caf04be2cd18 -Author: Kevin Parsons -Date: Fri Dec 7 13:21:47 2018 -0800 - - Clean up logging and add --debug parameter to uvmboot - -commit 020663cc0803a03913f733f4bc7ef7497b38e683 -Author: Kevin Parsons -Date: Fri Dec 7 13:11:41 2018 -0800 - - Add new flags and use flag defaults in create_lcow for unspecified values - -commit 52d6822e7d24929b7acde9a212d65096ed6888e0 -Author: Kevin Parsons -Date: Fri Nov 30 12:09:37 2018 -0800 - - Add uvmboot tool - -commit ea3930ef439f3b023a9d4d474a3878d9555a27b5 -Merge: e1dc7c81e 189f68ca1 -Author: Justin -Date: Wed Dec 12 12:41:24 2018 -0800 - - Merge pull request #423 from kevpar/terminate_terminated_system - - Don't return an error when terminating an already stopped compute system - -commit e1dc7c81eded94c3146eca742dfe51fab240f311 -Merge: c1105fa0a 317478873 -Author: Justin -Date: Wed Dec 12 12:40:53 2018 -0800 - - Merge pull request #424 from kevpar/new_notification_types - - Add new notification types to callback handler - -commit c1105fa0acfa8d43319349092e36c7eaffca6567 -Merge: 4029deb81 bcd9fa332 -Author: Justin -Date: Wed Dec 12 12:40:25 2018 -0800 - - Merge pull request #422 from Microsoft/terminate_on_last_handle - - Use TerminateOnLastHandleClosed for UVM - -commit 317478873f62a5212c329a04cde07cded23d8d98 -Author: Kevin Parsons 
-Date: Wed Dec 12 12:29:22 2018 -0800 - - Add new notification types to callback handler - -commit 189f68ca1102dc2c3b419fcd98d7bbfb7765561a -Author: Kevin Parsons -Date: Wed Dec 12 12:26:36 2018 -0800 - - Don't return an error when terminating an already stopped compute system - -commit bcd9fa3323e6c5949d4a6a4f745db87d454ec07d -Author: Justin Terry (VM) -Date: Wed Dec 12 09:29:32 2018 -0800 - - Use TerminateOnLastHandleClosed for UVM - - Resolves: #421 - - Signed-off-by: Justin Terry (VM) - -commit 4029deb818d4f98ffd7e01b20990dfceac503843 -Merge: e5a0893d5 e4fe4931d -Author: Justin -Date: Tue Dec 11 14:35:08 2018 -0800 - - Merge pull request #418 from Microsoft/uvm_counter - - Stop using a global container counter for all UVM's - -commit e5a0893d54a2a1c7faf467f700c72c3166547a77 -Merge: 320804d04 44b6ec825 -Author: Justin -Date: Tue Dec 11 14:34:21 2018 -0800 - - Merge pull request #415 from jterry75/passthrough - - Add OCI passthrough mount support for WCOW/LCOW - -commit 320804d049d824e7b5253796413c46dc6ceb605e -Merge: 4dbd1827b 99705983c -Author: Justin -Date: Tue Dec 11 14:33:47 2018 -0800 - - Merge pull request #419 from jstarks/no_ole32 - - interop: Get CoTaskMemAlloc from API set instead of ole32 - -commit 99705983c1fdde6570a7d266140346374109e5b3 -Author: John Starks -Date: Tue Dec 11 13:11:18 2018 -0800 - - interop: Get CoTaskMemAlloc from API set instead of ole32 - - ole32 pulls in several unnecessary DLLs, increasing load time by 5 or 10 - milliseconds. - - This change also updates mksyscall_windows to support API sets. - -commit 2c7fd4c0580e42f2cd790c9ef13ab820a1f18d36 -Author: John Starks -Date: Tue Dec 11 13:19:12 2018 -0800 - - mksyscall_windows: Remove interop dependency - -commit e4fe4931db9533a2ac4aca6d7c0a3a3d44ab8637 -Author: Justin Terry (VM) -Date: Tue Dec 11 12:51:23 2018 -0800 - - Stop using a global container counter for all UVM's - - 
Signed-off-by: Justin Terry (VM) - -commit 44b6ec825113650b2a5ba1074312c39125cc31a8 -Author: Justin Terry (VM) -Date: Thu Nov 15 23:50:07 2018 -0800 - - Add OCI passthrough mount support for WCOW/LCOW - - This PR adds support for passthrough mounts to the UVM for WCOW/LCOW. This can - be accomplished by passing a mount in the OCI spec as follows: - - { - "type": "physical-disk", - "destination": "", - "source": "\\.\PHYSICALDRIVE", - "options": ["rbind", "rw"] - } - - { - "type": "virtual-disk", - "destination": "", - "source": "C:\\test.vhd", - "options": ["rbind", "rw"] - } - - Signed-off-by: Justin Terry (VM) - -commit 4dbd1827b31ad606a763ecabd8c940b6d6e38d09 -Merge: de207593c d475b3d66 -Author: Justin -Date: Mon Dec 10 09:51:03 2018 -0800 - - Merge pull request #414 from kevpar/defer_operation_fix - - Fix operation-end logging - -commit d475b3d669908593c515c26e7cae1b53a02bedb7 -Author: Kevin Parsons -Date: Fri Dec 7 16:16:37 2018 -0800 - - Fix operation-end logging - -commit de207593c9a568d756b4310644db967edf1624bc -Merge: 21b9ff6ae 460f5d30a -Author: Justin -Date: Thu Dec 6 12:34:08 2018 -0800 - - Merge pull request #412 from Microsoft/remove_rootfs2vhd - - Removing rootfs2vhd use tar2ext4 - -commit 460f5d30a058da4db5503aa0f0bdc035d8444f2d -Author: Justin Terry (VM) -Date: Wed Dec 5 13:25:43 2018 -0800 - - Removing rootfs2vhd use tar2ext4 - - The command rootfs2vhd was used to create a rootfs.vhd from an OpenGCS - rootfs.tar.gz. In order to use this it was necessary to start a UVM on an - actual machine. The tool tar2ext4 creates a better optimized version of - rootfs.vhd and can do so without a UVM creation. Use this tool instead. - - 
Signed-off-by: Justin Terry (VM) - -commit 21b9ff6ae68cea4aa1326192b44f02b6925cb57a -Merge: 504c18040 0fa0ccfef -Author: Justin -Date: Tue Dec 4 22:21:42 2018 -0800 - - Merge pull request #410 from Microsoft/uvm_create_refactor - - Split UVM create into WCOW/LCOW - -commit 504c18040421a61669db4533d18f5c2d657f8c2e -Merge: a83b08327 cb3af812e -Author: Justin -Date: Tue Dec 4 10:19:14 2018 -0800 - - Merge pull request #411 from Microsoft/wclayer_logrus - - Convert wclayer to use logrus.Fields - -commit cb3af812ee57536b3f3dfe025534e914508efa70 -Author: Justin Terry (VM) -Date: Mon Dec 3 23:15:11 2018 -0800 - - Convert wclayer to use logrus.Fields - - Signed-off-by: Justin Terry (VM) - -commit 0fa0ccfef020f37ca03192677f6f8ad323a6822b -Author: Justin Terry (VM) -Date: Tue Nov 20 15:48:25 2018 -0800 - - Split UVM create into WCOW/LCOW - - Splits up the internal uvm.Create into uvm.CreateWCOW and uvm.CreateLCOW which - enables us to have options for each. This makes the code significantly easier - to read and maintain. - - Signed-off-by: Justin Terry (VM) - -commit a83b08327360d83bedf49f8d9f732596dfc13df4 (tag: v0.8.3) -Merge: ac0c7acbe f9f4940bd -Author: Justin -Date: Mon Dec 3 13:42:18 2018 -0800 - - Merge pull request #409 from Microsoft/uvm_lcow_kernel_opts - - More LCOW boot opts - -commit f9f4940bd171e06ba5d24301ba35d9e0c41b40f0 -Author: Justin Terry (VM) -Date: Mon Dec 3 13:32:51 2018 -0800 - - Add LCOW pmtmr=0 boot opt - - Signed-off-by: Justin Terry (VM) - -commit d9e7874ec132a7d8de98132d6fb8f5b13efeb7f1 -Author: Justin Terry (VM) -Date: Mon Dec 3 13:08:20 2018 -0800 - - Add LCOW brd.rd_nr=0 boot opt - - 
Signed-off-by: Justin Terry (VM) - -commit ac0c7acbee2166d95505fc582649fdc10308b226 -Merge: e9983bad2 d623cb8b8 -Author: Justin -Date: Mon Dec 3 11:35:25 2018 -0800 - - Merge pull request #408 from Microsoft/wclayer_filterrw - - Remove FilterLayerReader/Writer as it is unused - -commit d623cb8b8acd8c88ad94449bd6a4732b5a870640 -Author: Justin Terry (VM) -Date: Sat Dec 1 13:54:20 2018 -0800 - - Remove FilterLayerReader/Writer as it is unused - - Signed-off-by: Justin Terry (VM) - -commit e9983bad27edda3d48e66b28a878bb1a3c5cedea -Merge: 67ddf37f4 f64ae7f68 -Author: Justin -Date: Sat Dec 1 12:51:40 2018 -0800 - - Merge pull request #406 from jstarks/ro_root - - uvm: Mark pmem0 root fs readonly - -commit f64ae7f68f4bb4cbda1212c67e6534a482a4744d -Author: John Starks -Date: Fri Nov 30 23:25:28 2018 -0800 - - uvm: Mark pmem0 root fs readonly - - Not doing this causes spurious machine checks during boot in some cases. - -commit 67ddf37f404e05299e33b83ff8867bf1275a3b79 -Merge: 7f5118e35 6290b5839 -Author: Justin -Date: Fri Nov 30 20:49:27 2018 -0800 - - Merge pull request #387 from Microsoft/log_kvp - - Changing logging to use logrus.WithFields - -commit 6290b58393c3047b6c0198751656088b207f88f1 -Author: Justin Terry (VM) -Date: Wed Nov 21 14:06:41 2018 -0800 - - Changing logging to use logrus.WithFields - - 
Signed-off-by: Justin Terry (VM) - -commit 7f5118e353221132688b2ecc1ffbc64dd539ad16 -Merge: 25fcd6a79 99fce7d68 -Author: Justin -Date: Fri Nov 30 15:43:07 2018 -0800 - - Merge pull request #405 from kevpar/callback-hang-fix - - Don't attempt to write to callback channels that we don't support - -commit 25fcd6a794cc95e8948e38396b86a55371720286 -Merge: 132be6d33 6763b8d86 -Author: Justin -Date: Fri Nov 30 15:31:10 2018 -0800 - - Merge pull request #402 from Microsoft/oci_uvm_cpu_mem_override - - Adding CPU and Memory override OCI annotations - -commit 132be6d33406394fc0430b6bd54be73a1e5271de -Merge: 3a08484f1 63dd75c8b -Author: Justin -Date: Fri Nov 30 15:29:32 2018 -0800 - - Merge pull request #401 from Microsoft/revertdsr - - Revert breaking change to AddLoadBalancer - -commit 3a08484f11b2ea62c29d004b46a7550cbad0086b -Merge: d98a2594a be27fce3e -Author: Justin -Date: Fri Nov 30 15:28:46 2018 -0800 - - Merge pull request #404 from Microsoft/machine_generated - - Update generated file headers for mksyscall_windows - -commit d98a2594a3121d0b2e196830ece25f20a3f1e765 -Merge: 7f79371e7 b111b2465 -Author: Justin -Date: Fri Nov 30 14:58:44 2018 -0800 - - Merge pull request #400 from Microsoft/linux_kernel_direct - - Adding LinuxKernelDirect boot support - -commit 99fce7d68cfc6f3acd993cfef02d3f41dcbb7549 -Author: Kevin Parsons -Date: Fri Nov 30 12:42:06 2018 -0800 - - Don't attempt to write to callback channels that we don't support - -commit be27fce3ec340ea2db0501dfb9412c86a47cc7e1 -Author: Justin Terry (VM) -Date: Fri Nov 30 12:03:49 2018 -0800 - - Update generated file headers for mksyscall_windows - - Update to comply with the go standard for generated files found here: - https://github.com/golang/go/issues/13560#issuecomment-288457920 - - Signed-off-by: Justin Terry (VM) - -commit 63dd75c8beaf951849dcc4ac99a241e852dfc3c3 -Author: John Howard -Date: Fri Nov 30 10:27:21 2018 -0800 - - Rever isDSR breaking change to HNSAddLoadBalancer - - 
Signed-off-by: John Howard - -commit b111b24658f6ca506c4d9c47a62c3a91de6ba2b4 -Author: Justin Terry (VM) -Date: Thu Nov 29 15:34:38 2018 -0800 - - Adding LinuxKernelDirect boot support - - Signed-off-by: Justin Terry (VM) - -commit 7f79371e7bf92cb4953e9b9ca70cc3b7ef01602d -Merge: 371bbcbe2 1bbe025bc -Author: Justin -Date: Fri Nov 30 10:27:28 2018 -0800 - - Merge pull request #397 from Microsoft/scsi_uint32_uvm - - UVMOptions.SCSIControllerCount should be uint - -commit 371bbcbe229706caee37a1898e0b2317cdc39aa6 -Merge: f827be4ff d2e9ace33 -Author: Justin -Date: Fri Nov 30 10:11:42 2018 -0800 - - Merge pull request #403 from tfenster/patch-1 - - fix typo - -commit d2e9ace33c4e0ce6e1cc90e50946646557032919 -Author: Tobias Fenster -Date: Fri Nov 30 19:07:42 2018 +0100 - - fix typo - -commit 6763b8d8663690f4500d444c935564bada5f0e35 -Author: Justin Terry (VM) -Date: Thu Nov 29 22:07:30 2018 -0800 - - Adding CPU and Memory override OCI annotations - - Signed-off-by: Justin Terry (VM) - -commit f827be4ff656e1fb4956c994cb193e22a9a76942 -Merge: 3f7661148 e93d509eb -Author: Justin -Date: Thu Nov 29 15:42:33 2018 -0800 - - Merge pull request #399 from Microsoft/uvm_create_opts_test - - Cleanup uvm functional tests to use opts - -commit e93d509eb01c5c74008a7739e4bfb6e1f634f865 -Author: Justin Terry (VM) -Date: Thu Nov 29 14:45:53 2018 -0800 - - Cleanup uvm functional tests to use opts - - Signed-off-by: Justin Terry (VM) - -commit 1bbe025bc8eab69ef7c27c0cfc85e6f5787bb1a7 -Author: Justin Terry (VM) -Date: Thu Nov 29 10:39:41 2018 -0800 - - UVMOptions.SCSIControllerCount should be uint - - 
Signed-off-by: Justin Terry (VM) - -commit 3f76611480813aaa40a6401d1b0db8db5b5dd8a2 -Merge: 2da02d8fe cec2b0df5 -Author: Justin -Date: Thu Nov 29 13:33:51 2018 -0800 - - Merge pull request #398 from Microsoft/uart_enable_vmdebug - - Moving uart kernel config to ComPort creation - -commit cec2b0df57b633581ec98d17b6342e30faad590a -Author: Justin Terry (VM) -Date: Thu Nov 29 10:43:28 2018 -0800 - - Moving uart kernel config to ComPort creation - - Signed-off-by: Justin Terry (VM) - -commit 2da02d8feae6d5e622e39b196f570849aa286768 -Merge: 263722c20 f2636a732 -Author: Justin -Date: Thu Nov 29 13:21:54 2018 -0800 - - Merge pull request #396 from Microsoft/jjh/envoverride - - Annotation for preferred rootfs type - -commit f2636a732b85ba6ef82ed2c571107c9560f09f2e -Author: John Howard -Date: Thu Nov 29 09:51:22 2018 -0800 - - Annotation for preferred rootfs type - - Signed-off-by: John Howard - -commit 263722c202f3e3cbe07f1491e645acf24961f3a3 -Merge: 113ee11be c96ef8c64 -Author: Justin -Date: Wed Nov 28 17:16:26 2018 -0800 - - Merge pull request #394 from Microsoft/lcow_quiet - - Set LCOW kernel boot quiet for production - -commit c96ef8c64bb4ab422e40dd01babeabdc6a46cf2f -Author: Justin Terry (VM) -Date: Wed Nov 28 16:22:07 2018 -0800 - - Set LCOW kernel boot quiet for production - - Signed-off-by: Justin Terry (VM) - -commit 113ee11be1e5fd17ecd0a055315bf1447ca26e1d -Merge: 4b8e5951c 9720f99de -Author: Justin -Date: Wed Nov 28 15:36:09 2018 -0800 - - Merge pull request #393 from Microsoft/no_serial - - Skip uart enumeration on production boot - -commit 9720f99def3d978a4d9dbcec3854d41d070791b7 -Author: Justin Terry (VM) -Date: Wed Nov 28 15:28:18 2018 -0800 - - Skip uart enumeration on production boot - - 
Signed-off-by: Justin Terry (VM) - -commit 4b8e5951c74b714bcf02deaedfce3258e7c164bb -Merge: eb23b2c8d 49789112b -Author: Justin -Date: Wed Nov 28 14:56:46 2018 -0800 - - Merge pull request #392 from Microsoft/pci_off - - Turn pci devices off for LCOW - -commit 49789112bc73951e66600c891b2e39f0c60ea1ee -Author: Justin Terry (VM) -Date: Wed Nov 28 14:19:12 2018 -0800 - - Turn pci devices off for LCOW - - Signed-off-by: Justin Terry (VM) - -commit eb23b2c8d8548b28c989340264351ca25e82008f -Merge: cf26dff31 440ef2fc1 -Author: Justin -Date: Tue Nov 27 15:03:03 2018 -0800 - - Merge pull request #391 from Microsoft/runhcs_cmd_context_master - - Store the runhcs.exe path for faster invocation - -commit 440ef2fc185b1358e440ac49d92fec8dde6b1155 -Author: Justin Terry (VM) -Date: Tue Nov 27 12:40:36 2018 -0800 - - Store the runhcs.exe path for faster invocation - - Signed-off-by: Justin Terry (VM) - -commit cf26dff31d80f0c692725570e369ff127b7e9313 -Merge: 1e4444511 3e9e94dc2 -Author: Justin -Date: Tue Nov 20 19:33:54 2018 -0800 - - Merge pull request #385 from Microsoft/fix_owner_on_createscratch - - Forward Owner to runhcs create-scratch - -commit 1e44445110e5bae589513fc17e02ac68c5d2e0a5 -Merge: 62c7eb6ea 44fd3f569 -Author: John Starks -Date: Tue Nov 20 16:26:19 2018 -0800 - - Merge pull request #386 from jiria/jiria/fix-arm32-int-overflow - - Fix int overflow for ARM32 builds - -commit 44fd3f56932b844aad316a304020daabe6949abb -Author: Jiri Appl -Date: Tue Nov 20 16:21:59 2018 -0800 - - Fix int overflow for ARM32 builds - -commit 3e9e94dc2eb5a59808ae4c05aefa678b30b2704c -Author: Justin Terry (VM) -Date: Tue Nov 20 15:43:44 2018 -0800 - - Forward Owner to runhcs create-scratch - - 
Signed-off-by: Justin Terry (VM) - -commit 62c7eb6ea169ccab0a1b0fb7c2915de611950236 -Merge: 6040dd26d 73aa4feb1 -Author: Justin -Date: Tue Nov 20 15:31:34 2018 -0800 - - Merge pull request #384 from Microsoft/fix_schemaversion_tests - - Fix schemaversion tests on RS5+ - -commit 73aa4feb1d0c76a85d1dce1eb895d75c3528a66e -Author: Justin Terry (VM) -Date: Tue Nov 20 13:50:15 2018 -0800 - - Fix schemaversion tests on RS5+ - - Signed-off-by: Justin Terry (VM) - -commit 6040dd26d8de28ff4637b34e21929f52898ca1a0 -Merge: 6abe1bb09 5030fb027 -Author: Justin -Date: Mon Nov 19 15:13:30 2018 -0800 - - Merge pull request #383 from Microsoft/remove_unused_cmd - - Remove unused test cmd - -commit 6abe1bb098661c9b5c40f48ed28c4bf5decc1223 -Merge: 643242df9 ec43188ac -Author: Justin -Date: Mon Nov 19 14:55:17 2018 -0800 - - Merge pull request #382 from Microsoft/ext4_test_fix - - Fix ext4 compact_test leak testfs.img - -commit 5030fb0275a7fff626964670b06ea718ec7329cb -Author: Justin Terry (VM) -Date: Mon Nov 19 14:55:08 2018 -0800 - - Remove unused test cmd - - Signed-off-by: Justin Terry (VM) - -commit 643242df94f2a78262aef991e67428e69e293dcd -Merge: 1386fb103 8bd16a0bb -Author: Justin -Date: Mon Nov 19 14:45:17 2018 -0800 - - Merge pull request #381 from Microsoft/fix_vmmem_size - - Update uvm_mem tests to use 512MB by default - -commit ec43188ac2d9a7909303e48e32dfa19d91c52488 -Author: Justin Terry (VM) -Date: Mon Nov 19 14:40:29 2018 -0800 - - Fix ext4 compact_test leak testfs.img - - Signed-off-by: Justin Terry (VM) - -commit 1386fb10368146b6b76635faffcda6fcead3aba9 -Merge: 2d97ca3b8 94f0b7012 -Author: Justin -Date: Mon Nov 19 14:29:24 2018 -0800 - - Merge pull request #380 from Microsoft/runhcs_vm_layerfolders - - Stop passing appending \vm to Windows scratch LayerFolders - -commit 94f0b70126a1e3ca2802374744ab89f908b0e113 -Author: Justin Terry (VM) -Date: Mon Nov 19 14:21:29 2018 -0800 - - Add comment about why runhcs uses the sandbox layer folder \vm - - 
Signed-off-by: Justin Terry (VM) - -commit 2d97ca3b89d1126945e579e181f248994989d832 -Merge: 56dc43e39 66224090e -Author: Justin -Date: Mon Nov 19 14:08:59 2018 -0800 - - Merge pull request #379 from Microsoft/update_test_tags - - Change runhcs_test build tag to 'integration' to match other tests. - -commit 8bd16a0bb9fca7fe1226276906958929fdec6d45 -Author: Justin Terry (VM) -Date: Mon Nov 19 13:58:32 2018 -0800 - - Update uvm_mem tests to use 512MB by default - - Signed-off-by: Justin Terry (VM) - -commit 56dc43e39c4ba67ae6680ad910a5bc956bfec1d5 -Merge: 98eb7f01e f8edcce24 -Author: Justin -Date: Mon Nov 19 13:56:15 2018 -0800 - - Merge pull request #378 from Microsoft/uvm_close_tests - - Use uvm.Close() rather than uvm.Terminate() - -commit 66224090ea71aa6a3ca7109a0828907f68a60e04 -Author: Justin Terry (VM) -Date: Mon Nov 19 13:22:33 2018 -0800 - - Change runhcs_test build tag to 'integration' to match other tests. - - Signed-off-by: Justin Terry (VM) - -commit f8edcce246161cb0af989e01273bd03305146f30 -Author: Justin Terry (VM) -Date: Mon Nov 19 13:15:44 2018 -0800 - - Use uvm.Close() rather than uvm.Terminate() - - Signed-off-by: Justin Terry (VM) - -commit 98eb7f01e55c55488617a7316f18b1fae14cf3b1 -Merge: a246220a7 598dda9a6 -Author: Justin -Date: Mon Nov 19 12:32:16 2018 -0800 - - Merge pull request #375 from Microsoft/runhcs_simplify_annotations - - Simplify annotations for easier use across types - -commit a246220a704d3a3e0c44ba391e90dc53e7856b5b -Merge: 38d162f40 ae0393202 -Author: John Howard -Date: Mon Nov 19 10:01:33 2018 -0800 - - Merge pull request #376 from Microsoft/persisted_state_json - - Add JSON tagging and comments to persistedState fields - -commit 598dda9a6d21153c897953a253c080daaa0abc01 -Author: Justin Terry (VM) -Date: Mon Nov 19 09:24:26 2018 -0800 - - Convert annotation parse failure to Warning - - 
Signed-off-by: Justin Terry (VM) - -commit ae039320286b78474bc46522733c2f8d761bf675 -Author: Justin Terry (VM) -Date: Mon Nov 19 09:08:59 2018 -0800 - - Add JSON tagging and comments to persistedState fields - - Signed-off-by: Justin Terry (VM) - -commit c8b3ad04832a078f9bb5003b379a79042f6009fd -Author: Justin Terry (VM) -Date: Mon Nov 19 08:47:00 2018 -0800 - - Fix issue not forwarding UVM resources for LCOW activations - - Signed-off-by: Justin Terry (VM) - -commit 093c0cea288f637de6ecfab4c59dfa44f4318661 -Author: Justin Terry (VM) -Date: Mon Nov 19 08:45:10 2018 -0800 - - Simplify annotations parsing and assignment for custom opts - - Signed-off-by: Justin Terry (VM) - -commit 38d162f40e8cf02413292c30c5d337b49911d62d -Merge: ea14d179e d0edf8f46 -Author: Justin -Date: Mon Nov 19 08:47:19 2018 -0800 - - Merge pull request #374 from Microsoft/runhcs_fix_owner - - Forward --owner from runhcs command to UVM/container creation - -commit d0edf8f46614643ce997ada46b6ad8d399ff75d1 -Author: Justin Terry (VM) -Date: Mon Nov 19 08:30:48 2018 -0800 - - Forward --owner from runhcs command to UVM/container creation - - Signed-off-by: Justin Terry (VM) - -commit ea14d179ee5442cd8af532787aa4afda68f81d8b -Merge: 4f64a5980 7de83b9c7 -Author: Justin -Date: Fri Nov 16 14:46:24 2018 -0800 - - Merge pull request #373 from Microsoft/fix_assign_pmem - - Assign uvm.vpmemMaxSizeBytes on create to avoid SCSI fallback - -commit 7de83b9c7feb886bb53c1f99f55faf82f698a2df -Author: Justin Terry (VM) -Date: Fri Nov 16 14:37:34 2018 -0800 - - Assign uvm.vpmemMaxSizeBytes on create to avoid SCSI fallback - - Signed-off-by: Justin Terry (VM) - -commit 4f64a598035b09da04155f7dfd76b63edf04fca1 (tag: v0.8.1) -Merge: 02bd6848d 102a6f0be -Author: Justin -Date: Fri Nov 9 15:38:14 2018 -0800 - - Merge pull request #370 from Microsoft/jjh/annotations2 - - Fix panic - -commit 102a6f0bed0c012f3484a44a6a0f5098fca1dab1 -Author: John Howard -Date: Fri Nov 9 14:38:53 2018 -0800 - - Fix panic - - 
Signed-off-by: John Howard - -commit 02bd6848d53d2e82b2adc5ffacf556f16e4c1f9c (tag: v0.8.0) -Merge: af4e2cd5b 1c613a083 -Author: Justin -Date: Fri Nov 9 11:38:20 2018 -0800 - - Merge pull request #369 from Microsoft/jjh/annotations - - Update annotation fields - -commit 1c613a083ed94c0923f8c0829beedcdbce44417e -Author: John Howard -Date: Fri Nov 9 10:42:12 2018 -0800 - - Review comments - - Signed-off-by: John Howard - -commit 6224e34b7893600ede17b4edf9c285cd6e5eec46 -Author: John Howard -Date: Thu Nov 8 15:55:15 2018 -0800 - - Compile functional tests - - Signed-off-by: John Howard - -commit dd319b3505dd80377edf9b29c0c5fcc667804c08 -Author: John Howard -Date: Thu Nov 8 15:06:37 2018 -0800 - - Fix functional tests - - Signed-off-by: John Howard - -commit ea1ae19186da497eeac2db35c06f99007abf6003 -Author: John Howard -Date: Thu Nov 8 08:55:11 2018 -0800 - - Update annotation fields - - Signed-off-by: John Howard - -commit af4e2cd5ba2e53235f6fbaed93786793e219f5b3 -Merge: 3f8501726 a8d67a7d9 -Author: Justin -Date: Wed Nov 7 10:27:49 2018 -0800 - - Merge pull request #366 from Microsoft/runhcs_test_matrix - - Add runhcs E2E matrix tests for Windows - -commit a8d67a7d9b7a3ce799261450ea6b9416133b4900 -Author: Justin Terry (VM) -Date: Tue Nov 6 14:40:53 2018 -0800 - - Publish go-runhcs functional tests as part of build - - 
Signed-off-by: Justin Terry (VM) - -commit 3f850172656f5158580526774b4a76186f0a1dfb (tag: v0.7.14) -Merge: 3270136cc 82bb745e7 -Author: Justin -Date: Tue Nov 6 15:22:58 2018 -0800 - - Merge pull request #364 from Microsoft/jjh/movegrantvmaccess - - Move GrantVmAccess calls - -commit 3270136cc589ce6d7ba35a3e9bb19735535f99bb -Merge: 1d3e1d927 1a9ef3397 -Author: Justin -Date: Tue Nov 6 15:22:38 2018 -0800 - - Merge pull request #367 from Microsoft/uvm_mem_backing - - AllowOvercommit has replaced Backing and should be used instead. - -commit 1a9ef33975b77415e71cd9cd62445cd2d671abc5 -Author: Justin Terry (VM) -Date: Tue Nov 6 15:06:06 2018 -0800 - - AllowOvercommit has replaced Backing and should be used instead. - - Signed-off-by: Justin Terry (VM) - -commit 1d3e1d927be33a51b8d9cc1f25df4d3b26640bd2 -Merge: 1cb5e2cf2 31d279894 -Author: Justin -Date: Tue Nov 6 14:43:56 2018 -0800 - - Merge pull request #365 from Microsoft/jjh/runmemstartwcowtest - - Use Scratch in TestMemBackingTypeWCOW - -commit aa1ff4dcded088edbe159ff4c43968798833a97e -Author: Justin Terry (VM) -Date: Tue Nov 6 14:38:10 2018 -0800 - - Add runhcs E2E matrix tests for Windows - - Signed-off-by: Justin Terry (VM) - -commit 31d279894d360203c33e3144157a78f765323f6e -Author: John Howard -Date: Tue Nov 6 10:48:54 2018 -0800 - - Use Scratch in TestMemBackingTypeWCOW - - Signed-off-by: John Howard - -commit 82bb745e76eeb99aa23757d2799ea873ff5cb0bd -Author: John Howard -Date: Tue Nov 6 10:46:01 2018 -0800 - - Move GrantVmAccess calls - - 
Signed-off-by: John Howard - -commit 1cb5e2cf2b55d25154919d86acd2706c374d3e9f -Merge: 1565ec37a 46ddede47 -Author: Justin -Date: Mon Nov 5 08:51:37 2018 -0800 - - Merge pull request #363 from Microsoft/v0.7.9-dev - - V0.7.9 dev - -commit 46ddede4768e56935b0739edbb81e796304a25e2 (tag: v0.7.9-1, upstream-hcshsim/v0.7.9-dev, origin/v0.7.9-dev, hcsshim/v0.7.9-dev) -Merge: 521d0b77d d35ef6950 -Author: Justin -Date: Mon Nov 5 08:29:42 2018 -0800 - - Merge pull request #362 from Microsoft/export_assigned_device - - Export AssignedDevice in V1 - -commit d35ef6950e397b74b1d0fe106732c148fc358181 -Author: Justin Terry (VM) -Date: Mon Nov 5 08:21:51 2018 -0800 - - Export AssignedDevice in V1 - - Signed-off-by: Justin Terry (VM) - -commit 1565ec37a5a5bf580e349139d8c9bd0e2b32571b (tag: v0.7.13) -Merge: c5c7c5c42 f1772354a -Author: Justin -Date: Fri Nov 2 10:02:55 2018 -0700 - - Merge pull request #360 from Microsoft/memory_opt - - Adding MemoryBackingType support via OCI annotations - -commit c5c7c5c423f271a26bfea9e504d4d2f2d281583b -Merge: 04fd3112a bdb1952d6 -Author: Justin -Date: Wed Oct 31 11:46:20 2018 -0700 - - Merge pull request #359 from Microsoft/jjh/lcowlargelayeronscsi - - LCOW: Use SCSI for layers over 512MB rather than PMEM - -commit f1772354adff103f9b4b7a9c00c4f68eaf767ec4 -Author: Justin Terry (VM) -Date: Wed Oct 31 10:44:16 2018 -0700 - - Adding MemoryBackingType support via OCI annotations - - Signed-off-by: Justin Terry (VM) - -commit bdb1952d6a717ee4736b19ed6b1f9953d4793914 -Author: John Howard -Date: Wed Oct 24 14:59:01 2018 -0700 - - LCOW: Use SCSI for layers over 512MB - - 
Signed-off-by: John Howard - -commit 04fd3112a484505898a175773ae751928efa67a8 -Merge: 94038f203 fa0fcc423 -Author: Justin -Date: Fri Oct 19 13:18:07 2018 -0700 - - Merge pull request #358 from pradipd/remotesubnet - - Adding functions to modify network settings and policies. Adding RemoteSubnetRoutePolicy. - -commit fa0fcc423e891a506ae5fed8bc0b9b4272cbfaba -Author: Pradip Dhara -Date: Fri Oct 19 12:20:26 2018 -0700 - - Fixing tests. - -commit f18977c9bc3bb78f606fd8f54f7b263e3ab9f22b -Author: Pradip Dhara -Date: Fri Oct 19 11:18:24 2018 -0700 - - More PR changes. - -commit b19dd74b6caee626b89b8c6a07185a9a770d4379 -Author: Pradip Dhara -Date: Fri Oct 19 11:06:24 2018 -0700 - - fixing test. - -commit 119a079670884c832666d52f61c99ee4174deb30 -Author: Pradip Dhara -Date: Fri Oct 19 11:03:17 2018 -0700 - - PR changes. - -commit c2d44082e8793cd5e7d045375ed35293b2898efc -Author: Pradip Dhara -Date: Fri Oct 19 10:42:09 2018 -0700 - - gofmt -s -w hcnutils_test.go - -commit 3a3001e0d71a593cd9dbe2ea41d8f24a133946d4 -Author: Pradip Dhara -Date: Wed Oct 10 10:35:26 2018 -0700 - - Adding functions to modify network settings and policies. Adding RemoteSubnetRoutePolicy. 
- -commit 94038f203f488410f56c2efb61c0ef30e3d940bd -Merge: 4c3e966e0 f670ba5ae -Author: Justin -Date: Fri Oct 19 10:54:09 2018 -0700 - - Merge pull request #356 from madhanrm/elbdsr - - Expose DSR Settings in Load Balancer - -commit 4c3e966e0114c45dca094eebba6323342385a4fd -Merge: fb82daad4 4898b4ef9 -Author: Justin -Date: Fri Oct 19 10:51:55 2018 -0700 - - Merge pull request #355 from Microsoft/argon_signal_support - - Adding Signal support for RS5 Argon - -commit fb82daad433bcca016238d13d13a3a3f47f6bd12 -Merge: 6cca3cb41 5ed37087c -Author: Justin -Date: Fri Oct 19 10:49:06 2018 -0700 - - Merge pull request #357 from Microsoft/enable_hot_hint - - Enable HotHint for Windows - -commit 5ed37087cb6dc37171d0b3cac7637584d9b5014f -Author: Justin Terry (VM) -Date: Fri Oct 19 10:25:32 2018 -0700 - - Enable HotHint for Windows - - Signed-off-by: Justin Terry (VM) - -commit f670ba5ae4e2f8921d3cd1c6eb651abf7a1ed222 -Author: Madhan Raj Mookkandy -Date: Thu Oct 11 22:30:56 2018 -0700 - - Fix tests to fail and continue - - Expose ELB DSR flag - -commit 4898b4ef9773740f0e990f246fc253c4c63e3e6b -Author: Justin Terry (VM) -Date: Thu Oct 18 10:29:42 2018 -0700 - - Adding Signal support for RS5 Argon - - 
Signed-off-by: Justin Terry (VM) - -commit 6cca3cb411c22d34aa97c81c98532500cff4860c -Merge: 5b3eff572 8a23738a9 -Author: Justin -Date: Thu Oct 18 07:50:41 2018 -0700 - - Merge pull request #354 from erfrimod/erfrimod/adding-debugprint - - Debug prints out the json provided to HNS on CreateX calls. - -commit 8a23738a92666bbebb5f7f88766ad1eee3af76c2 -Author: Erik Frimodig -Date: Wed Oct 17 16:51:05 2018 -0700 - - Debug prints out the json provided to HNS. - -commit 5b3eff572681588b6ce3df295d3d23b72f053f32 (tag: v0.7.12) -Merge: 2ef465979 234770f9b -Author: Justin -Date: Mon Oct 15 13:22:33 2018 -0700 - - Merge pull request #353 from Microsoft/fix_close - - Fix issue failing to close handle in some cases - -commit 234770f9bb86130becd2d489a0bbb7f4b9e52d82 -Author: Justin Terry (VM) -Date: Mon Oct 15 13:22:08 2018 -0700 - - Fix issue failing to close handle in some cases - - Signed-off-by: Justin Terry (VM) - -commit 2ef465979b68863164ec5babcccd8a6ed4b7881e -Merge: 97ac67c39 1b90ca682 -Author: Justin -Date: Mon Oct 15 13:08:38 2018 -0700 - - Merge pull request #352 from Microsoft/mv_to_pkg - - go-runhcs should not be in cmd/ - -commit 1b90ca68286272b8055d1fe76a7166ec93ec2715 -Author: Justin Terry (VM) -Date: Mon Oct 15 12:58:20 2018 -0700 - - go-runhcs should not be in cmd/ - - Signed-off-by: Justin Terry (VM) - -commit 97ac67c39fcc2c5b576f0e403057d6695403e6d3 -Merge: 21c9d90b5 cc9aad746 -Author: Justin -Date: Mon Oct 15 12:52:48 2018 -0700 - - Merge pull request #349 from Microsoft/fix_signal - - Implement signal support - -commit cc9aad74674a51b9b9fa1b9dd476d925e3a2160a -Author: Justin Terry (VM) -Date: Mon Oct 15 12:38:09 2018 -0700 - - Fix issue failing to close handle in some cases - - Signed-off-by: Justin Terry (VM) - -commit 35bf3db14489d1ba27e09d6dd29d9a0d19bfaa96 -Author: Justin Terry (VM) -Date: Fri Oct 12 15:37:06 2018 -0700 - - Implement signal support - - 
Signed-off-by: Justin Terry (VM) - -commit 3b26b4d506948473ad90b504a1c563ea792a5b32 -Merge: 94030be22 b291a0068 -Author: John Howard -Date: Mon Oct 15 10:07:40 2018 -0700 - - Merge pull request #262 from Microsoft/signal_support - - Return GuestDefinedCapabilities with SignalProcess support - -commit 94030be225b7d6398c92ac37cbf438dd5b0d91be -Merge: 6ca2495a8 12c75e34e -Author: Justin -Date: Mon Oct 15 10:07:32 2018 -0700 - - Merge pull request #261 from franksinankaya/sinankaya/unittests - - Sinankaya/unittests - -commit b291a00688efa4f6e403270feebe1adc5542252a -Author: Justin Terry (VM) -Date: Mon Oct 15 09:33:29 2018 -0700 - - Return GuestDefinedCapabilities with SignalProcess support - - Signed-off-by: Justin Terry (VM) - -commit 12c75e34e4a3b399eb262186567f227da8506885 -Author: Sinan Kaya -Date: Fri Oct 12 05:57:43 2018 +0000 - - runc: look for whoami string instead of match - - Search for whoami rather than looking for an exact match. - Command prompt is different between OS flavors. - -commit 44bfe35c5a9e39ae3cc7bc8b24619122f68fef2b -Author: Sinan Kaya -Date: Fri Oct 12 04:02:53 2018 +0000 - - Support OS with sysvinit in PathIsMounted - - tmpfs is mounted at /var/volatile on some sysvinit based operating - systems. - - Search mount point in PathIsMounted with /var/volatile prefixed as - an alternative. - -commit 21c9d90b535b6009e17bae665ce1334006ee7820 (tag: v0.7.11) -Merge: 0e76f28bd c8634ebcf -Author: Justin -Date: Thu Oct 11 14:11:58 2018 -0700 - - Merge pull request #343 from Microsoft/runhcs_argon_volumematch - - Runhcs argon/xenon fixes - -commit c8634ebcfea55077dd0718f6a9886dd2bac7ba32 -Author: Justin Terry (VM) -Date: Wed Oct 10 15:48:14 2018 -0700 - - Fix runhcs create issue for Windows Xenon - - 
Signed-off-by: Justin Terry (VM) - -commit 0e76f28bdb8ed162ab07a53d17048ecb3fcc8a1e -Merge: 022ce5861 2e0fd1229 -Author: Justin -Date: Thu Oct 11 13:13:55 2018 -0700 - - Merge pull request #345 from madhanrm/winNsRs4 - - Fix runhcs to setup networking for RS4 WCOW images - -commit 2e0fd1229103c345bee4b24a1129dc38c122bafb -Author: Madhan Raj Mookkandy -Date: Thu Oct 11 13:08:16 2018 -0700 - - Fix runhcs to setup networking for RS4 WCOW images - -commit 022ce5861e3ccd2396688c77993765d526eb179e (tag: v0.7.10) -Merge: ec67d8ada e59750fd9 -Author: John Howard -Date: Thu Oct 11 12:06:42 2018 -0700 - - Merge pull request #344 from Microsoft/jjh/namespace - - Add GuestConnection query - -commit e59750fd9693351117b48290b8e358a240ea6078 -Author: John Howard -Date: Thu Oct 11 11:49:39 2018 -0700 - - Add GuestConnection query - - Signed-off-by: John Howard - -commit e6bc263fc0948b63a3fad41be228a133f55ae6dc -Author: Justin Terry (VM) -Date: Wed Oct 10 15:23:44 2018 -0700 - - Properly check Root.Path regexp - - Signed-off-by: Justin Terry (VM) - -commit ec67d8adabb094c359828e3048c6eccc5c4a83ac -Merge: 521d0b77d 829ca83b0 -Author: Justin -Date: Wed Oct 10 11:31:27 2018 -0700 - - Merge pull request #340 from Microsoft/linter - - Add gofmt linter on all PR's - -commit 829ca83b0d591c18363e4b0a274fa44870a34c89 -Author: Justin Terry (VM) -Date: Wed Oct 10 11:09:00 2018 -0700 - - Add gofmt linting - - Signed-off-by: Justin Terry (VM) - -commit 1825d4a6244821a4a87e528ac466ebf3eeb3a8b1 -Author: Justin Terry (VM) -Date: Wed Oct 10 11:08:38 2018 -0700 - - Fix gofmt -s -w on all files - - Signed-off-by: Justin Terry (VM) - -commit 521d0b77d0302dd078f23c5b0d50c25b11de1849 (tag: v0.7.9) -Merge: 61e11b9f7 0940539b8 -Author: John Howard -Date: Tue Oct 9 16:19:20 2018 -0700 - - Merge pull request #339 from Microsoft/jjh/dos2unix - - Line endings again! - -commit 0940539b88302ff18e11d3ba83dd3177f3405dc6 -Author: John Howard -Date: Tue Oct 9 16:13:01 2018 -0700 - - Line endings again! - - 
Signed-off-by: John Howard - -commit 61e11b9f70596fc851c47fd04cc1066ae0bc4983 (tag: v0.7.8) -Merge: b92933868 a044a4d28 -Author: Justin -Date: Tue Oct 9 11:47:14 2018 -0700 - - Merge pull request #338 from Microsoft/tar2ext - - Add tar2ext4 to artifacts - -commit a044a4d289abd0e7f4874d5f7217e5a0fdcf0b10 -Author: John Howard -Date: Tue Oct 9 10:14:02 2018 -0700 - - Add tar2ext4 to artifacts - - Signed-off-by: John Howard - -commit b929338687bb4a06318ed63f20d7f3731d3574e7 -Merge: 9fa70dd6d ccedcbad8 -Author: John Howard -Date: Tue Oct 9 10:10:18 2018 -0700 - - Merge pull request #337 from jstarks/ext4_limit - - tar2ext4: Make disk size limit configurable - -commit ccedcbad83af7549c7bf771e2e18edfd8394f549 -Author: John Starks -Date: Thu Oct 4 11:46:29 2018 -0700 - - tar2ext4: Make disk size limit configurable - - The limit is necessary to reduce the group descriptor block size - overhead. It may be unnecessary in the future if metabg support is - implemented. - -commit 9fa70dd6de77ea6d6298d4b939a3fda324c00684 (tag: v0.7.7) -Merge: a92717667 0e65f42cc -Author: John Howard -Date: Mon Oct 8 14:59:04 2018 -0700 - - Merge pull request #336 from Microsoft/initxattrs - - ext4:Init Xattrs in Stat() - -commit 0e65f42ccc7063803b8bd900cbbb4f93dd4f27c8 -Author: John Howard -Date: Mon Oct 8 14:35:49 2018 -0700 - - ext4:Init Xattrs in Stat() - - 
Signed-off-by: John Howard - -commit a9271766729f3397fb446085a2c42cdb816a199d -Merge: baac74f0e 55f47474c -Author: John Howard -Date: Mon Oct 8 11:30:38 2018 -0700 - - Merge pull request #335 from Microsoft/runhcs_fix_namespace_config - - Only store namespace in registry for sandbox/uvm - -commit baac74f0e273933d7a50ecbefa2fa0e322ceeaef -Merge: c99722adf 776445ec4 -Author: John Howard -Date: Mon Oct 8 11:30:01 2018 -0700 - - Merge pull request #334 from jstarks/ext4_link_overflow - - tar2ext4: Enforce maximum link count - -commit c99722adf8edfffcb196344cafb0e87baa2ce0d1 -Merge: c9c35b22e d9ae28c05 -Author: John Howard -Date: Mon Oct 8 11:29:31 2018 -0700 - - Merge pull request #333 from jstarks/ext4_dir_determine - - tar2ext4: Eliminate non-determinism in directory entries - -commit c9c35b22e1ff87db3ba5290b7e1b29b462ccef8e -Merge: 548046cb2 acf618d08 -Author: John Howard -Date: Mon Oct 8 11:28:59 2018 -0700 - - Merge pull request #331 from jstarks/ext4_whiteout - - tar2ext4: Add opaque whiteout support - -commit 55f47474c23e295e0a52636f98110b0b5a6138d9 -Author: Justin Terry (VM) -Date: Thu Oct 4 14:11:19 2018 -0700 - - Only store namespace in registry for sandbox/uvm - - 
Signed-off-by: Justin Terry (VM) - -commit 548046cb2f0495eb2acd7682a0035d465bf05ea9 -Merge: 11a4334f3 99957fd4e -Author: Justin -Date: Thu Oct 4 13:13:50 2018 -0700 - - Merge pull request #332 from Microsoft/nit_networking_fixes - - A few network fixes - -commit 776445ec4efad99af0d7e7491c64ed6d85d8087e -Author: John Starks -Date: Thu Oct 4 12:21:36 2018 -0700 - - tar2ext4: Enforce maximum link count - -commit d9ae28c05cce49eb64c1e8ee76337acf42e599f1 -Author: John Starks -Date: Thu Oct 4 11:58:22 2018 -0700 - - tar2ext4: Eliminate non-determinism in directory entries - -commit acf618d08fa1453f74c92c3255c84333cbfbaa96 -Author: John Starks -Date: Thu Oct 4 11:17:59 2018 -0700 - - tar2ext4: Support opaque directories even with large xattrs - -commit 99957fd4e5860d07022dd1fc5ed51b5194cddcb4 -Author: Justin Terry (VM) -Date: Thu Oct 4 10:59:55 2018 -0700 - - A few network fixes - - 
Signed-off-by: Justin Terry (VM) - -commit 11a4334f3a724c44bfee9c3e02cf5ec82ed3c69c -Merge: ff1452791 8497e0360 -Author: Justin -Date: Thu Oct 4 10:49:42 2018 -0700 - - Merge pull request #320 from madhanrm/winNamespace - - Implement namespace support - -commit c7709814919e789021a733bad4dd3c196c9bc7de -Author: John Starks -Date: Thu Oct 4 08:31:30 2018 -0700 - - tar2ext4: Add opaque whiteout support - - There may still be some rare cases where opaque whiteouts are not - supported (specifically if there are large xattrs already on the - directory that is being removed). - -commit 8497e036063e0f8a9aa0ab034fa46e9eb06a85a5 -Author: Madhan Raj Mookkandy -Date: Wed Oct 3 16:33:37 2018 -0700 - - Comment out GuestNetworkSettings for LCOW - -commit ff14527911561feca991ff4264eab076de238811 -Merge: 4d90387f0 4241699d6 -Author: Justin -Date: Wed Oct 3 14:25:32 2018 -0700 - - Merge pull request #330 from jstarks/ext4_lostfound - - tar2ext4: Allow limited duplication of files - -commit 4241699d60d5730f0c05cf6d12930657347f282e -Author: John Starks -Date: Wed Oct 3 14:06:11 2018 -0700 - - tar2ext4: Allow limited duplication of files - - In some cases, tar files will have root directories, lost+found - directories, or duplicate file or directory entries. Support this when - possible. - -commit 4d90387f0d0830cba45e691ad9d5ed990d757a20 -Merge: d88aa6c58 6caa64a5b -Author: Justin -Date: Wed Oct 3 13:01:18 2018 -0700 - - Merge pull request #329 from Microsoft/remove_runhcs_tar2vhd - - Remove runhcs.exe tar2vhd command - -commit 6caa64a5bfe41aee514700e26779f7c9408494d8 -Author: Justin Terry (VM) -Date: Wed Oct 3 12:54:05 2018 -0700 - - Remove runhcs.exe tar2vhd command - - 
Signed-off-by: Justin Terry (VM) - -commit d88aa6c58eea88fbe92cd2c25c6f2e9761f68fd3 -Merge: 5291dc935 0c73b83e4 -Author: John Howard -Date: Wed Oct 3 11:52:15 2018 -0700 - - Merge pull request #328 from jstarks/ext4_dax - - tar2ext4: Make inline data optional for DAX support - -commit 187b8a19745f662880f80c0b6f729a8f312ebdb3 -Author: Madhan Raj Mookkandy -Date: Wed Oct 3 11:37:16 2018 -0700 - - Address review comments - -commit 0c73b83e4b996a762d437a99244aeb7dddc01e1f -Author: John Starks -Date: Wed Oct 3 11:13:38 2018 -0700 - - tar2ext4: Make inline data optional for DAX support - -commit 9bb66796a9328ef4198c275c1bfb48f0aadd5a2b -Author: Madhan Raj Mookkandy -Date: Tue Oct 2 19:13:18 2018 -0700 - - Fix NetworkModifyRequest to use rs5 schema AdapterInstanceId=>AdapterId - -commit 4d46ba31948105e6bfd1aa51bdf866025c396e02 -Author: Madhan Raj Mookkandy -Date: Fri Sep 14 23:11:57 2018 -0700 - - Fix Namespace from oci spec - - Implement Guest Namespace creation & removal - - Change default schema version for RS5 - -commit 5291dc935b8c3065c4266ece9ef1e210ac2e9e79 -Merge: e7c6aca27 176e1670a -Author: Justin -Date: Tue Oct 2 15:50:28 2018 -0700 - - Merge pull request #327 from Microsoft/user/jostarks/fix_overlayfs_wo - - tar2ext4: Use correct overlayfs whiteout format - -commit 176e1670a1e0fd2cee5cd019d07bf73b7b9008cc -Author: John Starks -Date: Tue Oct 2 15:35:21 2018 -0700 - - tar2ext4: Use correct overlayfs whiteout format - -commit e7c6aca2745c210f528d3a15fe7948edc10c2ed5 -Merge: d6582adb2 c9559c40f -Author: John Howard -Date: Tue Oct 2 15:20:18 2018 -0700 - - Merge pull request #326 from jstarks/tar2ext4 - - tar2ext4: Converter from tar to compact ext4 - -commit c9559c40fff1a7cb4b113d4eacad57c51b26a776 -Author: John Starks -Date: Tue Oct 2 13:37:33 2018 -0700 - - tar2ext4: Converter from tar to compact ext4 - -commit 6ca2495a82e0a58118a1265bf8a6fc1f6f4739be -Merge: f9d9074b6 825fa0ced -Author: Justin -Date: Tue Oct 2 14:56:05 2018 -0700 - - Merge pull request #260 
from Quasilyte/quasilyte/unslice - - service/gcsutil/gcstools: simplify s[:] to s - -commit 825fa0ced8b5026f3bb3d3dd50a53a247fca2500 -Author: Iskander Sharipov -Date: Tue Oct 2 23:55:39 2018 +0300 - - service/gcsutil/gcstools: simplify s[:] to s - - For s which is slice `s[:]` is identical to just `s`. - - https://open.microsoft.com/2018/09/30/join-hacktoberfest-2018-celebration-microsoft - -commit d6582adb25036766085eddc70fec73526aa4b186 -Merge: dab4aa72a 7932b7601 -Author: Justin -Date: Tue Oct 2 11:14:34 2018 -0700 - - Merge pull request #325 from erfrimod/erfrimod/adding-error-logging - - Erfrimod/adding error logging - -commit 7932b760180d29425580d18b06d11d84d5f36a7d -Author: Erik Frimodig -Date: Mon Oct 1 17:04:56 2018 -0700 - - Namespace Guest test - -commit ac9ccdec7224ee7f7bbd2700a33357baaef6a4c0 -Author: Erik Frimodig -Date: Mon Oct 1 15:55:21 2018 -0700 - - All HNS errors are debug logged. - -commit dab4aa72aed3e95180464bed8039025cce1d1a8c -Merge: bd3a676ef 6672b6296 -Author: Justin -Date: Mon Oct 1 11:42:21 2018 -0700 - - Merge pull request #323 from Microsoft/removeIsTP4 - - Remove redundant no-op IsTP4() - -commit bd3a676ef98d1039e1f7e93138e68bd16084eda2 -Merge: 45b89a72e bb6b18cdb -Author: Justin -Date: Mon Oct 1 11:41:51 2018 -0700 - - Merge pull request #324 from Microsoft/jjh/rs5andpromote - - Bump RS5; Promote osversion - -commit bb6b18cdb527145747b43a770efdea50491dd1d5 -Author: John Howard -Date: Mon Oct 1 09:41:02 2018 -0700 - - Bump RS5; Promote osversion - - Signed-off-by: John Howard - -commit 6672b6296999f4ff1c8db1d6f7aeeacbae5b42d4 -Author: John Howard -Date: Mon Oct 1 09:32:31 2018 -0700 - - Remove redundant no-op IsTP4() - - 
Signed-off-by: John Howard - -commit 45b89a72ee34e75f68da9073f5b71ba06a8e55cf -Merge: 28a1d8996 fb694104f -Author: John Howard -Date: Mon Oct 1 09:10:10 2018 -0700 - - Merge pull request #322 from Microsoft/runhcs_support_runas - - V2 support process User - -commit fb694104f3ed1c4c62de1f37b95a6ea2e8339382 -Author: Justin Terry (VM) -Date: Fri Sep 28 12:27:43 2018 -0700 - - V2 support process User - - Signed-off-by: Justin Terry (VM) - -commit 28a1d899607f76c1354eebd8ea9be874db71ee7d -Merge: a2dfd2894 c30f6fe43 -Author: Justin -Date: Fri Sep 28 11:50:25 2018 -0700 - - Merge pull request #321 from erfrimod/erfrimod/namespace-sync-tests - - Erfrimod/namespace sync tests - -commit c30f6fe438d516d566f6f46ead04aabf24b97d0a -Author: Erik Frimodig -Date: Thu Sep 27 15:27:37 2018 -0700 - - Adding tests for Namespace Sync. - -commit cc34845b3b0ff8a4c6c96f87e1b666827a57f851 -Author: Justin Terry (VM) -Date: Thu Sep 27 10:40:31 2018 -0700 - - Add SyncNamespace support to the CNI package. - - Implements the logic for the CNI package to look up the VMPipe to the VM shim - started via runhcs.exe and issue a Sync Namespace query to it. - - Signed-off-by: Justin Terry (VM) - -commit a2dfd28944fb2ac50e97b016c05e61ecd3321c7d (tag: v0.7.6) -Merge: 9db405e96 fbb921aa2 -Author: Justin -Date: Wed Sep 26 13:17:43 2018 -0700 - - Merge pull request #319 from Microsoft/fix_exec - - Reorder shim cmd args - -commit fbb921aa2fb10965c9d54635a06cadc302c19acc -Author: Justin Terry (VM) -Date: Wed Sep 26 12:57:55 2018 -0700 - - Reorder shim cmd args - - Signed-off-by: Justin Terry (VM) - -commit 9db405e9624c89f9666cfd87a3c27b548c4d9a70 (tag: v0.7.5) -Merge: 37e922b44 79973cc72 -Author: Justin -Date: Wed Sep 26 10:39:20 2018 -0700 - - Merge pull request #317 from Microsoft/jjh/nilcheck - - Nil check in allocateWindowsResources - -commit 79973cc72650220556e9ce2d31b9c4c0f2473b24 -Author: John Howard -Date: Tue Sep 25 14:20:36 2018 -0700 - - Nil check in allocateWindowsResources - - 
Signed-off-by: John Howard - -commit 37e922b44ed135ea2cd05d9855f61e9bbf51a335 -Merge: d79ba17d2 96762ff13 -Author: John Howard -Date: Wed Sep 26 10:30:47 2018 -0700 - - Merge pull request #318 from Microsoft/runhcs_upstream_logging - - Adds named pipe logging for debug/shim/vmshim logs - -commit 96762ff134196ce4fbeeb91dd8eab084f4ef2664 -Author: Justin Terry (VM) -Date: Tue Sep 25 10:38:54 2018 -0700 - - Adds named pipe logging for debug/shim/vmshim logs - - Signed-off-by: Justin Terry (VM) - -commit d79ba17d248084116e0ea526205c3d08518729f2 -Merge: 5c4225d59 2a2a68c3a -Author: Justin -Date: Tue Sep 25 11:07:49 2018 -0700 - - Merge pull request #316 from Microsoft/runhcs_resize_tty_pid - - Adding map between host pid and guest pid - -commit 2a2a68c3acef805be18f45a829c3853a29c2404c -Author: Justin Terry (VM) -Date: Tue Sep 25 10:44:28 2018 -0700 - - Adding map between host pid and guest pid - - Signed-off-by: Justin Terry (VM) - -commit 5c4225d59b00bd1a1475b5b88aef059cdc9befe2 -Merge: dc8e9cba3 8195945ef -Author: Justin -Date: Mon Sep 24 10:20:50 2018 -0700 - - Merge pull request #314 from erfrimod/erfrimod/hcn-better-errors-networktype - - Better errors, NetworkType added. - -commit 8195945eff997505c502d102b537f07378b09555 -Author: Erik Frimodig -Date: Fri Sep 21 17:30:37 2018 -0700 - - Responding to PR comments. - -commit dc8e9cba31b78bfbe1ead8416fb615699df44819 -Merge: 076e38820 1311d5610 -Author: Justin -Date: Fri Sep 21 12:44:45 2018 -0700 - - Merge pull request #315 from Microsoft/fix_exec_linux - - Fix issue with exec on linux oci spec - -commit 1311d5610b5027877ae904eaa1d69262cd495491 -Author: Justin Terry (VM) -Date: Fri Sep 21 12:18:26 2018 -0700 - - Fix issue with exec on linux oci spec - - 
Signed-off-by: Justin Terry (VM) - -commit 1aa738f3759dfbb06516f5780c5bbd35d1d56af0 -Author: Erik Frimodig -Date: Thu Sep 20 14:41:23 2018 -0700 - - Better errors, NetworkType added. - -commit 076e388208683a4ce9db9544ab507040be9c7d7c -Merge: e44e499d2 01dc11937 -Author: Justin -Date: Thu Sep 20 13:57:31 2018 -0700 - - Merge pull request #311 from erfrimod/erfrimod/hns-v1-exports-Namespace - - Adding Namespace to HNS exports. - -commit e44e499d29527b244d6858772f1b9090eeaddc4e (tag: v0.7.4) -Merge: 18b832695 9cb7bad9a -Author: Justin -Date: Wed Sep 19 14:29:14 2018 -0700 - - Merge pull request #313 from Microsoft/go_runhcs_bindings - - Go runhcs bindings - -commit 9cb7bad9a8adc8b10e06919b1d47792a000a6474 -Author: Justin Terry (VM) -Date: Wed Sep 19 12:34:12 2018 -0700 - - Adding runhcs resize-tty go bindings - - Signed-off-by: Justin Terry (VM) - -commit 84a2586da1d0de9f8f98a4e7981f683613c1cdf1 -Author: Justin Terry (VM) -Date: Wed Sep 19 12:17:36 2018 -0700 - - Adding runhcs state go bindings - - Signed-off-by: Justin Terry (VM) - -commit 856540a9052abf8cb5f9e789e6c5630a290cec72 -Author: Justin Terry (VM) -Date: Wed Sep 19 12:17:15 2018 -0700 - - Adding runhcs ps go bindings - - Signed-off-by: Justin Terry (VM) - -commit 1ccfe28bc73c33d66dccc867dbd8915d2cbde5b8 -Author: Justin Terry (VM) -Date: Wed Sep 19 12:16:53 2018 -0700 - - Adding runhcs pause/resume go bindings - - Signed-off-by: Justin Terry (VM) - -commit 4607c97ded436c88627eae1fa722d0756fee013a -Author: Justin Terry (VM) -Date: Wed Sep 19 11:47:34 2018 -0700 - - Add runhcs create-scratch and list tests - - Signed-off-by: Justin Terry (VM) - -commit aba89567c200a267dbe977203f2528611a84a0a9 -Author: Justin Terry (VM) -Date: Wed Sep 19 11:29:08 2018 -0700 - - Add runhcs list go binding - - Signed-off-by: Justin Terry (VM) - -commit 1c55295f4e39b34925521b8cbafc7324cc57ab8f -Author: Justin Terry (VM) -Date: Wed Sep 19 11:23:15 2018 -0700 - - Adding create-scratch go binding - - 
Signed-off-by: Justin Terry (VM) - -commit 18b83269570bb7954e8dc2db72c181972476304f -Merge: 943d8fec2 f25353d9f -Author: Justin -Date: Wed Sep 19 10:49:34 2018 -0700 - - Merge pull request #312 from Microsoft/unify_runhcs_stopped_error - - Unify runhcs container stopped error - -commit f25353d9ff62092a879cd6ff6480d0a002970874 -Author: Justin Terry (VM) -Date: Wed Sep 19 10:40:35 2018 -0700 - - Unify runhcs container stopped error - - Signed-off-by: Justin Terry (VM) - -commit 01dc11937f222484a544083490b7cdbc36929ee2 -Author: Erik Frimodig -Date: Mon Sep 17 17:56:21 2018 -0700 - - Adding Namespace to HNS exports. Required for CNI to provide Endpoint Namespace in HNS V1. - -commit 943d8fec26ba5ba845f6ab59ce9078db68b4e352 -Merge: 3afd75b67 51ed347ce -Author: John Howard -Date: Thu Sep 13 13:23:56 2018 -0700 - - Merge pull request #309 from Microsoft/jjh/fixlogging - - Fix logging in CreateLayer - -commit 51ed347ce8dd1219b66a011999c84412610308ea -Author: John Howard -Date: Thu Sep 13 10:41:34 2018 -0700 - - Fix logging in CreateLayer - - Signed-off-by: John Howard - -commit 3afd75b67fe9ec0c8ce72c2d2c160fcddd0fc532 -Merge: f3c754d16 c782eb992 -Author: John Howard -Date: Mon Sep 10 10:17:02 2018 -0700 - - Merge pull request #308 from Microsoft/jjh/morelineendings - - More unix line ending fixes - -commit c782eb992265b610a9ce00bb44b15ca08016b933 -Author: John Howard -Date: Mon Sep 10 09:52:01 2018 -0700 - - More unix line ending fixes - - 
Signed-off-by: John Howard - -commit f3c754d1689c1a2028ca5d96103695422f131df3 (tag: v0.7.3) -Merge: 3b3d80e14 d8163de56 -Author: Justin -Date: Fri Sep 7 14:18:39 2018 -0700 - - Merge pull request #306 from Microsoft/fix_guid - - Updates the GUID type to marshal as string. - -commit 3b3d80e14345c17de713b5c6f3e600cba652002b -Merge: 939ef9a51 67937587e -Author: Justin -Date: Fri Sep 7 14:03:34 2018 -0700 - - Merge pull request #307 from erfrimod/erfrimod/hcn-fixes-tests - - Erfrimod/hcn fixes tests - -commit 67937587e909cad662a327cc2f31599797434aa8 -Author: Erik Frimodig -Date: Fri Sep 7 13:53:33 2018 -0700 - - Adding test to verify passing v1 schema to RPC. - -commit d8163de5658ec56c7ac69fc24223363436c1bdae -Author: Justin Terry (VM) -Date: Fri Sep 7 13:40:10 2018 -0700 - - Updates the GUID type to marshal as string. - - Signed-off-by: Justin Terry (VM) - -commit cacccd2dbf84a317c0fa022cd030d38c066e048d -Author: Erik Frimodig -Date: Fri Sep 7 12:47:08 2018 -0700 - - Get functions return an error if no matches exist. - -commit 939ef9a5179232988ba79372d158b473146bf1c1 (tag: v0.7.2) -Merge: 839a2fd93 1d65daa2d -Author: John Howard -Date: Thu Sep 6 11:39:54 2018 -0700 - - Merge pull request #304 from Microsoft/jjh/lineneding - - Fix line ending in guid.go - -commit 1d65daa2d58a543c977041d57bb011e79b3d3a8e -Author: John Howard -Date: Thu Sep 6 11:36:58 2018 -0700 - - Fix line ending in guid.go - - Signed-off-by: John Howard - -commit 839a2fd931c148a08d4d264804dace156bdd5641 (tag: v0.7.1) -Merge: 42f0e04dc 7d25762d8 -Author: John Howard -Date: Thu Sep 6 10:17:57 2018 -0700 - - Merge pull request #303 from Microsoft/fix_tar2vhd_rs5 - - Adding VHD Access for tart2vhd - -commit 7d25762d86972c4b174b9e8df0832d414530edcc -Author: Justin Terry (VM) -Date: Wed Sep 5 10:08:57 2018 -0700 - - Adding VHD Access for tart2vhd - - 
Signed-off-by: Justin Terry (VM) - -commit 42f0e04dcaf638772466e252fac3703bcb13dccd -Merge: 3cbd119df 5181bb7e3 -Author: Justin -Date: Tue Sep 4 12:04:31 2018 -0700 - - Merge pull request #302 from Microsoft/jjh/syscallwatcher - - Add syscall watcher - -commit 5181bb7e3f8eacdabfc05b14853b956790f9b125 -Author: John Howard -Date: Tue Sep 4 11:07:20 2018 -0700 - - Add syscall watcher - - Signed-off-by: John Howard - -commit 3cbd119df3fcc7492430551d67e0402eaa406e42 -Merge: 11de494ff 24674a758 -Author: Justin -Date: Fri Aug 31 16:00:02 2018 -0700 - - Merge pull request #301 from Microsoft/go1_11_fixes - - Fixing issues found by go 1.11 - -commit 24674a758eed7d91c82130c3354bdc12b1b5a50f -Author: Justin Terry (VM) -Date: Fri Aug 31 15:57:51 2018 -0700 - - Fixing issues found by go 1.11 - - 
Signed-off-by: Justin Terry (VM) - -commit 11de494ff5970d45138fc02ce8c83b406634aea7 -Merge: ad5b578a1 b80200e43 -Author: Justin -Date: Fri Aug 31 15:38:23 2018 -0700 - - Merge pull request #274 from erfrimod/erfrimod/hns-v2-api - - WIP: Erfrimod/hns v2 api - -commit b80200e435a1971193fc63187851ad3e3ead69b5 -Author: Erik Frimodig -Date: Fri Aug 31 15:19:58 2018 -0700 - - Removing version checks from internal api calls. - -commit d7fab11be29ad7b3f59b7c8e9e031d022143c13e -Author: Erik Frimodig -Date: Fri Aug 31 14:57:59 2018 -0700 - - Re-use the Version in globals for SchemaVersion. - -commit 9772607a27af24a02fce4dac08c34f811b896b2c -Author: Erik Frimodig -Date: Fri Aug 31 14:29:25 2018 -0700 - - Responding to PR feedback. - -commit eb2d9ba9ef94d18b1b70a55e2b201e51a4e1dfd0 -Author: Erik Frimodig -Date: Fri Aug 31 12:49:07 2018 -0700 - - CheckError moved to lowercase to no longer publish - -commit e215cc8d81581c3c67807d536333c4a7eaf0cb1e -Author: Erik Frimodig -Date: Fri Aug 31 11:27:36 2018 -0700 - - Endpoints handle arrays of Policy objects. - -commit d653c2554bda5fbbbb5ef6d89b39a0d7be47eddf -Author: Erik Frimodig -Date: Thu Aug 30 15:42:04 2018 -0700 - - Adding multiple ACLs to endpoint tested. - -commit bf14fc22895f89b0154f93d6370c90063855f0be -Author: Erik Frimodig -Date: Thu Aug 30 14:37:38 2018 -0700 - - Update the mksyscall comment in hcn.go - -commit 40b8bbda758c307bf003544561ec33c3a4bce7f4 -Author: Erik Frimodig -Date: Thu Aug 30 14:35:19 2018 -0700 - - Moving HSN code to hcnshim::hcs. - -commit 3c64bb84489f8f5cd5bde4fdd1e8760f53cdda37 -Author: Erik Frimodig -Date: Wed Aug 29 17:20:40 2018 -0700 - - Squash before rebase. 
- -commit ad5b578a19495423d2546545fd5134127b272f79 (tag: v0.7.0) -Merge: 9856d81fc 230cc8114 -Author: Justin -Date: Fri Aug 24 10:02:39 2018 -0700 - - Merge pull request #300 from Microsoft/jjh/lineendings - - Convert all files to UNIX line endings - -commit 230cc81140509f40bf2b468759434a46fd8a8e17 -Author: John Howard -Date: Fri Aug 24 08:06:18 2018 -0700 - - Convert all files to UNIX line endings - - Signed-off-by: John Howard - -commit 9856d81fc4258e66eeeebe906c29fa07f6e12189 -Merge: 44c060121 48a95a59c -Author: John Howard -Date: Wed Aug 22 09:04:23 2018 -0700 - - Merge pull request #295 from Microsoft/jjh/uniquetimeouts - - Add individual timeouts rather than global - -commit 44c060121b68e8bdc40b411beba551f3b4ee9e55 -Merge: 9ae610d59 8d6cd8126 -Author: Justin -Date: Wed Aug 22 08:13:09 2018 -0700 - - Merge pull request #296 from Microsoft/fix_line_endings - - Fix CRLF to LF in some files - -commit 8d6cd812604e0aef14bbd8796d8ff4691d979aa1 -Author: Justin Terry (VM) -Date: Wed Aug 22 07:56:41 2018 -0700 - - Fix CRLF to LF in some files - - Signed-off-by: Justin Terry (VM) - -commit 48a95a59c886e4be9d366f555f0f6568a1741e1e -Author: John Howard -Date: Tue Aug 21 14:51:41 2018 -0700 - - Add individual timeouts rather than global - - Signed-off-by: John Howard - -commit 9ae610d5962dbb4778987805b6173b5b0e1c4263 -Merge: 4c804da6c a343346e8 -Author: Justin -Date: Tue Aug 21 14:13:32 2018 -0700 - - Merge pull request #294 from Microsoft/exec_detach - - Adding detach support to go-runhcs exec - -commit a343346e8e37bc029a6fdd970a54d8a993a66c98 -Author: Justin Terry (VM) -Date: Tue Aug 21 14:10:45 2018 -0700 - - Adding detach support to go-runhcs exec - - 
Signed-off-by: Justin Terry (VM) - -commit 4c804da6c6e9025334b7a389e1d8f0c24c06a501 -Merge: de5af6486 35436e40d -Author: Justin -Date: Mon Aug 20 15:11:53 2018 -0700 - - Merge pull request #293 from Microsoft/jjh/john-is-an-idiot-sometimes - - Put LinuxMetadata in the right place (oops) - -commit 35436e40d86648057f1c2768cdb2a82375d26dc2 -Author: John Howard -Date: Mon Aug 20 15:10:07 2018 -0700 - - Put LinuxMetadata in the right place (oops) - - Signed-off-by: John Howard - -commit de5af648634ddc15af06e7b3a25abaae0a16af48 -Merge: fc5774bb7 5d6ef6335 -Author: Justin -Date: Mon Aug 20 14:37:40 2018 -0700 - - Merge pull request #290 from Microsoft/go_runhcs - - Introduce go-runhcs client bindings - -commit fc5774bb7e0254061c3ec407382c65a550694139 -Merge: 850502f4f b1ae280af -Author: Justin -Date: Mon Aug 20 14:37:16 2018 -0700 - - Merge pull request #291 from Microsoft/jjh/setcurrentthreadcompartmentid - - Repromote SetCurrentThreadCompartmentId - -commit 850502f4f58925203e0d6fdca0517b57afe7fe24 -Merge: 8739e80d2 708826e2a -Author: Justin -Date: Mon Aug 20 14:35:53 2018 -0700 - - Merge pull request #292 from Microsoft/jjh/linuxmetadata-back-in-master - - Adds LinuxMetadata back (omitted in master) - -commit 708826e2a7ea92e98cb0d3296bc1d9b4d3231db8 -Author: John Howard -Date: Mon Aug 20 14:33:00 2018 -0700 - - Adds LinuxMetadata back (omitted in master) - - Signed-off-by: John Howard - -commit b1ae280af6260f2d6e7b9faeadda062158306599 -Author: John Howard -Date: Mon Aug 20 14:23:02 2018 -0700 - - Repromote SetCurrentThreadCompartmentId - - Signed-off-by: John Howard - -commit 5d6ef6335066e5921fcf8334990c2a856410dc93 -Author: Justin Terry (VM) -Date: Fri Aug 17 13:14:16 2018 -0700 - - Introduce go-runhcs client bindings - - 
Signed-off-by: Justin Terry (VM) - -commit f9d9074b643b7ca03f52994f5d640b2884a352bc -Merge: 4446ff298 843def10f -Author: Justin -Date: Mon Aug 20 12:39:04 2018 -0700 - - Merge pull request #254 from Microsoft/runc_kill_err - - Fix issue with runc kill - -commit 843def10f049cbf9ee8474c5212a81e39db1f793 -Author: Justin Terry (VM) -Date: Mon Aug 20 11:33:30 2018 -0700 - - Fix issue with runc kill - - Converts a runc error calling kill on an already dead pid to a success - since it is the final state we wanted anyways. - - Signed-off-by: Justin Terry (VM) - -commit 4446ff298e35bc6c4a47f8dd535a539375c3d9af -Merge: aae7bacb5 6258ed97a -Author: Justin -Date: Fri Aug 17 12:34:56 2018 -0700 - - Merge pull request #253 from Microsoft/jjh/fixbuild - - Fix info messages in build.ps1 - -commit 6258ed97aedd611b7e350e30ee9cb65e3813ffab -Author: John Howard -Date: Fri Aug 17 12:06:32 2018 -0700 - - Fix info messages in build.ps1 - - Signed-off-by: John Howard - -commit 8739e80d282d03baee4f01d3b96542541073b714 -Merge: a3c34bb18 4cb129576 -Author: Justin -Date: Fri Aug 17 11:33:30 2018 -0700 - - Merge pull request #289 from Microsoft/jjh/bumprs5 - - Bump RS5 build number - -commit a3c34bb1899f76e9394b79a8eb31ebe82b4ebd18 -Merge: c328a0ef1 e9a1157bb -Author: John Howard -Date: Fri Aug 17 10:58:08 2018 -0700 - - Merge pull request #288 from Microsoft/jjh/attachonly - - Remove AttachOnly - -commit 4cb129576225a9d5951d65d1b136583d750133c5 -Author: John Howard -Date: Fri Aug 17 10:40:46 2018 -0700 - - Bump RS5 build number - - Signed-off-by: John Howard - -commit e9a1157bb1c82458028201a94457f82241f15140 -Author: John Howard -Date: Fri Aug 17 10:38:36 2018 -0700 - - Remove AttachOnly - - 
Signed-off-by: John Howard - -commit c328a0ef1b2752804d028e2d4b2cb593d15eebe3 -Merge: 97c80f88f 56a3adc6f -Author: John Howard -Date: Fri Aug 17 10:30:36 2018 -0700 - - Merge pull request #286 from Microsoft/jterry75/containerd-runhcs-shim_fixes - - Jterry75/containerd runhcs shim fixes - -commit aae7bacb57d459a2d304844c5fadbb3df9927311 -Merge: db6b525bf 48a963be0 -Author: John Howard -Date: Fri Aug 17 10:29:09 2018 -0700 - - Merge pull request #249 from jterry75/v2_exec_external - - Supports V2 exec external process with a V2 schema - -commit 97c80f88fbfe4b5f3fc472549eb4e201624ea6fb -Merge: 573060c15 101fb900f -Author: Justin -Date: Fri Aug 17 10:20:43 2018 -0700 - - Merge pull request #287 from Microsoft/jjh/swagger-8-17-18 - - Refresh swagger - -commit 101fb900fa43fdffa8c1cfc3f4b1c5cdb4f2c08d -Author: John Howard -Date: Fri Aug 17 10:08:15 2018 -0700 - - Refresh swagger - - Signed-off-by: John Howard - -commit 573060c15561798303e08381d34f4474023afb84 -Merge: 6f4272e5a 3a2ea8f47 -Author: John Starks -Date: Thu Aug 16 10:58:35 2018 -0700 - - Merge pull request #277 from jiria/fix-convertandfree-32bit - - Fix ConvertAndFreeCoTaskMemString for 32 bit platforms - -commit db6b525bf60d6dd7c28505cef8eefcf6ba719bfb -Merge: 6294b3cab 7ceb2508d -Author: Justin -Date: Thu Aug 16 09:13:38 2018 -0700 - - Merge pull request #251 from jterry75/time_duration - - Fixing time.Duration casts - -commit 7ceb2508dd68e0da7e4a79228a99b5c8be4eb32f -Author: Justin Terry (VM) -Date: Wed Aug 15 14:58:04 2018 -0700 - - Fixing time.Duration casts - - Signed-off-by: Justin Terry (VM) - -commit 56a3adc6f0e2f0b5e884530239b4a1bb6a4c5204 -Author: Justin Terry (VM) -Date: Mon Aug 13 13:56:58 2018 -0700 - - Adding runhcs.exe tar2vhd command - - Signed-off-by: Justin Terry (VM) - -commit 2175e3ebbde2e86efa871db8aeef873d59551554 -Author: Justin Terry (VM) -Date: Tue Aug 14 08:13:07 2018 -0700 - - Add runhcs.exe create-scratch command - - 
Signed-off-by: Justin Terry (VM) - -commit a7b6c59a3f451c582bc7013390978c19a9795081 -Author: Justin Terry (VM) -Date: Mon Aug 13 08:20:41 2018 -0700 - - Removes punctuation from start error - - Signed-off-by: Justin Terry (VM) - -commit 6bf74c7a229bf6c4b1e1562deb6f69e17981b5ad -Author: Justin Terry (VM) -Date: Fri Aug 10 09:52:02 2018 -0700 - - Fixes an issue with state - - Occasionally the product will fail the state query and return "operation - is not valid in the current sate". Rather than returning an error in - this case we want to return state "unknown" with a valid json output for - clients to be able to handle. - - Signed-off-by: Justin Terry (VM) - -commit 48a963be052ed49aa098acf6ffdf8625edac072e -Author: Justin Terry (VM) -Date: Wed Aug 15 12:57:24 2018 -0700 - - Supports V2 exec external process with a V2 schema - - Adds support for a V2 exec external process that uses an oci.Process - spec rather than the v1 schema of cmd/args. - - Resolves: #246 - - Signed-off-by: Justin Terry (VM) - -commit 6294b3cabf1f6ae3f66944d9ec4704e2c466a88c -Merge: e7d636bb7 ba6a610b8 -Author: John Howard -Date: Wed Aug 15 11:28:57 2018 -0700 - - Merge pull request #247 from Microsoft/jterry75/stdio_close_log - - Adding log support on stdio connections - -commit ba6a610b8d36e874c33d7f29f58c2b692d0fb8c1 -Author: Justin Terry (VM) -Date: Tue Aug 14 10:30:26 2018 -0700 - - Adding log support on stdio connections - - 
Signed-off-by: Justin Terry (VM) - -commit 6f4272e5a96e53e3e2719ce9d53fa2516c92914d -Merge: 6c511c0a9 c335b9c7a -Author: Justin -Date: Tue Aug 14 08:35:35 2018 -0700 - - Merge pull request #249 from Microsoft/consolepipe - - abbreviate logging; fix test - -commit e7d636bb744853237979f3d03a22391a85f52e1c -Merge: 443b91ba7 6fae160bc -Author: John Howard -Date: Mon Aug 13 09:22:26 2018 -0700 - - Merge pull request #245 from Microsoft/rootfsvhd - - Carry #227: build.ps1: Build rootfs.vhd - -commit 6fae160bc123435c9d2fe3f22e16317c57f57d80 -Author: John Howard -Date: Fri Aug 10 15:43:24 2018 -0700 - - Fix --device-cgroup-rule typo - - Signed-off-by: John Howard - -commit d782cbd5fe57e45011f29bb42ccd9a327aea2a3c -Author: John Starks -Date: Thu Jun 21 11:01:04 2018 -0700 - - build.ps1: Build rootfs.vhd - -commit 6c511c0a92bf6ec952336c6cc5bcf4884dda572c -Merge: 46e81a2ea 1867c49be -Author: John Howard -Date: Fri Aug 10 15:22:21 2018 -0700 - - Merge pull request #275 from Microsoft/jjh/todos - - Clearup some TODOs, bump RS5 build - -commit 1867c49be736707b8a7f59f8564f38ccfdd62423 -Author: John Howard -Date: Thu Jul 26 11:13:34 2018 -0700 - - Clearup some TODOs, bump RS5 build - - Signed-off-by: John Howard - -commit 46e81a2ea0d77d62336908aa8f7a7f258c240cc7 -Merge: b08edbc01 fa457166d -Author: Justin -Date: Fri Aug 10 15:05:09 2018 -0700 - - Merge pull request #282 from Microsoft/jjh/masterlimitstarts - - Limit parallel starts if HCSSHIM_MAX_PARALLEL_START is set - -commit fa457166d8040de93ff11ec24b6b80e33df58365 -Author: John Howard -Date: Fri Aug 10 14:31:27 2018 -0700 - - Limit parallel starts - - 
Signed-off-by: John Howard - -commit b08edbc011f8d316cfdddfc7d64a95706185edca -Merge: 4a468a6f7 7feb8b6f5 -Author: Justin -Date: Fri Aug 10 14:50:03 2018 -0700 - - Merge pull request #276 from jiria/fix_fileattributes_size - - Fix FileAttributes size to work across all platforms - -commit 443b91ba766b14724e9470a22d5c2fea540cb84a -Merge: 2398de591 dee64dfb2 -Author: John Howard -Date: Thu Aug 9 11:49:16 2018 -0700 - - Merge pull request #244 from Microsoft/fix_reboot - - Fixing Reboot system call flags - -commit dee64dfb2fabbb1b68e37c222d5249f98b7dd01d -Author: Justin Terry (VM) -Date: Thu Aug 9 11:33:32 2018 -0700 - - Fixing Reboot system call flags - - Signed-off-by: Justin Terry (VM) - -commit 3a2ea8f473928ec022b208186fa35fac76f78256 -Author: Jiri Appl -Date: Fri Aug 3 12:12:56 2018 -0700 - - Fix ConvertAndFreeCoTaskMemString for 32 bit platforms - -commit 7feb8b6f58afd9e2fba400a383dbc510ea99abcc -Author: Jiri Appl -Date: Fri Aug 3 12:02:49 2018 -0700 - - Changes based on PR - -commit 8ec7e9b0509470d315e8fbe75ce88ce22f95ade0 -Author: Jiri Appl -Date: Thu Aug 2 11:12:49 2018 -0700 - - Fix FileAttributes size to work across all platforms - -commit 4a468a6f7ae547974bc32911395c51fb1862b7df -Merge: ab21da6a3 cb18d0084 -Author: Justin -Date: Mon Jul 23 13:05:44 2018 -0700 - - Merge pull request #273 from Microsoft/jjh/scsi - - Fixups to latest vmcompute as of 7/23/18 - -commit cb18d0084b70a4f8ac6ff80bfd06303370cd076e -Author: John Howard -Date: Mon Jul 23 12:50:24 2018 -0700 - - Updated for new VPMem schema - - Signed-off-by: John Howard - -commit 4a72322a1a6cf40f44823ab5c1026b27bd6aeec9 -Author: John Howard -Date: Mon Jul 23 11:46:45 2018 -0700 - - Fixups for moved fields (memory/vsmb) - - Signed-off-by: John Howard - -commit af9e475a6a459ff8a128f0a5bebe71a5a3b7107c -Author: John Howard -Date: Mon Jul 23 11:39:16 2018 -0700 - - Refresh swagger - - 
Signed-off-by: John Howard - -commit 172f6ab2412cb50b90d2ab29286b9e0e689cd234 -Author: John Howard -Date: Mon Jul 23 11:36:02 2018 -0700 - - Fix compile error, revert SCSI hack - - Signed-off-by: John Howard - -commit ab21da6a3b9b667c4ec37694efb7c0ea62069c80 -Merge: 437e687f3 186389daf -Author: Justin -Date: Thu Jul 19 15:34:41 2018 -0700 - - Merge pull request #268 from Microsoft/jjh/extraprintln - - Remove two noisy non-required fmt.Println in test code - -commit 437e687f35bc751239fa46be174764b1f41f90e9 -Merge: 637f233e0 e71658bb2 -Author: Justin -Date: Thu Jul 19 15:34:18 2018 -0700 - - Merge pull request #269 from Microsoft/jjh/userightimage - - TestWCOWXenonOciV1 was using wrong image - -commit e71658bb23f59a0482939fe5778e6f7ab694d1e3 -Author: John Howard -Date: Wed Jul 18 16:07:48 2018 -0700 - - TestWCOWSenonOciV1 was using wrong image - - Signed-off-by: John Howard - -commit 186389daf78b82a336321b8f1f8f7f1aaabd9aa5 -Author: John Howard -Date: Wed Jul 18 15:38:34 2018 -0700 - - Remove too noisy non-required fmt.Println in test code - - Signed-off-by: John Howard - -commit 637f233e07c034012eed8d1afdeea6371d2387a9 -Merge: 85fbacc2b a2badbf19 -Author: John Howard -Date: Wed Jul 18 15:26:00 2018 -0700 - - Merge pull request #261 from Microsoft/jjh/plan9fixup - - Fix ResourcePath for Plan9 - -commit 85fbacc2b987a29866d4871a3e3471036eb400f5 -Merge: 95f773c83 2be632347 -Author: John Howard -Date: Wed Jul 18 15:25:38 2018 -0700 - - Merge pull request #267 from Microsoft/jjh/vsmbfixup - - Fix VSMB, and scsi variable masking bug - -commit 2be632347d712cfc29f2ad9a46ff243c01a7af91 -Author: John Howard -Date: Wed Jul 18 14:30:48 2018 -0700 - - Fix VSMB, and scsi variable masking bug - - 
Signed-off-by: John Howard - -commit 95f773c83ea6558fb1d4e9dd9a3e083eede9c5dc -Merge: a45cb86dc c90b12fda -Author: Justin -Date: Wed Jul 18 13:32:19 2018 -0700 - - Merge pull request #266 from Microsoft/jterry75/latest_v1_assigned_device_support - - Add device passthrough support - -commit a45cb86dc60970d99dfd78bb424072281ee987dd -Merge: 90150b002 e71b7e435 -Author: John Howard -Date: Wed Jul 18 13:03:00 2018 -0700 - - Merge pull request #260 from Microsoft/jjh/scsicomment - - Remove old SCSI comment - -commit c90b12fda4b8b80a4b8293758b0ebdf7a0e43ec9 -Author: Justin Terry (VM) -Date: Tue Jul 17 14:42:10 2018 -0700 - - Add device passthrough support - - Signed-off-by: Justin Terry (VM) - -commit a2badbf19fa824136d6733583840f009ac7872a6 -Author: John Howard -Date: Wed Jul 18 10:32:20 2018 -0700 - - Fix ResourcePath for Plan9 - - Signed-off-by: John Howard - -commit 90150b002ba660f67d1d7148e20437260e8f337a -Merge: ec8a9cc09 1cd351af8 -Author: John Howard -Date: Wed Jul 18 11:54:50 2018 -0700 - - Merge pull request #264 from Microsoft/jjh/scsihack - - Temporary hack to +1 SCSI LUN due to VSO 18313454 - -commit 1cd351af8cc25c8512e2d34c5248f41831ac47c6 -Author: John Howard -Date: Wed Jul 18 11:47:59 2018 -0700 - - Temporary hack to +1 SCSI due to VSO 18313454 - - Signed-off-by: John Howard - -commit ec8a9cc090fbb28791408556249eec9a295e9e2b -Merge: 2fe5281f3 5e628b5e6 -Author: John Howard -Date: Wed Jul 18 11:41:40 2018 -0700 - - Merge pull request #262 from Microsoft/jjh/vpmemfixup - - Fix vpmem add/remove - -commit 5e628b5e6f00e362e2a491cbeb5ae32622184310 -Author: John Howard -Date: Wed Jul 18 10:39:44 2018 -0700 - - Fix vpmem add/remove - - Signed-off-by: John Howard - -commit e71b7e4354727e8ba6df851ab4a65be3534ccb52 -Author: John Howard -Date: Wed Jul 18 09:42:04 2018 -0700 - - Remove old SCSI comment - - 
Signed-off-by: John Howard - -commit 2fe5281f3d038255a0c44570b2a82d6291793b2b -Merge: 781276ffe b8256f94a -Author: John Howard -Date: Tue Jul 17 13:04:08 2018 -0700 - - Merge pull request #257 from Microsoft/jjh/networking - - Network pre-add and network add/rm updates - -commit b8256f94aba4a360fe4e755cec3cc2ba2842923a -Author: John Howard -Date: Mon Jul 16 10:24:52 2018 -0700 - - Network pre-add and network add/rm updates - - Signed-off-by: John Howard - -commit 781276ffe855d5f17941a92fa4101cbd542b3ce7 -Merge: b28cba84e a1be1573e -Author: John Howard -Date: Tue Jul 17 11:06:31 2018 -0700 - - Merge pull request #258 from Microsoft/jjh/resourcepaths - - Next breaking change - -commit a1be1573e3926a0cf130f1ecd9392689b0b88ed1 -Author: John Howard -Date: Mon Jul 16 15:32:42 2018 -0700 - - Compile fixups - - Signed-off-by: John Howard - -commit 51cf6a3357aec4ea837d159b8c58e840e3d4c41b -Author: John Howard -Date: Mon Jul 16 15:26:46 2018 -0700 - - Juggle ResourceTu[e removal - - Signed-off-by: John Howard - -commit dbfdb6ce07312986774f175f3fe44a9564db2f61 -Author: John Howard -Date: Mon Jul 16 14:43:11 2018 -0700 - - Schema to Friday 13th build - - Signed-off-by: John Howard - -commit 2d9754062bdb191538fda19338a70551f89d9a67 -Author: John Howard -Date: Mon Jul 16 10:46:09 2018 -0700 - - Fix resource path to latest breaking change - - Signed-off-by: John Howard - -commit b28cba84e7358f8d5dbe79d51f76f629c49483b7 -Merge: 18fe5ad1f 0ad56ba20 -Author: John Howard -Date: Fri Jul 13 13:35:09 2018 -0700 - - Merge pull request #256 from Microsoft/jjh/fixes - - Updates for latest schema, and workaround - -commit 0ad56ba2004298e32c62a80d1c89e651934ac504 -Author: John Howard -Date: Fri Jul 13 13:26:06 2018 -0700 - - Have GuestResourceType its own type - - Signed-off-by: John Howard - -commit a123bba553eba9b20d8752cbdef79277af046577 -Author: John Howard -Date: Fri Jul 13 13:05:24 2018 -0700 - - Remove no-longer-true comment - - 
Signed-off-by: John Howard - -commit bc28463bcdacabdad8a5f7c396365af2df610371 -Author: John Howard -Date: Fri Jul 13 13:03:57 2018 -0700 - - DOn't add Request/RequestType outside GuestRequest if no settings - - Signed-off-by: John Howard - -commit 4c12dc14b512816e0145acd4c57b74bfae8cecdc -Author: John Howard -Date: Fri Jul 13 12:52:42 2018 -0700 - - s/hostedsettings/guestrequest - - Signed-off-by: John Howard - -commit 5ee336fce61bfa96c5076832cfba860a5b5ae000 -Author: John Howard -Date: Fri Jul 13 12:31:41 2018 -0700 - - Fix SCSI nightname - - Signed-off-by: John Howard - -commit 20640a7b6c723aedeac213b40ae0824fbe38c52c -Author: John Howard -Date: Wed Jul 11 20:05:03 2018 -0700 - - Functional tests working - - Signed-off-by: John Howard - -commit f08a0577113cfb15d4a4d08b262da068ec806e15 -Author: John Howard -Date: Tue Jul 10 15:16:18 2018 -0700 - - Retry for test-d /sys/bus/scsi/.... - - Signed-off-by: John Howard - -commit 2398de591e9c577c112c6eeb7dd7659ecc77a46e -Merge: f4421ed6d fdfcf6d63 -Author: John Howard -Date: Tue Jul 10 14:41:31 2018 -0700 - - Merge pull request #238 from Microsoft/v2_process_version - - Remove ProcessV2 Version property requirement - -commit fdfcf6d635450f64c590efb38c31b81378aada11 -Author: Justin Terry (VM) -Date: Tue Jul 10 13:08:31 2018 -0700 - - Remove ProcessV2 Version property requirement - - Removes the SchemaVersion property requirement from the ProcessV2 schema - and gathers the version number from the ContainerID itself that was used - at create time. - - Signed-off-by: Justin Terry (VM) - -commit bea509c479e44803b66db24cd1d71549c2e63a90 -Author: John Howard -Date: Tue Jul 10 09:24:38 2018 -0700 - - Use busyboxw for wcow tests - can't have both linux/windows busybox images with same tag - - 
Signed-off-by: John Howard - -commit 01fb57ecf58c69ff03f5c44904e6b65beac1db02 -Merge: 7bb674b05 8202a2499 -Author: John Howard -Date: Tue Jul 10 09:26:31 2018 -0700 - - Merge pull request #255 from Microsoft/jterry75/fixes - - Jterry75/fixes - -commit 8202a24993de937532a44566bf80013024ddf170 -Author: Justin Terry (VM) -Date: Tue Jul 10 09:19:28 2018 -0700 - - Use GuestConnection for WCOW/LCOW in all cases - - Signed-off-by: Justin Terry (VM) - -commit b49915cf514597014b100daa81de6f5c176d84ed -Author: Justin Terry (VM) -Date: Tue Jul 10 09:13:42 2018 -0700 - - Fixing PMEM ImageFormat casing - - Signed-off-by: Justin Terry (VM) - -commit b40415305df717c1f242a32131fd17827cce4927 -Author: Justin Terry (VM) -Date: Tue Jul 10 09:06:46 2018 -0700 - - Bump Schema V2.1 version - - Signed-off-by: Justin Terry (VM) - -commit b8130634e1cc71213923df1f02086510fbdb799f -Author: Justin Terry (VM) -Date: Tue Jul 10 08:57:13 2018 -0700 - - Remove comment with new GuestConnection settings - - Signed-off-by: Justin Terry (VM) - -commit 63208dfcaae13d554d44ceb8f99dfbfae03ba6b9 -Author: Justin Terry (VM) -Date: Tue Jul 10 08:50:10 2018 -0700 - - Renaming VPMEM and VSMB share paths - - Signed-off-by: Justin Terry (VM) - -commit 7bb674b05c035efcb6cdeafe3db968f70dfb6f42 -Author: John Howard -Date: Mon Jul 9 16:04:08 2018 -0700 - - Back to compiling - - 
Signed-off-by: John Howard - -commit f4421ed6d06d1583e4625634a8cc4f5f864d77fe -Merge: f5289606b 40dcf5929 -Author: John Howard -Date: Mon Jul 9 16:02:08 2018 -0700 - - Merge pull request #237 from Microsoft/system_already_stopped - - Fixes v1 shutdown failure code - -commit 18fe5ad1fcac0292f535286a89f7f8b9014a0fee -Merge: a2572a88e 1d6fef405 -Author: Justin -Date: Mon Jul 9 15:08:53 2018 -0700 - - Merge pull request #253 from scooley/runc-reference-removal - - Removing runc help doc references from runhcs - -commit 40dcf5929406403fc51b6c60eff87b6fd17afe9f -Author: Justin Terry (VM) -Date: Mon Jul 9 15:06:08 2018 -0700 - - Fixes v1 shutdown failure code - - 1. Fixes an issue where when signaling a container either via Shutdown - or Terminate the HCS previously would return an error that indicated the - Compute System was already stopped. We now have the gcs return this - HRESULT directly to honor the existing hcsshim behavior for determining - if the signal error is a real one or not. - - Signed-off-by: Justin Terry (VM) - -commit e0423a94bd753bade73f392051de8a8edfd3c310 -Author: John Howard -Date: Mon Jul 9 13:20:57 2018 -0700 - - Refresh Swagger - - 
Signed-off-by: John Howard - -commit a2572a88e2483ab4379061a836026b57ef7e0ed2 -Merge: b71fa3891 27006252c -Author: John Howard -Date: Mon Jul 9 11:35:46 2018 -0700 - - Merge pull request #252 from Microsoft/schemaupdate - - HCS v2 Schema Updates to align with breaking change notification - -commit 1d6fef405084bca531f82f0265fec8b1ac039e65 -Author: Sarah -Date: Fri Jul 6 15:37:25 2018 -0700 - - noticed a minor grammar fail - -commit 9ccb8e1327af5e6d2b8ce208192f27d97697340e -Author: Sarah -Date: Fri Jul 6 15:31:45 2018 -0700 - - updating per feedback - -commit f5289606ba2d62e2c7d9aa73ec87353622d98a09 -Merge: 81cdc3e9f dd2cce66f -Author: Justin -Date: Fri Jul 6 15:11:44 2018 -0700 - - Merge pull request #235 from Microsoft/v2_name_changes - - V2 changes to modifysettings type - -commit d36cae81d3b8a7827350ccac1db67df68cc1cec6 -Author: Sarah -Date: Fri Jul 6 14:36:21 2018 -0700 - - name update - -commit da13cbe1318156299c475eb52de5394d38329747 -Author: Sarah -Date: Fri Jul 6 14:14:46 2018 -0700 - - updated main to refer to Hyper-V isolated containers rather than lcow based on references to wcow - -commit fe4fe0acdc3c0f8667f52068ef9547308f1f456e -Author: Sarah -Date: Fri Jul 6 14:10:34 2018 -0700 - - removed runc reference from run - modified to remove reference to runc spec (unimplemented in runhcs) - -commit cb5ac6361823f11aeb82d32de57fac350fd9ee7c -Author: Sarah -Date: Fri Jul 6 14:08:05 2018 -0700 - - removed runc reference from pause - -commit b0866532595e5eb70648d943678379306ad3922d -Author: Sarah -Date: Fri Jul 6 14:04:52 2018 -0700 - - minor updates to main - -commit 23e0510bc09eadfd90c503b0de32512dbd1ccc54 -Author: Sarah -Date: Fri Jul 6 14:00:31 2018 -0700 - - notice modification - -commit 387f1c5aaf747cf266ac01e29d45a5a26e4f57f8 -Author: Sarah -Date: Fri Jul 6 13:42:09 2018 -0700 - - removed runc reference from main - this will need to be updated to reflect differences between runhcs and runc - -commit 8aa5cfbf0fe71bb3f38370bd818797e37cddbe43 -Author: Sarah 
-Date: Fri Jul 6 13:37:51 2018 -0700 - - removed runc reference from list - -commit 136b0df464484161e62eab5be05289431457e63c -Author: Sarah -Date: Fri Jul 6 13:36:15 2018 -0700 - - removed runc reference from kill - -commit bff809e69781c4d6553ef97ee9beffb29d1b2ad4 -Author: Sarah -Date: Fri Jul 6 13:35:17 2018 -0700 - - changed notice - -commit b79c686437023d09eb0ab8c8fab3b21aea8c1761 -Author: Sarah -Date: Fri Jul 6 13:26:57 2018 -0700 - - changed notice - -commit 7fa3eb426620c59b8222b3d106291505fc85a9b5 -Author: Sarah -Date: Fri Jul 6 13:01:06 2018 -0700 - - removed runc refernces from delete.go - -commit dd2cce66fdeb5002ab22fcbdd68c8dbcb2a4ef76 -Author: Justin Terry (VM) -Date: Wed Jul 4 14:39:26 2018 -0700 - - V2 changes to modifysettings type - - Signed-off-by: Justin Terry (VM) - -commit 27006252cab143ae60cb549745bcd1eb88488d82 -Author: John Howard -Date: Mon Jul 2 10:50:20 2018 -0700 - - HCS v2 Schema Updates to align with breaking change notification - - This updates internal/schema2 to use (with some very minor modifications) - swagger generated code. The ripple effects then pass on through pretty - much everywhere else. - - Modification particularly to ModifySettingRequest so that Settings and - HostedSettings are `interface{}` rather than `*interface{}` - - Note there are new/updated internal packages for things which are not generated - by swagger: - - - The LCOW hosted settings for ProcessParameters are in lcow/types.go - - Request Types in internal/requesttype - - Resource Types in internal/resourcetype - - 
Signed-off-by: John Howard - -commit 81cdc3e9f74924f938f33ba23458c09bd39c8571 -Merge: 71721a238 bc06bb491 -Author: Justin -Date: Tue Jun 26 13:07:58 2018 -0700 - - Merge pull request #233 from Microsoft/multicontainer - - Merge Multicontainer into master - -commit bc06bb49132ae962745f344aef63d4e5f47ade63 -Merge: ce4c96aad 71721a238 -Author: Justin Terry (VM) -Date: Tue Jun 26 11:41:12 2018 -0700 - - Merge remote-tracking branch 'origin/master' into multicontainer - -commit ce4c96aad23884212170af346148798e25eb6fed -Merge: b0f290e3e ff739685a -Author: Justin -Date: Tue Jun 26 11:26:57 2018 -0700 - - Merge pull request #230 from Microsoft/multi_fix_unittests - - Cleanup GCS ginkgo tests in multicontainer - -commit ff739685a25caf731d6341a4e33c3caeac6a6974 -Author: Justin Terry (VM) -Date: Fri Jun 22 13:57:00 2018 -0700 - - Cleanup GCS ginkgo tests in multicontainer - - Signed-off-by: Justin Terry (VM) - -commit b0f290e3e4c8419f7319674e3fbde82761f7cba6 -Author: Justin Terry (VM) -Date: Tue Jun 26 10:42:37 2018 -0700 - - Rename OtherCapabilities->GuestDefinedCapabilities - - Signed-off-by: Justin Terry (VM) - -commit 83f4ea5c5aef829252a022d863ffae006ca3652d -Merge: 57c205771 8178e564e -Author: John Howard -Date: Mon Jun 25 09:49:18 2018 -0700 - - Merge pull request #232 from Microsoft/doh - - Ooops. Why we need CI back working - -commit 8178e564e6e3ee417e977cef4e3eb5bdcaa5ea2d -Author: John Howard -Date: Mon Jun 25 09:41:26 2018 -0700 - - Ooops. Why we need CI back working - - Signed-off-by: John Howard - -commit 57c205771fb1bb73c77192f527e437473617be6a -Merge: 6bc958142 52c45b00a -Author: John Howard -Date: Mon Jun 25 09:39:19 2018 -0700 - - Merge pull request #231 from Microsoft/init_exec_error_order - - Timeout netnscfg, logging, message to HCS on init process failure. - -commit 52c45b00af1532cd9c93e68d1c78886708bcfb63 -Author: John Howard -Date: Fri Jun 22 09:33:53 2018 -0700 - - Timeout netnscfg - - 
Signed-off-by: John Howard - -commit 6bc9581421b0675c1b0e7222645efd37a292164a -Merge: 0f9264675 2810bdcee -Author: Justin -Date: Fri Jun 22 15:53:35 2018 -0700 - - Merge pull request #228 from Microsoft/remove_v2_workarounds - - Remove the RS5 V2 Workarounds for multicontainer - -commit 2810bdceea7086b510ae76b95ea899e0a16c3771 -Author: Justin Terry (VM) -Date: Fri Jun 22 13:24:55 2018 -0700 - - Remove the RS5 V2 Workarounds for multicontainer - - Signed-off-by: Justin Terry (VM) - -commit 0f9264675a7feb051a7dbb42e646fa64bf2f1692 -Merge: a89985119 d9cd420f4 -Author: Justin -Date: Thu Jun 21 10:20:19 2018 -0700 - - Merge pull request #221 from Microsoft/multi_fix_unittests - - Fix bridge unit tests for V2 changes - -commit a899851197a0154730f30973f6c3ca8aabc04c42 -Merge: 7e1d1826c 138015ca0 -Author: Justin -Date: Thu Jun 21 10:17:53 2018 -0700 - - Merge pull request #226 from Microsoft/multicontainer_ostype - - Adds support for the RuntimeOsType Capability - -commit 138015ca047e339c23bcf544921e75995d46ed6e -Author: Justin Terry (VM) -Date: Wed Jun 20 13:30:12 2018 -0700 - - Adds support for the RuntimeOsType Capability - - 
Signed-off-by: Justin Terry (VM) - -commit 7e1d1826c651252714ae2997a509bef336dd50df -Merge: ba384d2f5 e7009243b -Author: Justin -Date: Mon Jun 18 15:05:34 2018 -0700 - - Merge pull request #224 from jstarks/rootfs_vhd - - Add Makefile rule to build rootfs.vhd - -commit e7009243bb9c286e68b9d68541ae57d7755f3cdd -Author: John Starks -Date: Fri Jun 15 16:21:47 2018 -0700 - - Add Makefile rule for building rootfs.vhd - -commit eaf7118ac221843d4f8c1ef3047a2fdee9dd3c42 -Author: John Starks -Date: Fri Jun 15 16:21:17 2018 -0700 - - tar2vhd: Print errors to stderr - -commit ba384d2f536b98e5eab9d8f6dd0f4d296a9f0aa1 -Merge: 93258f68d b127005bf -Author: John Howard -Date: Fri Jun 15 14:49:42 2018 -0700 - - Merge pull request #223 from jstarks/revert_makefile_change - - Revert "Build rootfs2vhd and run it" - -commit c335b9c7a25c3915768838b1a20556304a26a519 -Author: John Howard -Date: Fri Jun 15 09:49:06 2018 -0700 - - Env var for console pipe; abbreviate logging; fix test - - Signed-off-by: John Howard - -commit b127005bf4097fc8f8d918dd8a61ce0746234895 -Author: John Starks -Date: Fri Jun 15 14:29:22 2018 -0700 - - Revert "Build rootfs2vhd and run it" - - This reverts commit baf0fb6da7045f9e36d8c180ee3165ee65b83f34. - -commit 93258f68d793fcd388f5297036b7d2a205c332e1 -Merge: 96c811225 a857a5b87 -Author: Justin -Date: Fri Jun 15 12:02:50 2018 -0700 - - Merge pull request #222 from Microsoft/makelogsreadable - - Make logs readable! - -commit a857a5b87abbe0b2428aef7a28a0f766cba5d7c9 -Author: John Howard -Date: Fri Jun 15 11:43:10 2018 -0700 - - Make logs readable! - - Signed-off-by: John Howard - -commit d9cd420f4433fbf30ab2c4cafc16f3c7866b0d45 -Author: Justin Terry (VM) -Date: Fri Jun 15 10:09:07 2018 -0700 - - Fixes gcs tests in multicontainer V2 - - Signed-off-by: Justin Terry (VM) - -commit 22d1e76245492c226f4fb4bf8114c8ae20440481 -Author: Justin Terry (VM) -Date: Mon Jun 11 11:57:24 2018 -0700 - - Fix bridge unit tests for V2 changes - - 
Signed-off-by: Justin Terry (VM) - -commit 96c811225b9ad22567087aa4d0cd180192adf6a2 -Merge: ae9f8dcfe baf0fb6da -Author: John Howard -Date: Fri Jun 15 09:34:34 2018 -0700 - - Merge pull request #220 from Microsoft/jjh/rootfs2vhd - - Build rootfs2vhd and run it - -commit baf0fb6da7045f9e36d8c180ee3165ee65b83f34 -Author: John Howard -Date: Thu Jun 14 16:02:15 2018 -0700 - - Build rootfs2vhd and run it - - Signed-off-by: John Howard - -commit ae9f8dcfea5fe993b542f76435521bf548ffcc59 -Author: Justin Terry (VM) -Date: Thu Jun 14 13:52:54 2018 -0700 - - Ignore locally built folders in docker build - -commit 3a436228b9222c3800b50f887fe1abe30a6130a9 -Merge: 6462d7e96 18f58f34f -Author: John Starks -Date: Thu Jun 14 08:45:59 2018 -0700 - - Merge pull request #218 from Microsoft/capabilities_versions - - Return suported versions is GcsCapabilities - -commit 18f58f34fa13f0efef6ab045ce7643eaacc82d1b -Author: Justin Terry (VM) -Date: Wed Jun 13 15:27:27 2018 -0700 - - Return suported versions in GcsCapabilities - - 1. Now returns the fully supported list in GcsCapabilities - - 
Signed-off-by: Justin Terry (VM) - -commit 6462d7e9636bb1853ca6e0afa9e5940f8bf6ad4c -Merge: c09756a9d 3cd4a2854 -Author: John Howard -Date: Wed Jun 13 16:29:34 2018 -0700 - - Merge pull request #219 from jstarks/fix_lcowv1 - - gcs: Fix guards on StdOut, StdErr ports - -commit c09756a9da14ae703ca441d5eb44978f3fba9fcb -Merge: 0538d625c 957b3f9d8 -Author: Justin -Date: Wed Jun 13 15:30:58 2018 -0700 - - Merge pull request #217 from Microsoft/makefile - - Fix makefile - -commit 3cd4a28544d37ac2516cbc927895728d7edfe005 -Author: John Starks -Date: Wed Jun 13 15:30:33 2018 -0700 - - gcs: Fix guards on StdOut, StdErr ports - -commit b71fa3891c479302ce143b10f2bd1eb3590112cb -Merge: a66044fff a03de1d7e -Author: John Howard -Date: Wed Jun 13 11:31:06 2018 -0700 - - Merge pull request #248 from Microsoft/jjh/scsiremoval - - Fix SCSI eject - -commit 957b3f9d8a5ea9d31fcb8183918a720ec573820e -Author: Justin Terry (VM) -Date: Wed Jun 13 11:00:30 2018 -0700 - - Fix makefile - - Signed-off-by: Justin Terry (VM) - -commit a03de1d7e509b3f68694e1642083ef2433f7ce49 -Author: John Howard -Date: Tue Jun 12 15:06:54 2018 -0700 - - Fix SCSI eject - - Signed-off-by: John Howard - -commit a66044fff3ab3731ff43b4c810d1ff489746f1f8 -Merge: 5327bd1e3 9544f03fc -Author: John Howard -Date: Tue Jun 12 14:10:36 2018 -0700 - - Merge pull request #246 from Microsoft/jjh/wcowtesting - - WCOW testing - -commit 9544f03fc15663f8939a2bab36f96c0d88622d56 -Author: John Howard -Date: Thu Jun 7 17:09:48 2018 -0700 - - WCOW testing - - 
Signed-off-by: John Howard - -commit 5327bd1e35cde367ae28bb1e00771fa0475caf67 -Merge: eca717759 060fc907b -Author: John Starks -Date: Mon Jun 11 08:56:45 2018 -0700 - - Merge pull request #245 from jstarks/vsocklog - - uvm: Flow opengcs logs to host logrus - -commit 060fc907b397b450da032ed2d5eb51a2591ffdd4 -Author: John Starks -Date: Fri Jun 8 16:10:10 2018 -0700 - - uvm: Flow opengcs logs to host logrus - - This change opens a vsock port when creating a utility VM and directs - the init process inside the VM to launch gcs with stderr pointing to - that port. The host then collects the log entries from gcs and reports - them via logrus. - -commit 0538d625c328bfef0521d81b37689521172b76fc -Merge: f6917ea0e b837a2b56 -Author: John Starks -Date: Mon Jun 11 08:29:22 2018 -0700 - - Merge pull request #214 from jstarks/makefile - - Use a single Makefile to build initrd and contents - -commit f6917ea0ea1e0d95c1e29fb78ac0d4f6bd18d3b0 -Merge: 6901d5dc3 3462633e7 -Author: John Starks -Date: Mon Jun 11 08:25:18 2018 -0700 - - Merge pull request #215 from jstarks/no_recover - - gcstools: Allow panic to panic - -commit 3462633e7f5ea5b65363c1b3f60d1e2e81fa2a71 -Author: John Starks -Date: Fri Jun 8 16:50:37 2018 -0700 - - gcstools: Allow panic to panic - -commit b837a2b56f0b932e302b653aff78efdc2d13df62 -Author: John Starks -Date: Fri Jun 8 11:23:10 2018 -0700 - - Use a single Makefile to build initrd and contents - -commit 6901d5dc3e9f19b5207d0f499c50177c8c02a6d4 -Merge: 2c6e64500 5721451d9 -Author: Justin -Date: Fri Jun 8 14:18:40 2018 -0700 - - Merge pull request #213 from jstarks/vsockexec_glibc - - vsockexec: Don't reorder getopt args - -commit 5721451d96116ceaeeaeafaba987300d6f40a82d -Author: John Starks -Date: Fri Jun 8 14:06:43 2018 -0700 - - vsockexec: Don't reorder getopt args - - When linking against glibc, getopt will scan for arguments after the - first-non-flag argument, which causes problems when passing a command - without using -- (which does not appear to be 
possible on the Linux - kernel command line). - -commit 2c6e645003a82ba30e62fba7c8c39eb5db03c09c -Author: Justin Terry (VM) -Date: Fri Jun 8 13:53:00 2018 -0700 - - Adds support for running GCS via stdin,stdout - - 1. Implements the logic to allow for running the GCS via stdin,stdout - for reading and writing bridge messages. By default this still uses the - default way of connecting to the vsock port itself but this allows the - flexibility for debug mode where we can forward all traffic back to the - host from the daemon. - - 
Signed-off-by: Justin Terry (VM) - -commit 4d405ee983127900e34b1b42344ba23987ec40cb -Merge: 5515b6627 02cf33137 -Author: Justin -Date: Fri Jun 8 13:15:35 2018 -0700 - - Merge pull request #211 from jstarks/logformat - - gcs: Add -log-format option - -commit 5515b6627b7fbfd55a5a5cc8779f9adbe5387c56 -Merge: 2cccee4d4 cff5fc786 -Author: Justin -Date: Fri Jun 8 13:14:28 2018 -0700 - - Merge pull request #212 from jstarks/init_flex - - init: Allow the host to specify what to launch - -commit cff5fc7865f092aac32501ba10e70ae6b8e250f6 -Author: John Starks -Date: Fri Jun 8 11:27:30 2018 -0700 - - init: Allow the host to specify what to launch - -commit 02cf33137770f40b3051276ba729701386dc701f -Author: John Starks -Date: Fri Jun 8 11:28:06 2018 -0700 - - gcs: Add -log-format option - -commit 2cccee4d464eba254130b8c9f1e029c50b7e913d -Merge: 05418dd08 f518161c6 -Author: Justin -Date: Fri Jun 8 11:22:38 2018 -0700 - - Merge pull request #210 from jstarks/init - - Pull init script into repository - -commit 05418dd088bffd6be4a74791bedf28d35191a753 -Merge: cb0965ded 37e5f529e -Author: Justin -Date: Fri Jun 8 10:44:44 2018 -0700 - - Merge pull request #209 from jstarks/vsockexec - - vsockexec: Tool for execing with vsock handles - -commit f518161c656e8cf56e9b863a8bf4a69dd200bd12 -Author: John Starks -Date: Fri Jun 8 10:27:12 2018 -0700 - - Pull init script into repository - -commit 37e5f529ef33aabd0ce7cdd940075b466bb2d76e -Author: John Starks -Date: Fri Jun 8 10:19:47 2018 -0700 - - vsockexec: Tool for execing with vsock handles - - This tool will be used to write log files out to the host directly. - -commit cb0965ded9712fb91fd5fb3eadf59a1d4a83a80d -Author: Justin Terry (VM) -Date: Thu Jun 7 10:29:44 2018 -0700 - - Adds V2 GetProperties support - - 1. V1 only supported the process pid's query so this adds support to - that for V2 as an initial checkin. Other queries can be added if - required. - - 
Signed-off-by: Justin Terry (VM) - -commit eca7177590cdcbd25bbc5df27e3b693a54b53a6a -Merge: f47e6d88e 2dfbd8e3b -Author: John Howard -Date: Wed Jun 6 14:28:36 2018 -0700 - - Merge pull request #243 from Microsoft/jjh/wcowbinds - - Various tidy-up. See detailed list in comment. - -commit 2dfbd8e3b7152a6861b1217be57a33fed762c8f9 -Author: John Howard -Date: Tue Jun 5 17:42:43 2018 -0700 - - Move vpmem count to allow zero - - Signed-off-by: John Howard - -commit cb4902bfaf5d16f92d78e38214346012c9dca86e -Author: John Howard -Date: Mon Jun 4 18:01:01 2018 -0700 - - Various tidy-up - - 
Signed-off-by: John Howard - - Internalised all the properties in the Resources structure, providing methods (well one) where they are needed externally - - Tidied up the bind-mounts code - - Tidied up the VPMem code for utility VMs. Still some more work needed. - - Fixed the LCOW scratch path to under /run/gcs/c/n/scratch (rather than /run/gcs/c/n/upper) - - Renamed several variables so that it's much clearer what they actually are. Code was extremely confusing (to me...) - - Finished removing the aliasing of schema2 to hcsschemav2 - - Split the HCS document creation code in hcsoci into hcsdoc_wcow.go and hcsdoc_lcow.go for clarity.` - - Got rid of a few TODOs - - Fixed SCSI to pass the hosted settings through on remove correctly when mapped. Otherwise you have inconsistent "surprise" removal - - Removed CreateProcess from internal/uvm and moved to lcow/process. Extended it to cope with both in UVM and for init process - - Finally got an LCOW container init process to start in test code and get stdout back to prove a simple pod scenario - - Updated rootfs2vhd to use lcow.CreateProcess instead of shelling out to hcsdiag exec (another TODO removed) - -commit 71721a238352794418082ada9b92fde9f8414690 -Merge: 8ae7924fd dfec8a42a -Author: John Howard -Date: Mon Jun 4 16:07:42 2018 -0700 - - Merge pull request #207 from Microsoft/kernel - - Stop calling kernel bootx64.efi. It confuses everybody! - -commit dfec8a42a5efb3ff0038b4dc3f74776244eaac60 -Author: John Howard -Date: Mon Jun 4 10:44:50 2018 -0700 - - Stop calling kernel bootx64.efi. It confuses everybody! - - 
Signed-off-by: John Howard - -commit f47e6d88e78fee4d6d76d181bc93101f52dfb635 -Merge: 81291f5de 7addedece -Author: John Howard -Date: Mon Jun 4 10:13:30 2018 -0700 - - Merge pull request #240 from Microsoft/jjh/pmemboottestnotinitrd - - Add LCOW rootfs as pmem/vhd as option; Config for no scsi and number of VPMem - -commit 7addedece1dd3217e1a9c1abd7f060bce278da34 -Author: John Howard -Date: Fri Jun 1 16:52:18 2018 -0700 - - Feedback and moving WCOW tests - - Signed-off-by: John Howard - -commit 89303bdf70da9ddb42325b4b0f7bd4be7f424615 -Author: John Howard -Date: Tue May 29 19:10:02 2018 -0700 - - Boot PMEM option - - Signed-off-by: John Howard - -commit 81291f5debaa83d996964243670610ffc36b9191 -Merge: 7da072d02 4bad4db5a -Author: John Howard -Date: Mon Jun 4 09:04:57 2018 -0700 - - Merge pull request #242 from Microsoft/jjh/sandbox2scratchpart1 - - Rename sandbox to scratch, part 1. - -commit 7da072d0286e57e34ff1c0079ac3a37d50853002 -Merge: ca1b3625b b51a43c9b -Author: John Howard -Date: Fri Jun 1 10:01:21 2018 -0700 - - Merge pull request #241 from Microsoft/jjh/removeunusedtests - - Remove unused tests - -commit 4bad4db5acedea2a48562610b00935dc9a61bbb1 -Author: John Howard -Date: Thu May 31 19:49:47 2018 -0700 - - Rename sandbox to scratch - - Signed-off-by: John Howard - -commit b51a43c9b404824dc4bd81188ab5fce80ee4e1fb -Author: John Howard -Date: Thu May 31 19:21:50 2018 -0700 - - Remove unused tests - - Signed-off-by: John Howard - -commit 3eeb035c135af58101b824acf8dc59a9f6f2af38 -Author: Justin Terry (VM) -Date: Thu May 31 10:19:01 2018 -0700 - - Adds V2 supprot for exec, and wait process - - 1. Implements the support for create/exec where the container uses a tty or standard stdin,stdout,stderr - 2. Implements the proper wait logic for handling process/container exit. - - 
Signed-off-by: Justin Terry (VM) - -commit 089574ed128b6c317e47ae0e75d3a55426beeef1 -Merge: 25c4acdbf 8ae7924fd -Author: Justin Terry (VM) -Date: Thu May 31 12:21:10 2018 -0700 - - Merge remote-tracking branch 'origin/master' into multicontainer - -commit 8ae7924fd915db050b071d621a26de4048e4d1af -Merge: 1120fe80c 5a3af533f -Author: John Howard -Date: Wed May 30 21:33:49 2018 -0700 - - Merge pull request #206 from Microsoft/jjh/rootfstargz - - Build rootfs.tar.gz - -commit 5a3af533f46fb4742a35719c3d0668d11b6050ee -Author: John Howard -Date: Tue May 29 14:51:19 2018 -0700 - - Build rootfs.tar.gz - - Signed-off-by: John Howard - -commit ca1b3625b68509ed303b93333f658ddda0d55a5b -Merge: b930fbbe1 cbae1fdac -Author: John Howard -Date: Wed May 30 11:00:30 2018 -0700 - - Merge pull request #239 from Microsoft/jjh/catchappvpmemfail - - Mount: Catch AddVPMEM failure correctly - -commit 25c4acdbffccfe64fb7b805fd48b5670f5950130 -Author: Justin Terry (VM) -Date: Wed May 30 10:54:29 2018 -0700 - - Add support for V2 ModifyRequest Settings/Hosted - - 1. Some previous ModifyRequests in V2 were on HostedSettings - incorrectly. This add support for the fixes as they get moved to - Settings. The change perfers Settings but falls back to HostedSettings - if no value was passed for Settings. - - Signed-off-by: Justin Terry (VM) - -commit cbae1fdaceca22b7d0ee227e3ebbadf59382b7a0 -Author: John Howard -Date: Wed May 30 10:52:07 2018 -0700 - - Mount: Catch AddVPMEM failure correctly - - Signed-off-by: John Howard - -commit b930fbbe1e820ecabe5666846aae3e7d03c32fc6 -Merge: a5ae8e07c 409c71b70 -Author: John Howard -Date: Tue May 29 16:58:54 2018 -0700 - - Merge pull request #237 from Microsoft/jjh/test - - Test framework and re-org - -commit 409c71b705dd63202e9765aba47ef453d2dee5d1 -Author: John Howard -Date: Wed May 23 16:03:21 2018 -0700 - - Test framework and re-org - - 
Signed-off-by: John Howard - -commit a5ae8e07cd4686e562b58b8a38499660eb8ba67a -Merge: 7bad006b5 44cd9c71d -Author: John Starks -Date: Tue May 29 16:30:09 2018 -0700 - - Merge pull request #238 from jstarks/fix_plan9_mounts - - runhcs: Fix plan9 mounts - -commit 3b8617fe5e2af28efbd371049c0a08bcb6d1d7db -Author: Justin Terry (VM) -Date: Tue May 29 13:18:11 2018 -0700 - - Adds support to mount 9p aname's - - Signed-off-by: Justin Terry (VM) - -commit 44cd9c71d387b4c15916e590b7723bfeaf0a9bd0 -Author: John Starks -Date: Tue May 29 12:52:11 2018 -0700 - - runhcs: Fix plan9 mounts - -commit fee8700203c03c690e21daa2327c4288f8699efb -Author: Justin Terry (VM) -Date: Tue May 29 11:34:49 2018 -0700 - - Refactor V2 Start out of ExecProcess - - 1. More clearly describes when starting the init process versus execing - the 2nd-N'th process. - - Signed-off-by: Justin Terry (VM) - -commit 9619192a054bc6dc76ea5c1fd9a0f2334a4b2115 -Author: Justin Terry (VM) -Date: Tue May 29 10:01:21 2018 -0700 - - Move ModifySettingsV2 to UVM - - 1. Moves the ModifySettingsV2 to the UVM.ModifyHostSettings call. - 2. Moves SignalContainer targeting the host UVM to the bridge and - propertly shuts down the GCS. - 3. Removes the CreateContainerV2 function from the gcs core that was not - being referenced as it has moved to the UVM. - - Signed-off-by: Justin Terry (VM) - -commit 782ccf9f53b343d3d05eb19ee8cbd72f175b64c3 -Author: Justin Terry (VM) -Date: Tue May 29 09:41:21 2018 -0700 - - Log MessageIdentifer string rather than value for debug logs - - 
Signed-off-by: Justin Terry (VM) - -commit 7bad006b5f0f654fc115c8c91b8a2a4707741d1d -Merge: f17512a42 9a7451e7e -Author: John Howard -Date: Fri May 25 11:43:09 2018 -0700 - - Merge pull request #236 from jstarks/share_name - - hcsoci: Simplify VSMB - -commit 9a7451e7e7fba076d26eea9ca6ff9821989ec6ac -Author: John Starks -Date: Fri May 25 10:59:12 2018 -0700 - - hcsoci: Simplify VSMB - - This restore's jhoward's previous change to separate the layer ID from - the VSMB share name, but fixes it to still pass the layer ID correctly - for the container and combined layers calls. - -commit f17512a42fc995cff979d7f4596c814f16fdb863 -Merge: 68f10925f 654a95d17 -Author: John Howard -Date: Fri May 25 09:33:27 2018 -0700 - - Merge pull request #235 from jstarks/cleanup_container_root - - hcsoci: Put container state in more appropriate paths - -commit 68f10925fd514cdb43d324bb934d615376622e2b -Merge: 72bba1a5b 7e5f0095c -Author: John Howard -Date: Fri May 25 09:01:24 2018 -0700 - - Merge pull request #234 from jstarks/fix_xenon_windows - - Revert "VSMB Updates to match Plan9 PR" - -commit 654a95d17ca37ec8b83efd2ac575aef273807710 -Author: John Starks -Date: Fri May 25 08:20:07 2018 -0700 - - hcsoci: Put container state in more appropriate paths - -commit 7e5f0095c4560434f2830fa6278123a67c1e8ec2 -Author: John Starks -Date: Fri May 25 07:51:37 2018 -0700 - - Revert "VSMB Updates to match Plan9 PR" - - This reverts commit 18ee82cda2a1dac7e6a34d2d6723c31823d6460e, which - broke v2 VM-isolated Windows containers. 
- -commit 72bba1a5b6856acff7e42e0274ad8f0663370185 -Merge: 21ede7d0d 021252cf0 -Author: John Starks -Date: Fri May 25 07:52:25 2018 -0700 - - Merge pull request #233 from jstarks/random_pipe - - runhcs: Use random pipe names when communicating - -commit 21ede7d0d48ce4537d295fbe0fcdf36e362946a9 -Merge: d45550c97 30f211008 -Author: John Starks -Date: Thu May 24 17:28:03 2018 -0700 - - Merge pull request #232 from jstarks/plan9_mounts - - runhcs: Support plan9 root and mounts - -commit 021252cf0ca17f34aa63f1de1be9c877b0334e0e -Author: John Starks -Date: Thu May 24 17:25:47 2018 -0700 - - runhcs: Use random pipe names when communicating - - When a container ID is reused, it's possible to get runhcs into a state - where it will try to connect to the wrong VM (e.g. when cleaning up - resources for a container whose host has been deleted and recreated). - - Resolve this comprehensively by using a new random ID to generate the - pipe names for each container. - -commit 30f211008abab9f05b2ad4c3c6fa9655bf80832e -Author: John Starks -Date: Thu May 24 16:57:03 2018 -0700 - - runhcs: Support plan9 root and mounts - -commit d45550c97e46c2020b89064ce52a8fbb4ef7c6cf -Merge: 63fee2b7f 41b8af5ec -Author: John Howard -Date: Thu May 24 14:11:09 2018 -0700 - - Merge pull request #229 from jstarks/unmount_hosted - - runhcs: Fix unmount of hosted container - -commit 63fee2b7f7eae23090395caac515b809ecb50b52 -Merge: d05275050 dd648b607 -Author: John Howard -Date: Thu May 24 14:08:43 2018 -0700 - - Merge pull request #231 from jstarks/include_runhcs_in_artifacts - - appveyor: Include runhcs.exe in artifacts - -commit dd648b6078e9bb355c41da9867e1f7325acfdd4e -Author: John Starks -Date: Thu May 24 12:55:36 2018 -0700 - - appveyor: Include runhcs.exe in artifacts - -commit 41b8af5ecd7eeb2d084a3ed9b5a21cfb249c3297 -Author: John Starks -Date: Thu May 24 09:11:30 2018 -0700 - - runhcs: Fix unmount of hosted containers - -commit d052750506a1f517103ba3e80dd7fa9fe9dd6831 -Merge: f9f341e1e d5303919e 
-Author: John Starks -Date: Thu May 24 09:02:36 2018 -0700 - - Merge pull request #228 from jstarks/run_host - - runhcs: Add --host flag to run command too - -commit f9f341e1e1a72c75bbd5068e009f95feed14532d -Merge: 8defe5570 e63ae0820 -Author: John Howard -Date: Wed May 23 16:23:39 2018 -0700 - - Merge pull request #226 from Microsoft/jjh/unmount - - Unmount for VPMEM/Linux, VSMB/Windows - -commit d5303919ed7bee661d771609a3eba20422846566 -Author: John Starks -Date: Wed May 23 16:20:54 2018 -0700 - - runhcs: Add --host flag to run command too - -commit e63ae082048e8041a3df46fbd42d6311152ac8d0 -Author: John Howard -Date: Wed May 23 15:09:42 2018 -0700 - - Unmount for VPMEM/Linux, VSMB/Windows - - Signed-off-by: John Howard - -commit 8defe55707b4d6b12c18e5c5ec26643dbb947e48 -Merge: addbd1719 18ee82cda -Author: John Howard -Date: Wed May 23 16:17:37 2018 -0700 - - Merge pull request #225 from Microsoft/jjh/vsmbfix - - VSMB Updates to match Plan9 PR feedback - -commit 18ee82cda2a1dac7e6a34d2d6723c31823d6460e -Author: John Howard -Date: Wed May 23 14:28:53 2018 -0700 - - VSMB Updates to match Plan9 PR - - Signed-off-by: John Howard - -commit addbd17195944cdf1aaefb3a969f77d9d7b1ab7c -Merge: d7326fc35 e6038744b -Author: John Howard -Date: Wed May 23 16:08:25 2018 -0700 - - Merge pull request #224 from Microsoft/jjh/plan9 - - Add Plan9 shares for LCOW - -commit e6038744b58ad19749e983590e73c09bd7dcfe93 -Author: John Howard -Date: Wed May 23 14:00:16 2018 -0700 - - Address feedback - - Signed-off-by: John Howard - -commit b875597e3661a1508a4b4c66b732b5c60a870206 -Author: John Howard -Date: Wed May 23 08:52:21 2018 -0700 - - Add Plan9 shares for LCOW - - 
Signed-off-by: John Howard - -commit d7326fc3589bf902148b3e7927d744b06f9aff21 -Merge: 433ca4927 33c4e5670 -Author: John Starks -Date: Wed May 23 15:50:38 2018 -0700 - - Merge pull request #227 from Microsoft/jjh/lcowv2 - - Enable LCOWv2 - -commit 33c4e567018f1e5044df119d0cee01c227175391 -Author: John Starks -Date: Wed May 23 15:21:25 2018 -0700 - - Disable functional tests - -commit c0baefb6121dd4356c31aec359e2180133a16559 -Author: John Starks -Date: Wed May 23 15:19:06 2018 -0700 - - Disable functional tests - -commit 20e595b24609bcc8e0eae60c68288ea308803dc9 -Author: John Starks -Date: Wed May 23 15:12:22 2018 -0700 - - runhcs: Add --host parameter to specify the hosting VM container - -commit dba79432879c2b4bb4cd97be43e27f9327f6949a -Author: Justin Terry (VM) -Date: Wed May 23 15:10:43 2018 -0700 - - Adds V2 support for WaitContainer WaitProcess - - Signed-off-by: Justin Terry (VM) - -commit daec35e627c68118bc6accc2a788fd057dbe305e -Author: Justin Terry (VM) -Date: Wed May 23 13:21:22 2018 -0700 - - Adds V2 support for SignalContainer SignalProcess - - 
Signed-off-by: Justin Terry (VM) - -commit 0e588db1393c4475f11877b223893443e91c2e1c -Author: John Starks -Date: Wed May 23 11:11:14 2018 -0700 - - runhcs: Enable VM serial console with --vm-console flag - -commit f9db5d77f9b72860b60f86aeb0f6495a773a55a4 -Author: Justin Terry (VM) -Date: Tue May 22 16:37:42 2018 -0700 - - Adds CreateContainerV2 and CreateProcessV2 support - - Adds support for the CreateContainerV2 work based on an oci.Spec - Adds supprot for starting the container int process via the - CreateProcessV2 calls. - Fixes an issue in CombineLayers where we were not honoring the location - the client passed in on mount. - -commit 1903f6641648841a1740377b0a64a7188e4ac2ed -Author: John Starks -Date: Wed May 23 08:47:57 2018 -0700 - - Fix error detection from winio.DialPipe - -commit 2f86f95829366687ac8616d297e8ac69eb381e0e -Author: John Starks -Date: Wed May 23 08:38:34 2018 -0700 - - Handle LCOWv2 process launch - -commit 7233e4c9069111aef18ecdfb822903c7018b8bd1 -Author: Justin Terry (VM) -Date: Tue May 22 22:55:10 2018 -0700 - - Rename OciSpecificationPath to OciBundlePath - - Signed-off-by: Justin Terry (VM) - -commit db18da2aad1a6c5f4353d2be47feb64449ebfcd6 -Author: John Starks -Date: Tue May 22 16:42:36 2018 -0700 - - Try to create LCOWv2 containers - -commit 72a8d20dac6bae639bf1a16f6278520131d0467a -Author: John Howard -Date: Tue May 22 15:04:22 2018 -0700 - - Remove wrong test bits - - Signed-off-by: John Howard - -commit d70c156114a9fe86e30dcdb11f8ffe93e7d93937 -Author: John Starks -Date: Tue May 22 14:27:36 2018 -0700 - - Add LCOW spec filter function - -commit 446556d67696adb3d0ec237b9991252815a7af9f -Author: John Howard -Date: Tue May 22 14:46:13 2018 -0700 - - Unify mount error handling - - Signed-off-by: John Howard - -commit 12fd4a5b5c60dd39ec3634302c24f276ac00701c -Author: John Howard -Date: Tue May 22 14:24:40 2018 -0700 - - LCOW v2 limping - - 
Signed-off-by: John Howard - -commit 433ca492724657a2f7dcf7bdec8cfcb5fb7d9379 -Merge: bab21c47c 5ab76225f -Author: John Starks -Date: Tue May 22 11:10:41 2018 -0700 - - Merge pull request #222 from jstarks/network_xenon - - Enable v2 Xenon networking and network namespace sharing - -commit bab21c47c7fb9e167a10f517a4f26bb0c83168c2 -Merge: fcb334d75 1c0669ece -Author: John Howard -Date: Tue May 22 10:51:15 2018 -0700 - - Merge pull request #223 from Microsoft/vpmem - - Ref counting removal on vpmem - -commit 1c0669ecec7d0de88739daffa5a53cf602dcee22 -Author: John Howard -Date: Tue May 22 10:15:04 2018 -0700 - - Ref counting removal on vpmem - - Signed-off-by: John Howard - -commit 5ab76225f0f4fa5bdb64ac6082699b6bc4988775 -Author: John Starks -Date: Tue May 22 09:51:55 2018 -0700 - - Enable v2 Xenon networking and network namespace sharing - -commit fcb334d75761b4ecaea4e9a86980fdb96d8fc057 -Merge: 0041cbe6c 3f7cc180f -Author: John Starks -Date: Tue May 22 09:41:34 2018 -0700 - - Merge pull request #221 from Microsoft/fixtests - - Fix UVM tests after lock changes - -commit 3f7cc180f082caae668475d186063e98dfbffefd -Author: John Howard -Date: Tue May 22 09:34:14 2018 -0700 - - Fix UVM tests after lock changes - - Signed-off-by: John Howard - -commit 0041cbe6ce234a133e44c3c7ad37dc40e5701896 -Merge: 79e669602 8ecb50a03 -Author: John Howard -Date: Tue May 22 09:31:38 2018 -0700 - - Merge pull request #220 from jstarks/fewerlocks - - Consolidate UVM locks - -commit 8ecb50a03fdffaa9df881d31bd78df29ada0c293 -Author: John Starks -Date: Mon May 21 22:26:13 2018 -0700 - - Consolidate UVM locks - -commit 79e6696027e115b25aa9bedd36820ab6df639526 -Merge: 06b49ae51 f1dfd113b -Author: John Howard -Date: Mon May 21 22:34:35 2018 -0700 - - Merge pull request #219 from Microsoft/samplesofar - - Remove sample bits done so far - -commit f1dfd113bb05144de766d9bea95d0510088e012e -Author: John Howard -Date: Mon May 21 22:33:54 2018 -0700 - - Remove sample bits done so far - - 
Signed-off-by: John Howard - -commit 06b49ae510511f2adac1ae01b8c27ad3dd94b941 -Merge: 455ea56aa 3634e6756 -Author: John Howard -Date: Mon May 21 22:03:43 2018 -0700 - - Merge pull request #218 from Microsoft/functional2 - - Functional tests. VPMEM still failing - -commit 3634e6756c2892481a597c019e4c722d7ae0b46c -Author: John Howard -Date: Mon May 21 22:02:02 2018 -0700 - - Functional tests. VPMEM still failing - - Signed-off-by: John Howard - -commit 455ea56aa61a0264642fb46c4ff74f0a19f74180 -Merge: 9075c7b33 04cd7984b -Author: John Howard -Date: Mon May 21 21:48:30 2018 -0700 - - Merge pull request #216 from Microsoft/functional - - Functional tests UVM - -commit 04cd7984b5473f1b9f496463fc974f92e2b0fefb -Author: John Howard -Date: Mon May 21 21:45:40 2018 -0700 - - Functional tests UVM - - Signed-off-by: John Howard - -commit 9075c7b3309d23186e3066d30aaab638604eb7c6 -Merge: 185a6abe9 39869aa92 -Author: John Howard -Date: Mon May 21 21:35:41 2018 -0700 - - Merge pull request #215 from Microsoft/tidyuvm - - Lots of tidying. VPMem removal next step. Refcounting missing - -commit 39869aa92d33ef0e05cd16842d7613c9ebe72d57 -Merge: 988becada 6662e1012 -Author: John Howard -Date: Mon May 21 21:33:23 2018 -0700 - - Tidy merge conflicts - - Signed-off-by: John Howard - -commit 988becadad6752c9c8749cb9622cbd324244007a -Author: John Howard -Date: Mon May 21 20:46:48 2018 -0700 - - Lots of tidying. VPMem removal next step. Refcounting missing - - 
Signed-off-by: John Howard - -commit 185a6abe9890bd861741bb45d12a00d7fd6aa038 -Merge: 76f7e7633 373ecbcbc -Author: John Starks -Date: Mon May 21 21:28:30 2018 -0700 - - Merge pull request #210 from jstarks/shimlog - - runhcs: Open shim logs on stderr - -commit 76f7e7633f8e8b1697b0c728f5ab12c820ffab0a -Merge: 0c75dc2c6 a55056e47 -Author: John Starks -Date: Mon May 21 21:27:00 2018 -0700 - - Merge pull request #211 from jstarks/network - - Implement v2 Argon networking - -commit 6662e10124bb2813e53799c618a1755d10e03543 -Author: John Howard -Date: Mon May 21 20:46:48 2018 -0700 - - Lots of tidying. VPMem removal next step. Refcounting missing - - 
Signed-off-by: John Howard - -commit 0c75dc2c677e04571d0e4c33f18d792321e73486 -Merge: c7e541336 90196d2d3 -Author: John Howard -Date: Mon May 21 18:27:39 2018 -0700 - - Merge pull request #214 from jstarks/runtimecpu - - Remove internal/cpu package - -commit c7e5413360f44bfdfac97027d9352e5bf10e7d03 -Merge: e5c68ae12 e814f4f5d -Author: John Howard -Date: Mon May 21 18:27:05 2018 -0700 - - Merge pull request #213 from jstarks/gitignore - - Add .gitignore - -commit e5c68ae12033c52f5c72ade1cfa8e48e1ad9740e -Merge: 3e66594fd 63f26db10 -Author: John Howard -Date: Mon May 21 18:26:43 2018 -0700 - - Merge pull request #212 from jstarks/manifests - - Add Windows manifests for wclayer and runhcs - -commit 96d176950aa649ae6afec32b153848b364e645c8 -Author: Justin Terry (VM) -Date: Mon May 21 15:36:14 2018 -0700 - - Changes the Mounted* patterns for V2 - - Implements the changes to V2 in the HostedSettings for - MappedVirtualDiskV2, MappedDirectioryV2, MappedVPMemDeviceV2. This more - closely aligns with the unique requirements of LCOW over the predefined - Windows structs. 
- -commit 90196d2d33a76cbc4fa0084b3afc2a38e9b8df50 -Author: John Starks -Date: Mon May 21 15:27:57 2018 -0700 - - Remove internal/cpu package - -commit e814f4f5d188870764a5720fc05025e1efee9293 -Author: John Starks -Date: Mon May 21 15:24:27 2018 -0700 - - Add .gitignore - -commit 63f26db107df0d0ce3333cd1a6e504f494ae349b -Author: John Starks -Date: Mon May 21 14:59:47 2018 -0700 - - Add Windows manifests for wclayer and runhcs - -commit a55056e4774eb99c0575dbe5c79b291d24f6d0d4 -Author: John Starks -Date: Mon May 21 14:33:27 2018 -0700 - - Implement v2 Argon networking - -commit 3e66594fd8949e2d2efe2499302cbdedafb6ecb6 -Merge: a9b2cbca6 ac1593041 -Author: John Howard -Date: Mon May 21 13:59:09 2018 -0700 - - Merge pull request #209 from jstarks/v2xenon - - Enable v2 Hyper-V Windows containers - -commit 373ecbcbcb5c0ee953eb7ed7cd37e538ebe963e4 -Author: John Starks -Date: Mon May 21 10:13:22 2018 -0700 - - runhcs: Open shim logs on stderr - - This change opens the shim log files onto the shim processes' standard - error so that Go panics for those processes are written to the log. 
- -commit ac159304128e3ec05be1cf3c2e1ad4648639a994 -Author: John Starks -Date: Mon May 21 09:37:36 2018 -0700 - - Enable v2 Hyper-V Windows containers - -commit a9b2cbca6d0d36d953653a97e7ea6e729f843f0e -Merge: 39eae0af7 c39f4c2da -Author: John Howard -Date: Mon May 21 09:41:52 2018 -0700 - - Merge pull request #206 from jstarks/no_uvm_error - - uvm: Remove unnecessary error wrapper - -commit 39eae0af774ce42b4c06869d52466d937dd9c720 -Merge: 84a9e15d7 b68a9e060 -Author: John Howard -Date: Mon May 21 09:41:25 2018 -0700 - - Merge pull request #207 from jstarks/json_merge - - Restore HCSSHIM_CREATECONTAINER_ADDITIONALJSON functionality - -commit b68a9e060becd83186cab8b6e6669b2146a0b1b6 -Author: John Starks -Date: Sun May 20 14:23:39 2018 -0700 - - Restore HCSSHIM_CREATECONTAINER_ADDITIONALJSON functionality - -commit c39f4c2daf1f4a22d59f1ce2ef287d212836fc3c -Author: John Starks -Date: Sun May 20 13:52:38 2018 -0700 - - uvm: Remove unnecessary error wrapper - -commit 84a9e15d720b9984e5fbd1f0cd729826e579d00d -Merge: 327a04ecf c1af80054 -Author: John Howard -Date: Fri May 18 23:45:30 2018 -0700 - - Merge pull request #203 from Microsoft/scsitest - - Partial SCSI UVM tests - -commit c1af80054a6878fbea1c22af75a83a714a21a1df -Author: John Howard -Date: Fri May 18 23:43:43 2018 -0700 - - Partial SCSI UVM tests - - Signed-off-by: John Howard - -commit 327a04ecf3137a1cdc3ec88a3a0100ea9d515516 -Merge: 7fbac12bf b2a79d5ab -Author: John Howard -Date: Fri May 18 22:53:55 2018 -0700 - - Merge pull request #202 from Microsoft/tidying - - Tidying to uvm package - -commit b2a79d5abb2f149f5e839c25a0b94e6deff23a0f -Author: John Howard -Date: Fri May 18 22:53:11 2018 -0700 - - Tidying to uvm package - - 
Signed-off-by: John Howard - -commit 7fbac12bf2cf5d7b704847992d6bd269f6d0f51d -Merge: 134890878 984458de2 -Author: John Howard -Date: Fri May 18 22:48:07 2018 -0700 - - Merge pull request #201 from Microsoft/removev1 - - Remove v1 from UVM - -commit 984458de2abf928654ecb22b1f11df9f9e6b4249 -Author: John Howard -Date: Fri May 18 22:45:45 2018 -0700 - - Remove v1 from UVM - - Signed-off-by: John Howard - -commit 1348908789bcc3ec33cf2592539cdd0081109f7a -Merge: 1d5a9f6b7 1948d7712 -Author: John Howard -Date: Fri May 18 20:25:25 2018 -0700 - - Merge pull request #199 from Microsoft/uvmimplmentation1 - - First cut of uvm implementation (incomplete) - -commit 1948d7712c699df5fea5ed10429c1da8548071a4 -Author: John Howard -Date: Fri May 18 20:20:32 2018 -0700 - - Add CreateLCOWScratch helper - - Signed-off-by: John Howard - -commit af058f8ffe42af681986995cabcd951f199befae -Author: John Howard -Date: Fri May 18 20:02:06 2018 -0700 - - Adds implementation for create,modify,process,start,terminate,wait - - Signed-off-by: John Howard - -commit 290cd56a58c87551c34ac616f7b5cc0ea5d72292 -Author: John Howard -Date: Fri May 18 17:49:10 2018 -0700 - - Adding VPMem and VSMB too - - Signed-off-by: John Howard - -commit 1c8e76a8bb6fb73c45907107c089ad144e477098 -Author: John Howard -Date: Fri May 18 17:39:28 2018 -0700 - - Coalesce create and add SCSI - - Signed-off-by: John Howard - -commit 1d5a9f6b79cf1631c6ba75dd22e9d4eb9d09e960 -Merge: 25ffb37e1 6f55763ad -Author: John Howard -Date: Fri May 18 17:36:30 2018 -0700 - - Merge pull request #193 from jstarks/hns - - Move HNS implementation to internal package - -commit 9fead87cec00d09e9c34cd528b17325c55b51bd2 -Author: John Howard -Date: Fri May 18 16:59:17 2018 -0700 - - Before SCSI - - 
Signed-off-by: John Howard - -commit 25ffb37e1f6248e2fbb5dcb3dea2156e3449dd1d -Merge: f8ab8c20d 9e24cd65c -Author: John Howard -Date: Fri May 18 16:58:43 2018 -0700 - - Merge pull request #198 from jstarks/ex - - hcsoci: Remove Ex suffixes - -commit 9e24cd65c21cab7955d61b6fa95c358809a83d7c -Author: John Starks -Date: Fri May 18 16:31:13 2018 -0700 - - hcsoci: Remove Ex suffixes - -commit f8ab8c20dfdf1a8e8315dd8606bcc4e946c8789b -Merge: 6341e0ab0 fc5ccfe37 -Author: John Starks -Date: Fri May 18 16:20:10 2018 -0700 - - Merge pull request #197 from jstarks/runhcs - - Initial commit of runhcs, derived from runc - -commit fc5ccfe371ae653442edb26dec550d3cb76e67d3 -Author: John Starks -Date: Fri May 18 15:52:49 2018 -0700 - - Initial commit of runhcs, derived from runc - -commit bc26a48ae77f7eb208fb71248f7ce67f925843f8 -Author: John Howard -Date: Fri May 18 15:55:05 2018 -0700 - - CreateLCOW - - 
Signed-off-by: John Howard - -commit 6341e0ab0444bbd4daa99d127c6edde5a935d6e3 -Merge: 90d86467b 6fdd4653c -Author: John Starks -Date: Fri May 18 15:56:47 2018 -0700 - - Merge pull request #196 from jstarks/hcsoci - - Initial commit of OCI spec interface for HCS - -commit 6fdd4653cc77504bb4fe895f57ff5addaeda6514 -Author: John Howard -Date: Fri May 18 15:51:52 2018 -0700 - - Initial commit of OCI spec interface for HCS - -commit 90d86467bf3483bae1c708ca78e6e61a8065e631 -Merge: 5b3ff33c4 a251efb7e -Author: John Howard -Date: Fri May 18 15:39:16 2018 -0700 - - Merge pull request #194 from jstarks/state - - Add State property and remove HasPendingUpdates - -commit 5b3ff33c4150f74fd3391c0ce8808a4ce9068678 -Merge: b79b9fc2b 7f2b35c4c -Author: John Howard -Date: Fri May 18 15:37:50 2018 -0700 - - Merge pull request #195 from jstarks/guid - - Add utility packages for OCI containers - -commit 7f2b35c4c7836feee670588c8b93c1a2fd862c75 -Author: John Howard -Date: Fri May 18 15:03:19 2018 -0700 - - Add CPU package - -commit b566cae9216fc340935d04ccbb61ce111b63fe74 -Author: John Starks -Date: Fri May 18 15:03:09 2018 -0700 - - Split GUID functionality to separate package - -commit c6ed7e4aa14061f4325ddc604908a61e3e52978f -Author: Justin Terry (VM) -Date: Fri May 18 14:41:19 2018 -0700 - - Adds support for createContainer with V2 settings - - 1. Implements the bridge work to accept a createContainer that is with - the V2 schema. This overwrites the way windows does it with a OCI - specific area for the HostedSettings that allows for direct OCI - passthrough to runc. - - 
Signed-off-by: Justin Terry (VM) - -commit a251efb7e1b7c992f3e104d0d149473820f25b7b -Author: John Starks -Date: Fri May 18 14:03:45 2018 -0700 - - Add State property and remove HasPendingUpdates - - This change also adds some type safety to hcs.System.Properties. - -commit b79b9fc2bb5c2f941921c67ebad0e062fccbce8b -Merge: 1be1708b5 aa5f4faac -Author: John Starks -Date: Fri May 18 13:16:45 2018 -0700 - - Merge pull request #192 from Microsoft/uvminterface - - Adds external utility VM object and methods - -commit 6f55763adb33e840f8c66aecd523d07466cca355 -Author: John Starks -Date: Fri May 18 13:11:44 2018 -0700 - - Move HNS implementation to internal package - - This moves the HNS implementation out of the root package into an - internal package, with forwarders for existing clients. Once the - package's interface is updated and stabilized, it can be made external. - - This change also eliminates the ContainerHotAdd and ContainerHotRemove - methods, which are not used by any open source software on GitHub. These - methods are redundant with the free functions HotAttachEndpoint and - HotDetachEndpoint. - -commit 1be1708b5e85d08e00cd0c6931e83cb13b6b44e0 -Merge: d93eb2b49 e70197ad1 -Author: John Howard -Date: Fri May 18 12:50:42 2018 -0700 - - Merge pull request #191 from jstarks/error_events - - hcs: Include error events in errors - -commit aa5f4faaca4337a939c008d921050a6900017fe7 -Author: John Howard -Date: Fri May 18 12:02:24 2018 -0700 - - Adds external utility object and methods - - 
Signed-off-by: John Howard - -commit e70197ad1ccac8951651dc7c9c38e726425bcd8f -Author: John Starks -Date: Fri May 18 11:42:27 2018 -0700 - - hcs: Include error events in errors - -commit d93eb2b4906cb531dcb721be0435dca80392d0ae -Merge: 4101bbe20 635af9b38 -Author: John Starks -Date: Fri May 18 11:44:04 2018 -0700 - - Merge pull request #190 from Microsoft/computesystem - - Container to ComputeSystem - -commit 4101bbe204979ec10980c9fd2b81e2a78bccc806 -Merge: 4d5dfdf2f b18b4de05 -Author: John Starks -Date: Fri May 18 11:28:32 2018 -0700 - - Merge pull request #187 from Microsoft/remove18 - - Remove support for pre golang 1.9 - -commit 635af9b38d9d9f049f0a21466a275de5ebef4172 -Author: John Howard -Date: Fri May 18 10:57:40 2018 -0700 - - Container to ComputeSystem - - Signed-off-by: John Howard - -commit 4d5dfdf2f7e583d985af6aa8421e68a9f5576246 -Merge: d40251c30 d9f17cbd4 -Author: John Howard -Date: Fri May 18 11:00:35 2018 -0700 - - Merge pull request #189 from Microsoft/mergemap - - Move mergemaps to its own internal package - -commit d9f17cbd4e8046be500be4241a942f34e863ada5 -Author: John Howard -Date: Fri May 18 10:06:24 2018 -0700 - - Move mergemaps to its own internal package - - Signed-off-by: John Howard - -commit b18b4de05376c91af33264f757ab0382e36cd1f2 -Author: John Howard -Date: Fri May 18 09:53:21 2018 -0700 - - Remove support for pre golang 1.9 - - 
Signed-off-by: John Howard - -commit d40251c302e026cc5f7d4d1d7a3606ea98a5e2d6 -Merge: 796ee4c2b 198608399 -Author: John Starks -Date: Fri May 18 09:55:05 2018 -0700 - - Merge pull request #188 from jstarks/fix_hcs - - Fix process.Stdio() - -commit 19860839961e7f2010bf2099922309bce067e098 -Author: John Starks -Date: Fri May 18 09:54:08 2018 -0700 - - Fix process.Stdio() - -commit 90a826d6ec025d0d4e29eff3b0f3b5be8a0e032d -Author: Justin Terry (VM) -Date: Fri May 18 09:39:42 2018 -0700 - - Fixes to V2 protocol around CombinedLayers - - 1. There is a bug in the HCS that is not honoring the Capabilities sent - back via the negotiateProtcol. This is causing the first CreateContainer - call to come in in the protocol v4 which should not be. This had the - unintended consequence that the container cache had an entry for the UVM - and the baseFilesPath for /etc already existed. Both of these are - incorrect in the V2 case. This adds a work around to ignore the first - CreateContainer call and simply return a success case until the HCS is - fixed. - 2. Removes the use of the container cache in the V2 hot modify case - because the disks/folders/layers are not associated to a container in - the same way and should not be cleaned up automatically as they can - exist in the lifetime of multiple containers. - - Signed-off-by: Justin Terry (VM) - -commit 796ee4c2b1be2a84f9ef1d4c26f6835396c4c753 -Merge: 63661d945 c1d2c866a -Author: John Howard -Date: Fri May 18 09:39:32 2018 -0700 - - Merge pull request #186 from Microsoft/schemav2 - - Add schema2, schemaversion, test\assets, osversion - -commit c1d2c866ad232423a795506e9abc6755757883f8 -Author: John Howard -Date: Fri May 18 09:12:44 2018 -0700 - - Add schema2, schemaversion, test\assets, osversion - - 
Signed-off-by: John Howard - -commit 63661d945bdb514919a8e8202afecba6ada82f05 -Merge: 09cfdcca0 48596615c -Author: John Starks -Date: Fri May 18 08:53:04 2018 -0700 - - Merge pull request #185 from jstarks/hcs - - Split HCS methods into internal package - -commit 48596615c52a5f6d29a40942b0b97e5705073d3f -Author: John Starks -Date: Thu May 17 23:30:46 2018 -0700 - - Split HCS methods into internal package - - This change preserves the container interface but splits the core HCS - system and process APIs to an internal package and the v1 HCS schema - types to a second package. This allows further evolution of the core - HCS APIs without changing the existing container contract. - -commit 09cfdcca06477f4edf04f83c2e207a55c5cca116 -Merge: dabca480a 215cd8069 -Author: John Howard -Date: Thu May 17 20:25:07 2018 -0700 - - Merge pull request #184 from nwoodmsft/master - - Support for HNS global version and 1803 HNS ACL features - -commit dabca480af98d32e9fcc6ab9f79b662542ea5c39 -Merge: 770ed2688 9f63b70f9 -Author: John Howard -Date: Thu May 17 20:11:11 2018 -0700 - - Merge pull request #183 from jstarks/storage_simplify - - internal/wclayer: Remove DriverInfo arguments - -commit aee383a664447e3133c2620b7b5b1a68bce1ca19 -Author: Justin Terry (VM) -Date: Thu May 17 15:28:51 2018 -0700 - - Adds support for V2 ShutdownContainer on UVM - - Adds the supprot for calling ShutdownContainer where the target is the - UVM itself rather than a specific container. - - 
Signed-off-by: Justin Terry (VM) - -commit 215cd8069903f83192413b99faacb32de7eb7546 -Author: Nick Wood -Date: Thu May 17 15:13:23 2018 -0700 - - Fixing version number - -commit 75523eecb0494589596114eef225e1425dc2f64c -Merge: adebaa01e 770ed2688 -Author: Nick Wood -Date: Thu May 17 15:08:03 2018 -0700 - - Merge branch 'master' of https://github.com/Microsoft/hcsshim - -commit 85422854fe08e0dd2566470f4fa2a3c46bc1170c -Author: Justin Terry (VM) -Date: Thu May 17 14:59:26 2018 -0700 - - Adds support for modify CombinedLayers in V2 - - 
Signed-off-by: Justin Terry (VM) - -commit 9f63b70f9805bf8bd9bf224f0116402e5dc2fe90 -Author: John Starks -Date: Thu May 17 12:27:08 2018 -0700 - - internal/wclayer: Remove DriverInfo arguments - -commit 770ed2688c8089a15bdc8daf899536cd030a4f10 -Merge: 59a1ccbff d72910cce -Author: John Starks -Date: Thu May 17 11:15:31 2018 -0700 - - Merge pull request #178 from jstarks/new_storage - - Move layer functionality to separate package - -commit d72910ccef9ed201fa7df165010070ecb0b8c589 -Author: John Starks -Date: Wed May 16 16:54:32 2018 -0700 - - Move layer functionality to separate package - - Compatibility is preserved via aliases/forwarders for the layer-related - types and functions. - - For now this new package is internal. Once it has evolved to the - interface we want, we can make it public as a new package and deprecate - the existing interface. - -commit 59a1ccbff7ebff7f155607f92d5c531b8c58fe7f -Merge: b9ffe8b3e 80470512c -Author: John Starks -Date: Thu May 17 11:07:24 2018 -0700 - - Merge pull request #182 from jstarks/appveyor_test - - appveyor: Run non-functional tests - -commit 80470512c1efc10fa789d30b68a5585a55032a39 -Author: John Starks -Date: Thu May 17 11:01:56 2018 -0700 - - appveyor: Run non-functional tests - -commit b9ffe8b3ef23128b1c2ba847ce9ff9948e1b3806 -Merge: 3a95b8b96 e682f5dc7 -Author: John Starks -Date: Thu May 17 10:49:47 2018 -0700 - - Merge pull request #181 from Microsoft/build-badge - - Add appveyor build badge to README.md - -commit e682f5dc7c9005faaeb93e3de5dce60df12100ac -Author: John Starks -Date: Thu May 17 10:42:05 2018 -0700 - - Add appveyor build badge to README.md - -commit 3a95b8b96b9400e3c80f565ed2032013e503ba8c -Merge: 7814a4a5b d150dccde -Author: John Starks -Date: Thu May 17 10:34:40 2018 -0700 - - Merge pull request #180 from jstarks/appveyor_artifacts - - Collect wclayer.exe artifact in CI - -commit d150dccde53fa219969f12f6b998e73cc6fe3c4d -Author: John Starks -Date: Thu May 17 10:30:41 2018 -0700 - - Collect wclayer.exe 
artifact in CI - -commit 7814a4a5b21fed46e61af3d1248592bf41c4983c -Merge: 55bd6218d 5cb5354a0 -Author: John Starks -Date: Thu May 17 10:24:32 2018 -0700 - - Merge pull request #179 from jstarks/appveyor - - Add appveyor.yml - -commit 5cb5354a0aa5230aae2f47391293b28be0d1d6bb -Author: John Starks -Date: Thu May 17 09:38:19 2018 -0700 - - Add appveyor.yml - -commit 55bd6218d8dc9995fea8088e2742151053154e3f -Merge: 0a4192c60 ef7a456e3 -Author: John Starks -Date: Wed May 16 16:59:03 2018 -0700 - - Merge pull request #176 from jstarks/faster_import_2 - - Use bufio when extracting layer files - -commit 0a4192c603327c6ba07bd5dfa3fd1389ee418c56 -Merge: 370850844 836b946a3 -Author: John Starks -Date: Wed May 16 16:58:55 2018 -0700 - - Merge pull request #177 from jstarks/split_safeopen - - Move safeopen to an internal package - -commit 3708508446dd2cfe5f0df3ed0406f6ae341722e3 -Merge: b77ae037d 8a538bc7b -Author: John Starks -Date: Wed May 16 16:58:46 2018 -0700 - - Merge pull request #175 from jstarks/appargs - - internal/appargs: Improve interface - -commit 836b946a348e08ea1233cb1df3ca7a6461d969b1 -Author: John Starks -Date: Wed May 16 15:55:02 2018 -0700 - - Move safeopen to an internal package - -commit ee6f1e263f88eed3865916f8d1acba12142f211c -Author: Justin Terry (VM) -Date: Wed May 16 15:40:45 2018 -0700 - - Add support for MappedDisks and MappedDrives in V2 - - 
Signed-off-by: Justin Terry (VM) - -commit ef7a456e31ec424ac9bfed4fec3a9afcb0be791a -Author: John Starks -Date: Wed May 16 15:19:09 2018 -0700 - - Use bufio when extracting layer files - - On NTFS, on spinning hard disks, reducing the number of writes reduces - the number of disk seeks, which greatly improves image extraction - performance. - -commit 8a538bc7b52b324350ca51ac330c1df9f937744e -Author: John Starks -Date: Wed May 16 10:17:34 2018 -0700 - - internal/appargs: Improve interface - -commit 8403db01eba95f6cecaa4fb6fcc77ff9c179b405 -Author: Justin Terry (VM) -Date: Wed May 16 09:38:13 2018 -0700 - - Add VPMem Support for V2 - - Signed-off-by: Justin Terry (VM) - -commit b77ae037de7e41e21f89fd6bb1d718bb5a6ba4aa -Merge: befeb2e76 779e2797a -Author: John Howard -Date: Wed May 16 09:01:35 2018 -0700 - - Merge pull request #174 from jstarks/remove_docker_dep - - wclayer: Remove github.com/docker/docker dependency - -commit 779e2797a831f15737ae89980549e54dbeadab80 -Author: John Starks -Date: Wed May 16 08:55:24 2018 -0700 - - wclayer: Remove github.com/docker/docker dependency - -commit b14a94ee5e88640ba05f44ef081dfab21854a524 -Author: Justin Terry (VM) -Date: Wed May 16 07:26:39 2018 -0700 - - Adds support for Protocol v4 dispatch - - Implements the logic to support dispatching method types when the - protocol has been selected to be v4 for the bridge formats. - - 
Signed-off-by: Justin Terry (VM) - -commit befeb2e76da870dc3a74a9612fee45da589559a1 -Merge: cfdaa49c5 eb0cc2575 -Author: John Starks -Date: Tue May 15 16:03:40 2018 -0700 - - Merge pull request #173 from jstarks/wclayer_internal - - Move oci/wclayer to internal for now - -commit eb0cc25755569ca6fcb06f1ef54edd9c976cce82 -Author: John Starks -Date: Tue May 15 16:02:16 2018 -0700 - - Move oci/wclayer to internal for now - - We may want to iterate on this interface a bit before we support it - outside of hcsshim. - -commit cfdaa49c5b05fe09fb6984907e12429b537a04c8 -Merge: b46cbe1f6 e585ff8fc -Author: John Howard -Date: Tue May 15 15:44:31 2018 -0700 - - Merge pull request #172 from jstarks/wclayer - - wclayer: New package and utility for WCOW layer ops - -commit e585ff8fc51b19303a2ab084e8f947172c4f35fa -Author: John Starks -Date: Tue May 15 15:21:20 2018 -0700 - - wclayer: New package and utility for WCOW layer ops - - This adds new packages oci/wclayer and cmd/wclayer that can be used to - manipulate Windows container layers. The former is concerned only with - importing and exporting layers from and to their OCI tar formats. The - latter is a command line tool with myriad uses. - -commit 95b751a8c6459d5ac5d1ef28761aa67445cc0031 -Author: Ben Weedon -Date: Wed Feb 28 11:18:35 2018 -0800 - - Merge pull request #197 from Microsoft/v2_requests - - Support basic V2 ModifySettings requests - -commit 9e6c749a2c392864590a2d9439515378d097d780 -Merge: 3d91ba72a 1120fe80c -Author: Justin Terry (VM) -Date: Mon May 14 12:59:45 2018 -0700 - - Merging origin/master - -commit b46cbe1f60fed824e9d4a90d7eb94523e308a8d6 -Merge: 9c5a9ed71 b4fae2a31 -Author: John Howard -Date: Fri May 11 15:38:39 2018 -0700 - - Merge pull request #171 from darrenstahlmsft/README - - Update README to include HCS link, and formatting/spelling fixes - -commit b4fae2a312da2da18fbbaf799b01dcb772c4b756 -Author: Darren Stahl -Date: Fri May 11 13:40:21 2018 -0700 - - Remove extra underlines - - 
Signed-off-by: Darren Stahl - -commit 83162ba9749f9a2fbaa865b367a99704a49edfea -Author: Darren Stahl -Date: Fri May 11 13:37:06 2018 -0700 - - Add link to HCS, Include project dependencies - - Signed-off-by: Darren Stahl - -commit 9c5a9ed713b6d3a11c79f52e79056fd82c5a4e87 -Merge: 800683ae7 84e1fa53d -Author: John Howard -Date: Wed May 9 18:59:27 2018 -0700 - - Merge pull request #170 from darrenstahlmsft/README - - Update README.md - -commit 84e1fa53d19c07a0a8a8fd45f948756ce774ea51 -Author: Darren Stahl -Date: Wed May 9 17:58:31 2018 -0700 - - Update README.md - - Update description, add additional details on security reporting, and formatting fixes - - Signed-off-by: Darren Stahl - -commit 800683ae704ac360b2f3f47fa88f3a6c8c9091b5 (tag: v0.6.11) -Merge: ef2b994ff ba4e94420 -Author: John Howard -Date: Thu May 3 10:38:30 2018 -0700 - - Merge pull request #169 from johnstep/ignore-recycle-bin-case - - Ignore file name case when skipping $Recycle.Bin - -commit ba4e94420e46b89896f6acad894171de517f834a -Author: John Stephens -Date: Thu May 3 07:17:54 2018 -0700 - - Ignore file name case when skipping $Recycle.Bin - - 
Signed-off-by: John Stephens - -commit ef2b994ff21d5426829cdcaf164e3c9283bc25d5 -Merge: 26713568b f6218f9df -Author: John Howard -Date: Wed May 2 12:29:13 2018 -0700 - - Merge pull request #168 from Microsoft/taylorb-readme - - Update README.md - -commit f6218f9dfa054c08c4cef2896da163ba7d2d60cc -Author: Taylor Brown -Date: Wed May 2 11:27:20 2018 -0700 - - Update README.md - - Updating formatting, added security reporting information. - -commit 26713568b7c6a6686e147b5dd294dc7dd159a6f9 (tag: v0.6.10) -Merge: 8fccb44c8 79062a5b9 -Author: Darren Stahl -Date: Wed May 2 09:58:36 2018 -0700 - - Merge pull request #167 from Microsoft/rootJoin - - Root join - -commit 8fccb44c85288f54389c412b2ec466e4481fd252 (tag: v0.6.9) -Merge: 216772e34 f4eb3e75b -Author: Darren Stahl -Date: Tue Apr 24 11:46:18 2018 -0700 - - Merge pull request #165 from Microsoft/jjh/fix-oopsie - - Fix oopsie to not cause files to be skipped - -commit f4eb3e75b61062ced23c5a8b3ee7029625b98be2 -Author: John Howard (VM) -Date: Tue Apr 24 11:34:35 2018 -0700 - - Fix oopsie to not cause files to be skipped - - Signed-off-by: John Howard (VM) - -commit 79062a5b985d24ef42a4252a1b63a93ec450e407 -Merge: 85c171ce7 3b52b9e13 -Author: Darren Stahl -Date: Thu Apr 19 17:01:16 2018 -0700 - - Merge pull request #4 from Microsoft/accessDenied - - Implement removeAllRelative to not use os.RemoveAll - -commit 3b52b9e132f7ad6b29dd7938bcbde8c62cbdac43 -Author: Darren Stahl -Date: Thu Apr 19 15:40:34 2018 -0700 - - Implement removeAllRelative to not use os.RemoveAll - - Signed-off-by: Darren Stahl - -commit 85c171ce7377c47e1fa1a23597be04ae7727b707 -Merge: 9413f613b a0adf94c0 -Author: Darren Stahl -Date: Thu Apr 19 16:13:59 2018 -0700 - - Merge pull request #3 from johnstep/ignore-missing-tombstones - - Ignore missing tombstone files when closing an image - -commit a0adf94c0fc1f318b006ebf6be8720507d8f0324 -Author: John Stephens -Date: Wed Apr 18 03:38:29 2018 -0700 - - Ignore missing tombstone files when closing an image - - 
Signed-off-by: John Stephens - -commit 1120fe80c8cf5b5725ec2cc5fb73f3e3b649b785 -Merge: d249c1d35 92a4b72a9 -Author: John Howard -Date: Wed Apr 11 09:23:46 2018 -0700 - - Merge pull request #205 from rn/unplug - - Unplug mapped disks from inside the VM - -commit 92a4b72a9e7603eada4c7fb4de2946dff44a4589 -Author: Rolf Neugebauer -Date: Tue Apr 10 16:00:32 2018 +0100 - - Unplug mapped disks from inside the VM - - Currently, when removing mapped disks the disks are unmounted - before the host removes them. The removal from the host is just - a notification and the Linux kernel then performs the clean-up - asynchronously. - - If we unplug a larger number of disks this may take some time - and there is no way for the host to know when the clean-up is - finished and new/different disks can be added. - - This patch tells the Linux kernel that we are about to unplug - the disks after they were unmounted, allowing it to perform - the clean-up in advance. - - This fixes the issue in globalmode where a mkdir fails within - the Linux utility/service VM. - - Signed-off-by: Rolf Neugebauer - -commit d249c1d352f89ac65481d83a5556301f4f89b696 -Merge: 0aea33bc8 1eefe0e98 -Author: John Howard -Date: Tue Mar 27 10:32:08 2018 -0700 - - Merge pull request #204 from Microsoft/jjh/fromscratch - - Support FROM scratch - -commit 9413f613b3f5fab5364a58206ffd9d3c62564bef -Merge: 216772e34 731a68d7e -Author: Darren Stahl -Date: Tue Mar 20 16:59:20 2018 -0700 - - Merge pull request #2 from Microsoft/relOpen - - Relative open to bound paths - -commit 731a68d7efcd156d07149336aa35ec09aed75297 -Author: Darren Stahl -Date: Mon Mar 19 18:14:20 2018 -0700 - - Use the safeopen functions - - Use the safeopen functions to prevent following symlinks - and using relative paths in layer extraction. Also block tombstones - and delay reparse point directory creation to prevent platform follows. - - 
Signed-off-by: Darren Stahl - -commit 69375687f3aece3800a9b93e9c0b4b6acd4c949c -Author: Darren Stahl -Date: Mon Mar 19 18:04:30 2018 -0700 - - Add safeopen operations - - Add safeopen operations that prevent following symlinks and use NT paths - to prevent using relative path traversal operations. - - Signed-off-by: Darren Stahl - -commit 1eefe0e9834f28161f7c2387971de8a8efebe446 -Author: John Howard -Date: Wed Jan 10 15:37:29 2018 -0800 - - Support FROM scratch - - Signed-off-by: John Howard - -commit adebaa01e31820d45378e8c0e85266532b44c0e1 -Author: Nick Wood -Date: Mon Mar 12 18:55:17 2018 -0700 - - Fixing comment - -commit 9ce34b480b436d4dd4f03eb0be3aeddd7775895c -Author: Nick Wood -Date: Mon Mar 12 18:53:53 2018 -0700 - - Adding support for HNS versioning and updated ACL policy members - -commit 0aea33bc8fff7dc30577f98ddfe7757afc726138 -Merge: 1554a6bca cfab7ad6d -Author: John Howard -Date: Thu Mar 8 16:16:05 2018 -0800 - - Merge pull request #203 from Microsoft/jjh/bumpexternals - - Bump linuxkit alpine and runc - -commit cfab7ad6d9f04a9fde0162e038237f6d9d6a54cc -Author: John Howard -Date: Mon Mar 5 08:42:29 2018 -0800 - - Bump linuxkit alpine and runc - - 
Signed-off-by: John Howard - -commit 1554a6bcafeb4942a67869d21478a8c63273d6e7 -Merge: 1ae064448 bf8e1b381 -Author: John Howard -Date: Mon Mar 5 10:46:13 2018 -0800 - - Merge pull request #202 from Microsoft/revert_v2_schema - - Revert v2 schema - -commit bf8e1b381568b00b68a21f8e9c22bef3a392b73c -Author: Ben Weedon -Date: Tue Feb 27 19:51:52 2018 -0800 - - Use Errorf in remotefs_test where it should be used - -commit 6e185a65e0e3e8fc414a8628cb42feb861f84452 -Author: Justin Terry (VM) -Date: Mon Mar 5 10:25:58 2018 -0800 - - Revert "Merge pull request #197 from Microsoft/v2_requests" - - This reverts commit f9d2b725664d2a0129f68613d1f2d3cc8e1ce004, reversing - changes made to 5eaa01010b0c6ecbcaebf3b957b60fd8f792ac40. - -commit 4ce0b3e4bd2c300113aca642dc757976f285a601 -Author: Justin Terry (VM) -Date: Mon Mar 5 10:23:40 2018 -0800 - - Revert "Support basic V2 ModifySettings requests" - - This reverts commit 7317643ce0e15c219a8aed3a475f7760f47efa63. - -commit 3d91ba72a767f0033f8924d9a71e90c5daa94d26 -Merge: 4a822c968 1ae064448 -Author: Justin Terry (VM) -Date: Mon Mar 5 09:51:53 2018 -0800 - - Merge remote-tracking branch 'origin/master' into multicontainer - -commit 1ae064448429bad95ba277cb9139c97cc97f1e61 -Merge: 9d6c97a60 6e57b1f14 -Author: Justin -Date: Fri Mar 2 13:26:47 2018 -0800 - - Merge pull request #201 from Microsoft/jjh/addgitcommit - - Add /git.commit to docs - -commit 6e57b1f14289a168f9936c7e665932f5ddebf6be -Author: John Howard -Date: Fri Mar 2 11:40:29 2018 -0800 - - Add /git.commit to docs - - 
Signed-off-by: John Howard - -commit 4a822c968e860b43fca7ef919b8d3a7a8121264e -Merge: 860ed4475 9d6c97a60 -Author: Justin Terry (VM) -Date: Thu Mar 1 13:21:33 2018 -0800 - - Merge remote-tracking branch 'origin/master' into multicontainer - -commit 9d6c97a601d309738b1452172056dcc4c652de37 -Merge: 34247d82b 4415b9b9b -Author: John Howard -Date: Thu Mar 1 09:53:46 2018 -0800 - - Merge pull request #200 from jterry75/fix_bridge_unit_tests - - Fix race in WaitOnProcess tests - -commit 4415b9b9b733826dd74a364e3a0d21e8a6356972 -Author: Justin Terry (VM) -Date: Thu Mar 1 09:39:47 2018 -0800 - - Fix race in WaitOnProcess tests - -commit 34247d82b87b8936e2acf9966e2346c1d0fb0d58 -Merge: 11a442236 fea501d7a -Author: Justin -Date: Thu Mar 1 09:38:25 2018 -0800 - - Merge pull request #199 from Microsoft/jjh/remotefsdebug - - Adds logging to remotefs - -commit 11a442236f30b55328098de3cec8bcd13cf0cba0 -Merge: c98d7d2e8 8ed3cf00a -Author: Justin -Date: Thu Mar 1 09:37:23 2018 -0800 - - Merge pull request #196 from Microsoft/jjh/cutdowninitrd - - Strip debug symbols, add commit, fix alignment - -commit 8ed3cf00a2a13d898df43eee526b12ddd3c02121 -Author: John Howard -Date: Wed Feb 21 09:03:31 2018 -0800 - - Strip debug symbols, add commit, fix alignment - - Signed-off-by: John Howard - -commit c98d7d2e81192723810db31c6d854bc67b5953df -Merge: f9d2b7256 6e727ea3b -Author: Justin -Date: Thu Mar 1 09:00:59 2018 -0800 - - Merge pull request #198 from jterry75/fix_bridge_unit_tests - - Explicitly check for success/error in verify - -commit fea501d7a362ae48227bb08bdbabc962a5a19276 -Author: John Howard -Date: Thu Jan 18 07:47:08 2018 -0800 - - Adds logging to remotefs - - 
Signed-off-by: John Howard - -commit 6e727ea3b0465d07bf91229c57353f060d99f3d4 -Author: Justin Terry (VM) -Date: Thu Mar 1 08:56:30 2018 -0800 - - Explicitly check for success/error in verify - -commit 860ed44755dfba2cc8033f5a082d9b2ca35ea352 -Author: Ben Weedon -Date: Wed Feb 28 11:22:32 2018 -0800 - - Update new ModifySettings tests to use protocol V3 - -commit 39f41598b5ec0996456f6ebe8cd549feb4f671ca -Merge: bd50b3ffd f9d2b7256 -Author: Ben Weedon -Date: Wed Feb 28 11:19:46 2018 -0800 - - Merge branch 'master' into multicontainer - -commit f9d2b725664d2a0129f68613d1f2d3cc8e1ce004 -Merge: 5eaa01010 85175a093 -Author: Ben Weedon -Date: Wed Feb 28 11:18:35 2018 -0800 - - Merge pull request #197 from Microsoft/v2_requests - - Support basic V2 ModifySettings requests - -commit 85175a093bfb5c593b6c27ba37151f82a436d733 -Author: Ben Weedon -Date: Tue Feb 27 19:51:52 2018 -0800 - - Use Errorf in remotefs_test where it should be used - -commit 7317643ce0e15c219a8aed3a475f7760f47efa63 -Author: Ben Weedon -Date: Tue Feb 27 19:33:54 2018 -0800 - - Support basic V2 ModifySettings requests - - This doesn't actually add any V2 functionality. It just supports - receiving messages with the v2Request field filled in. - -commit 5eaa01010b0c6ecbcaebf3b957b60fd8f792ac40 -Merge: 18f6fec59 620af17b5 -Author: John Howard -Date: Wed Feb 21 09:01:40 2018 -0800 - - Merge pull request #195 from Microsoft/jjh/dockerfile - - Dockerfile to build initrd.img under LCOW - -commit 620af17b5ba4a6ba8c55bcb5315533ccb9adbca0 -Author: John Howard -Date: Fri Feb 16 15:23:00 2018 -0800 - - Dockerfile to build initrd.img under LCOW - - 
Signed-off-by: John Howard - -commit bd50b3ffd5036d3d3a8e7e8b20b2e05446abaf03 -Merge: 7663d3d65 f9835635f -Author: Justin -Date: Thu Feb 8 12:03:20 2018 -0800 - - Merge pull request #194 from Microsoft/multi_symver - - Changing bridge to major numbers only - -commit f9835635f0080d2cad5e8bfe889b3228808e1e16 -Author: Justin Terry (VM) -Date: Wed Feb 7 12:15:19 2018 -0800 - - Changing bridge to major numbers only - -commit 7663d3d6593834979e4ce141fb764178d327fa8a -Merge: 711141443 bc1ddd53a -Author: Ben Weedon -Date: Wed Feb 7 14:50:35 2018 -0800 - - Merge pull request #193 from Microsoft/add_capabilities - - Add and rename capabilities - -commit bc1ddd53aa885057eaa814102152cbb3d337a04e -Author: Ben Weedon -Date: Mon Feb 5 12:23:53 2018 -0800 - - Add and rename capabilities - - This change includes renaming SendInitialCreateMessage to - SendHostCreateMessage, and adding the capabilities SendHostStartMessage - and HVSocketConfigOnStartup. - -commit 18f6fec59ee021ac351f7e7b8d8e02bd06f929cd -Merge: a52fa6eeb 2e636698e -Author: Justin -Date: Mon Feb 5 12:26:11 2018 -0800 - - Merge pull request #192 from rbalint/master - - Fix int overflow on 32 bit architectures - -commit 2e636698ee818378c4bc4e3377c166d310beb753 -Author: Balint Reczey -Date: Sat Feb 3 03:10:32 2018 +0100 - - Fix int overflow on 32 bit architectures - -commit a52fa6eeb618e1ad2fa920ebd35883789bf8d143 -Merge: 19b160439 944350ddb -Author: Justin -Date: Thu Feb 1 14:56:42 2018 -0800 - - Merge pull request #191 from Microsoft/users/jterry75/171 - - Fixes an issue with resolv.conf on Ubuntu - -commit 944350ddbebd5f97e7d8634173ec6ce3ec25f68b -Author: Justin Terry (VM) -Date: Thu Feb 1 12:11:55 2018 -0800 - - Fixes an issue with resolv.conf on Ubuntu - - Resolves: #171 - -commit 71114144362bf4533b6e8e034a47758c9ba602ef -Merge: 814f5f02c 19b160439 -Author: Ben Weedon -Date: Wed Jan 31 18:17:29 2018 -0800 - - Merge branch 'master' into multicontainer - -commit 19b160439931d978b9871cf4e3dc0d8dbc14093b -Merge: 
28bf6b4f7 1ebea8c7b -Author: Ben Weedon -Date: Wed Jan 31 18:14:29 2018 -0800 - - Merge pull request #189 from Microsoft/handle_nil_getproperties - - Properly handle case where GetProperties returns nil on non error - -commit 814f5f02c453b01f3c9ddbe09950d4dcc96a1931 -Merge: 06726eb33 c19ab0ac7 -Author: Justin -Date: Wed Jan 31 13:43:06 2018 -0800 - - Merge pull request #178 from Microsoft/unknown_message_error - - Unknown messages should return E_VMCOMPUTE_UNKNOWN_MESSAGE - -commit 06726eb33c6aa8fef288a3ff0d34ca19a4a62df6 -Merge: 90a753c70 fc269e452 -Author: Justin -Date: Wed Jan 31 13:42:43 2018 -0800 - - Merge pull request #176 from Microsoft/start_noop - - Handle start message as noop in bridge - -commit 28bf6b4f79f6f1be7a7650ea0e9007f13e8ac945 -Merge: 343fafbd8 35b8630cd -Author: Justin -Date: Wed Jan 31 13:41:35 2018 -0800 - - Merge pull request #190 from Microsoft/workdir_2 - - Creates the workdir on start - -commit 35b8630cd9be710f2cd108a83f928707833014b5 -Author: Justin Terry (VM) -Date: Tue Jan 30 16:13:50 2018 -0800 - - Creates the workdir on start - - Propertly creates the workdir in the container bundle previous to a start if - that workdir is not '/' - - Ref: #188 - -commit 1ebea8c7b737fb96333ee04b9364e1078b2321de -Author: Ben Weedon -Date: Mon Jan 29 18:58:15 2018 -0800 - - Properly handle case where GetProperties returns nil on non error - -commit 343fafbd8ebc3cb460f96836759b65bcc9ac8d45 -Merge: 823109b0c fda4658ca -Author: John Howard -Date: Wed Jan 24 16:04:36 2018 -0800 - - Merge pull request #186 from Microsoft/jjh/handleclosestdincorrectly - - Handle valid errors on process CloseStdin() - -commit fda4658ca65806e37f382a002d5c854744c8e8e4 -Author: John Howard -Date: Wed Jan 24 15:42:18 2018 -0800 - - Handle valid errors on process CloseStdin() - - 
Signed-off-by: John Howard - -commit 90a753c70f3611ba1f511d48a8186107035d71ed -Author: Ben Weedon -Date: Mon Jan 22 13:17:35 2018 -0800 - - Fix build error from merge - -commit e49f291a10690d830bdc115a6c2498725c715ed7 -Merge: 7321f329d 823109b0c -Author: Ben Weedon -Date: Mon Jan 22 13:00:52 2018 -0800 - - Merge branch 'master' into multicontainer - -commit 823109b0c47f66a87d48777a88cdac3b327e1dbb -Merge: a01f62aeb bb1471d74 -Author: Cheng-mean Liu -Date: Mon Jan 22 12:56:31 2018 -0800 - - Merge pull request #185 from Microsoft/getproperties - - Return the correct structure from GetProperties - -commit 216772e344403bb9fa8b04be64e6f64fa934b492 -Merge: 45ef15484 ac2867418 -Author: Darren Stahl -Date: Mon Jan 22 10:57:48 2018 -0800 - - Merge pull request #157 from thaJeztah/fix-line-endings - - Fix CRLF line-endings on some files - -commit ac28674180d8c7feee4b87c535307ac4f8ed3e8c -Author: Sebastiaan van Stijn -Date: Sat Jan 20 17:51:33 2018 +0100 - - Fix CRLF line-endings on some files - - Signed-off-by: Sebastiaan van Stijn - -commit bb1471d746337380c5cb42b69170aecca7ad16dc -Author: Ben Weedon -Date: Fri Jan 19 18:47:36 2018 -0800 - - Return the correct structure from GetProperties - - Nothing in the HCS was ever sending a GetProperties message, so this - issue didn't really ever come up. We should fix it now, though. - -commit a01f62aeb567053fdee0bf7b376083ae7b511ca4 -Merge: 7010b68f4 045ab4fe9 -Author: Cheng-mean Liu -Date: Thu Jan 18 14:23:37 2018 -0800 - - Merge pull request #184 from Microsoft/jjh/debugcopywithtimeout - - Adds advanced debugging to dump data to/from UVM - -commit 7010b68f4b161cb6daccfd7923848314af867687 -Merge: 6d24169ca 8cfbb6d8a -Author: Cheng-mean Liu -Date: Thu Jan 18 14:22:48 2018 -0800 - - Merge pull request #183 from Microsoft/jjh/translate-io-eof - - Translate io.EOF - -commit 045ab4fe9a9f163261277fd0c2b249366ba2ec68 -Author: John Howard -Date: Thu Jan 18 11:37:25 2018 -0800 - - Adds advanced debugging to dump data to/from UVM - - 
Signed-off-by: John Howard - -commit 6d24169ca82f47fdf5cc0adfa66c730788626e15 -Merge: 0eb964cce ead60c7c5 -Author: Cheng-mean Liu -Date: Thu Jan 18 11:08:11 2018 -0800 - - Merge pull request #182 from Microsoft/jjh/remotefs-loglevel - - Add logging flags for remotefs - -commit 8cfbb6d8ae8203a80464ca6e2bd39102d6fd9deb -Author: John Howard -Date: Thu Jan 18 07:47:59 2018 -0800 - - Translate io.EOF - - Signed-off-by: John Howard - -commit ead60c7c57a20b282ce97c15de5dddb795cb01c8 -Author: John Howard -Date: Wed Jan 17 14:23:53 2018 -0800 - - Add logging flags for remotefs - - Signed-off-by: John Howard - -commit 0eb964cce52adda7be54d661fa812d6cc6124fb5 -Merge: 3f708a091 05f3aa535 -Author: Cheng-mean Liu -Date: Wed Jan 17 11:37:59 2018 -0800 - - Merge pull request #181 from Microsoft/jjh/paniclog - - Basic panic logger for gcstools - -commit 05f3aa535d7d9d34f85c19e5074d590a0116a01e -Author: John Howard -Date: Tue Jan 16 15:59:48 2018 -0800 - - Basic panic logger for gcstools - - 
Signed-off-by: John Howard - -commit c19ab0ac713159ec4b96b45ba64723f4b7dbf30b -Author: Ben Weedon -Date: Tue Jan 9 17:08:14 2018 -0800 - - Unknown messages should return E_VMCOMPUTE_UNKNOWN_MESSAGE - - They used to return E_NOTIMPL, which is different from what the Windows - GCS would return. - -commit fc269e452aaf3e35e8075018c9bfae1617f54aab -Author: Ben Weedon -Date: Tue Dec 19 13:02:41 2017 -0800 - - Handle start message as noop in bridge - - The HCS will send this message to Linux VMs in the future, so we should - handle it rather than returning an error. - -commit 7321f329d3df91f8a68b4696492db67961626782 -Merge: 3f708a091 9c6d5d193 -Author: Ben Weedon -Date: Mon Jan 8 15:19:28 2018 -0800 - - Merge pull request #180 from Microsoft/protocol_negotiation - - Implements version based multiplexer dispatch and protocol negotiation - -commit 9c6d5d193267bc07677817dbc590aebf61ba7fdf -Author: Justin Terry (VM) -Date: Fri Jan 5 14:40:13 2018 -0800 - - Remove inaccessible code checks - -commit 40cbd7bf7708e766b4079622bf0efa54d156fb34 -Author: Justin Terry (VM) -Date: Fri Jan 5 10:46:58 2018 -0800 - - Review feedback - - 1. Implements a few unit tests around the negotiate protcol workflows. - 2. Updates based on early review feedback. - 3. Makes negotiate protcol dynamic rather than hard coded to the current version. 
- -commit 5ae3e4ce51905f28de44d95b139ccc191e5008ad -Author: Ben Weedon -Date: Tue Dec 19 17:51:30 2017 -0800 - - Implements version based multiplexer dispatch - - Resolves: #161 - -commit 3f708a091b4afc28c918ac6063e706c48a5f67de -Merge: 3b797f5ee 96cda51b4 -Author: Cheng-mean Liu -Date: Thu Jan 4 15:26:03 2018 -0800 - - Merge pull request #179 from jterry75/instructions - - Minor fix to doc markdown - -commit 96cda51b45223738185a4859775fabd214c29c0a -Author: Justin Terry (VM) -Date: Thu Jan 4 14:53:16 2018 -0800 - - Minor fix to doc markdown - -commit 45ef15484298b76abeb9513ea0ea0abd2b5b84b3 (tag: v0.6.8) -Merge: 34a629f78 0d5bb78dc -Author: Darren Stahl -Date: Wed Jan 3 11:29:33 2018 -0800 - - Merge pull request #154 from Microsoft/moby-partfix-32838 - - Skip recycle bin and part fix for moby/moby 32838 - -commit 0d5bb78dcdfedf19b523b432ec5dfbe5394d1ede -Author: John Howard -Date: Wed Jan 3 09:56:41 2018 -0800 - - Skip recycle bin - - 
Signed-off-by: John Howard - -commit 3b797f5ee8e8d4249d385f230a676ba307eec8e5 -Merge: 363ff12d4 eca96a27b -Author: Cheng-mean Liu -Date: Tue Jan 2 15:01:39 2018 -0800 - - Merge pull request #177 from kant/patch-1 - - Minor fixes (proposal) - -commit eca96a27b73c10620b1e0720ec8cb2bd49150cde -Author: Darío Hereñú -Date: Tue Dec 19 18:27:34 2017 -0300 - - Minor fixes (proposal) - -commit 363ff12d45a732e73e71ee92b9f916ac3b37cb4d -Merge: 564a38c30 60ae3e388 -Author: Cheng-mean Liu -Date: Thu Dec 7 14:53:07 2017 -0800 - - Merge pull request #170 from Microsoft/fix_layer_depth - - Fixing layer path size to long - -commit 564a38c30416403e537a2fbd9dccd687a4482e59 -Merge: 444a94724 d9d251334 -Author: Akash Gupta -Date: Fri Dec 1 11:58:41 2017 -0800 - - Merge pull request #160 from Microsoft/gateway - - Added support for setting a gateway that's outside of subnet it's setting for. - -commit 60ae3e3888ef515545b8258325e03b1fb3624c21 -Author: Justin Terry (VM) -Date: Thu Nov 30 15:03:41 2017 -0800 - - Review Feedback - -commit 1d109d8f26582c661e93d35a96ca27437c35ceb2 -Author: Justin Terry (VM) -Date: Wed Nov 29 14:42:39 2017 -0800 - - Fixing layer path size to long - -commit 444a94724c21b32c2ae56c9bf1fa6e0c3d077267 -Merge: b3146d0cc 0d797383b -Author: Cheng-mean Liu -Date: Wed Nov 29 17:22:26 2017 -0800 - - Merge pull request #150 from dvrkps/patch-1 - - travis: update go version - -commit b3146d0ccf327dcb0235bd8627043ca069b45690 -Merge: ec7c21720 861173575 -Author: Cheng-mean Liu -Date: Tue Nov 28 13:02:57 2017 -0800 - - Merge pull request #154 from jhowardmsft/jjh/sigusr1-debugging - - Add sigusr1 debugging to client - -commit d9d25133468c925e16925c4895ca6fdcba9ef09c -Merge: b4609cd98 0a80ebfc7 -Author: Cheng-mean Liu -Date: Tue Nov 21 16:45:11 2017 -0800 - - Merge branch 'gateway' of github.com:Microsoft/opengcs into gateway - -commit b4609cd98d12c7689989406e1c772a5369f962e0 -Author: Cheng-mean Liu -Date: Sun Nov 19 17:50:37 2017 -0800 - - added support for setting a gateway 
ip that's outside a subnet - -commit 34a629f78a5d50f7de07727e41a948685c45e026 (tag: v0.6.7) -Merge: 97daa08b8 0c09862b8 -Author: Darren Stahl -Date: Mon Nov 20 16:25:33 2017 -0800 - - Merge pull request #144 from greenhouse-org/go1.9 - - patch hcsshim to work with go1.9 - -commit 0c09862b86725a460e5aa043ce98fac1919e03ff -Author: Sunjay Bhatia -Date: Mon Nov 20 19:13:55 2017 -0500 - - patch hcsshim to work with go1.9 - - In go1.9, fi.IsDir() returns false if the directory is also a symlink. - - See: https://github.com/golang/go/commit/1989921aef60c83e6f9127a8448fb5ede10e9acc - - This breaks copyFileWithMetadata as it will not pre-create the - destination dir, causing the SetFileBasicInfo call to fail - - This fixes the problem by checking syscall.FILE_ATTRIBUTE_DIRECTORY - directly. - - 
Signed-off-by: Sam Smith - -commit 0a80ebfc7e97d59fb42b6b662d5363cec4a64fff -Author: Cheng-mean Liu -Date: Sun Nov 19 17:50:37 2017 -0800 - - added support for setting a gateway ip that's outside a subnet - -commit ec7c21720ed6d773a98dfa29a8f2f292b879c05f -Author: Cheng-mean Liu -Date: Sun Nov 19 17:38:34 2017 -0800 - - Removed previous accidental direct commit to the master - -commit 735335ed21b9defbf888a1a87460cd51804b994a -Author: Cheng-mean Liu -Date: Sun Nov 19 17:29:48 2017 -0800 - - added support for setting a gateway ip that's outside a subnet - -commit 2a3a94cca366171f159399ffbd1333058e1cef53 -Merge: de0346953 fad07561e -Author: Cheng-mean Liu -Date: Fri Nov 10 11:08:30 2017 -0800 - - Merge pull request #159 from jterry75/cleanup_logrus - - Fixes some logrus messages with newline - -commit fad07561ef7a80d632a469a6ab0c0120e76d136c -Merge: 05e847ab3 de0346953 -Author: Cheng-mean Liu -Date: Fri Nov 10 10:26:28 2017 -0800 - - Merge branch 'master' into cleanup_logrus - -commit 05e847ab324445744c35712d0ea784326dc614b2 -Merge: 0c0ccefac de0346953 -Author: Cheng-mean Liu -Date: Fri Nov 10 10:15:11 2017 -0800 - - Merge branch 'master' into cleanup_logrus - -commit de034695317c432e66bd59ea5aeb6718bec8980d -Merge: c1b7fb074 82ae51599 -Author: Cheng-mean Liu -Date: Fri Nov 10 10:13:25 2017 -0800 - - Merge pull request #157 from Microsoft/fix_race_on_exit - - Fixing issues with process exit - -commit 0c0ccefacb48f0c5f3539c06f53b6af90ee7ee7c -Author: Justin Terry (VM) -Date: Fri Nov 10 09:48:50 2017 -0800 - - Fixes some logrus messages with newline - - Resolves: #158 - -commit 82ae51599c5635f02a351ecb6a2ba821f1dc2033 -Author: Justin Terry (VM) -Date: Thu Nov 9 12:30:54 2017 -0800 - - Fixing a few bridge unit tests - -commit 97daa08b865a25dbdbd5b0e5ece889a982dd62f5 -Merge: e7bcb8a64 0e27f8f47 -Author: Darren Stahl -Date: Wed Nov 8 13:16:23 2017 -0800 - - Merge pull request #146 from mdelillo/typed-errors - - Return typed errors when getting endpoints and networks - 
-commit 21cfb8995312fb0fc7e9ad745fbf118e7d5f1864 -Author: Justin Terry (VM) -Date: Wed Nov 8 10:10:35 2017 -0800 - - Adding ack to WaitProcess - -commit 974b40e458bd5292c25e996ccb3467102b189cc9 -Author: Justin Terry (VM) -Date: Mon Nov 6 16:23:23 2017 -0800 - - Fixing issues with process exit - - Resolves: #153 - Init process exit codes are not always returning because the container exited notification returns before the WaitProcess call comes in causing the HCS to teardown the container. - Resolves: #126 - WaitProcess should honor the timeout associated with the call and return the proper error response on timeout. - -commit e7bcb8a6450b14c441e23a8a54126471ce69d962 -Merge: 337934926 cf75dcfd1 -Author: Darren Stahl -Date: Mon Nov 6 13:52:46 2017 -0800 - - Merge pull request #147 from darrenstahlmsft/skipDirReparse - - Stop skipping directory reparse points in Go1.9 - -commit c1b7fb074a6e4b612c81a941182f9f423ed99e50 -Merge: ab628ecbc e6f8d8974 -Author: Cheng-mean Liu -Date: Mon Nov 6 13:28:09 2017 -0800 - - Merge pull request #152 from Microsoft/add_stack_dump - - Adds stack dump support - -commit cf75dcfd1b43bc428181b3f7100f5073601da9ea -Author: Darren Stahl -Date: Mon Nov 6 13:16:42 2017 -0800 - - Stop skipping directory reparse points in Go1.9 - - Signed-off-by: Darren Stahl - -commit 0e27f8f473aed2ba2ac68a5e9df34e43a0aa79a8 -Author: Mark DeLillo -Date: Fri Nov 3 17:47:56 2017 -0400 - - Return typed errors when getting endpoints and networks - - * Makes it easier to determine if a resource does not exist or something else went wrong - -commit 8611735754847ea2d644ac9c2bed6002eea9fda9 -Author: John Howard -Date: Tue Oct 31 10:02:48 2017 -0700 - - Add sigusr1 debugging to client - - 
Signed-off-by: John Howard - -commit e6f8d897477584dad7eff49ce4aeabe4ca26cae8 -Author: Justin Terry (VM) -Date: Fri Oct 20 11:51:49 2017 -0700 - - Adds stack dump support - -commit ab628ecbcd900ac19d8b6b0c6aeb78f836904d99 -Merge: 48ae4e3ba 86c2214eb -Author: Cheng-mean Liu -Date: Wed Oct 18 09:39:51 2017 -0700 - - Merge pull request #151 from StefanScherer/fix-typo - - Fix typos - -commit 86c2214eb68f0ce9b5951dee6a14238507ad4e97 -Author: Stefan Scherer -Date: Wed Oct 18 12:48:15 2017 +0200 - - Fix typos - -commit 0d797383b3966d9a7e05945519ca6ebaa320de07 -Author: Davor Kapsa -Date: Thu Oct 12 18:33:09 2017 +0200 - - travis: update go version - -commit 33793492662087369cf96403be23a1ec8360f7dd -Merge: 7db05c0f1 d1097dbfc -Author: Darren Stahl -Date: Tue Oct 3 15:16:22 2017 -0700 - - Merge pull request #145 from nwoodmsft/master - - Correcting ACLPolicy field names to LocalAddresses and RemoteAddresses - -commit d1097dbfc8c2ae24d089938004bac2d61a41b727 -Author: Nick Wood -Date: Thu Sep 28 18:12:03 2017 -0700 - - Correcting ACLPolicy field names to LocalAddresses and RemoteAddresses - -commit 7db05c0f1e17f2d6a1fc2b3bddb2e39ed30804e8 (tag: v0.6.6) -Merge: 4486bc29c 08379cc24 -Author: Darren Stahl -Date: Thu Sep 28 16:27:35 2017 -0700 - - Merge pull request #143 from nwoodmsft/master - - ApplyACLPolicy needs to allow multiple policies to be provided - -commit 08379cc24ce52038f5d18817e7c5b621f1120efe -Author: Nick Wood -Date: Thu Sep 28 15:16:09 2017 -0700 - - Fixing typo in ApplyACLPolicy func comment - -commit ef84ccead846463309533631d12a206ce4d89d42 -Author: Nick Wood -Date: Wed Sep 27 16:37:09 2017 -0700 - - PR code review feedback - -commit 9303effa036dc69dc84afc79dba3a6b9f647efed -Author: Nick Wood -Date: Tue Sep 26 16:46:18 2017 -0700 - - ApplyACLPolicy needs to allow a collection of policies to be applied to the endpoint - -commit 48ae4e3ba3d2fea746fb4dc20a72832a46f45466 -Merge: e9838ced1 0ffc2a04d -Author: Akash Gupta -Date: Fri Sep 22 14:01:15 2017 -0700 - - 
Merge pull request #147 from Microsoft/patches - - Added new hyperv vsock patches for addressing connection close racing… - -commit 0ffc2a04d24d4dacca7095d2481aaa518cbd4c28 -Author: Cheng-mean Liu -Date: Fri Sep 22 11:19:47 2017 -0700 - - Added new hyperv vsock patches for addressing connection close racing condition issue - -commit e9838ced183be08b51502e7b915c46d60e932718 -Merge: af8bcbce5 6a947600c -Author: Cheng-mean Liu -Date: Thu Sep 21 15:43:27 2017 -0700 - - Merge pull request #139 from jterry75/130 - - Moves runc logs to per container id - -commit 6a947600c15eaf97a908e450cb867a2e398a7bfc -Author: Justin Terry (VM) -Date: Fri Sep 15 15:20:38 2017 -0700 - - Moves runc logs to per container id - - Resolves: #130 - -commit af8bcbce53af7d202fe18b4361dbd0f7e7c8561e -Merge: 353a47aea caacb87be -Author: Akash Gupta -Date: Mon Sep 18 13:50:33 2017 -0700 - - Merge pull request #143 from jterry75/26 - - Renames gcs/errors to gcs/gcserr - -commit caacb87beaca95faf2be856caa6ca7ca195d374b -Author: Justin Terry (VM) -Date: Mon Sep 18 13:33:38 2017 -0700 - - Renames gcs/errors to gcs/gcserr - - Resolves: #26 - -commit 353a47aea9ec51f755c5d529479269fac57ad989 -Merge: a7cca0dd4 ca946d59d -Author: Akash Gupta -Date: Mon Sep 18 13:41:38 2017 -0700 - - Merge pull request #142 from jterry75/12 - - Fixes a golint issue - -commit ca946d59db0d979a1a4f4dc332aa4c8cedbd5a72 -Author: Justin Terry (VM) -Date: Mon Sep 18 13:26:10 2017 -0700 - - Fixes a golint issue - - Resolves: #12 - -commit a7cca0dd463d1d0b7854d1767a6fa567f2069312 -Author: Cheng-mean Liu -Date: Fri Sep 15 11:21:34 2017 -0700 - - Updated LCOW custom kernel builds instructions with 4.12 support (#138) - - * Updated LCOW custom kernel builds instructions with 4.12 support - -commit de29646b8dfadfc443e1467bd4b493e9068fb582 -Merge: d8dcf800d ca4f9a8e6 -Author: Akash Gupta -Date: Thu Sep 14 16:22:41 2017 -0700 - - Merge pull request #137 from jterry75/131 - - Fixes potential delete on unmounts failure - -commit 
ca4f9a8e6ce596047c8b6452daf6125cd2e7e203 -Author: Justin Terry (VM) -Date: Thu Sep 14 12:53:24 2017 -0700 - - Fixes potential delete on unmounts failure - - Will only destroy the container storage in the UVM if all mounts are successfully unmounted. Without this we have no way of knowing if it safe to delete the files or if this could have an affect on the host files. - - Resolves: #131 - -commit d8dcf800d2b115abeebd12f3c16d22c5cd836b76 -Merge: b26665705 5d8f573d2 -Author: Akash Gupta -Date: Thu Sep 14 09:48:34 2017 -0700 - - Merge pull request #136 from rn/vsock-timeout - - Improve the vsock timeout handling - -commit 5d8f573d27b31d06fbdf69fcf4c0784e8bbe838d -Author: Rolf Neugebauer -Date: Thu Sep 14 11:53:24 2017 +0100 - - Improve error handling and retry of vsock.Dial() - - The update vsock package returns th underlying error. Use it - to determine if the error was ETIMEDOUT and only retry if it was. - - Other errors are treated as real errors and the Dial attempt is - aborted. Also, improve the logging to see the real error. - - Signed-off-by: Rolf Neugebauer - -commit 0a108afb032bd32ad966011ae9af02389e8da7c0 -Author: Rolf Neugebauer -Date: Thu Sep 14 11:26:06 2017 +0100 - - Update vsock package to latest - - 
Signed-off-by: Rolf Neugebauer - -commit b26665705d946626f6c9a2255a6d17f06e93f0cf -Merge: abfed798b 33d89b69e -Author: Cheng-mean Liu -Date: Wed Sep 13 15:10:39 2017 -0700 - - Merge pull request #133 from Microsoft/retry-connect - - Add a retry when connecting stdin/stdout/stderr - -commit abfed798b278301a9d3df64c955d27cab8f9eeae -Merge: 203a54283 ad9d9e50e -Author: Cheng-mean Liu -Date: Wed Sep 13 10:13:47 2017 -0700 - - Merge pull request #134 from jhowardmsft/jjh/getlogs - - Enable GCS debugging from docker - -commit 33d89b69e4babb73c3025eb15a34d3bc49f6ca68 -Author: Akash Gupta -Date: Wed Sep 6 14:35:28 2017 -0700 - - Add a retry when connecting stdin/stdout/stderr - -commit ad9d9e50e0656ac3c5228730989505bae0244f09 -Author: John Howard -Date: Fri Sep 8 14:26:03 2017 -0700 - - Enable GCS debugging from docker - - Signed-off-by: John Howard - -commit 4486bc29c643509eac9de46f1d77ecb96b5b364f (tag: v0.6.5) -Merge: b144c6050 12f6b54e1 -Author: Darren Stahl -Date: Thu Sep 7 18:19:22 2017 -0700 - - Merge pull request #142 from darrenstahlmsft/CreateTimeout - - Cleanup on failed container create due to timeout - -commit 12f6b54e1eb3816b625c77b98768c1b5f3be3074 -Author: Darren Stahl -Date: Wed Sep 6 12:57:16 2017 -0700 - - Cleanup on failed container create due to timeout - - 
Signed-off-by: Darren Stahl - -commit 203a54283e0b0d58c1bc9d8d0f0b4bea8503fe37 -Merge: 726a1d9fd e4a274473 -Author: Akash Gupta -Date: Thu Sep 7 16:54:25 2017 -0700 - - Merge pull request #125 from jterry75/async_bridge_tests - - Implements the bridge handler tests - -commit 726a1d9fdd9a017a24cb5fdcf2468d8cc58b1728 -Merge: a358b5838 2403c72ae -Author: Akash Gupta -Date: Thu Sep 7 16:52:20 2017 -0700 - - Merge pull request #132 from jterry75/131 - - Fixes an issue on cleanup with mapped directories - -commit 2403c72ae0ac803f4e3f7c6905a7da6bd10d3c5e -Author: Justin Terry (VM) -Date: Thu Sep 7 15:11:50 2017 -0700 - - Fixes an issue on cleanup with mapped directories - - Resolves: #131 - -commit b144c605002d4086146ca1c15c79e56bfaadc2a7 (tag: v0.6.4) -Merge: 6ea7fe54f da9e7b79f -Author: John Howard -Date: Thu Sep 7 10:57:15 2017 -0700 - - Merge pull request #141 from Microsoft/jjh/mappeddir - - Add CreateInUtilityVM to MappedDir - -commit da9e7b79fe11175fc510036539efb89381ca859a -Author: John Howard -Date: Thu Sep 7 09:16:11 2017 -0700 - - Add CreateInUtilityVM to MappedDir - - Signed-off-by: John Howard - -commit e4a2744739de07a9287f4f21c65a7f6e178f5489 -Author: Justin Terry (VM) -Date: Wed Aug 16 10:48:22 2017 -0700 - - Implements the bridge handler tests - - 1. Updates the bridge_test suite to test just the handler code and all error/success cases. - 2. Cleans up a little bit of the bridge handler code. - 3. Fixes the way that the 'Settings' field of a ContainerModifyRequestResponse is sent so that - we dont have an additional level of inderiction. - -commit a358b5838a87a83ce68a65c26604f905939cbe80 -Merge: ab442e9a0 d63e5f20c -Author: Akash Gupta -Date: Wed Sep 6 12:37:08 2017 -0700 - - Merge pull request #129 from jhowardmsft/jjh/readonly - - LCOW: VHDX boot to read-only - -commit d63e5f20c5385a7c49c75c0d1f4043391873a390 -Author: John Howard -Date: Wed Sep 6 11:04:37 2017 -0700 - - LCOW: VHDX boot to read-only - - 
Signed-off-by: John Howard - -commit ab442e9a042246e5e6c87102ed56faa6d3925458 -Merge: bba126e0a ba270d2f2 -Author: Cheng-mean Liu -Date: Tue Sep 5 21:49:03 2017 -0700 - - Merge pull request #128 from jstarks/mount_plan9_without_vsock_kernel_patch - - gcs: Mount plan9 shares with fd transport - -commit ba270d2f2f3982863cbcbe8b17897e1bdde38de0 -Author: John Starks -Date: Fri Sep 1 14:52:53 2017 -0700 - - gcs: Mount plan9 shares with fd transport - - This change eliminates the need for the plan9 vsock transport by - connecting to the plan9 server in GCS and using the plan9 fd - transport. - -commit bba126e0ae5fb4d720f0d76be64ed83506928947 -Merge: 34a64c360 1ef737534 -Author: Cheng-mean Liu -Date: Thu Aug 31 18:01:55 2017 -0700 - - Merge pull request #127 from Microsoft/docs - - Updated patch doc for the pickup of the latest Hyper-V vsock fix - -commit 1ef7375343f7b9fe1fc108df9db15c8ccadc556c -Author: Cheng-mean Liu -Date: Thu Aug 31 17:48:18 2017 -0700 - - Updated patch doc for the pickup of the latest Hyper-V vsock fix - -commit 34a64c3608036509e36bf9a211579a411f4d10da -Merge: a8a66ed78 af640c590 -Author: Cheng-mean Liu -Date: Tue Aug 29 13:50:47 2017 -0700 - - Merge pull request #116 from Microsoft/async_bridge_loop - - Implements the async bridge loop - -commit a8a66ed78fbdc6274ee9a6bdc89a61843481b462 -Merge: d98b0b1e5 6df781fd3 -Author: Cheng-mean Liu -Date: Fri Aug 25 16:54:24 2017 -0700 - - Merge pull request #123 from jterry75/golint - - Fixes the majority of golint issues - -commit 6df781fd3791f1ddb351f51130799554b14d1ded -Author: Justin Terry (VM) -Date: Fri Aug 25 14:16:33 2017 -0700 - - Updating comments to be under 80 chars - -commit af640c590aa0de1965174b8c74c5c35f527a2e0d -Author: Justin Terry (VM) -Date: Fri Aug 25 14:53:11 2017 -0700 - - Fixing nil map checks - -commit 97a7e8bed8f529885cb079904c152883166ddf3a -Author: Justin Terry (VM) -Date: Mon Aug 14 11:55:48 2017 -0700 - - Implements the async bridge loop - - Implements the async bridge - 
Implements the bridge multiplexer - Removes any waiting between commands in favor of a channel writer per request - Fixes the "RegisterExitHook" pattern in favor of a single channel writer on an async goroutine - Temporarily disables the bridge_test suite put puts in place bridge unit tests. These will be moved when the handler funcs are pulled off of the bridge in the second change. - -commit d98b0b1e51fe392ac67566c01a04fc73f1e9347f -Merge: aee5da25f 189a3fa86 -Author: Cheng-mean Liu -Date: Fri Aug 25 14:00:04 2017 -0700 - - Merge pull request #118 from Microsoft/vsock_relay - - Implement stdio pipe relay for container processes - -commit a618cc5cf50f4042f48e7a9d2f5ee98ba75ed90a -Author: Justin Terry (VM) -Date: Fri Aug 25 12:53:22 2017 -0700 - - Fixes the majority of golint issues - - Partial: #12 - -commit aee5da25f354b8b660a20a50b68479b17de7f8d4 -Merge: f05981df1 a08081743 -Author: Cheng-mean Liu -Date: Fri Aug 25 12:26:13 2017 -0700 - - Merge pull request #121 from Microsoft/update_runc_version - - Update runc version to version used by docker - -commit a08081743d8fa8cdf799c994b0cf8ca07983ac3c -Author: Ben Weedon -Date: Fri Aug 25 11:01:04 2017 -0700 - - Update runc version to version used by docker - - The docker update to use this version of runc can be found in the PR - https://github.com/moby/moby/pull/34356. 
- -commit f05981df1ee30380217c64886dc636409a3830e2 -Merge: aa648d4a9 ea1abdb54 -Author: Akash Gupta -Date: Fri Aug 25 10:12:11 2017 -0700 - - Merge pull request #120 from Microsoft/OCI_V_1.0.0 - - updated gcs to oci v1.0.0 - -commit ea1abdb54786e2d8d37a5ab24c13f97ef93835a0 -Author: Cheng-mean Liu -Date: Fri Aug 25 01:51:36 2017 -0700 - - updated gcs to oci v1.0.0 - -commit 189a3fa8605406ef6f168763ca1277aff9cb47ae -Author: Justin Terry (VM) -Date: Thu Aug 24 21:16:44 2017 -0700 - - Fixing a runc_test issue - - The cleanup code runs a goroutine that leaks the capture state of the stdioset which causes go to detect a race only when running tests and not production code. - -commit 34d74a65dcc813e07c97313d16e45bb88c538b6f -Author: Justin Terry (VM) -Date: Tue Aug 22 14:42:23 2017 -0700 - - Implement stdio pipe relay for container processes - - Resolves: #114 - -commit aa648d4a9eb4140223093d01933c06a51a33ea26 -Merge: f87b25d86 2f319d643 -Author: Cheng-mean Liu -Date: Thu Aug 24 15:36:52 2017 -0700 - - Merge pull request #94 from Microsoft/remotefs-sync - - remotefs: Added sync to writes and OpenFile - -commit f87b25d862c8f18b503444c1e23c8e25f2844ed9 -Merge: a3116797c cd355b57b -Author: Cheng-mean Liu -Date: Thu Aug 24 15:19:03 2017 -0700 - - Merge pull request #117 from Microsoft/mtu - - Sets the MTU when a non-default value is specified - -commit a3116797cceda8f8b477c36b0d4fe47a0103b5cd -Merge: b73ea61a2 924880f09 -Author: Cheng-mean Liu -Date: Thu Aug 24 11:12:49 2017 -0700 - - Merge pull request #119 from Microsoft/mount - - Tar2vhd should use -t ext4 when calling mount. - -commit 924880f09cf314b1691dc11283d4cf524012df3d -Author: Justin Terry (VM) -Date: Thu Aug 24 10:21:43 2017 -0700 - - Tar2vhd should use -t ext4 when calling mount. 
- -commit b73ea61a2a98f620e906b1484b268d1d4c1224f7 -Merge: 3193f23a4 38abb8633 -Author: Justin -Date: Wed Aug 23 13:22:54 2017 -0700 - - Merge pull request #107 from Microsoft/error_recovery - - Proper error recovery in the bridge - -commit 2f319d6439b4f60fcbd49f076cf635344a923198 -Author: Akash Gupta -Date: Fri Aug 18 17:30:55 2017 -0700 - - Add build tag to remotefs implementation - -commit abd271d6013eea2bc8e1a370b93573afad481917 -Author: Akash Gupta -Date: Wed Aug 9 15:57:50 2017 -0700 - - Added Seek to remotefs.OpenFile - -commit 3dd8a4b2c7f402b25b62dd390f25c47f3be1b19b -Author: Akash Gupta -Date: Wed Aug 9 15:22:51 2017 -0700 - - Changed remotefs organization - -commit 4c5bd9a32710e6e1bf802e0cc39acfcf71e08725 -Author: Akash Gupta -Date: Tue Aug 8 13:24:21 2017 -0700 - - Reworked OpenFile to have protocol - -commit f956d6c6fe27e4db0e419e2591ad3c8c492cddd3 -Author: Akash Gupta -Date: Thu Aug 3 18:01:13 2017 -0700 - - Added sync on write operations - -commit 8b8c7d4f163f5198f00b36cb3ea6e3095624078a -Author: Akash Gupta -Date: Thu Aug 3 15:59:50 2017 -0700 - - Added openfile to remotefs - -commit cd355b57b77aa4a3ee8a25ac52f28c0e1f4bcf77 -Author: Justin Terry (VM) -Date: Thu Aug 17 15:01:51 2017 -0700 - - Sets the MTU when a non-default value is specified - - Resolves: #115 - -commit 3193f23a47db3dc77162a0b99f431203d374664c -Merge: 2dad06f03 c66398b24 -Author: Cheng-mean Liu -Date: Wed Aug 16 15:17:49 2017 -0700 - - Merge pull request #111 from miguelinux/kernelconfig-refactoring - - Kernelconfig refactoring and add missing patches - -commit c66398b245111dc188d83a43e169a7e37b8c5d58 -Author: Miguel Bernal Marin -Date: Wed Aug 9 15:05:17 2017 -0500 - - kernel: consolidate documentation to one file - - consolidate the information to README.md, so in - the GitHub page it will be showed at a directory level. - - 
Signed-off-by: Miguel Bernal Marin - -commit b997de397663e77aede372e17bae19e698962081 -Author: Miguel Bernal Marin -Date: Wed Aug 9 14:14:13 2017 -0500 - - kernelconfig: organize kernel directory as linuxkit - - As the files are properly named with the kernel version, is time to - move the directory to be similar as linuxkit. - - This commit moves the content from kernelconfig/4.11 to kernel - directory, and updates customosbuildinstructions document. - - Signed-off-by: Miguel Bernal Marin - -commit da6797e3a750ca6ccb721a40278566b953532062 -Author: Miguel Bernal Marin -Date: Mon Aug 7 19:02:59 2017 -0500 - - kernelconfig: organize kernel patches as linuxkit - - This commit creates a directory where the Linux kernel patches live, - the directory is called patches-4.11.x (similar as linuxkit) - - The following patches were renamed: - - * patch_9pfs_vsock-transport.patch -> patches-4.11.x/0001-Added-vsock-transport-support-to-9pfs.patch - * patch_lower-the-minimum-PMEM-size.patch -> patches-4.11.x/0002-NVDIMM-reducded-ND_MIN_NAMESPACE_SIZE-from-4MB-to-4K.patch - - And the kernel config file was renamed - - * kconfig_for_4_11 -> kernel_config-4.11.x - - 
Signed-off-by: Miguel Bernal Marin - -commit 2dad06f038530dc305fb139a281507f1002e7e51 -Merge: 0410aabd5 05b0e586e -Author: Cheng-mean Liu -Date: Tue Aug 15 13:55:39 2017 -0700 - - Merge pull request #106 from Microsoft/more_runc_tests - - Expanded runC tests - -commit 38abb86337ce3570685fbe77f3acfa15bae0f1bf -Author: Ben Weedon -Date: Wed Aug 9 20:36:22 2017 -0700 - - Add bridge tests for core error responses - -commit 05b0e586ef2bff95da1a0913782577111080ed39 -Author: Ben Weedon -Date: Tue Aug 15 11:46:42 2017 -0700 - - Only use empty connection sets for sleep processes in runc tests - - This prevents potential process exits for processes like sh or cat which - require non-empty connection sets. - -commit e3b81fc4ed4c673fe92e4adb0e930bc4de3eb3ec -Author: Ben Weedon -Date: Wed Aug 9 17:05:11 2017 -0700 - - Add stderr tests to runC tests - -commit 34cfe2b9235e655515937775e7ef7d6a6cc1b24c -Author: Ben Weedon -Date: Wed Aug 9 15:07:06 2017 -0700 - - Add stdio validation to runC tests - - Some tests will now send input to processes and expect the correct - output to be returned. - -commit 587e4a424a14e51063eccd813b427759d848af7f -Author: Ben Weedon -Date: Wed Aug 9 12:11:36 2017 -0700 - - Support non-initial cat processes in runC tests - -commit b57fc6d82d15107415e8a841212126176737d92f -Author: Ben Weedon -Date: Wed Aug 9 11:54:35 2017 -0700 - - Support a cat init process in the runC tests - -commit ec4ecc5330b569d34141ffdbc0b61874bb344fda -Author: Ben Weedon -Date: Wed Aug 9 11:44:31 2017 -0700 - - Support non-empty ConnectionSets in runC tests - -commit 1a6499aa601416a4ff9781e6e5b8e7c67ede2202 -Author: Ben Weedon -Date: Tue Aug 8 18:28:49 2017 -0700 - - Reimplement MockConnection to use unix sockets - - This more closely mirrors vsocks, especially in allowing for - implementation of the File() method. 
- -commit 0410aabd5ba42fc3375f0a906f683c6d26efc95b -Merge: 6587989a9 590f34149 -Author: Akash Gupta -Date: Tue Aug 15 11:21:04 2017 -0700 - - Merge pull request #113 from Microsoft/close_nil_connset - - Fix nil deref when closing ConnectionSet on error - -commit 590f3414977436a5a49bcf356c14f3c72df34024 -Author: Ben Weedon -Date: Mon Aug 14 18:13:42 2017 -0700 - - Fix nil deref when closing ConnectionSet on error - - This bug caused the GCS to crash with a panic when connecting to stdio - sockets failed in any way. - -commit 6587989a95a2f64705ccd569abe68d0a2ffc20b1 -Merge: b8aae4a62 4604cf060 -Author: Akash Gupta -Date: Fri Aug 11 16:02:19 2017 -0700 - - Merge pull request #112 from Microsoft/etc_perms - - Change permissions of etc directory from 0700 to 0755 - -commit 4604cf0602686b2985e0d74daf13c76df4faccb3 -Author: Ben Weedon -Date: Fri Aug 11 15:45:22 2017 -0700 - - Change permissions of etc directory from 0700 to 0755 - - This fixes an issue experienced in the ubuntu image where apt-get needs - the /etc directory to be executable to perform an nslookup. When we - switch to using bind mounts specified by docker to get resolv.conf into - the container namespace, we might be able to avoid specifying the - permission bits altogether. - -commit 73c352e686db410ab49c319f3a9c9460ab2099c9 -Author: Miguel Bernal Marin -Date: Fri Aug 4 18:03:16 2017 -0500 - - kernelconfig: modify file mode bits - - The following files had the execution bit enabled - - * kconfig_for_4_11 - * patch_9pfs_vsock-transport.patch - * patch_hyperv_vsock_patch_instruction.txt - * patch_lower-the-minimum-PMEM-size.patch - * readme.txt - - This commit removes the execution bit. - - Also set the execution bit to the init_sript - - * scripts/init_script - - 
Signed-off-by: Miguel Bernal Marin - -commit 922a826a8138a585737894482ada2d503faab81f -Author: Ben Weedon -Date: Tue Aug 8 15:47:17 2017 -0700 - - Support multiple test config.json files - - The current one was renamed to sh_config.json. The runc tests will now - symlink the specified file into testbundle. - - Also makes sure to make parent directories in setup_test_env, since the - testbundle directory is now empty and so won't be included in the git - repo. - -commit b54345f91dedd9498347967eb2287805cf6a401a -Author: Ben Weedon -Date: Tue Aug 8 15:15:01 2017 -0700 - - runc test init process is now sh rather than sleep - - Also replace the long sleep processes in the tests with sh as well. - -commit 502efaa4ae979d49e943fced9a0fd69c92be361b -Author: Ben Weedon -Date: Tue Aug 8 15:07:24 2017 -0700 - - Only wait for runc master pt after runc finishes - - This prevents the socket read from hanging when runc encounters an - error. - -commit b8aae4a623d61c9862aead6d560ad13dc04a5f87 -Merge: d5e297f59 cf92d91f6 -Author: Akash Gupta -Date: Thu Aug 10 11:52:07 2017 -0700 - - Merge pull request #108 from jhowardmsft/fixmessage - - client: fix error message - -commit d5e297f5933edfa6781a3e133f80f62f4dcb21f2 -Merge: 874b6714c cf327b5e8 -Author: Akash Gupta -Date: Thu Aug 10 11:51:42 2017 -0700 - - Merge pull request #109 from jhowardmsft/golint - - Fixes some golint errors - -commit cf327b5e80a453420eeacf05747e087af804d90d -Author: John Howard -Date: Thu Aug 10 10:50:49 2017 -0700 - - Fixes some golint errors - - Signed-off-by: John Howard - -commit cf92d91f6037e19fc2e4533ef228b3bb756d3b64 -Author: John Howard -Date: Thu Aug 10 10:29:42 2017 -0700 - - client: fix error message - - 
Signed-off-by: John Howard - -commit 7762cf8143c49c181b54f9fdd94d0fc39544cc61 -Author: Ben Weedon -Date: Wed Aug 9 18:21:51 2017 -0700 - - Remove the unnecessary "the message is normal ASCII" test Contexts - -commit 6ea7fe54f719d95721e7d9b26ac0add224c9b923 (tag: v0.6.3, tag: V0.6.3) -Merge: 43f972530 821c68e41 -Author: John Howard -Date: Tue Aug 8 00:05:43 2017 -0700 - - Merge pull request #140 from pradipd/LB_fix - - Adding SourceVIP and fixing VIPs in AddLoadBalancer. - -commit 874b6714c9d15f9f346f7f6c080069b399285f06 -Merge: c0a6db952 32fdcada3 -Author: Cheng-mean Liu -Date: Mon Aug 7 17:44:35 2017 -0700 - - Merge pull request #84 from Microsoft/console_resize - - Adds console resize support. - -commit c0a6db9523d43063ad1057af7e2d5151be91778f -Merge: 7f54f585a 891e7f7ef -Author: Cheng-mean Liu -Date: Mon Aug 7 17:43:48 2017 -0700 - - Merge pull request #97 from Microsoft/stack_trace_in_response - - Support responses with both error messages and stack traces - -commit 891e7f7efed9053f44dc6504eca00e9d5ad313bb -Author: Ben Weedon -Date: Mon Jul 31 12:08:41 2017 -0700 - - Support responses with both error messages and stack traces - - The HCS now can accept stack trace information in the ErrorRecord - struct. As a result, the GCS should provide that information back on - error. - -commit 821c68e419f15ab764315ec5cb6ae1743eae3500 -Author: Pradip Dhara -Date: Mon Aug 7 09:26:03 2017 -0700 - - Adding SourceVIP and fixing VIPs in AddLoadBalancer. - - 
Signed-off-by: Pradip Dhara - -commit 7f54f585a5bd3d5bfc4f0e1aa2fd98f77a7f8bab -Merge: 285d650c8 1decdad52 -Author: Cheng-mean Liu -Date: Fri Aug 4 15:34:07 2017 -0700 - - Merge pull request #95 from Microsoft/dns_resolv_conf - - Changing base layer order - -commit 1decdad523a716677b2bddc5650ec6307fae9a7d -Author: Justin Terry (VM) -Date: Wed Aug 2 13:33:18 2017 -0700 - - Changing base layer order - - Partially Resolves: #78 - -commit 32fdcada34a17dc7172ae708bc5826d38dc79e8e -Author: Justin Terry (VM) -Date: Fri Aug 4 09:11:09 2017 -0700 - - Updating comment - -commit b5e25bab13b9b613de9262f8d3beaf385d0e00bb -Author: Justin Terry (VM) -Date: Tue Aug 1 14:02:49 2017 -0700 - - Change to use mutex for sync - - Removes the per container cache for processes as they are all external pid's - Changes to use a mutex instead of the wait group for ResizeConsole so we are confident of order. - Puts back some of the containerID overloads because HCS always sends this even for external processes. - -commit ab71b3f2c7a694d520be64d2f7262c8b8df6e91d -Author: Justin Terry (VM) -Date: Tue Aug 1 11:10:35 2017 -0700 - - Synchronizing ResizeConsole - -commit 5691c4e2f6c98a5e14aa732f334aa7a798c39e05 -Author: Justin Terry (VM) -Date: Tue Aug 1 10:15:58 2017 -0700 - - Adding console resize bridge tests. - -commit 7556251ab64e43d93f81283c8e7ce0e4ba7d7ddc -Author: Justin Terry (VM) -Date: Mon Jul 31 12:31:11 2017 -0700 - - Adds console resize support. 
- - Resolves: #76 - -commit 285d650c8f3aa754af537871cddc273b6c5c6d58 -Merge: 67f64632c 538c30635 -Author: Akash Gupta -Date: Thu Aug 3 18:10:09 2017 -0700 - - Merge pull request #93 from Microsoft/build_instructions - - Updated user mode preparation instructions in response to the removal - -commit 538c3063559438648fba76c0ce2b87f734bfcd0b -Merge: de973bf9b 67f64632c -Author: Cheng-mean Liu (SOCCER) -Date: Thu Aug 3 17:55:26 2017 -0700 - - Updated user mode preparation instructions in response to the removal of prebuiltsandbox.vhdx from the requirement - -commit de973bf9b4f1278fea6ed42efb7b3b4cae7c2c97 -Author: Cheng-mean Liu (SOCCER) -Date: Thu Aug 3 17:13:32 2017 -0700 - - Updated user mode preparation instructions in response to the removal of prebuiltsandbox.vhdx from the requirement - -commit 67f64632c1011a8fe1622116d063ba986a9949bc -Merge: 4aee5fc4f 601dd2748 -Author: Akash Gupta -Date: Thu Aug 3 17:05:24 2017 -0700 - - Merge pull request #91 from jhowardmsft/jjh/doccorrection - - docs: remotefs and netnscfg - -commit 601dd27482444f8c6e673a637e6d5301e973781c -Author: John Howard -Date: Thu Aug 3 16:59:36 2017 -0700 - - docs: remotefs and netnscfg - - Signed-off-by: John Howard - -commit 4aee5fc4f3116b13cb4ab097ed399c18a712e396 -Merge: edd79db19 03fb78a50 -Author: Cheng-mean Liu -Date: Thu Aug 3 16:54:57 2017 -0700 - - Merge pull request #41 from jhowardmsft/jjh/removecreatesandbx - - Remove createSandbox utility - -commit 03fb78a50f43288d1aab75c58e4bc36f19b875f8 -Author: John Howard -Date: Thu Jul 13 12:01:55 2017 -0700 - - Remove createSandbox - - 
Signed-off-by: John Howard - -commit edd79db19adcd7387ef7f10ef4657f4bfab39546 -Merge: 675f68677 492716ef5 -Author: Akash Gupta -Date: Thu Aug 3 16:23:39 2017 -0700 - - Merge pull request #90 from Microsoft/newkconfig - - Removed a few more unnecessary kconfig for reduing the kernel size - -commit 675f68677074e581f87f2b2c1101ebf1cc83cd42 -Merge: 0a7cc451f 5e8c4c3f4 -Author: Cheng-mean Liu -Date: Thu Aug 3 16:13:44 2017 -0700 - - Merge pull request #89 from Microsoft/tmp-gcsutils - - changed temp directory for gcstools - -commit 0a7cc451fba2344118030bb1d67faf7a993be1db -Merge: d0bae48f0 00d75e41c -Author: Cheng-mean Liu -Date: Thu Aug 3 16:13:03 2017 -0700 - - Merge pull request #88 from jhowardmsft/bootvhd - - Add boot from VHD - -commit 43f9725307998e09f2e3816c2c0c36dc98f0c982 (tag: v0.6.2) -Merge: 807cab50f 4107f5b56 -Author: John Starks -Date: Thu Aug 3 16:10:26 2017 -0700 - - Merge pull request #139 from Microsoft/jjh/bootfromvhd - - Add Boot from VHD settings - -commit 492716ef53444c87b22b18d5012c52a96182621f -Author: Cheng-mean Liu (SOCCER) -Date: Thu Aug 3 16:07:56 2017 -0700 - - Removed a few more unnecessary kconfig for reduing the kernel size - -commit 5e8c4c3f46af500179fab76b4869178276c10483 -Author: Akash Gupta -Date: Thu Aug 3 16:01:50 2017 -0700 - - changed temp directory for gcstools - -commit 00d75e41c424091dbbe08e79e03944a662f7ff7e -Author: John Howard -Date: Thu Aug 3 16:01:55 2017 -0700 - - Add boot from VHD - - Signed-off-by: John Howard - -commit 4107f5b564a250977778c4779c91fc74b34d0e8c -Author: John Howard -Date: Thu Aug 3 15:56:51 2017 -0700 - - Add Boot from VHD settings - - 
Signed-off-by: John Howard - -commit d0bae48f0a956d2320a0dd863f58e8a49839bdc6 -Merge: b3f837990 4b48998dd -Author: Cheng-mean Liu -Date: Wed Aug 2 17:00:33 2017 -0700 - - Merge pull request #87 from jterry75/sirupsen - - Update to lowercase sirupsen/logrus - -commit 4b48998ddb6e6f2208c168de5c9a2212ea52f2df -Author: Justin Terry (VM) -Date: Wed Aug 2 16:32:05 2017 -0700 - - Adding golang.org/x/crypto to vendor - -commit 807cab50f9377d5a29aa59d45fa8fd559496199b -Merge: a8d9cc56c 37b447b34 -Author: John Starks -Date: Wed Aug 2 11:42:53 2017 -0700 - - Merge pull request #138 from jstarks/seekable_layer_reader - - Add Seek to layer reader - -commit 0f64acf13c60c7a08500b2c46779ba9ad018eb72 -Author: Justin Terry (VM) -Date: Wed Aug 2 11:34:21 2017 -0700 - - Updating service files with Sirupsen - -commit e363cbb1c6a825d1b18289962b904d4fdf0f04b3 -Author: Justin Terry (VM) -Date: Wed Aug 2 11:34:03 2017 -0700 - - Updating dependent vendor's with Sirupsen casing - -commit 3909b2179e7c380748742a5279b392bd30b5ffa7 -Author: Justin Terry (VM) -Date: Wed Aug 2 10:59:45 2017 -0700 - - Adding back lowercase sirupsen package - -commit 8a672aff39fa09ccb7fc2fe75f551dd7207a3999 -Author: Justin Terry (VM) -Date: Wed Aug 2 10:58:35 2017 -0700 - - Remove capital Sirupsen vendor package - -commit b3f83799000b0cfcddcd34021cfccd2cc8fa49d5 -Merge: 29241d303 0d7438b07 -Author: Cheng-mean Liu -Date: Wed Aug 2 10:26:35 2017 -0700 - - Merge pull request #85 from Microsoft/remotefs-dir - - Added readdir and fixed typo in omitempty - -commit 29241d30397cee46d627a61f6a9c7aef41933f2e -Merge: e248b10d8 b8f581e25 -Author: Cheng-mean Liu -Date: Wed Aug 2 10:25:06 2017 -0700 - - Merge pull request #86 from Microsoft/jjh/opengcs.12 - - (Final!) 
refresh of client - -commit 37b447b34728eb60903866ab8f9b3131ac911da0 -Author: John Starks -Date: Tue Aug 1 16:35:30 2017 -0700 - - Add Seek to layer reader - -commit b8f581e25727e246b4819ee9ff68aeffcb4762e3 -Author: John Howard -Date: Tue Aug 1 16:04:23 2017 -0700 - - (Final!) refresh of client - - 
Signed-off-by: John Howard - -commit 0d7438b074bb9d110a0e6db323d7be3d8b8f5cbf -Author: Akash Gupta -Date: Tue Aug 1 12:50:11 2017 -0700 - - Added readdir and fixed json omitempty - -commit e248b10d8dae94ffaa59fae15245b4e7b6c56fbb -Merge: 48af930c9 239a4b993 -Author: Cheng-mean Liu -Date: Mon Jul 31 17:03:20 2017 -0700 - - Merge pull request #81 from Microsoft/remotefs-bak - - Added remotefs binary - -commit 239a4b993de41ee9b9125b1b82f3393a6e6dd3ce -Author: Akash Gupta -Date: Mon Jul 31 15:28:24 2017 -0700 - - Implemented rest of remote file system - -commit 48af930c9e9b0a150aab8160678e40e3e406a32b -Merge: 8f5d50fa9 6825d2bcd -Author: Cheng-mean Liu -Date: Mon Jul 31 11:41:39 2017 -0700 - - Merge pull request #82 from Microsoft/signal_process_2 - - Change TerminateProcess to SignalProcess - -commit 8f5d50fa9b4af1341713f06d19fe2e22fd85524c -Merge: c36e11860 00c1fcf5e -Author: Cheng-mean Liu -Date: Sat Jul 29 11:00:28 2017 -0700 - - Merge pull request #83 from Microsoft/mapped_dir_full_path - - Mount MappedDirectories under full path ContainerPath - -commit 00c1fcf5edd46a35561a35002a0aeaf74e1d6627 -Author: Ben Weedon -Date: Fri Jul 28 16:35:02 2017 -0700 - - Remove unnecessary variable for dir/disk.ContainerPath - -commit 6825d2bcd4ca38a984755a137f24fc381508e4be -Author: Ben Weedon -Date: Wed Jul 26 14:03:41 2017 -0700 - - Change TerminateProcess to SignalProcess - - Now the GCS will receive a SignalProcessOptions field in the - ContainerSignalProcess message (which was renamed from - ContainerTerminateProcess). Rather than sending a SIGTERM to the process - followed by a SIGKILL after a timeout, the GCS will simply send the - specified signal to the process. Renaming has also been done throughout - the code to match this semantic change. 
- -commit 39bf49820df656faea5572a12d2903cc728a33ef -Author: Akash Gupta -Date: Thu Jul 27 18:50:27 2017 -0700 - - Changed time to nanoseconds - -commit 4a470e0fa938a8ec8836f0e95d4cd9fc961ec2fb -Author: Akash Gupta -Date: Thu Jul 27 16:52:35 2017 -0700 - - Fixed serialization and added tests for remotefs - -commit c36e118608493a7ab5c624bfb836f16fddbe5e10 -Merge: c89eef133 730dff1a1 -Author: Akash Gupta -Date: Thu Jul 27 18:02:27 2017 -0700 - - Merge pull request #80 from Microsoft/docs - - Updated kconfig with the latest clean .config + persistent memory sup… - -commit 730dff1a177aeda8dc84f9ab64ba437e5f45ddeb -Author: Cheng-mean Liu (SOCCER) -Date: Thu Jul 27 16:22:37 2017 -0700 - - Updated kconfig with the latest clean .config + persistent memory support - -commit e820c97db608f036e13dcaf0a1a0137beef0a8fd -Author: Akash Gupta -Date: Wed Jul 26 17:37:08 2017 -0700 - - Added docker symlink pkg to vendor - -commit f38dfdd92b027b297c55d479397632cbcc87e327 -Author: Akash Gupta -Date: Wed Jul 26 17:36:35 2017 -0700 - - ran gofmt and fixed error serialization - -commit 4c4406b3f209476ea1768612c42d80352ad8e0fe -Author: Akash Gupta -Date: Wed Jul 26 16:37:17 2017 -0700 - - forgot to fix merge conflict on makefile - -commit 36ee04434ce12536e16f8aefe3e6f8f9758738f4 -Author: Akash Gupta -Date: Thu Jul 13 17:07:57 2017 -0700 - - Cleaned up remotefs - -commit f8e4eb7406168fb6285fe3e30bff320a13c9f00e -Author: Akash Gupta -Date: Mon Jul 10 18:05:45 2017 -0700 - - added mkdirall - -commit d9469a30d7894c0209ced57744df2b1b466d51f2 -Author: Akash Gupta -Date: Thu Jul 6 11:39:00 2017 -0700 - - Added logging for debugging - -commit b438d9b4e6b5a2235a5b28d4858c98866ef26f1b -Author: Akash Gupta -Date: Thu Jul 6 10:38:49 2017 -0700 - - Implemented remotefs - -commit 6f5074407db25752272f46317b6bcf0620b3a895 -Author: Ben Weedon -Date: Wed Jul 26 16:41:09 2017 -0700 - - Mount MappedDirectories under full path ContainerPath - - Previously, ContainerPath specified a single path element and was 
always - mounted under /tmp. Now, it is a full path just like - MappedVirtualDisks. - -commit c89eef1339d9bea5106c865f5830798bfa7ad5c0 -Merge: dec72ab7c 351131260 -Author: Cheng-mean Liu -Date: Wed Jul 26 17:14:23 2017 -0700 - - Merge pull request #77 from jterry75/disk_attach_only - - Disk attach only - -commit 3511312608f65376b98bc57c52f1190d0a44aecf -Author: Justin Terry (VM) -Date: Tue Jul 25 14:53:17 2017 -0700 - - Review feedback. - - 1. Fixes the protocol to allow a default request type. - 2. Adds a comment about why we early deserialize. - -commit a8d9cc56cbce765a7eebdf4792e6ceceeff3edb8 -Merge: b35bbcffd dc76e2ed3 -Author: Darren Stahl -Date: Tue Jul 25 13:47:27 2017 -0700 - - Merge pull request #134 from madhanrm/AttachDetach - - (1) Expose Attach/Detach (2) Add hns unit testing - -commit de4ec2648880ce8c27f7c9589e8cf2c362aa81e1 -Author: Justin Terry (VM) -Date: Tue Jul 25 10:13:13 2017 -0700 - - Assigns the bridge activityid as early as possible. - - Fixes an issue where when we fail for validation reasons in - the bridge unmarshal we actually fail to return an error with the correct - activity id's. - -commit b9080368a39f90cc2606dc217b50fad66fee6ef6 -Author: Justin Terry (VM) -Date: Tue Jul 25 09:56:58 2017 -0700 - - Adds the AttachOnly bridge tests. - -commit a82606f2f1cfd341d5bc4f740f1492c3806203b4 -Author: Justin Terry (VM) -Date: Tue Jul 25 09:55:38 2017 -0700 - - Fixes an unmarshal bug in the unit tests. - - 1. When using a global type passed by reference a previous unit tests can unmarshal the results onto properties affecting a later test. - -commit 1d74d2b59d6d5e7c1ccd71fbf77a02c3660c3a8e -Author: Justin Terry (VM) -Date: Tue Jul 25 09:52:33 2017 -0700 - - Fixes a few bridge tests. - - 1. Properly checks for the channel being closed in test teardown. - 2. Removes the default assignment for resource type, request type. These should always be required. - 3. Fixes up the unit tests to match. 
- -commit b35bbcffd92dd4d51c0963a5ebefa41bac612d4d (tag: v0.6.1) -Merge: c14cfef07 007f13997 -Author: Darren Stahl -Date: Mon Jul 24 15:12:04 2017 -0700 - - Merge pull request #136 from dmcgowan/update-logrus - - Fix casing on logrus - -commit 007f139973e2d02396f37b7f0a87bedec7716dce -Author: Derek McGowan -Date: Fri Jul 21 16:08:12 2017 -0700 - - Fix casing on logrus - - Add files missed with the merge - -commit c14cfef0724512698bbc6833031020e03970c93c (tag: v0.6.0) -Merge: 08397650a 461d6cb54 -Author: John Starks -Date: Fri Jul 21 13:08:59 2017 -0700 - - Merge pull request #123 from XenoPhex/master - - downcase github.com/sirupsen/logrus imports - -commit dc76e2ed396ac8097934c72fe5863aa06fc4711f -Author: Madhan Raj Mookkandy -Date: Tue Jul 18 11:12:20 2017 -0700 - - Unit test for HNS - -commit 44f5291985b06363f8c9a7a594b7f7dccd7d2954 -Author: Madhan Raj Mookkandy -Date: Tue Jul 18 11:11:58 2017 -0700 - - Attach/Detach Apis - - Fix Policy List Apis - -commit 3b5d7dfe92d53911c3300551c1b177cc2ac0794a -Author: Ben Weedon -Date: Thu Jul 13 16:57:15 2017 -0700 - - Don't mount MappedVirtualDisk if specified AttachOnly - -commit dec72ab7c137eb9aa5b3464a86b063359b8284bd -Merge: e04d22255 8c0bb6830 -Author: Cheng-mean Liu -Date: Wed Jul 19 18:36:44 2017 -0700 - - Merge pull request #75 from Microsoft/ci_tests - - CI Tests - -commit 8c0bb68303f1ac8093da034b5c4e2bcda0b7b048 -Author: Ben Weedon -Date: Tue Jul 18 09:29:04 2017 -0700 - - Configure Travis to run tests - -commit 7d1c289e1e8803928d1a149661884998f10eefd5 -Author: Ben Weedon -Date: Wed Jul 19 17:20:28 2017 -0700 - - Add runc test setup to setup_test_env - -commit e04d22255c959ca14a3a41b32b391dcd7edc2625 -Merge: b58d6b723 35ee0c39c -Author: Cheng-mean Liu -Date: Wed Jul 19 18:06:06 2017 -0700 - - Merge pull request #74 from Microsoft/test_fixes - - Test fixes - -commit b58d6b72313e14f8d53aa97c9396d43d263e002e -Merge: bdb44fcc6 428bd4618 -Author: Cheng-mean Liu -Date: Wed Jul 19 15:25:06 2017 -0700 - - Merge pull 
request #67 from jhowardmsft/jjh/refreshclientagain - - Refreshes the client code again - -commit 35ee0c39cccb27676aa8361040165571818e269c -Author: Ben Weedon -Date: Tue Jul 18 14:26:49 2017 -0700 - - Reimplement PathIsMounted to remove mountpoint dependency - - The mountpoint executable on some systems (such as the Travis CI system) - doesn't work for bindmounts. Reading from /proc/self/mountinfo like - other mountpoint implementations doesn't have this limitation. - -commit 5d2cf10deef16be68467528f93546150a2076972 -Author: Ben Weedon -Date: Tue Jul 18 11:24:13 2017 -0700 - - mockruntime container now only exits when killed - - Previously, a call to Wait on a mockruntime container would exit - immediately. Now, it doesn't exit until the Kill call (with any signal) - has been made on the container. - -commit ae087e6c0d8765e8d6444d7fb68973b560c9c8e1 -Author: Ben Weedon -Date: Tue Jul 18 10:25:01 2017 -0700 - - Pass -F parameter to mkfs.ext4 in storage_test.go - - This parameter is required to ignore the "___ is not a block special - device" warning. - -commit 67d9cc641ebb128dd743aff205934c4f89ad7231 -Author: Ben Weedon -Date: Wed Jul 19 14:34:20 2017 -0700 - - Mark bridge tests as unit tests - - This allows them to be run with "ginkgo -focus unittests". 
- -commit bdb44fcc6d6fc6204316778b9af9d3bb0dc2bf32 -Merge: 606febe91 dd93d23a9 -Author: Cheng-mean Liu -Date: Wed Jul 19 15:18:22 2017 -0700 - - Merge pull request #57 from jstarks/vpmem - - gcs: Add per-layer vPMEM support - -commit 606febe912790cfa38fc44b812e81c620b8aa2c2 -Merge: 708abf284 c93c98f52 -Author: Akash Gupta -Date: Wed Jul 19 14:58:18 2017 -0700 - - Merge pull request #73 from Microsoft/netdoc - - Updated build instructions for the addition of the new netnscfg tool - -commit 708abf284c45aacc61f84395d4afd4221853071a -Merge: 30e5d9367 690951360 -Author: Cheng-mean Liu -Date: Wed Jul 19 14:15:02 2017 -0700 - - Merge pull request #59 from Microsoft/mapped_directories - - Implement mapped directories - -commit c93c98f527f8b6c52dcc7d012b34ff92f906a5f3 -Author: Cheng-mean Liu -Date: Wed Jul 19 14:09:08 2017 -0700 - - Updated build instructions for the addition of the new netnscfg tool - -commit 08397650a089e836bcac4c946175ee0fe49fed69 -Merge: 283d35b22 3d1ca7289 -Author: Darren Stahl -Date: Wed Jul 19 14:01:23 2017 -0700 - - Merge pull request #113 from darrenstahlmsft/CPUComments - - Update ProcessorMaximum and ProcessorWeight comments - -commit 3d1ca728979d3f513b10e6de32027a92c3a5a0a8 -Author: Darren Stahl -Date: Wed Apr 26 12:09:07 2017 -0700 - - Update ProcessorMaximum and ProcessorWeight comments - - 
Signed-off-by: Darren Stahl - -commit 30e5d93672b11f6588bb909783f5f18ac89a27e8 -Merge: f2f4d2d48 d55a91737 -Author: Cheng-mean Liu -Date: Wed Jul 19 11:40:25 2017 -0700 - - Merge pull request #70 from rn/rootfs - - Fix permissions on the container root filesystem - -commit f2f4d2d482be0581577e3b4a1c50b494a433b3aa -Merge: c17911904 86faef152 -Author: Cheng-mean Liu -Date: Wed Jul 19 11:39:56 2017 -0700 - - Merge pull request #63 from rn/net - - Various fixes to the networking setup - -commit d55a917379686980ef3d68e5ed9b53dd4ea1bcd5 -Author: Rolf Neugebauer -Date: Wed Jul 19 11:08:18 2017 +0100 - - Fix permissions on the container root filesystem - - Make sure the scratch and workdir are accessible - by all users. - - fixes #69 - - Signed-off-by: Rolf Neugebauer - -commit c17911904e39e965a5d8f60643c6dc8418b86a34 -Merge: ad7a0bb54 4adb4ea1e -Author: Cheng-mean Liu -Date: Tue Jul 18 18:37:12 2017 -0700 - - Merge pull request #60 from Microsoft/setup_tests - - Add script to service/gcs for setting up GCS tests - -commit 428bd461888c68253a6f4430fa0a7eae59bd393d -Author: John Howard -Date: Tue Jul 18 14:55:20 2017 -0700 - - Refreshes the client code again - - Signed-off-by: John Howard - -commit 283d35b2271ae4dc5ebb43fdd356c8f873e41568 (tag: v0.5.28) -Merge: abde106ed ffd0daf83 -Author: John Howard -Date: Tue Jul 18 14:41:55 2017 -0700 - - Merge pull request #135 from Microsoft/jjh/dynamicsandboxmanagement - - Dynamic Sandbox Management for LCOW - -commit ffd0daf833588dafa05cd466773229609add2ea5 -Author: John Howard -Date: Tue Jul 18 11:45:40 2017 -0700 - - Dynamic Sandbox Management for LCOW - - Signed-off-by: John Howard - -commit 86faef1527a120555319d7eea4d658d47e0ab08c -Author: Rolf Neugebauer -Date: Tue Jul 18 14:45:57 2017 +0100 - - Remove unused networking and namespace functions from oslayer - - All network and namespace config has been moved to the netnscfg - utility, so there is no need for these functions in the oslayer - anymore. - - 
Signed-off-by: Rolf Neugebauer - -commit d46eec79e0347e128fbeda1757f8026625554976 -Author: Rolf Neugebauer -Date: Tue Jul 18 13:58:42 2017 +0100 - - Fix resolv.conf - - The list of DNS servers is comma separated, not space separated: - '\"HostDnsServerList\":\"172.24.16.1,10.14.32.10\"' - - Also fix permissions on /etc/resolv.conf. It should not be executable - and should be world readable. - - Signed-off-by: Rolf Neugebauer - -commit 81b67b19f6f325e247d508b365897b0e62955938 -Author: Rolf Neugebauer -Date: Mon Jul 17 17:42:30 2017 +0100 - - Use netnscfg to configure the network interface - - As pointed out in the previous commit, dealing with network namespaces - in Go is iffy, at best. This commit moves the network configuration - over to use the new utility introduced by the previous commit. - - Note, this changes the timing of when the network is configured. - Previously, 'eth0' would be configured in the root network - namespace during 'CreateContainer()' and then later moved to - the runc container network namespace in 'ExecProcess()'. With the - new approach, the network interface is configured directly inside - 'ExecProcess()' and 'eth0' remains down until then. - - This not only makes the code simpler, but also removes the rather - brittle code, which tried to gather the network configuration in the - root network namespace and then replay it inside the new container - namespace. - - /etc/resolv.conf also needed special attention as it is added to - baselayer and with the change of ordering of network config the /etc - must exist before creating the overlay rootfs. - - 
Signed-off-by: Rolf Neugebauer - -commit 1127136d69c9785b9da908fa46a9a09f880f2d6d -Author: Rolf Neugebauer -Date: Mon Jul 17 15:22:07 2017 +0100 - - Add a utility to configure a network interface in a namespace - - Currently, the network namespaces are configured in the root namespace - and then later moved into the new container network namespace. Dealing - with network namespaces in Go is really tricky as one has very little - control over which go routine is run on which kernel thread/process - and the network namespace ('netns.SetNs()') is tied to the kernel - thread/process. Moving the code to a seperate utility allows us to - lock the kernel threads early on and allows us to use the 'netns' - package in a safer way. - - 
Signed-off-by: Rolf Neugebauer - -commit 89bf22d249a9b97097f5ca5e0045d6cbb9b34591 -Author: Justin Terry (VM) -Date: Mon Jul 17 10:48:58 2017 -0700 - - Removes the fixed paths to runc. - - exec.Command will use a LookPath so we dont want to hard code paths to commands we are running. - - Resolves: #52 - -commit dd93d23a99c63b8237374e4197ce6609f6c05b24 -Author: John Starks -Date: Mon Jul 17 17:43:28 2017 -0700 - - Fix broken storage tests - -commit 4adb4ea1e1e7c16c3d21022a933a651dee0192d3 -Author: Ben Weedon -Date: Mon Jul 17 11:57:37 2017 -0700 - - Add script to service/gcs for setting up GCS tests - -commit ad7a0bb54a305983640e093b19a44391b56ccce4 -Merge: a208e8c10 f10359fa8 -Author: Cheng-mean Liu -Date: Mon Jul 17 16:03:59 2017 -0700 - - Merge pull request #58 from jterry75/master - - Removes the fixed paths to runc. - -commit 1f8bebc2aa7bb59397ea9c90241f079d2e21e441 -Merge: 1801e612f c30d96bad -Author: John Starks -Date: Mon Jul 17 15:07:53 2017 -0700 - - Merge branch 'master' into vpmem - -commit a208e8c10e1827d53930bcb288435622d59592d0 -Merge: c30d96bad 33a7b06e7 -Author: Akash Gupta -Date: Mon Jul 17 15:07:04 2017 -0700 - - Merge pull request #62 from Microsoft/ci - - Added initial Trais CI for the opengcs - -commit 33a7b06e79582fd3cead1349de66db028be96c5b -Author: Cheng-mean Liu (SOCCER) -Date: Mon Jul 17 14:51:45 2017 -0700 - - Added initial CI setup - -commit 07158af7d6668de31b0e6c58ce5c597e3c8bc9c4 -Author: Cheng-mean Liu (SOCCER) -Date: Mon Jul 17 14:43:09 2017 -0700 - - Added initial CI setup - -commit 40ae86f068c3836ec2a8051cb4d1ee3b12d66587 -Author: Cheng-mean Liu (SOCCER) -Date: Mon Jul 17 14:37:59 2017 -0700 - - Added initial CI setup - -commit 0ed2d03dd587c18fe458a8766b6c90d33519f3a5 -Author: Cheng-mean Liu (SOCCER) -Date: Mon Jul 17 14:34:47 2017 -0700 - - Added initial CI setup - -commit 1801e612fb68a416b7aae005f0845cd3da4a4e78 -Author: John Starks -Date: Mon Jul 17 14:12:57 2017 -0700 - - Adjustments from PR feedback - -commit 
69095136092c205a7fa8ccda524defc874903148 -Author: Ben Weedon -Date: Mon Jul 17 12:27:15 2017 -0700 - - Don't produce error when removing mapped disk or directory - -commit 4193a8575703dd7f8cc699a4de15b395b1c5fa96 -Author: Ben Weedon -Date: Wed Jul 5 13:56:09 2017 -0700 - - Implement mapped directories - - These directories are implemented using the Plan9 filesystem. Given a - mount location and a port, the GCS can mount a directory as a Plan9 - share to the host. - -commit f10359fa8229fa730a51b8a35af43d031268ed6b -Author: Justin Terry (VM) -Date: Mon Jul 17 10:48:58 2017 -0700 - - Removes the fixed paths to runc. - - exec.Command will use a LookPath so we dont want to hard code paths to commands we are running. - - Resolves: #52 - -commit c30d96bad25e9d7eea281879c2afc6765706b0a1 -Merge: 820861ce9 407b0488b -Author: Cheng-mean Liu -Date: Mon Jul 17 10:44:07 2017 -0700 - - Merge pull request #51 from Microsoft/cleanup - - General Cleanup - -commit 820861ce926342cb536516d0d74bdf62f0180a35 -Merge: 47c88e858 80946f01e -Author: Cheng-mean Liu -Date: Mon Jul 17 10:31:48 2017 -0700 - - Merge pull request #55 from shaggygi/patch-1 - - Update README.md - -commit ea6148b7547ba806232a35a1e4805633fd2a2863 -Author: John Starks -Date: Sun Jul 16 15:37:32 2017 -0700 - - gcs: Add per-layer vPMEM support - -commit 80946f01e490af57e1afd3a06ad750d526f705cc -Author: Greg Ingram -Date: Sat Jul 15 09:13:23 2017 -0400 - - Update README.md - - Wording - -commit 47c88e858a733cc468f4316a3635a255a478f664 -Merge: c46a09287 af88832f9 -Author: Cheng-mean Liu -Date: Fri Jul 14 18:40:47 2017 -0700 - - Merge pull request #54 from Microsoft/loggingfix - - Fixed a gcs failure due to a logging switching to logrus package - -commit af88832f9eba43c4930e9d66b2c2fd069f413b3f -Author: Cheng-mean Liu -Date: Fri Jul 14 18:29:15 2017 -0700 - - Fixed gcs failure from the typo in logFile - -commit 6ce633931928df07215d45c3ce701a598864600b -Author: Cheng-mean Liu -Date: Fri Jul 14 18:25:00 2017 -0700 - - Fixed 
gcs failure from the typo in logFile - -commit 407b0488b4522691968ef0814a9b587370964e82 -Author: Ben Weedon -Date: Fri Jul 14 15:28:12 2017 -0700 - - Turn off logging for all test suites - -commit f5eaeb6e2387e9177408908aa5ae62427ec28603 -Author: Ben Weedon -Date: Wed Jul 12 17:49:21 2017 -0700 - - Remove printErrors from bridge - -commit 354da03ae9b43ae8acceff0c7d720121353c7d1f -Author: Ben Weedon -Date: Wed Jul 12 17:32:48 2017 -0700 - - Fix GCS imports to use goimports format - -commit c46a092871d3a4ef043a535be6ed5829e7de62a5 -Merge: 4e4e6f28a c733155fb -Author: Cheng-mean Liu -Date: Fri Jul 14 15:12:59 2017 -0700 - - Merge pull request #37 from jterry75/master - - Merges all logging to use logrus - -commit c733155fb09d7effc5eb9f4fbbf1a8ff3c3e21c9 -Author: Justin Terry (VM) -Date: Wed Jul 12 14:31:27 2017 -0700 - - Merges all loging to use logrus - - Resolves #33 - -commit 4e4e6f28a03e974e6c32f00a91d51f9605821fdd -Merge: fbf06df5a cb82ebf90 -Author: Cheng-mean Liu -Date: Thu Jul 13 19:06:49 2017 -0700 - - Merge pull request #49 from Microsoft/mkfs-fix - - Fix mkfs.ext4 ordering - -commit fbf06df5a25ec8cbc426d48ae652377f51af9fb2 -Merge: c9970b0ba 771770c3f -Author: Cheng-mean Liu -Date: Thu Jul 13 19:03:06 2017 -0700 - - Merge pull request #50 from Microsoft/fix_tests - - Fix tests and other minor changes - -commit 771770c3f89e45a767fca7e3deaf46459c86354a -Author: Ben Weedon -Date: Thu Jul 13 18:23:15 2017 -0700 - - Move gcsrunc state from /var/lib to /var/run - -commit bd36060c52e419bb16e549111bd1d78ec57065e5 -Author: Ben Weedon -Date: Thu Jul 13 18:11:32 2017 -0700 - - Only set runc command's stdio handles if fileSet field not nil - - There's apparently a difference in Go between setting something to nil, - and setting it to a nil interface. Setting cmd.Std* to a nil interface - from fileSet was causing something to get messed up in the runc command - itself, and the create call would hang. 
- -commit 043d568f2a509adb89eada1166e96842680a5592 -Author: Ben Weedon -Date: Thu Jul 13 18:07:58 2017 -0700 - - Fix some storage and runC tests - - Need to make sure tests expect dirs created by GCS to be under /tmp. - Also, make sure /var/run/runc even exists before cleaning it up. - -commit cb82ebf90005303a755638bb9a1a993f4e967f42 -Author: Akash Gupta -Date: Thu Jul 13 17:25:37 2017 -0700 - - Fix mkfs.ext4 ordering - -commit c9970b0bac8cd9f9f5a864dab46c660d9ce190e0 -Merge: b81761efe 742a2a81e -Author: Akash Gupta -Date: Thu Jul 13 17:05:24 2017 -0700 - - Merge pull request #40 from Microsoft/docs - - Added additional details on the build instructions - -commit 742a2a81eee9146c05fca9b7b0251814b73a02b9 -Author: Cheng-mean Liu (SOCCER) -Date: Thu Jul 13 16:59:15 2017 -0700 - - Added additional details on the build instructions - -commit b81761efe308933037e42b8a0aa26db56567d642 -Merge: d6b438938 3add33422 -Author: Cheng-mean Liu -Date: Thu Jul 13 16:51:28 2017 -0700 - - Merge pull request #44 from jhowardmsft/jjh/gcs.log - - GCS log to gcs.log - -commit d6b438938e0a2ece60e347c82f2dde21617f29dc -Merge: df1c627c6 5b33f9bbc -Author: Cheng-mean Liu -Date: Thu Jul 13 16:41:27 2017 -0700 - - Merge pull request #35 from jstarks/vsock_passthrough_containers - - gcs: Pass vsock handles to container processes - -commit df1c627c6bacb8b84fc36bbfa7a2ab0f80932a35 -Merge: 1c65d61c0 914e25fad -Author: John Starks -Date: Thu Jul 13 16:39:12 2017 -0700 - - Merge pull request #47 from Microsoft/readonly - - Moved storage root and base file path away from potetial real-only directory - -commit 914e25fad87c4474ab61e20062872a1341f644d0 -Author: Cheng-mean Liu -Date: Thu Jul 13 16:07:33 2017 -0700 - - Moved storage root and base file path away from potetial real-only directory - -commit 3add334221ef59cb0758eecf5ed88e3e42269200 -Author: John Howard -Date: Thu Jul 13 14:48:49 2017 -0700 - - GCS log to gcs.log - - 
Signed-off-by: John Howard - -commit 097c9baf663462a881fed1065b0eee1ef500f0ed -Author: Cheng-mean Liu (SOCCER) -Date: Thu Jul 13 10:18:11 2017 -0700 - - Added additional details the build instrutions - -commit 1c65d61c0ed1d0891108c8e9b5c7359408dd1e1e -Merge: 7ddc2f62d 204eda2ad -Author: Cheng-mean Liu -Date: Thu Jul 13 10:08:48 2017 -0700 - - Merge pull request #39 from jhowardmsft/jjh/additionalbinaries - - Add binaries used by docker - -commit 204eda2adc86dad287efbc887ab587603ae2dd1b -Author: John Howard -Date: Thu Jul 13 09:32:16 2017 -0700 - - Add binaries used by docker - - 
Signed-off-by: John Howard - -commit 7ddc2f62d93fa1e75c74a3fafa2f75a761989a99 -Author: Cheng-mean Liu -Date: Wed Jul 12 16:28:19 2017 -0700 - - Added docs for how to produce a custom Linux OS image (#38) - - Added LCOW custom kernel build instructions - -commit 5b33f9bbc4df74487538b5485fc60a4330713601 -Author: John Starks -Date: Wed Jul 12 14:59:27 2017 -0700 - - Update with PR feedback - -commit e115671db7a8bb56b8fa6e5d91e06a90ac621aff -Author: John Starks -Date: Wed Jul 12 12:12:18 2017 -0700 - - gcs: Pass vsock handles to container processes - - This also unifies the TTY relay code for external and container - processes and fixes several possible file descriptor leaks. - -commit 2e5c2fac44f4f618017db8a89f9d415aa60ad5b3 -Merge: 422813e48 79138b2e3 -Author: Cheng-mean Liu -Date: Tue Jul 11 18:07:29 2017 -0700 - - Merge pull request #34 from Microsoft/patch - - Updated patches with previsouly missing Signed-off-by line - -commit 79138b2e366b886d81308e7561bcfa998cb555fe -Author: Cheng-mean Liu (SOCCER) -Date: Tue Jul 11 17:04:56 2017 -0700 - - Updated patches with previsouly missing Signed-off-by line - -commit 422813e483ed752322a24b837950514d4c61bd39 -Merge: 4a268ffb0 ffe98a9ed -Author: Cheng-mean Liu -Date: Tue Jul 11 16:13:40 2017 -0700 - - Merge pull request #24 from Microsoft/hresult - - Support embedding HRESULT codes in errors - -commit 4a268ffb04f5f86b5332ad7998187b879df2da54 -Merge: 12a034c67 53f4eb8d9 -Author: Cheng-mean Liu -Date: Tue Jul 11 16:13:23 2017 -0700 - - Merge pull request #23 from jstarks/vsock_passthrough - - gcs: Pass vsock handles through to external processes - -commit 53f4eb8d9056fa57fca53c9657d70b2e6806b7d8 -Merge: 9cb63675d 12a034c67 -Author: John Starks -Date: Tue Jul 11 15:59:07 2017 -0700 - - Merge branch 'master' into vsock_passthrough - -commit 12a034c67b5e7827969237d00b9e7b1b85bec58c -Merge: 1b76cf09f 5fcbbbfad -Author: Akash Gupta -Date: Tue Jul 11 15:45:42 2017 -0700 - - Merge pull request #25 from Microsoft/kconfig - - Added a 
vhdx file with prebuilt empty ext4 for configuing ServiceVM - -commit 1b76cf09f3ad8a97e8e265f121dafe61639259f2 -Merge: b987a683d 02640a311 -Author: Cheng-mean Liu -Date: Tue Jul 11 15:35:39 2017 -0700 - - Merge pull request #32 from Microsoft/dcui-patch-add-Signed-off-by - - Update the commits after I added my Signed-off-by - -commit b987a683dd0537576e8cb3ec77738ff705986d7d -Merge: ffb9d0957 c8ee352ed -Author: Akash Gupta -Date: Tue Jul 11 15:34:26 2017 -0700 - - Merge pull request #29 from Microsoft/fix_runc_tests - - Fix issue in runC tests where container list not initialized - -commit 02640a311ab1e913ef523c5f3a707834ac1ae71d -Author: Dexuan Cui -Date: Tue Jul 11 15:26:15 2017 -0700 - - Update the commits after I added my Signed-off-by - - The 17 commits are on https://github.com/dcui/linux/commits/decui/hv_sock/v4.11/20170511-debug-0628-with-signed-off-by-of-dexuan-fixed. - -commit ffb9d0957dc234036920ffa43fcfec47d3ed6f60 -Merge: 101346455 4d0b5c7bd -Author: Cheng-mean Liu -Date: Tue Jul 11 14:55:27 2017 -0700 - - Merge pull request #27 from jstarks/unvendor - - Remove unused vendored packages - -commit 9cb63675dfbb273eea64b842c31330416b66d30e -Author: John Starks -Date: Tue Jul 11 13:17:38 2017 -0700 - - Update string for mock - -commit c8ee352ed63ce5958c21269159fa98f4763a23af -Author: Ben Weedon -Date: Tue Jul 11 11:31:03 2017 -0700 - - Fix issue in runC tests where container list not initialized - - This caused the list to leak between tests, resulting in data races and - test failures. - -commit ffe98a9ed85868cc025af3dd20874f6e99d101c3 -Author: Ben Weedon -Date: Mon Jul 10 12:38:31 2017 -0700 - - Support embedding HRESULT codes in errors - - This allows the GCS to return HRESULTs to the HCS for certain errors. - HRESULTs are a common way for the HCS to represent errors. - - This change only adds HRESULTs to JSON parsing errors at the moment. It - is mostly focused on building the necessary infrastructure. Additional - HRESULTs can be added now as needed. 
- -commit 1013464555eba0deae682653bf18af354ff38ce6 -Merge: b53a32cbc b0ca67659 -Author: Cheng-mean Liu -Date: Tue Jul 11 11:16:33 2017 -0700 - - Merge pull request #20 from jstarks/abstract - - gcs: Improve runtime abstraction - -commit 4d0b5c7bd0d5450f0325cb2980e7d13edbbb3951 -Author: John Starks -Date: Mon Jul 10 18:39:24 2017 -0700 - - Remove unused vendored packages - -commit b44279598fc570924e3a95bd7b9ac17b499554b4 -Author: John Starks -Date: Mon Jul 10 14:27:50 2017 -0700 - - gcs: Pass vsock handles through to external processes - - There's no need to use a relay for non-terminal cases; just pass the - vsock handles through. This change only does this for external - processes. A subsequent change will add support in container processes. - -commit b0ca67659a8dcb8d510aaf06d3016bde8ae68405 -Author: John Starks -Date: Fri Jul 7 17:14:52 2017 -0700 - - gcs: Improve runtime abstraction - - This adds Container and Process interfaces that abstract operations on - container and processes, respectively. - -commit 5fcbbbfad94cd41b69ee9135b0d4c5e85a9b614f -Author: Cheng-mean Liu (SOCCER) -Date: Mon Jul 10 15:52:16 2017 -0700 - - Added a vhdx file with prebuilt empty ext4 for configuing ServiceVM - -commit b53a32cbc2fff5be85b03fb78be5b57b845db85b -Merge: da5b2c868 b7d99ec77 -Author: Akash Gupta -Date: Mon Jul 10 14:41:29 2017 -0700 - - Merge pull request #22 from jstarks/make_pkg - - Make go binaries using a private pkg directory - -commit da5b2c8686a7a853c1f471f2d4f07808658f1edf -Merge: 1ff403115 795281de4 -Author: Akash Gupta -Date: Mon Jul 10 14:28:34 2017 -0700 - - Merge pull request #21 from jstarks/close_config - - runc: Close config.json after reading it - -commit 04a5329a68b3188c3c37093ffcadf45c187920e2 -Author: John Starks -Date: Mon Jul 10 14:27:03 2017 -0700 - - Revendor github.com/linuxkit/virtsock/pkg/vsock - - This adds support for vsock.Conn.File(). 
- -commit 795281de478757ae8b717a2539575cce5cea3df3 -Author: John Starks -Date: Mon Jul 10 13:51:04 2017 -0700 - - runc: Close config.json after reading it - -commit b7d99ec776a98303f21d89b4ab7b3987a0817079 -Author: John Starks -Date: Fri Jul 7 19:01:00 2017 -0700 - - Make go binaries using a private pkg directory - - When CGO_ENABLED is set to 0, go needs to rebuild its runtime without - cgo support. This requires write access to GOROOT, which the user often - does not have. - - Since this is the non-default configuration, the best thing to do is to - store the pkg cache locally so that Go does not try to overwrite any - existing packages built with CGO_ENABLED=1. - - This also requires removing the -N -l flags from go, since building the - go runtime with these flags set often fails. - -commit 1ff4031159dc53daa0ddabbf418f3bfbea599aff -Merge: 6b3361780 a8e579f5d -Author: Akash Gupta -Date: Mon Jul 10 10:33:00 2017 -0700 - - Merge pull request #19 from Microsoft/kconfig - - updated kconfig with the real kconfig contents - -commit a8e579f5d2cc969e5b881f670f0367a1f240188e -Author: Cheng-mean Liu (SOCCER) -Date: Sun Jul 9 12:38:41 2017 -0700 - - updated kconfig - -commit 6b3361780e5cf17463c2eae68b957fa1fa96eba1 -Merge: 5ddfff20a 6d5bbbdbd -Author: Akash Gupta -Date: Fri Jul 7 14:45:46 2017 -0700 - - Merge pull request #16 from Microsoft/readme - - update hyperv vsock commit list - -commit 5ddfff20af6244c60671f9f05c25d508c73ea1e2 -Merge: b9bd5a73f c9017c37f -Author: Cheng-mean Liu -Date: Fri Jul 7 14:42:19 2017 -0700 - - Merge pull request #18 from Microsoft/golint-gcsutils - - Fixed golint warnings on gcsutils - -commit b9bd5a73f5f409d7baf5f599a6c1da1751f1bf20 -Merge: 32eadd938 ad8e94d30 -Author: Cheng-mean Liu -Date: Fri Jul 7 14:40:39 2017 -0700 - - Merge pull request #17 from Microsoft/revendor-vsock - - Revendor vsock - -commit 6d5bbbdbd7d8eaebc599752755271a8e8fbe42be -Author: Cheng-mean Liu -Date: Fri Jul 7 14:37:06 2017 -0700 - - update hyperv vsock commit list - 
-commit c9017c37fcf5db732d35722ab06eeac056115d11 -Author: Akash Gupta -Date: Fri Jul 7 14:20:02 2017 -0700 - - Fixed golint warnings on gcsutils - -commit ad8e94d3081c9c771914d85dbcacc80fa1734293 -Author: Akash Gupta -Date: Fri Jul 7 12:49:36 2017 -0700 - - Revendor linuxkit/virtsock/pkg/vsock@298d0178dbea9b267e90112c02bad8835ecf5d63 - -commit 32eadd9387723bf25add759c5e7c358c048145af -Merge: aab751f86 b69f427ff -Author: Akash Gupta -Date: Fri Jul 7 12:31:23 2017 -0700 - - Merge pull request #15 from Microsoft/gen_test_layers - - Generate layer files during storage tests - -commit 39dabcd8ebfacdbea0e6e5561a92f89b9971d6ba -Author: Cheng-mean Liu -Date: Fri Jul 7 11:54:23 2017 -0700 - - update hyperv vsock commit list - -commit abde106edd39e67c6e89ec3c44763fa41411b2ad (tag: v0.5.27) -Merge: 5401bead4 84301e30c -Author: John Howard -Date: Fri Jul 7 11:34:42 2017 -0700 - - Merge pull request #126 from madhanrm/policylist - - Expose HNS Related APIs for Endpoints/Networks/PolicyLists/Policies - -commit b69f427ffe17767905c30cadd16516d0ca5aa525 -Author: Ben Weedon -Date: Fri Jul 7 10:52:09 2017 -0700 - - Generate layer files during storage tests - - Previously, four layer files (scratch, layer1, layer2, and layer3) were - included in the repo. The storage tests would then test mounting against - these layers. Now, these layer files are generated on the fly by the - test, so that binary files don't need to be included in the repo. 
- -commit 84301e30cf62c8dbdf413dedcc9f59b832c93ce1 -Author: Madhan Raj Mookkandy -Date: Tue Jun 20 11:45:40 2017 -0700 - - Export HNS Related APIs for Endpoints/Networks/PolicyLists/Policies - Add ROUTE policy and methods to create it - Add a new Property for network (AutomaticDNS) - Fixing some Log Typos - Incorportated review comments - -commit aab751f8661e8accb5a729425bed88466b5aa2a2 -Merge: e9f191ad8 10943402f -Author: Cheng-mean Liu -Date: Thu Jul 6 18:14:46 2017 -0700 - - Merge pull request #14 from jstarks/vsock_cloexec - - gcs: Vendor jstarks/virtsock to fix vsock fd leak - -commit 10943402f6c01fd08087b20eecae0f87e26d804d -Author: John Starks -Date: Thu Jul 6 17:54:56 2017 -0700 - - gcs: Vendor jstarks/virtsock to fix vsock fd leak - - This vendors a virtsock fix in so that child processes do not - inherit all vsock fds when they are launched. - -commit 3049d65d10b479cd1c011eafae01a0fba4a73b01 -Author: Ben Weedon -Date: Thu Jul 6 17:40:14 2017 -0700 - - Simplify loopback code in storage_test.go - - The code no longer has special casing for scratch devices vs layers, and - always mounts to the loop devices with the lowest numbers. - -commit e9f191ad80402d9cdfc52ed6206cfae9fb66ffd3 -Merge: d12d6dcbd c4549cc4d -Author: Akash Gupta -Date: Thu Jul 6 16:38:27 2017 -0700 - - Merge pull request #10 from jhowardmsft/refreshclient - - Refresh client to latest - -commit c4549cc4d8bea91c049975a6b5a1a020ecbda50e -Author: John Howard -Date: Thu Jul 6 16:07:56 2017 -0700 - - Refresh client to latest - - 
Signed-off-by: John Howard - -commit d12d6dcbd5c64931d218954dac4208e1d3ef9a7f -Merge: 3d645d8a6 e16565f17 -Author: Cheng-mean Liu -Date: Thu Jul 6 12:31:35 2017 -0700 - - Merge pull request #9 from Microsoft/linting - - Linting - -commit 3d645d8a625628cd2de6bb255bab1a20631afe81 -Merge: d0011f60b 80a64dbc3 -Author: Cheng-mean Liu -Date: Thu Jul 6 12:30:10 2017 -0700 - - Merge pull request #8 from Microsoft/ignore-bins - - ignore bin directory - -commit e16565f17171fffde4099fd5b55cfe20e2d08f96 -Author: Ben Weedon -Date: Mon Jul 3 17:37:33 2017 -0700 - - Lots of changes all around fixing golint warnings - - This commit does not fix all golint warnings. It only fixes the ones it - seemed reasonable to fix without reducing code clarity or adding - unnecessary comments. It also does not fix any warnings in serviceVM - code, just GCS code. - -commit aad6ab8bc6d24a6c9aa037c4389ad8e4c339be7b -Author: Ben Weedon -Date: Mon Jul 3 14:56:36 2017 -0700 - - Remove newline at end of error string - -commit 80a64dbc31e5febe59266935d6b874b0083cf03f -Author: Akash Gupta -Date: Thu Jul 6 10:44:27 2017 -0700 - - ignore bin directory - -commit d0011f60b7170dd119b1a2f4e4eb96a2311f9aef -Merge: ac9468aa1 bed71d218 -Author: Akash Gupta -Date: Wed Jul 5 18:00:03 2017 -0700 - - Merge pull request #7 from Microsoft/readme - - Fixed broken gcsbuildinstrutions link - -commit bed71d218e00e545781b35d00211657f632b6be1 -Author: Cheng-mean Liu -Date: Wed Jul 5 17:50:51 2017 -0700 - - Fixed broken gcsbuildinstrutions link - -commit ac9468aa192ce9e8646f04e91a338121bf7418b6 -Author: Cheng-mean Liu -Date: Wed Jul 5 16:39:13 2017 -0700 - - Added gcs building instructions (#5) - - * Added opengcs repo clone and build instructions - - * Added opengcs repo clone and build instructions - - * Added opengcs repo clone and build instructions - - * Added opengcs repo clone and build instructions - - * Added opengcs repo clone and build instructions - -commit c2ef1ee9ba68c6d83966f19b26a2258c7fcbb4c9 -Merge: 
8ff7ccfbf a0a16bb02 -Author: Cheng-mean Liu -Date: Mon Jul 3 16:03:06 2017 -0700 - - Merge pull request #4 from Microsoft/init_dirs - - Populated opengcs with initial GCS soruce files - -commit a0a16bb02d1df306aca0574d43d875e8f30a0d80 -Author: Cheng-mean Liu -Date: Mon Jul 3 15:58:48 2017 -0700 - - Populated opengcs with initial GCS soruce files - -commit 8ff7ccfbf9c2d7713364b32a4d4c686ddc305483 -Merge: d2bd0f812 d1ff48192 -Author: Akash Gupta -Date: Wed Jun 28 14:21:22 2017 -0700 - - Merge pull request #1 from Microsoft/soccerGB-patch-1 - - Update README.md - -commit d1ff48192e0a2dc7f3878f3413e5cb12885dbf1a -Author: Cheng-mean Liu -Date: Wed Jun 28 14:16:28 2017 -0700 - - Update README.md - - Added initial README.md - -commit d2bd0f8122899e1261e5b68cacad6a9cbc23d373 -Author: Microsoft Open Source -Date: Tue Jun 27 14:29:15 2017 -0700 - - Initial commit - -commit db733a7534b7269ed087fc65a6c8a139bf741f01 -Author: Microsoft Open Source -Date: Tue Jun 27 14:29:13 2017 -0700 - - Initial commit - -commit e96ee58a3f31ed147d75e3ef9ed6e0a73f48bc30 -Author: Microsoft GitHub User -Date: Tue Jun 27 14:28:56 2017 -0700 - - Initial commit - -commit 5401bead4feac753f42a6b72f9d8c2c30647d61e (tag: v0.5.26) -Merge: 78039139c f0390624f -Author: John Starks -Date: Tue Jun 27 12:02:28 2017 -0700 - - Merge pull request #129 from Microsoft/user/jostarks/mappedpipes - - Add HCS interface for mapped named pipes - -commit f0390624f58858bd5881c86d0636a24a4045a1b1 -Author: John Starks -Date: Mon Jun 26 19:12:15 2017 -0700 - - Add HCS interface for mapped named pipes - -commit 78039139c5008979e0de976962c6b4321dae02b0 (tag: v0.5.25) -Merge: 391074557 352678954 -Author: John Starks -Date: Thu Jun 22 17:02:16 2017 -0700 - - Merge pull request #128 from jstarks/commandargs - - Add CommandArgs for passing Linux arguments correctly - -commit 352678954657d2a8a512035aa6ed2bb39707b2a4 -Author: John Starks -Date: Thu Jun 22 17:00:00 2017 -0700 - - Add CommandArgs for passing Linux arguments correctly - 
-commit 391074557be6835013e03314ed43a0a7d3e67958 (tag: v0.5.24) -Merge: a6281990d d797473d5 -Author: John Howard -Date: Thu Jun 22 14:12:18 2017 -0700 - - Merge pull request #127 from Microsoft/jjh/schema - - HCS schema updates for 6/21 on builds - -commit d797473d5383f65b1afd1c0cb6633f5e9e2f723d -Author: John Howard -Date: Thu Jun 22 14:11:17 2017 -0700 - - HCS schema updates for 6/21 on builds - - Signed-off-by: John Howard - -commit a6281990dd880fc5a285c788f65508917e390e3c (tag: v0.5.23) -Merge: 0ec2249ab 30c2d28a2 -Author: John Howard -Date: Thu Jun 15 11:42:10 2017 -0700 - - Merge pull request #125 from Microsoft/jjh/fixbadlogging - - Fix bad debug log - -commit 30c2d28a2f157e419cc6ff022ad6a24bba80fed8 -Author: John Howard -Date: Thu Jun 15 11:41:09 2017 -0700 - - Fix bad debug log - - Signed-off-by: John Howard - -commit 0ec2249abdf84d600b6a04c0fd9a48a80e989275 -Merge: 918b03ed5 619f41d84 -Author: John Howard -Date: Thu Jun 15 11:39:18 2017 -0700 - - Merge pull request #124 from Microsoft/jjh/modifytointerface - - Change Data to interface in ResourceModificationRequestResponse - -commit 619f41d8447b29a1e9cff24671538704f9cb84ca -Author: John Howard -Date: Wed Jun 14 17:56:12 2017 -0700 - - Change Data to interface in ResourceModificationRequestResponse - - Signed-off-by: John Howard - -commit 461d6cb5453df54ec1b746a43dd2bb320f0f18f8 -Author: Anand Gaitonde -Date: Tue Jun 13 09:20:28 2017 -0700 - - downcase github.com/sirupsen/logrus imports - - According to the sirupsen/logrus README, this package should be imported - entirely lowercased. - -commit 918b03ed5b5dcbbc34e89064f4e5bfdd17be5bb6 (tag: v0.5.22) -Merge: fd95ed0cb 17e710d8a -Author: John Howard -Date: Wed Jun 7 12:52:18 2017 -0700 - - Merge pull request #122 from Microsoft/jjh/linuximage - - Add initrd/kernel path to HvRuntime - -commit 17e710d8a33b5ffdee339f84e400a1f959b8b880 -Author: John Howard -Date: Wed Jun 7 12:46:29 2017 -0700 - - Add initrd/kernel path to HvRuntime - - 
Signed-off-by: John Howard - -commit fd95ed0cbd97f207707146ca058f57f9bc23687f (tag: v0.5.21) -Merge: 106da6777 513a999d8 -Author: John Howard -Date: Wed Jun 7 12:30:23 2017 -0700 - - Merge pull request #121 from Microsoft/jjh/mappedvirtualdisk - - Add MappedVirtualDisks to ContainerConfig - -commit 513a999d894ecbb74465d3d9c2c258005e6953ee -Author: John Howard -Date: Wed Jun 7 12:21:01 2017 -0700 - - Add MappedVirtualDisks to ContainerConfig - - Signed-off-by: John Howard - -commit 106da67770a4b3388d3e872a99ac80e756a28d13 (tag: v0.5.20) -Merge: ad62b0caf 7edb791bf -Author: John Howard -Date: Tue Jun 6 11:51:34 2017 -0700 - - Merge pull request #120 from Microsoft/jjh/omitempty - - OmitEmpty on ProcessConfig fields - -commit 7edb791bfbd2fed6dea8a07fb6853a323455b565 -Author: John Howard -Date: Tue Jun 6 10:32:36 2017 -0700 - - OmitEmpty on ProcessConfig fields - - Signed-off-by: John Howard - -commit ad62b0cafa1e41ad10961fe1bc20d28edcbba9e5 -Author: John Howard -Date: Fri Jun 2 11:48:56 2017 -0700 - - Remove IsDummy - - Signed-off-by: John Howard - -commit 3146c55e7c57ac6bc20e457ea1a38bd77c081ca9 (tag: v0.5.19) -Merge: 84ea0d366 38e5a9f47 -Author: Cheng-mean Liu -Date: Thu Jun 1 16:13:36 2017 -0700 - - Merge pull request #119 from Microsoft/jjh/lcowinterface - - LCOW: Add fields - -commit 38e5a9f470c8fe25dc1362145841cbddea591f4f -Author: John Howard -Date: Thu Jun 1 09:31:35 2017 -0700 - - LCOW: Add fields - - Signed-off-by: John Howard - -commit 84ea0d3666475c550167921c45a8df68552aa478 (tag: v0.5.18) -Merge: 49582cc50 43879e46e -Author: John Howard -Date: Wed May 24 14:01:14 2017 -0700 - - Merge pull request #117 from Microsoft/jjh/removesandboxpath - - Remove SandboxPath - -commit 43879e46ec89fe5fbfdb0502510b4c310bf6e6b1 -Author: John Howard -Date: Wed May 24 13:51:20 2017 -0700 - - Remove SandboxPath - - 
Signed-off-by: John Howard - -commit 49582cc501b7b6ade520e91e61e8d77c8a6e162e (tag: v0.5.17) -Merge: d673e9771 ec86ea14c -Author: John Starks -Date: Mon May 8 10:49:17 2017 -0700 - - Merge pull request #114 from darrenstahlmsft/RemoveFinalizers - - Remove finalizers due to go1.8 liveness - -commit d673e9771d2d9f70900c47d533e2cb28d05cf9ef (tag: v0.5.16) -Merge: 75e4c004b dbc4b0ccb -Author: John Howard -Date: Mon May 8 10:26:54 2017 -0700 - - Merge pull request #115 from jstarks/generous_linking - - Allow hard links between utility VM and base layer - -commit dbc4b0ccb6f783988438c543fbea640c45245c22 -Author: John Starks -Date: Fri May 5 17:19:46 2017 -0700 - - Allow hard links between utility VM and base layer - - To save space, new Windows container images will have hard links between - the utility VM image and the container base layer. This change relaxes - hcsshim's requirements to allow this behavior. - -commit ec86ea14ca77bef1a6656327e918de83e07f65d0 -Author: Darren Stahl -Date: Thu May 4 11:40:50 2017 -0700 - - Remove finalizers due to go1.8 liveness - - Signed-off-by: Darren Stahl - -commit 75e4c004b5824be6dd2bee4c47451f9fc33ebf4d (tag: v0.5.15) -Merge: 7fb72df30 26ffe5a5d -Author: John Howard -Date: Thu Apr 6 12:05:46 2017 -0700 - - Merge pull request #112 from Microsoft/jjh/removewhitespace - - Remove whitespace from LICENSE - -commit 26ffe5a5ddb6caa707d97ceb9ee6450df04601b9 -Author: John Howard -Date: Thu Apr 6 12:04:37 2017 -0700 - - Remove whitespace from LICENSE - - 
Signed-off-by: John Howard - -commit 7fb72df30c604381a1bd0e82fa3660d4e3584307 (tag: v.0.5.14) -Merge: eb3470df7 73084cdf2 -Author: John Howard -Date: Wed Mar 29 23:05:29 2017 -0700 - - Merge pull request #110 from madhanrm/hotadd - - Expose ModifySettings Support in HcsShim. - -commit 73084cdf2decd9e31ebffb5ae247be420429da36 -Author: Madhan Raj Mookkandy -Date: Wed Mar 29 17:33:34 2017 -0700 - - Expose ModifySettings Support in HcsShim. This is required for Hot Add/Remove of Network Endpoints - - Signed-off-by: Madhan Raj Mookkandy - -commit eb3470df7849886d6d40be84e2788d9d08fd40d2 (tag: v0.5.13) -Merge: 69507a3cc 1c8d1042e -Author: John Howard -Date: Thu Mar 23 11:37:37 2017 -0700 - - Merge pull request #111 from Microsoft/jjh/additionaljson - - Allow additional JSON for create container - -commit 1c8d1042ef8f3c101e3bb6bc4882d5d281b2c160 -Author: John Howard (VM) -Date: Wed Mar 22 13:56:09 2017 -0700 - - Allow additional JSON for create container - - Signed-off-by: John Howard (VM) - -commit 69507a3ccf423a86b1995f07b96b7541d093c000 (tag: v0.5.12) -Merge: 0f615c198 18e06133f -Author: Darren Stahl -Date: Wed Feb 15 10:14:18 2017 -0800 - - Merge pull request #109 from Microsoft/jjh/addaccessisdenied - - Add 'Access is denied' error - -commit 18e06133f8e48f5f3ed6c6cb0bb5270e8e3425e4 -Author: John Howard -Date: Wed Feb 15 09:45:03 2017 -0800 - - Add 'Access is denied' error - - Signed-off-by: John Howard - -commit 0f615c198a84e0344b4ed49c464d8833d4648dfc (tag: v0.5.11) -Merge: 71115b827 07f8c0bea -Author: John Howard -Date: Thu Jan 26 10:44:08 2017 -0800 - - Merge pull request #103 from madhanrm/ns - - Interface changes to support --net:container: for Windows - -commit 07f8c0beaab61a15a05525c11ef8c25054b2e862 -Author: Madhan Raj Mookkandy -Date: Fri Jan 13 16:56:31 2017 -0800 - - Interface changes to support --net:container: for Windows - - 
Signed-off-by: Madhan Raj Mookkandy - -commit 71115b82780d4248ef32f80519490b179d5da350 (tag: v0.5.10) -Merge: 2c872d137 010b942a6 -Author: John Howard -Date: Fri Jan 13 11:00:55 2017 -0800 - - Merge pull request #101 from msabansal/dnssearch - - Adding omitempty tag to DnsSearchList - -commit 010b942a6d082fc81e46ab474e8ddf9eb761cedc -Author: msabansal -Date: Fri Jan 13 10:25:53 2017 -0800 - - Adding omitempty tag to DnsSearchList - - Signed-off-by: msabansal - -commit 2c872d137f3a1064686710ec072141b741924fb3 -Merge: d327ca738 498b3a781 -Author: John Howard -Date: Mon Jan 9 16:05:14 2017 -0800 - - Merge pull request #98 from msabansal/dnssearch - - Added option to allow setting DNS search list for containers - -commit 498b3a781236972f8bd362fa461c2bce4eac433c -Author: msabansal -Date: Tue Dec 27 11:49:25 2016 -0800 - - Added option to allow setting DNS search list for containers - - Signed-off-by: msabansal - -commit d327ca738085de7d617aa1df16d98fe7a64c2455 (tag: v0.5.9) -Merge: ba7f9b77b e9f85e30b -Author: Darren Stahl -Date: Mon Nov 21 11:31:14 2016 -0800 - - Merge pull request #93 from darrenstahlmsft/UpdateMkSyscall - - Update mksyscall_windows.go to match upstream updates - -commit e9f85e30bf2dceced80b91683b82b01a6c7b7d88 -Author: Darren Stahl -Date: Fri Nov 18 18:20:11 2016 -0800 - - Update mksyscall_windows.go to match upstream updates - - Signed-off-by: Darren Stahl - -commit ba7f9b77b0a18ffd7cf697da401256c14a83f494 (tag: v0.5.8) -Merge: e439b7d2b 8a9596f9e -Author: John Howard -Date: Thu Nov 10 11:33:58 2016 -0800 - - Merge pull request #92 from darrenstahlmsft/GetContainerError - - bug fix: return errors from hcsEnumerateComputeSystem - -commit 8a9596f9ed4a689e90ef1f21eca4a02b84552a0f -Author: Darren Stahl -Date: Wed Nov 9 17:55:12 2016 -0800 - - bug fix: return errors from hcsEnumerateComputeSystem - - 
Signed-off-by: Darren Stahl - -commit e439b7d2b63f036d3a50c93a9e0b154a0d50e788 (tag: v0.5.7) -Merge: 6553f7caf f755000dc -Author: John Starks -Date: Tue Nov 8 12:05:42 2016 -0800 - - Merge pull request #82 from darrenstahlmsft/NilFinalizer - - Nil the finalizers on Close - -commit 6553f7cafaf3e2b7d993e8bc88bfb15e130bd4ab -Merge: 03051f0b5 3873740af -Author: John Howard -Date: Tue Nov 8 12:04:29 2016 -0800 - - Merge pull request #91 from darrenstahlmsft/properties - - Add comment for exported ContainerProperties - -commit 3873740af99f01470eeb54e461f91e6ceb1efa20 -Author: Darren Stahl -Date: Tue Nov 8 12:03:19 2016 -0800 - - Add comment for exported ContainerProperties - - Signed-off-by: Darren Stahl - -commit 03051f0b51fed0b880d03383910e76c72e4ef8ee -Merge: 9e91fe08c b5b46351e -Author: John Howard -Date: Tue Nov 8 12:02:12 2016 -0800 - - Merge pull request #90 from msabansal/DisableICC - - Fixing the field name to DisableICC - -commit b5b46351e45441b5993ecaab90812ee53a1c4f01 -Author: msabansal -Date: Tue Nov 8 12:00:29 2016 -0800 - - Fixing the field name to DisableICC - - Signed-off-by: msabansal - -commit 9e91fe08c6dc4e95fad6e9d1f6c5f650b946d513 (tag: v0.5.6, tag: v0.5.5) -Merge: 392add835 9f18f0048 -Author: John Howard -Date: Tue Nov 8 11:30:07 2016 -0800 - - Merge pull request #89 from msabansal/DisableICC - - Control path support to disable ICC - -commit 9f18f004899a9529e6e925d9b74b86049075f0f8 -Author: msabansal -Date: Mon Nov 7 17:37:11 2016 -0800 - - Control path support to disable ICC - - Signed-off-by: msabansal - -commit 392add8355ccd1d46111bd5144d631400c818f0e (tag: v0.5.5.5) -Merge: cf8b6fb40 09c11445e -Author: John Howard -Date: Tue Nov 8 11:16:05 2016 -0800 - - Merge pull request #88 from darrenstahlmsft/containerProperties - - Fix compile error due to containerProperties rename - -commit 09c11445e13187e80cbd880feef66d38d35a17e3 -Author: Darren Stahl -Date: Tue Nov 8 11:12:51 2016 -0800 - - Fix compile error due to containerProperties rename - - 
Signed-off-by: Darren Stahl - -commit cf8b6fb4074c5c6b86f74a6a1611b61859670ed4 (tag: v.0.5.4) -Merge: 44aa6ad64 1d14bc2b1 -Author: John Howard -Date: Tue Nov 8 11:04:35 2016 -0800 - - Merge pull request #84 from darrenstahlmsft/CombineTimeoutWait - - Combine timeout switches - -commit 44aa6ad64f186a74eee6613d6901900357a0da1f (tag: v0.5.3) -Merge: 4ca4b19e4 dd1bd8f3b -Author: John Howard -Date: Tue Nov 8 11:02:02 2016 -0800 - - Merge pull request #85 from darrenstahlmsft/RegisterCallbackOpen - - Add a callback registration when opening a container - -commit 4ca4b19e45abb33b2fdaf53d2b4df531078ef90f -Merge: c2c946457 8d4ff2e15 -Author: John Howard -Date: Tue Nov 8 10:59:26 2016 -0800 - - Merge pull request #86 from darrenstahlmsft/GetContainers - - Add GetContainers function - -commit c2c946457a3a614df2d3d569befd35a82fc5aa63 -Merge: ccae35550 2c0716647 -Author: John Howard -Date: Tue Nov 8 10:58:48 2016 -0800 - - Merge pull request #87 from Microsoft/jjh/user - - Add user to ProcessConfig interface - -commit 2c071664764b1a258c4bbb8b2716356176e8449d -Author: John Howard -Date: Tue Nov 8 10:44:36 2016 -0800 - - Add user to ProcessConfig interface - - Signed-off-by: John Howard - -commit dd1bd8f3bcf3ae86cb95b8548678aed1638f3311 -Author: Darren Stahl -Date: Mon Nov 7 17:24:37 2016 -0800 - - Add a callback registration when opening a container - - Signed-off-by: Darren Stahl - -commit 8d4ff2e15f1737661ee7c68c0fb827b8eb2c0c1b -Author: Darren Stahl -Date: Mon Nov 7 17:23:31 2016 -0800 - - Add GetContainers function - - Signed-off-by: Darren Stahl - -commit ccae3555085fbec1e146658768bd9e3dfea40092 -Merge: a2c7176d7 fd5191ac5 -Author: Darren Stahl -Date: Mon Oct 31 12:28:30 2016 -0700 - - Merge pull request #83 from darrenstahlmsft/AlreadyClosed - - Change ErrInvalidHandle to ErrAlreadyClosed - -commit 1d14bc2b16e20c3193670c05ead89276179cbed4 -Author: Darren Stahl -Date: Thu Oct 27 15:10:47 2016 -0700 - - Combine timeout switches - - 
Signed-off-by: Darren Stahl - -commit fd5191ac58e2ecfdc39468cf5cd59ade4692251e -Author: Darren Stahl -Date: Thu Oct 27 13:02:50 2016 -0700 - - Change ErrInvalidHandle to ErrAlreadyClosed - - Signed-off-by: Darren Stahl - -commit f755000dcd9caaf1304af87025fca9ea11176719 -Author: Darren Stahl -Date: Thu Oct 27 12:39:54 2016 -0700 - - Nil the finalizers on Close - - Signed-off-by: Darren Stahl - -commit a2c7176d71f579623ba55005e505905b44bf0baf (tag: v0.5.2) -Merge: b9ddf81bb 0eb786cbc -Author: John Starks -Date: Wed Oct 26 14:48:01 2016 -0700 - - Merge pull request #81 from darrenstahlmsft/PrepareLayerHack - - Serialize calls to PrepareLayer due to Windows bug - -commit 0eb786cbc7842b668cfed5cc448cf5ba9f2893c2 -Author: Darren Stahl -Date: Tue Oct 25 20:06:37 2016 -0700 - - Serialize calls to PrepareLayer due to Windows bug - - Signed-off-by: Darren Stahl - -commit b9ddf81bba1cfdccf64ce2e79f3d7a6865c1e278 -Merge: df9c56465 258284091 -Author: John Starks -Date: Fri Oct 21 18:31:26 2016 -0700 - - Merge pull request #79 from allencloud/allencloud-patch-1 - - Update hcsshim.go - -commit df9c564659bf5c8ca27213d328d127055703e16b -Merge: 00e294208 523023ef1 -Author: John Starks -Date: Fri Oct 21 18:30:47 2016 -0700 - - Merge pull request #80 from msabansal/overlay - - Overlay networking support - -commit 523023ef1ef8ec08b23bbff88ab68552c5f1a6d7 -Author: msabansal -Date: Fri Oct 21 16:59:22 2016 -0700 - - Overlay networking support - - 
Signed-off-by: msabansal - -commit 2582840915b13736236f52cd012927b5f77922e4 -Author: Allen Sun -Date: Wed Oct 5 11:17:35 2016 +0800 - - Update hcsshim.go - - correct HSC to HCS - -commit 00e2942088e65cec1754ae4096d1bae739efcc1f (tag: v0.5.1) -Merge: 0a4175a49 f63798c03 -Author: Stefan J. Wernli -Date: Mon Oct 3 17:12:23 2016 -0700 - - Merge pull request #77 from darrenstahlmsft/RemoveTP5 - - Remove TP5 support - -commit 0a4175a49a826b812be248e23deb0b7f13064b88 -Merge: 7fc39210b c38818f4e -Author: Stefan J. Wernli -Date: Mon Oct 3 10:50:18 2016 -0700 - - Merge pull request #78 from jstarks/use_lstat - - Use Lstat to avoid following reparse points - -commit c38818f4ebf563081923c0af6752d2e34a73ca05 -Author: John Starks -Date: Fri Sep 30 18:50:15 2016 -0700 - - Use Lstat to avoid following reparse points - - Signed-off-by: John Starks - -commit 7fc39210ba159ce923c7a22461c0b4efc53a8a9d -Merge: f6ba880e9 0fae7c9fc -Author: Stefan J. Wernli -Date: Fri Sep 30 13:41:01 2016 -0700 - - Merge pull request #76 from jstarks/uvm_dir - - Fix non-base utility VM directory additions - -commit f63798c03d5206b9d7b486776eebedfa237baf19 -Author: Darren Stahl -Date: Fri Sep 30 13:05:04 2016 -0700 - - Remove TP5 support - - 
Signed-off-by: Darren Stahl - -commit 0fae7c9fc77ffc84ce5945d58a5baea07de59979 -Author: John Starks -Date: Fri Sep 30 12:33:13 2016 -0700 - - Fix non-base utility VM directory additions - -commit f6ba880e91aad9d8a386f84be7b318fbef4d233a -Merge: 2c8189a12 2bfd23c89 -Author: John Starks -Date: Wed Sep 28 19:09:46 2016 -0700 - - Merge pull request #75 from jstarks/no_reparse_walk - - Don't follow reparse points when cloning the utility VM - -commit 2bfd23c890712fbd979c142d8f55f1d3c27cfdb2 -Author: John Starks -Date: Wed Sep 28 13:40:20 2016 -0700 - - Don't follow reparse points when cloning the utility VM - - This works around a Go issue where on Windows filepath.Walk follows - reparse points. - -commit 2c8189a12c3f291a72a037a3ff4f51c573bb7b46 -Merge: 26aaa85d8 68381525b -Author: Stefan J. Wernli -Date: Wed Sep 28 13:18:48 2016 -0700 - - Merge pull request #74 from jstarks/layer_hardlink_support - - Support importing layers with hard links - -commit 68381525b99eeb90e74ff75fd97232d8d1056cc9 -Author: John Starks -Date: Wed Sep 28 12:14:18 2016 -0700 - - Support importing layers with hard links - - This is necessary to support servicing layers distributed by Microsoft, - since these layers will contain hard links to save space. - - 
Signed-off-by: John Starks - -commit 26aaa85d88cf171a3d96d92664f47b9722ffec37 -Merge: ab64fb88b 4f245d12e -Author: Stefan J. Wernli -Date: Tue Sep 27 11:53:14 2016 -0700 - - Merge pull request #73 from jstarks/layered_utilityvm - - Support utility VM changes in non-base layers - -commit 4f245d12ece5f7a48cf62c89daf83f46b554a394 -Author: John Starks -Date: Mon Sep 26 18:42:05 2016 -0700 - - Support utility VM changes in non-base layers - - With this change, non-base layers can have utility VM changes. Since - Server 2016 does not support layered utility VMs, this works by cloning - the parent layer's utility VM and applying the changes directly. Layers - are assumed to be immutable, so hard links are used to make this cloning - operation fast. - - Signed-off-by: John Starks - -commit ab64fb88b54c722d68336a354193ea0c0db3f065 (tag: v0.5.0) -Merge: 2f5428934 89caa8858 -Author: Darren Stahl -Date: Fri Sep 23 14:07:29 2016 -0700 - - Merge pull request #72 from darrenstahlmsft/ContainerError - - Stop saying all container errors occured in win32 - -commit 89caa8858210cc08d6e03c65ec3ed99abd974d7e -Author: Darren Stahl -Date: Fri Sep 23 11:05:02 2016 -0700 - - Stop saying all container errors occured in win32 - - Signed-off-by: Darren Stahl - -commit 2f542893463b1da515679c889b36528051311127 -Merge: 64101c714 928337438 -Author: Darren Stahl -Date: Thu Sep 22 18:42:36 2016 -0700 - - Merge pull request #71 from darrenstahlmsft/Locks - - Add RW Lock to protect the hcs handles - -commit 9283374380929c2946276be4024d064ec29b28f0 -Author: Darren Stahl -Date: Wed Sep 21 16:14:32 2016 -0700 - - Add RW Lock to protect the hcs handles - - 
Signed-off-by: Darren Stahl - -commit 64101c714707e0083512445e3157a7fc17e54b5f -Merge: 4899f73bb 70f33c801 -Author: Darren Stahl -Date: Tue Sep 20 17:12:20 2016 -0700 - - Merge pull request #70 from darrenstahlmsft/ExitCodeError - - Check errors in LastWaitResult - -commit 4899f73bbd06252284712605fbeaf69cd74894a6 -Merge: d8e08e7d3 e22d55c41 -Author: John Howard -Date: Tue Sep 20 14:59:20 2016 -0700 - - Merge pull request #69 from Microsoft/jjh/omitempty - - Add omitempty and annotations - -commit 70f33c801766f381fbc1c9cf38a2202a0f42701e -Author: Darren Stahl -Date: Tue Sep 20 14:29:15 2016 -0700 - - Check errors in LastWaitResult - - Signed-off-by: Darren Stahl - -commit e22d55c4199128d5d7a61bd3131fb2d82b6cb1ce -Author: John Howard -Date: Tue Sep 20 08:45:44 2016 -0700 - - Add omitempty and annotations - - Signed-off-by: John Howard - -commit d8e08e7d31d4f441646638b35f423a760d6dfbcd -Merge: ee12be31f d3554df8c -Author: John Howard -Date: Fri Sep 16 10:29:03 2016 -0700 - - Merge pull request #67 from Microsoft/jjh/consolesize - - ConsoleSize --> uint - -commit d3554df8c4e158244b93c3f9b6d470712f91ee43 -Author: John Howard -Date: Thu Sep 15 12:26:18 2016 -0700 - - ConsoleSize --> uint - - Signed-off-by: John Howard - -commit ee12be31f1d7df1dbb81b9bb00ff3e151a0fcd1d -Merge: 6611816fb ef97acc3c -Author: Darren Stahl -Date: Thu Sep 8 14:44:32 2016 -0700 - - Merge pull request #66 from darrenstahlmsft/VolumeQoS - - Added volume QoS settings to MappedDir - -commit ef97acc3ce8bae16842d1e945bc56793e2be5d58 -Author: Darren Stahl -Date: Tue Sep 6 16:09:53 2016 -0700 - - Added volume QoS settings to MappedDir - - 
Signed-off-by: Darren Stahl - -commit 6611816fb4c1693b429ada0f358102119a0b1466 (tag: v0.4.3) -Merge: e5e415eb5 407de2853 -Author: John Starks -Date: Thu Aug 18 14:15:15 2016 -0700 - - Merge pull request #62 from msabansal/dns - - Added dns support - -commit e5e415eb501f8226c671b71e966839fa76c6d6ed (tag: v0.4.2) -Merge: 600757db2 4a0988d65 -Author: Darren Stahl -Date: Wed Aug 17 17:39:22 2016 -0700 - - Merge pull request #65 from Microsoft/jjh/processlist - - Add support for ProcessList - -commit 4a0988d6549162141f8ec9980f37d253c075eef8 -Author: John Howard -Date: Wed Aug 17 16:57:09 2016 -0700 - - Add support for ProcessList - - Signed-off-by: John Howard - -commit 600757db21d4b3d9974f7394a90ab17933748efd -Merge: 4b220a174 6635818ce -Author: John Starks -Date: Wed Aug 17 17:00:30 2016 -0700 - - Merge pull request #64 from darrenstahlmsft/OpenProcessCallbacks - - Stop calling post TP5 API in OpenProcess - -commit 6635818cebe2dd6c896bbdd170d5eca9c9adfdc4 -Author: Darren Stahl -Date: Wed Aug 17 15:36:45 2016 -0700 - - Stop calling post TP5 API in OpenProcess - - Signed-off-by: Darren Stahl - -commit 4b220a174dd16fe1d2e679ac61e15739f21ee721 (tag: v0.4.1) -Merge: 6a6862bd8 f43b71b58 -Author: John Starks -Date: Tue Aug 16 16:31:35 2016 -0700 - - Merge pull request #63 from darrenstahlmsft/ReparseModifiedTime - - Only update directory modified times if not a reparse point - -commit f43b71b58785865e0b99f6027bbe68a36577ea49 -Author: Darren Stahl -Date: Tue Aug 16 15:27:09 2016 -0700 - - Only update directory modified times if not a reparse point - - Signed-off-by: Darren Stahl - -commit 407de28530b937db3954d8205392d5a5f0ef8009 -Author: msabansal -Date: Thu Jul 14 16:13:32 2016 -0700 - - Added dns support - - 
Signed-off-by: msabansal - -commit 6a6862bd8669eeae0ee0e75b8d3455c29fb56fe0 (tag: v0.4.0) -Merge: 7b7051ecc 4f10c13aa -Author: Stefan J. Wernli -Date: Wed Aug 10 11:37:48 2016 -0700 - - Merge pull request #61 from darrenstahlmsft/RemoveOldAPI - - Deleting old API in preparation for v0.4.0 - -commit 7b7051ecc1585ade9134b3ac5500884210b0d742 -Merge: a79940068 0ae7e7ece -Author: Stefan J. Wernli -Date: Tue Aug 9 15:54:18 2016 -0700 - - Merge pull request #60 from darrenstahlmsft/ProcNotFound - - Added proc not found error - -commit 4f10c13aa7d12ad727779d9469a92431f94d880b -Author: Darren Stahl -Date: Tue Aug 9 14:30:19 2016 -0700 - - Deleting old API in preparation for v0.4.0 - - Signed-off-by: Darren Stahl - -commit 0ae7e7ecebd7b5609582153ed680c35ba666a264 -Author: Darren Stahl -Date: Tue Aug 9 13:45:30 2016 -0700 - - Added proc not found error - - Signed-off-by: Darren Stahl - -commit a79940068e291a3535c896e9d769d16c962b99a8 -Merge: f22313726 0303637d3 -Author: Darren Stahl -Date: Tue Aug 9 13:23:42 2016 -0700 - - Merge pull request #59 from Microsoft/jjh/statistics - - Add statistics query - -commit 0303637d3bc1e43ab52d7b4c8868d23de69dfde2 -Author: John Howard -Date: Mon Aug 8 15:04:37 2016 -0700 - - Add statistics query - - Signed-off-by: John Howard - -commit f22313726f850ecd6e78a9018f3c32bff53fc60a -Merge: 92bbeef4e 34bcde9a0 -Author: John Starks -Date: Mon Aug 8 15:09:53 2016 -0700 - - Merge pull request #58 from darrenstahlmsft/RemoveKnownErrors - - Removed knownErrors in favour of helper methods to check error types - -commit 34bcde9a0270972ef65990d054a47d672cb829aa -Author: Darren Stahl -Date: Wed Aug 3 16:34:36 2016 -0700 - - Removed knownErrors in favour of helper methods to check error types - - 
Signed-off-by: Darren Stahl - -commit 92bbeef4ebd268dff4dd993ad58de7360a7a6058 -Merge: e6abe39ac 135df7275 -Author: Stefan J. Wernli -Date: Thu Jul 28 10:52:20 2016 -0700 - - Merge pull request #57 from jstarks/preserve_directory_times - - Preserve directory times when writing base layer - -commit 135df7275fee70b0bd82bfcdceba8c00730c6b0a -Author: John Starks -Date: Wed Jul 27 18:44:57 2016 -0700 - - Preserve directory times when writing base layer - -commit e6abe39ac5cc46ae095f72f445108873d7e255aa -Merge: a8b686dbe 604d38e62 -Author: John Starks -Date: Tue Jul 19 16:35:43 2016 -0700 - - Merge pull request #55 from darrenstahlmsft/cgo - - Added import C to force hcsshim to compile as CGO - -commit 604d38e6200e8d89c46fabd029e0b50abbc4f7eb -Author: Darren Stahl -Date: Tue Jul 19 16:14:12 2016 -0700 - - Added import C to force hcsshim to compile as CGO - - 
Signed-off-by: Darren Stahl - -commit a8b686dbee0d309c09deb679ed135481637f0efd (tag: v0.3.6) -Merge: 9bcfb85fc 0386414f0 -Author: Darren Stahl -Date: Fri Jun 24 15:55:06 2016 -0700 - - Merge pull request #53 from jstarks/skip_template - - Add SkipTemplate flag for disabling clone - -commit 0386414f0b59ede3c88828e268690417d8ec394f -Author: John Starks -Date: Fri Jun 24 13:33:09 2016 -0700 - - Add some missing fields to container config - - Adds HvRuntime.SkipTemplate and ProcessorCount. - -commit 9bcfb85fc94a019f106133e9b8c3f54040ccc676 -Merge: 5357233d2 46cdef4ce -Author: John Howard -Date: Thu Jun 23 13:17:16 2016 -0700 - - Merge pull request #52 from jstarks/conduct - - Add reference to code of conduct - -commit 46cdef4ce09a5570429477dc572ad4fc75b59280 -Author: John Starks -Date: Tue Jun 21 14:14:13 2016 -0700 - - Add reference to code of conduct - -commit 5357233d2489512ee045478d3ce1d282cd445aa2 (tag: v0.3.5) -Merge: 3aeaaddbb 5065f1a57 -Author: Darren Stahl -Date: Wed Jun 15 16:41:13 2016 -0700 - - Merge pull request #51 from Microsoft/ContainerAlreadyStoppedError - - Added known error code when shutdown is already complete - -commit 5065f1a577bef8ff0cb94abe075c17a0694b6fb2 -Author: Darren Stahl -Date: Tue Jun 14 11:05:57 2016 -0700 - - Added known error code when shutdown is already complete - - Signed-off-by: Darren Stahl - -commit 3aeaaddbb11bcbf777d1696c51a9bc4561c2433a (tag: v0.3.4) -Merge: 59dba3910 ef88ee861 -Author: Stefan J. Wernli -Date: Fri Jun 10 15:02:39 2016 -0700 - - Merge pull request #49 from Microsoft/CallbackLock - - Prevent deadlock when unregistering notification handler - -commit ef88ee8615c6539347f406fd6adfaff251051c7b -Author: Darren Stahl -Date: Thu Jun 9 12:57:17 2016 -0700 - - Prevent deadlock when unregistering notification handler - - 
Signed-off-by: Darren Stahl - -commit 59dba3910e81e634b380f9872349d1d359d2b497 (tag: v0.3.3) -Merge: 5f88b2ebf c4d043d5b -Author: Darren Stahl -Date: Wed Jun 8 18:23:11 2016 -0700 - - Merge pull request #48 from Microsoft/PendingUpdates - - Fixed PendingUpdates call with correct query - -commit c4d043d5bf8e2579616c937728148b81ed77c21a -Author: Darren Stahl -Date: Wed Jun 8 18:16:22 2016 -0700 - - Fixed PendingUpdates call with correct query - - Signed-off-by: Darren Stahl - -commit 5f88b2ebf0f2fe8fae6eb41177673691c55b339d (tag: v0.3.2) -Merge: 6131038ed 42d8e6156 -Author: John Howard -Date: Wed Jun 8 15:32:48 2016 -0700 - - Merge pull request #47 from Microsoft/credentials - - Added credentials to ContainerConfig - -commit 42d8e6156a63a25989f7245575888c608cddc5b8 -Author: Darren Stahl -Date: Wed Jun 8 14:25:43 2016 -0700 - - Added credentials to ContainerConfig - - Signed-off-by: Darren Stahl - -commit 6131038ed6d018ca64449fd0006533e689d540d0 -Merge: 1358a21ed fb1347a51 -Author: Stefan J. Wernli -Date: Tue Jun 7 18:09:12 2016 -0700 - - Merge pull request #44 from msabansal/vlan - - Vlan and VSID policy - -commit 1358a21ed38b43602c1d74cb00dc512d49d7477c -Merge: efcbf2f19 92cde45e3 -Author: Stefan J. Wernli -Date: Tue Jun 7 17:35:26 2016 -0700 - - Merge pull request #45 from Microsoft/Errors - - Correctly propogate timeouts and other errors - -commit efcbf2f19212ffe70be7c9894e42cb0a7bd662c7 -Merge: 2c6c607df 9ded7c764 -Author: Stefan J. Wernli -Date: Tue Jun 7 17:34:17 2016 -0700 - - Merge pull request #46 from Microsoft/ExpandSandbox - - Added ExpandSandboxSize - -commit 92cde45e346e749a07831111adb95e404b00536b -Author: Darren Stahl -Date: Tue Jun 7 16:05:05 2016 -0700 - - Correctly propogate timeouts and other errors - - Signed-off-by: Darren Stahl - -commit 9ded7c7643790cd474d025e888ae8a0e933c314e -Author: Darren Stahl -Date: Tue Jun 7 15:25:29 2016 -0700 - - Added ExpandSandboxSize - - 
Signed-off-by: Darren Stahl - -commit 2c6c607df30d905bd5dd5c99e77b4339d5837451 (tag: v0.3.1) -Merge: c247079e3 d7dbe6bef -Author: Darren Stahl -Date: Fri May 27 18:19:32 2016 -0700 - - Merge pull request #42 from Microsoft/NotificationWaiter - - New notification design allows for multiple waiters - -commit d7dbe6bef8548b48ad42e4d6968b83fa354203d0 -Author: Darren Stahl -Date: Thu May 26 15:36:42 2016 -0700 - - New notification design allows for multiple waiters - - Signed-off-by: Darren Stahl - -commit c247079e3c9b8c2e4589fd3255170e7d4bc362e8 -Merge: 4d37d7d31 178fd5193 -Author: John Starks -Date: Fri May 27 16:29:58 2016 -0700 - - Merge pull request #43 from jstarks/fix_tombstones - - legacyLayerReader: handle tombstones correctly - -commit 178fd519344ecfbc20d53296aa158ff424470547 -Author: John Starks -Date: Fri May 27 15:27:05 2016 -0700 - - legacyLayerReader: handle tombstones correctly - -commit fb1347a5173dda809f4e7bb1539f10d9be86bfc5 -Author: msabansal -Date: Thu May 26 16:24:23 2016 -0700 - - Vlan and VSID policy - - Signed-off-by: msabansal - -commit 4d37d7d314a8a6755b49a46db9f2caf9fa81a5fa -Merge: 045aa709e 9c19c72a5 -Author: Darren Stahl -Date: Thu May 26 13:57:04 2016 -0700 - - Merge pull request #41 from Microsoft/LoggingConfigs - - Added logging of JSON config in success case - -commit 9c19c72a50d5eae904bd0742097531f16a4af1c6 -Author: Darren Stahl -Date: Thu May 26 13:51:03 2016 -0700 - - Added logging of JSON config in success case - - Signed-off-by: Darren Stahl - -commit 045aa709eaee99187864b55c720f3fad6535e35d (tag: v0.3.0) -Merge: 9c2382d9d fe77c7c3b -Author: John Starks -Date: Tue May 24 14:25:57 2016 -0700 - - Merge pull request #39 from Microsoft/postTP5 - - Implement the new hcsshim API using the new HCS RPC API - -commit fe77c7c3b4e00213c29949cc176bf94b65d2dbf6 -Author: Darren Stahl -Date: Mon Apr 25 13:22:01 2016 -0700 - - Implement the new hcsshim API using the new HCS RPC API - - 
Signed-off-by: Darren Stahl - -commit 9c2382d9d7839b66f3ab497fd67ab6c1414b9b4e -Merge: 4f09401a1 d339e0f54 -Author: John Howard -Date: Mon May 16 12:40:38 2016 -0700 - - Merge pull request #38 from Microsoft/nopriv - - Rely on caller to take privileges when manipulating base layers - -commit 4f09401a16a8e8e8b86b5c6ea2d8c4e9773cac11 -Merge: 67e008e55 7fa1cb54f -Author: John Howard -Date: Mon May 16 12:40:04 2016 -0700 - - Merge pull request #37 from Microsoft/nodeps - - Remove Godeps and vendor - -commit d339e0f54bb2f1e29dc722d3c4f494061e9d00dd -Author: John Starks -Date: Thu May 12 21:37:11 2016 -0700 - - Rely on caller to take privileges when manipulating base layers - -commit 7fa1cb54f0384f1269e85ed76ac65560c6c17dc1 -Author: John Starks -Date: Thu May 12 21:38:00 2016 -0700 - - Remove Godeps and vendor - - Vendoring works well for commands, but for libraries such as this one it just - causes problems. Eliminate it. - -commit 67e008e55de5b15567d908d9fc8f7c5767d527db (tag: v0.2.2) -Merge: 70bdea0be c9490a0c1 -Author: John Starks -Date: Wed Apr 13 14:59:27 2016 -0700 - - Merge pull request #35 from Microsoft/sjw/servicing - - Adding GetComputeSystemProperties for use in servicing scenario. - -commit c9490a0c171cf9410cd715ca9fd84935ca015839 -Author: Stefan J. Wernli -Date: Wed Apr 13 14:38:33 2016 -0700 - - Adding GetComputeSystemProperties for use in servicing scenario. - - 
Signed-off-by: Stefan J. Wernli - -commit 70bdea0be35d83b45d73b40b7e73bf7a15dc4fde (tag: v0.2.1) -Merge: 44ffe2501 05ed910ab -Author: John Starks -Date: Fri Apr 8 11:01:06 2016 -0700 - - Merge pull request #34 from Microsoft/jstarks/uvm - - Support utility VM paired with base image - -commit 05ed910ab49722034de73ebe74e1c2a3dd5773e7 -Author: John Starks -Date: Wed Apr 6 17:03:55 2016 -0700 - - Support utility VM paired with base image - - For TP5, the utility VM is shipped with the base image. Process it if it - is present. - -commit 44ffe2501c0e5f7a2e5bdbe118ad5ccb65cb8d11 (tag: v0.2.0) -Merge: e44ecf4bd 0ed05a9e5 -Author: John Starks -Date: Tue Apr 5 12:49:33 2016 -0700 - - Merge pull request #33 from Microsoft/jstarks/support_base_import - - Support base layer import - -commit 0ed05a9e5a8552ed471b0c9d0a4f375af1ef9fb0 -Author: John Starks -Date: Wed Mar 30 12:34:13 2016 -0700 - - Don't expose internal types - -commit 0bcb8b78d5be22604f379a49da42e1b2d6896408 -Author: John Starks -Date: Wed Mar 30 12:20:19 2016 -0700 - - Support base layer import - -commit 65bcc758abf7955df691a03cb5c12ef4f420d43a -Author: John Starks -Date: Tue Mar 29 10:03:22 2016 -0700 - - Don't swallow ImportLayer errors - -commit e47cb020d909cfa523dc368543c933cac657099f -Author: John Starks -Date: Wed Mar 30 12:48:43 2016 -0700 - - Revendor go-winio and logrus - -commit e44ecf4bd8450a2eeb2b4affd281ad50ec169154 (tag: v0.1.0) -Merge: 116e0e9f5 357aec7e5 -Author: John Starks -Date: Thu Mar 17 13:41:28 2016 -0700 - - Merge pull request #32 from Microsoft/fix_long_paths - - Fix import and export of layers containing long paths - -commit 357aec7e5ba61f8b4332741a68be000ea8a6cb88 -Author: John Starks -Date: Thu Mar 17 13:08:38 2016 -0700 - - Fix import and export of layers containing long paths - - This only affects the legacy import/export code path. 
- -commit 116e0e9f5ced0cec94ae46d0aa1b3002a325f532 -Merge: f185a162a b018767be -Author: John Starks -Date: Sat Mar 5 18:57:56 2016 -0800 - - Merge pull request #31 from Microsoft/fix_legacy_export - - Fix legacy export - -commit b018767be88a45c062fb593d8617a252ac58e2d3 -Author: John Starks -Date: Sat Mar 5 18:54:53 2016 -0800 - - Fix legacy export - - Post-TP4, $wcidirs$ files are required for Hives and Files directories. - -commit f185a162a9d6ec58116d108648b51f1e92ea140a -Author: John Starks -Date: Fri Mar 4 22:34:21 2016 -0800 - - Fix build break - -commit 08c978dd7e7a40c41e0fc9e4b1f13d1430cd7ba9 -Merge: 9947a4e01 9b424d04a -Author: John Starks -Date: Fri Mar 4 22:31:15 2016 -0800 - - Merge pull request #30 from Microsoft/prepare_base - - Add APIs for processing base layers and utility VM images - -commit 9b424d04a2170693254aa7dfa0bef90c4d982f0b -Author: John Starks -Date: Fri Mar 4 17:30:36 2016 -0800 - - Add APIs for processing base layers and utility VM images - -commit 9947a4e01c2c7b1ef1404c430185fdb286e7be2c -Merge: 9488dda5a 52af10f17 -Author: John Starks -Date: Fri Mar 4 13:29:56 2016 -0800 - - Merge pull request #29 from msabansal/hnsupdate - - Updating HNS structures to their latest implementation - -commit 52af10f17d7b20be829cd514b8a94636625e74cf -Author: msabansal -Date: Fri Mar 4 13:17:30 2016 -0800 - - Updating HNS structures to their latest implementation - - 
Signed-off-by: msabansal - -commit 9488dda5ab5d3c1af26e17d3d9fc2e9f29009a7b -Merge: 2a8d47c11 7231c5053 -Author: John Starks -Date: Tue Mar 1 12:43:17 2016 -0800 - - Merge pull request #28 from Microsoft/tp4 - - Simplify TP4 version test - -commit 7231c50531b1ef8a582f9f69365fc69ff5a0d780 -Author: John Starks -Date: Tue Mar 1 12:42:29 2016 -0800 - - Simplify TP4 version test - -commit 2a8d47c11b3016473c6824907186d4c0983db0f5 -Merge: 5f354ce07 5f0741866 -Author: John Starks -Date: Tue Feb 23 18:41:29 2016 -0800 - - Merge pull request #27 from Microsoft/jstarks/layers - - Add new import/export APIs - -commit 5f0741866b24007ad7ccb1cbf1a9f032973ed570 -Author: John Starks -Date: Tue Feb 23 12:50:59 2016 -0800 - - Expose stream-oriented export/import APIs - -commit 5f354ce07fe39c7b8323a43301d220851e37377f -Merge: c7fcc23ae 94c1d0c60 -Author: John Starks -Date: Thu Feb 18 20:25:14 2016 -0800 - - Merge pull request #26 from Microsoft/auto_hr_conversion - - Ensure HRESULTs are converted to Win32 code early - -commit 94c1d0c60597ad8710de2ffac7f9cf31eace6bd0 -Author: John Starks -Date: Tue Feb 16 16:55:02 2016 -0800 - - Ensure HRESULTs are converted to Win32 code early - -commit c7fcc23ae0a198db2015449df41a28fdb5e29487 -Merge: 43858ef3c 9cbf6f544 -Author: John Starks -Date: Tue Feb 16 16:45:20 2016 -0800 - - Merge pull request #25 from Microsoft/jstarks/remove_deprecated_call - - Remove deprecated CopyLayer function, which won't be available in TP5 - -commit 9cbf6f5449d2c8ec052b4c8beb90e79b682763aa -Author: John Starks -Date: Mon Feb 8 18:05:59 2016 -0800 - - Remove deprecated CopyLayer function, which won't be available in TP5 - -commit 43858ef3c5c944dfaaabfbe8b6ea093da7f28dba -Merge: 35ad4d808 fd9d5fb11 -Author: John Howard (Microsoft) -Date: Wed Feb 3 12:06:23 2016 -0800 - - Merge pull request #24 from Microsoft/jstarks/go_style_error_handling - - Make Win32 errors visible to callers - -commit fd9d5fb1197b4d1f2d68eab9907af2a695106ae4 -Author: John Starks -Date: Tue Feb 2 
18:37:26 2016 -0800 - - Make Win32 errors visible to callers - - This makes hcsError public so that callers can inspect the internal - error and check it against certain known Win32 error codes. - -commit 35ad4d808a97203cb1748d7c43167e91f51e7f86 -Merge: 4f08e9239 acea72d04 -Author: John Starks -Date: Mon Feb 1 14:47:43 2016 -0800 - - Merge pull request #23 from Microsoft/jostarks/pipe - - Perform std handle pipe IO without blocking system threads - -commit acea72d04cb8bf2f9b8e1218c58f828df1019080 -Author: John Starks -Date: Fri Jan 29 15:39:11 2016 -0800 - - Perform std handle pipe IO without blocking system threads - - This should reduce the thread pressure on the docker daemon, which - may help reduce crashes when there are many containers running. - -commit 4f08e9239ccff98e8a5b2f81294bc0cf37434373 -Merge: fc8f843b4 c532ef07e -Author: John Starks -Date: Fri Jan 29 14:30:21 2016 -0800 - - Merge pull request #21 from Microsoft/jostarks/autogen - - Rewrite hcsshim methods to use generated code - -commit c532ef07eec6c0c2f8e809807197dd14bdaf6c3d -Author: John Starks -Date: Thu Jan 28 19:15:48 2016 -0800 - - Rewrite hcsshim methods to use generated code - - Also simplify how errors are returned so that the Win32 HRESULT can be - extracted. This is an improvement over the current situation, but it - is still problematic in that errors cannot be compared for equality. - We should address this in a future change (it will require removing - the debug info from the errors, which means we may want to move it - to the callers first). - -commit bf3883a8e797bfdd4b9efa6aff5b2d0e07bb2cf1 -Author: John Starks -Date: Thu Jan 28 19:14:47 2016 -0800 - - Update mksyscall_windows.go to for hcsshim - - Always use UTF-16 strings, and don't panic if the procedure is missing - from the DLL. 
- -commit 34ae220d68918f6a7083e0df5fea5b94a3e0eb93 -Author: John Starks -Date: Thu Jan 28 19:14:06 2016 -0800 - - Add mksyscall_windows.go from go 1.5.3 - -commit fc8f843b468326d898f2ef2257440c792d2fa283 -Merge: de43b42b5 5a4bca127 -Author: John Howard (Microsoft) -Date: Fri Jan 29 12:46:01 2016 -0800 - - Merge pull request #20 from msabansal/master - - Adding support for HNS in HCSShim - -commit 5a4bca12703a073b5ab861e4364b09fe29e247b7 -Author: Sandeep Bansal -Date: Tue Dec 15 19:25:00 2015 -0800 - - Added HNS support - -commit de43b42b5ce14dfdcbeedb0628b0032174d89caa -Merge: 325e531f8 c8985474a -Author: John Howard (Microsoft) -Date: Thu Oct 22 13:59:07 2015 -0700 - - Merge pull request #18 from Microsoft/jjh/xenon-exec-workaround - - TP4: CreateProcess: Return RC - -commit c8985474afff2895524c86a0eb13523773ac2188 -Author: John Howard -Date: Thu Oct 22 13:55:36 2015 -0700 - - TP4: CreateProcess: Return RC - - Signed-off-by: John Howard - -commit 325e531f8c49dd78580d5fd197ddb972fa4610e7 -Merge: 7f646aa6b 08107cda0 -Author: John Howard (Microsoft) -Date: Tue Oct 13 15:29:11 2015 -0700 - - Merge pull request #17 from Microsoft/errorcode - - Various bits of tidy up - -commit 08107cda0aee385a993800d96e838e7c766346ab -Author: John Howard -Date: Tue Oct 13 15:27:01 2015 -0700 - - Various bits of tidy up - - Signed-off-by: John Howard - -commit 7f646aa6b26bcf90caee91e93cde4a80d0d8a83e -Merge: da093dac5 c7f529b05 -Author: Stefan J. Wernli -Date: Thu Aug 27 15:39:53 2015 -0700 - - Merge pull request #15 from Microsoft/sjw/comments - - Adding comments for remaining HCSSHIM public functions. - -commit c7f529b052ee3dfa5632bf648ce29c32345bcb32 -Author: Stefan J. Wernli -Date: Thu Aug 27 14:49:14 2015 -0700 - - Adding comments for remaining HCSSHIM public functions. - - 
Signed-off-by: Stefan J. Wernli - -commit da093dac579302d7b413696b96dec0b5e1bce8d4 -Merge: 2a9898ec1 be4bf9a2c -Author: John Howard (Microsoft) -Date: Mon Aug 10 12:04:06 2015 -0700 - - Merge pull request #14 from Microsoft/gofmt - - Gofmt on all files - -commit be4bf9a2cf3a2536c293a07bb687a072e0db824e -Author: John Howard -Date: Mon Aug 10 12:03:17 2015 -0700 - - Gofmt on all files - - Signed-off-by: John Howard - -commit 2a9898ec11f7c693b91a020b330116730738cc0f -Merge: 236c43404 6e3a41c8d -Author: Stefan J. Wernli -Date: Thu Aug 6 10:55:04 2015 -0700 - - Merge pull request #13 from Microsoft/sjw/guid_fix - - Fix for GUID ToString. - -commit 6e3a41c8d4bd9026900032f226822c327bf239ee -Author: Stefan J. Wernli -Date: Thu Aug 6 10:14:37 2015 -0700 - - Fix for GUID ToString. - - Signed-off-by: Stefan J. Wernli - -commit 236c4340489309791f2509409c3d8abf67102f1a -Merge: 153092cbb 64b66f5b4 -Author: Stefan J. Wernli -Date: Tue Jul 21 17:01:24 2015 -0700 - - Merge pull request #12 from Microsoft/sjw/guid_fix - - Sjw/guid fix - -commit 64b66f5b46e1e91bd4793b45d1ee0147476c6c44 -Author: Stefan J. Wernli -Date: Tue Jul 21 16:39:29 2015 -0700 - - Fixing GUID.ToString to use correct endian-ness. - - Signed-off-by: Stefan J. Wernli - -commit 7d7fbd20760891b6fa6c37472d030fa58539b10c -Author: Stefan J. Wernli -Date: Tue Jul 21 13:15:11 2015 -0700 - - Changing layerutils to use new hcsshim guid hashing function. - - Signed-off-by: Stefan J. Wernli - -commit 153092cbbd77361091eae5236d0e09c8b3d08f1d -Merge: 4afa14d4f a8f1e11ed -Author: John Howard (Microsoft) -Date: Tue Jul 21 12:54:52 2015 -0700 - - Merge pull request #11 from Microsoft/sjw/guid_fix - - Adding methods for calling into hcsshim to do string to guid hashing. - -commit a8f1e11ed24329ab0c30da71e37d00b75cc60fe6 -Author: Stefan J. Wernli -Date: Tue Jul 21 12:46:42 2015 -0700 - - Adding methods for calling into hcsshim to do string to guid hashing. - - 
Signed-off-by: Stefan J. Wernli - -commit 4afa14d4ff91397d69e7beb3998018da98944f67 -Merge: f674a70f1 e3ddc6f4c -Author: John Howard (Microsoft) -Date: Mon Jul 20 08:44:30 2015 -0700 - - Merge pull request #10 from Microsoft/js/handles - - Improve stdin/out/err handling for container processes - -commit e3ddc6f4cb1bade154fcdec74e28129ff32539ea -Author: John Starks -Date: Sat Jul 18 16:37:35 2015 -0700 - - Improve stdin/out/err handling for container processes - - Use CreateProcessWithStdHandlesInComputeSystem to provide stdin/out/err. - This allows vmcompute.dll to handle creating the named pipes with the - correct paths, security attributes, etc. and provides flexibility for - changing the pipe creation protocol in future builds of Windows. - - Signed-off-by: John Starks - -commit f674a70f1306dbe20b3a516bedd3285d85db60d9 -Merge: 889b3b6e8 31695d474 -Author: John Howard (Microsoft) -Date: Thu Jul 16 11:56:43 2015 -0700 - - Merge pull request #9 from Microsoft/centralstore - - Support for central store - -commit 31695d4746956a0261aae0b301ccfc7d8ccca719 -Author: John Howard -Date: Thu Jul 16 11:45:03 2015 -0700 - - Support for central store - - Signed-off-by: John Howard - -commit 889b3b6e8f6c6c193ca068209edccb5bc0909276 -Merge: 2f540b26b 70d0861a2 -Author: John Howard (Microsoft) -Date: Thu Jul 16 10:32:54 2015 -0700 - - Merge pull request #8 from Microsoft/logging - - Fix logging - -commit 70d0861a2ab4bd5df20dce535159915472964d1a -Author: John Howard -Date: Thu Jul 16 10:31:31 2015 -0700 - - Fix logging - - Signed-off-by: John Howard - -commit 2f540b26beafc3d4aded4fc9799af261a1a91352 -Merge: 43a6d3f19 7e14d3e2a -Author: John Howard (Microsoft) -Date: Thu Jul 2 13:01:44 2015 -0700 - - Merge pull request #7 from Microsoft/fiximportexport - - Fix import/export proc calls - -commit 7e14d3e2aed25a7152a143dc4b495dfbf2887569 -Author: John Howard -Date: Thu Jul 2 13:01:06 2015 -0700 - - Fix import/export proc calls - - 
Signed-off-by: John Howard - -commit 43a6d3f190395c9b8af2f45c49ad8791e2a901c2 -Merge: 6d06be3e9 0a2675c8f -Author: John Howard (Microsoft) -Date: Thu Jul 2 11:24:31 2015 -0700 - - Merge pull request #6 from Microsoft/guid - - Make guid external - -commit 0a2675c8f278a462b154d61a74e29b0634d750d8 -Author: John Howard -Date: Thu Jul 2 11:23:52 2015 -0700 - - Make guid external - - Signed-off-by: John Howard - -commit 6d06be3e9d4ead787a58c0484079585d13aa2328 -Merge: c99df026c 96a17a471 -Author: John Howard (Microsoft) -Date: Wed Jul 1 16:29:54 2015 -0700 - - Merge pull request #5 from Microsoft/importexport - - Added Import/Export Layer - -commit 96a17a47192602c9a68e37d9a6cec4c770a193ff -Author: John Howard -Date: Wed Jul 1 16:28:33 2015 -0700 - - Added Import/Export Layer - - Signed-off-by: John Howard - -commit c99df026cb2488caad4535694d08da21e23b9bd7 -Merge: 406926754 715fbdbc9 -Author: John Howard (Microsoft) -Date: Wed Jul 1 15:13:52 2015 -0700 - - Merge pull request #4 from Microsoft/consolesizeplumbing - - Plumbing through ConsoleSize - -commit 715fbdbc9d42c768bd26114c0a7725278cfee682 -Author: John Howard -Date: Wed Jul 1 15:12:58 2015 -0700 - - Plumbing through ConsoleSize - - Signed-off-by: John Howard - -commit 406926754572cbb22ee286a75593d1ebb8b72a07 -Merge: 1efe3d09c 8148ab6c9 -Author: John Howard (Microsoft) -Date: Wed Jul 1 10:51:46 2015 -0700 - - Merge pull request #3 from Microsoft/terminatecomputesystem - - Added terminatecomputesystem - -commit 8148ab6c9050f654948db6c75736b0c2f8fdd2a1 -Author: John Howard -Date: Wed Jul 1 10:50:33 2015 -0700 - - Added terminatecomputesystem - - 
Signed-off-by: John Howard - -commit 1efe3d09c6979aebb0b2d1f39dcd731a0e102886 -Merge: 6d2d19951 09b19fbf2 -Author: John Howard (Microsoft) -Date: Tue Jun 30 18:27:24 2015 -0700 - - Merge pull request #2 from Microsoft/glmp-use - - Move use to avoid GC problem in GLMP - -commit 09b19fbf2218bccbb46245f17f6111179d796fa8 -Author: John Howard -Date: Tue Jun 30 18:25:40 2015 -0700 - - Move use to avoid GC problem in GLMP - - Signed-off-by: John Howard - -commit 6d2d19951953075a7b8ce486be6191b29ba4520a -Merge: bd2bb73fc ae87f320b -Author: John Howard (Microsoft) -Date: Tue Jun 30 12:07:02 2015 -0700 - - Merge pull request #1 from Microsoft/initial - - Initial implementation - -commit ae87f320b9e8cd9308f95f58576c306961105142 -Author: John Howard -Date: Tue Jun 30 11:49:00 2015 -0700 - - Initial implementation - - Signed-off-by: John Howard - -commit bd2bb73fc273fe06ba105a78cc8f097a5c0f3484 -Author: Candice Pfeister -Date: Mon Jun 29 09:44:26 2015 -0700 - - Initial commit diff --git a/internal/gcs-sidecar/bridge.go b/internal/gcs-sidecar/bridge.go index 8df933621a..a0f62f85d6 100644 --- a/internal/gcs-sidecar/bridge.go +++ b/internal/gcs-sidecar/bridge.go @@ -363,7 +363,6 @@ func (b *Bridge) ListenAndServeShimRequests() error { logrus.Error(err) break } - _, err = buffer.WriteTo(b.inboxGCSConn) if err != nil { err = errors.Wrap(err, "err forwarding shim req to inbox GCS") diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index 3943eb5bcd..68ace9951a 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go @@ -4,7 +4,6 @@ package bridge import ( - "context" "encoding/json" "fmt" "os" @@ -22,7 +21,6 @@ import ( "github.com/Microsoft/hcsshim/internal/protocol/guestresource" "github.com/Microsoft/hcsshim/internal/windevice" "github.com/Microsoft/hcsshim/pkg/cimfs" - "github.com/Microsoft/hcsshim/pkg/securitypolicy" "github.com/pkg/errors" ) 
@@ -101,9 +99,11 @@ func (b *Bridge) shutdownGraceful(req *request) (err error) { // TODO (kiashok/Mahati): Since gcs-sidecar can be used for all types of windows // containers, it is important to check if we want to // enforce policy or not. - b.hostState.securityPolicyEnforcer.EnforceShutdownContainerPolicy(req.ctx, r.ContainerID) - if err != nil { - return fmt.Errorf("rpcShudownGraceful operation not allowed: %v", err) + if b.hostState.isSecurityPolicyEnforcerInitialized() { + b.hostState.securityPolicyEnforcer.EnforceShutdownContainerPolicy(req.ctx, r.ContainerID) + if err != nil { + return fmt.Errorf("shutdownGraceful operation not allowed: %v", err) + } } b.forwardRequestToGcs(req) @@ -292,6 +292,10 @@ func (b *Bridge) modifySettings(req *request) (err error) { guestRequestType = guestrequest.RequestTypeAdd } + if guestRequestType == "" { + guestRequestType = guestrequest.RequestTypeAdd + } + switch guestRequestType { case guestrequest.RequestTypeAdd: case guestrequest.RequestTypeRemove: @@ -370,12 +374,12 @@ func (b *Bridge) modifySettings(req *request) (err error) { } if len(layerCIMs) > 1 { // Get the topmost merge CIM and invoke the MountMergedBlockCIMs - _, err := cimfs.MountMergedBlockCIMs(layerCIMs[0], layerCIMs[1:], wcowBlockCimMounts.MountFlags, wcowBlockCimMounts.VolumeGUID) + _, err := cimfs.MountMergedBlockCIMs(layerCIMs[0], layerCIMs[1:], wcowBlockCimMounts.MountFlags, wcowBlockCimMounts.VolumeGuid) if err != nil { return errors.Wrap(err, "error mounting multilayer block cims") } } else { - _, err := cimfs.Mount(filepath.Join(layerCIMs[0].BlockPath, layerCIMs[0].CimName), wcowBlockCimMounts.VolumeGUID, wcowBlockCimMounts.MountFlags) + _, err := cimfs.Mount(filepath.Join(layerCIMs[0].BlockPath, layerCIMs[0].CimName), wcowBlockCimMounts.VolumeGuid, wcowBlockCimMounts.MountFlags) if err != nil { return errors.Wrap(err, "error mounting merged block cims") } 
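Review bot: Inside the new `if b.hostState.isSecurityPolicyEnforcerInitialized()` block the result of `EnforceShutdownContainerPolicy` is still discarded, so the following `if err != nil` tests the named return `err`, which nothing in the hunk assigns; a policy denial therefore never stops the shutdown and `b.forwardRequestToGcs(req)` runs regardless. Assign the result: `if err = b.hostState.securityPolicyEnforcer.EnforceShutdownContainerPolicy(req.ctx, r.ContainerID); err != nil {`. While on that line, `%w` instead of `%v` would let callers match the denial with errors.Is/As. shutdownGraceful starts and continues outside the hunk, so an earlier assignment to `err` is possible, but nothing visible suggests one.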
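Review bot: The added `if guestRequestType == ""` block maps an absent RequestType onto `guestrequest.RequestTypeAdd`, the mount/attach direction, without saying why; defaulting the empty case to the most permissive branch rather than rejecting it (as the switch below presumably does for unknown values) deserves an explicit justification. Suggested comment above the block: `// An empty RequestType is treated as an Add; Remove must always be requested explicitly.` If the intent is compatibility with senders that omit the field, record that there as well. modifySettings starts and ends outside the hunk.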
@@ -401,9 +405,11 @@ func (b *Bridge) modifySettings(req *request) (err error) { // check that this is not denied by policy // TODO: modify gcs-sidecar code to pass context across all calls // TODO: Update modifyCombinedLayers with verified CimFS API - policy_err := modifyCombinedLayers(ctx, containerID, guestRequestType, settings.CombinedLayers, b.hostState.securityPolicyEnforcer) - if policy_err != nil { - return errors.Wrapf(policy_err, "CimFS layer mount is denied by policy: %v", settings) + if b.hostState.isSecurityPolicyEnforcerInitialized() { + policy_err := modifyCombinedLayers(ctx, containerID, guestRequestType, settings.CombinedLayers, b.hostState.securityPolicyEnforcer) + if policy_err != nil { + return errors.Wrapf(policy_err, "CimFS layer mount is denied by policy: %v", settings) + } } // TODO: Update modifyCombinedLayers with verified CimFS API @@ -443,12 +449,7 @@ func (b *Bridge) modifySettings(req *request) (err error) { wcowMappedVirtualDisk := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWMappedVirtualDisk) log.G(ctx).Tracef("ResourceTypeMappedVirtualDiskForContainerScratch: { %v }", wcowMappedVirtualDisk) - policy_err := modifyMappedVirtualDisk(ctx, guestRequestType, wcowMappedVirtualDisk, b.hostState.securityPolicyEnforcer) - if policy_err != nil { - return errors.Wrapf(policy_err, "Mount device denied by policy %v", wcowMappedVirtualDisk) - } - - // 1. TODO (kiashok/Mahati): Need to enforce policy before calling into fsFormatter + // 1. TODO (Mahati): Need to enforce policy before calling into fsFormatter // 2. Call fsFormatter to format the scratch disk. // This will return the volume path of the mounted scratch. // Scratch disk should be >= 30 GB for refs formatter to work. 
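Review bot: The re-indented lines keep the snake_case `policy_err`, which Go naming would write as `policyErr`; since the lines are rewritten anyway, renaming costs nothing. When `isSecurityPolicyEnforcerInitialized()` is false the CombinedLayers mount now proceeds with no policy decision and no trace of the skip; a debug log on that path, e.g. `log.G(ctx).Debug("security policy enforcer not initialized; skipping CombinedLayers policy check")`, would make the fail-open visible when reading traces. modifySettings starts and ends outside the hunk.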
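Review bot: The `ResourceTypeMappedVirtualDiskForContainerScratch` path loses its only policy decision: the `modifyMappedVirtualDisk` call and its denial error are deleted and replaced by a TODO comment, so the scratch disk is formatted and mounted with no enforcer involvement even when one is initialized. The other paths touched in this file (`shutdownGraceful`, the CombinedLayers branch in the hunk above) keep their check behind `b.hostState.isSecurityPolicyEnforcerInitialized()`; for consistency the same gate should wrap the existing call rather than dropping it, e.g. `if b.hostState.isSecurityPolicyEnforcerInitialized() { if policy_err := modifyMappedVirtualDisk(ctx, guestRequestType, wcowMappedVirtualDisk, b.hostState.securityPolicyEnforcer); policy_err != nil { return errors.Wrapf(policy_err, "Mount device denied by policy %v", wcowMappedVirtualDisk) } }`. If the removal is deliberate because the helper's device hash is not yet real, the TODO should state that the check is intentionally disabled and what restores it. modifySettings starts and ends outside the hunk.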
@@ -509,42 +510,3 @@ func (b *Bridge) modifySettings(req *request) (err error) { b.forwardRequestToGcs(req) return nil } - -func modifyMappedVirtualDisk( - ctx context.Context, - rt guestrequest.RequestType, - mvd *guestresource.WCOWMappedVirtualDisk, - securityPolicy securitypolicy.SecurityPolicyEnforcer, -) (err error) { - switch rt { - case guestrequest.RequestTypeAdd: - // TODO: Modify and update this with verified Cims API - return securityPolicy.EnforceDeviceMountPolicy(ctx, mvd.ContainerPath, "hash") - case guestrequest.RequestTypeRemove: - // TODO: Modify and update this with verified Cims API - return securityPolicy.EnforceDeviceUnmountPolicy(ctx, mvd.ContainerPath) - default: - return newInvalidRequestTypeError(rt) - } -} - -func modifyCombinedLayers( - ctx context.Context, - containerID string, - rt guestrequest.RequestType, - cl guestresource.WCOWCombinedLayers, - securityPolicy securitypolicy.SecurityPolicyEnforcer, -) (err error) { - switch rt { - case guestrequest.RequestTypeAdd: - layerPaths := make([]string, len(cl.Layers)) - for i, layer := range cl.Layers { - layerPaths[i] = layer.Path - } - return securityPolicy.EnforceOverlayMountPolicy(ctx, containerID, layerPaths, cl.ContainerRootPath) - case guestrequest.RequestTypeRemove: - return securityPolicy.EnforceOverlayUnmountPolicy(ctx, cl.ContainerRootPath) - default: - return newInvalidRequestTypeError(rt) - } -} diff --git a/internal/gcs-sidecar/uvm.go b/internal/gcs-sidecar/uvm.go index 85f4d6609b..54c94b4f91 100644 --- a/internal/gcs-sidecar/uvm.go +++ b/internal/gcs-sidecar/uvm.go @@ -4,6 +4,7 @@ package bridge import ( + "context" "encoding/json" "fmt" 
@@ -15,9 +16,53 @@ import ( "github.com/Microsoft/hcsshim/internal/oc" "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" "github.com/Microsoft/hcsshim/internal/protocol/guestresource" + "github.com/Microsoft/hcsshim/pkg/securitypolicy" "github.com/pkg/errors" ) +func modifyMappedVirtualDisk( + ctx context.Context, + rt guestrequest.RequestType, + mvd *guestresource.WCOWMappedVirtualDisk, + securityPolicy securitypolicy.SecurityPolicyEnforcer, +) (err error) { + switch rt { + case guestrequest.RequestTypeAdd: + // TODO: Modify and update this with verified Cims API + return securityPolicy.EnforceDeviceMountPolicy(ctx, mvd.ContainerPath, "hash") + case guestrequest.RequestTypeRemove: + // TODO: Modify and update this with verified Cims API + return securityPolicy.EnforceDeviceUnmountPolicy(ctx, mvd.ContainerPath) + default: + return newInvalidRequestTypeError(rt) + } +} + +func modifyCombinedLayers( + ctx context.Context, + containerID string, + rt guestrequest.RequestType, + cl guestresource.WCOWCombinedLayers, + securityPolicy securitypolicy.SecurityPolicyEnforcer, +) (err error) { + switch rt { + case guestrequest.RequestTypeAdd: + layerPaths := make([]string, len(cl.Layers)) + for i, layer := range cl.Layers { + layerPaths[i] = layer.Path + } + return securityPolicy.EnforceOverlayMountPolicy(ctx, containerID, layerPaths, cl.ContainerRootPath) + case guestrequest.RequestTypeRemove: + return securityPolicy.EnforceOverlayUnmountPolicy(ctx, cl.ContainerRootPath) + default: + return newInvalidRequestTypeError(rt) + } +} + +func newInvalidRequestTypeError(rt guestrequest.RequestType) error { + return errors.Errorf("the RequestType %q is not supported", rt) +} + func unmarshalContainerModifySettings(req *request) (_ *prot.ContainerModifySettings, err error) { ctx, span := oc.StartSpan(req.ctx, "sidecar::unmarshalContainerModifySettings") defer span.End() 
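Review bot: `modifyMappedVirtualDisk` passes the literal `"hash"` as the device hash to `EnforceDeviceMountPolicy`, so the enforcer's decision is independent of the disk actually being mounted, yet the function reads as a real check. Within this diff its only caller is removed (the scratch-disk hunk in modifySettings), so the moved function is unreferenced and staticcheck will likely flag it; either wire the real hash or mark it, e.g. `// TODO: "hash" is a placeholder until the verified CimFS API supplies the device hash; do not treat a pass here as a verified mount.` Both moved functions also declare a named result `err` that is never assigned; a bare `error` result is the conventional form.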
diff --git a/internal/hcs/schema2/cimfs.go b/internal/hcs/schema2/cimfs.go index 52fb62a829..b2a39d133b 100644 --- a/internal/hcs/schema2/cimfs.go +++ b/internal/hcs/schema2/cimfs.go @@ -9,9 +9,18 @@ package hcsschema +import "github.com/Microsoft/go-winio/pkg/guid" + type CimMount struct { ImagePath string `json:"ImagePath,omitempty"` FileSystemName string `json:"FileSystemName,omitempty"` VolumeGuid string `json:"VolumeGuid,omitempty"` MountFlags uint32 `json:"MountFlags,omitempty"` } + +type BlockCIMMount struct { + BlockLUNs []uint32 `json:"BlockLUNs,omitempty"` + CimNames []string `json:"CimNames,omitempty"` + VolumeGuid guid.GUID `json:"VolumeGuid,omitempty"` + MountFlags uint32 `json:"MountFlags,omitempty"` +} diff --git a/internal/layers/wcow_mount.go b/internal/layers/wcow_mount.go index 9df9f199eb..f1f928f880 100644 --- a/internal/layers/wcow_mount.go +++ b/internal/layers/wcow_mount.go @@ -43,7 +43,7 @@ func MountWCOWLayers(ctx context.Context, containerID string, vm *uvm.UtilityVM, if vm == nil { return mountProcessIsolatedBlockCIMLayers(ctx, containerID, l) } - return nil, nil, fmt.Errorf("hyperv isolated containers aren't supported with block cim layers") + return mountHypervIsolatedBlockCIMLayers(ctx, l, vm, containerID) default: return nil, nil, fmt.Errorf("invalid layer type %T", wl) } 
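Review bot: `omitempty` on `BlockCIMMount.VolumeGuid` has no effect because encoding/json never treats a struct value as empty, so a zero GUID is always emitted; drop the option, or make the field `*guid.GUID` if omission is intended. The exported type also lacks a doc comment, e.g. `// BlockCIMMount lists block CIM devices (by SCSI LUN and CIM name) that the guest mounts as the volume identified by VolumeGuid.`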
@@ -329,6 +329,89 @@ func mountProcessIsolatedBlockCIMLayers(ctx context.Context, containerID string, return mountedLayers, rcl, nil } +func mountHypervIsolatedBlockCIMLayers(ctx context.Context, l *wcowBlockCIMLayers, vm *uvm.UtilityVM, containerID string) (_ *MountedWCOWLayers, _ resources.ResourceCloser, err error) { + ctx, span := oc.StartSpan(ctx, "mountHyperVIsolatedBlockCIMLayers") + defer func() { + oc.SetSpanStatus(span, err) + span.End() + }() + + rcl := &resources.ResourceCloserList{} + defer func() { + if err != nil { + if rErr := rcl.Release(ctx); rErr != nil { + log.G(ctx).WithError(err).Warnf("mount process isolated forked CIM layers, undo failed with: %s", rErr) + } + } + }() + + log.G(ctx).WithFields(logrus.Fields{ + "scratch": l.scratchLayerPath, + "merged layer": l.mergedLayer, + "parent layers": l.parentLayers, + }).Debug("mounting hyperv isolated block CIM layers") + + mountedCIMs, err := vm.MountBlockCIMs(ctx, l.mergedLayer, l.parentLayers) + if err != nil { + return nil, nil, fmt.Errorf("failed to mount block CIMs in UVM: %w", err) + } + rcl.Add(mountedCIMs) + + // mount the CIM inside UVM now + log.G(ctx).WithField("volume", mountedCIMs.VolumePath).Debug("mounted blockCIM layers for hyperV isolated container") + + hostPath := filepath.Join(l.scratchLayerPath, "sandbox.vhdx") + + scsiMount, err := vm.SCSIManager.AddVirtualDisk(ctx, hostPath, false, vm.ID(), "", &scsi.MountConfig{ + FormatWithRefs: true, + }) + if err != nil { + return nil, nil, fmt.Errorf("failed to add SCSI scratch VHD: %w", err) + } + containerScratchPathInUVM := scsiMount.GuestPath() + rcl.Add(scsiMount) + + log.G(ctx).WithFields(logrus.Fields{ + "hostPath": hostPath, + "uvmPath": containerScratchPathInUVM, + }).Debug("mounted scratch VHD") + + mountedCIMLayerID, err := cimlayer.LayerID(mountedCIMs.VolumePath) + if err != nil { + return nil, nil, fmt.Errorf("failed to get layer ID for mounted block CIM: %w", err) + } + + ml := &MountedWCOWLayers{ + RootFS: 
containerScratchPathInUVM, + MountedLayerPaths: []MountedWCOWLayer{ + { + LayerID: mountedCIMLayerID, + MountedPath: mountedCIMs.VolumePath, + }, + }, + } + + hcsLayers := []hcsschema.Layer{ + { + Id: mountedCIMLayerID, + Path: filepath.Join(mountedCIMs.VolumePath, "Files"), + }, + } + + err = vm.CombineLayersForCWCOW(ctx, hcsLayers, ml.RootFS, containerID, hcsschema.UnionFS) + if err != nil { + return nil, nil, err + } + log.G(ctx).Debug("hcsshim::mountHyperVIsolatedBlockCIMLayers Succeeded") + + return ml, &wcowIsolatedWCIFSLayerCloser{ + uvm: vm, + guestCombinedLayersPath: ml.RootFS, + scratchMount: scsiMount, + layerClosers: []resources.ResourceCloser{rcl}, + }, nil +} + type wcowIsolatedWCIFSLayerCloser struct { uvm *uvm.UtilityVM guestCombinedLayersPath string @@ -440,7 +523,7 @@ func mountHypervIsolatedWCIFSLayers(ctx context.Context, l *wcowWCIFSLayers, vm }) } - err = vm.CombineLayersWCOW(ctx, hcsLayers, ml.RootFS) + err = vm.CombineLayersWCOW(ctx, hcsLayers, ml.RootFS, hcsschema.WCIFS) if err != nil { return nil, nil, err } diff --git a/internal/layers/wcow_parse.go b/internal/layers/wcow_parse.go index 15a820ccaa..c2da6f5b8d 100644 --- a/internal/layers/wcow_parse.go +++ b/internal/layers/wcow_parse.go 
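Review bot: The rollback message in the deferred closure says `mount process isolated forked CIM layers, undo failed with: %s` but this function mounts hyperv-isolated block CIM layers; it should read `mount hyperv isolated block CIM layers, undo failed with: %s`, and it should log `rErr` via `WithError` rather than the outer `err`. More importantly, `scsiMount` is added to `rcl` and also stored as `scratchMount` on the returned `wcowIsolatedWCIFSLayerCloser` whose `layerClosers` holds `rcl`; if that closer releases `scratchMount` itself (its Release method is outside the hunk) the scratch VHD is released twice, so either drop `rcl.Add(scsiMount)` or do not set `scratchMount`. The span name `mountHyperVIsolatedBlockCIMLayers` also differs in case from the function name.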
@@ -216,33 +216,7 @@ func ParseWCOWLayers(rootfs []*types.Mount, layerFolders []string) (WCOWLayers, } } -// GetWCOWUVMBootFilesFromLayers prepares the UVM boot files from the rootfs or layerFolders. -func GetWCOWUVMBootFilesFromLayers(ctx context.Context, rootfs []*types.Mount, layerFolders []string) (*uvm.WCOWBootFiles, error) { - var parentLayers []string - var scratchLayer string - var err error - - if err = validateRootfsAndLayers(rootfs, layerFolders); err != nil { - return nil, err - } - - if len(layerFolders) > 0 { - parentLayers = layerFolders[:len(layerFolders)-1] - scratchLayer = layerFolders[len(layerFolders)-1] - } else { - m := rootfs[0] - switch m.Type { - case legacyMountType: - parentLayers, err = getOptionAsArray(m, parentLayerPathsFlag) - if err != nil { - return nil, err - } - scratchLayer = m.Source - default: - return nil, fmt.Errorf("mount type '%s' is not supported for UVM boot", m.Type) - } - } - +func makeLegacyWCOWUVMBootFiles(ctx context.Context, scratchLayer string, parentLayers []string) (*uvm.WCOWBootFiles, error) { uvmFolder, err := uvmfolder.LocateUVMFolder(ctx, parentLayers) if err != nil { return nil, fmt.Errorf("failed to locate utility VM folder from layer folders: %w", err) 
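Review bot: `makeLegacyWCOWUVMBootFiles` is a new unexported helper with no doc comment, and it is now reached from two branches of GetWCOWUVMBootFilesFromLayers; a one-liner such as `// makeLegacyWCOWUVMBootFiles locates the utility VM folder in parentLayers and assembles the legacy (non-CIM) boot files for scratchLayer.` would orient the reader. The function body continues past the end of the hunk.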
@@ -272,3 +246,32 @@ func GetWCOWUVMBootFilesFromLayers(ctx context.Context, rootfs []*types.Mount, l }, }, nil } + +// GetWCOWUVMBootFilesFromLayers prepares the UVM boot files from the rootfs or layerFolders. +func GetWCOWUVMBootFilesFromLayers(ctx context.Context, rootfs []*types.Mount, layerFolders []string) (*uvm.WCOWBootFiles, error) { + var parentLayers []string + var scratchLayer string + var err error + + if err = validateRootfsAndLayers(rootfs, layerFolders); err != nil { + return nil, err + } + + if len(layerFolders) > 0 { + parentLayers = layerFolders[:len(layerFolders)-1] + scratchLayer = layerFolders[len(layerFolders)-1] + return makeLegacyWCOWUVMBootFiles(ctx, scratchLayer, parentLayers) + } else if rootfs[0].Type == legacyMountType { + parentLayers, err := getOptionAsArray(rootfs[0], parentLayerPathsFlag) + if err != nil { + return nil, err + } + return makeLegacyWCOWUVMBootFiles(ctx, rootfs[0].Source, parentLayers) + } else if rootfs[0].Type == blockCIMMountType { + return &uvm.WCOWBootFiles{ + BootType: uvm.BlockCIMBoot, + BlockCIMFiles: &uvm.BlockCIMBootFiles{}, + }, nil + } + return nil, fmt.Errorf("mount type '%s' is not supported for UVM boot", rootfs[0].Type) +} diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go index cf8de1227d..1e7325c196 100644 --- a/internal/oci/uvm.go +++ b/internal/oci/uvm.go @@ -5,6 +5,7 @@ package oci import ( "context" "errors" + "fmt" "maps" "strconv" 
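Review bot: The new `if`/`else if` chain on `rootfs[0].Type` re-declares `parentLayers` and `err` with `:=` inside the legacy branch, shadowing the `var` declarations at the top, which now only serve the layerFolders branch; a `switch rootfs[0].Type` with case-local `:=` and no top-level vars reads more clearly and removes the shadowing. `rootfs[0]` is indexed on the assumption that `validateRootfsAndLayers` guarantees a non-empty rootfs when layerFolders is empty — worth a comment if that is the contract. The block CIM branch returns an empty `BlockCIMBootFiles{}`; if the caller is expected to populate it, say so in the doc comment.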
@@ -189,10 +190,21 @@ func handleAnnotationFullyPhysicallyBacked(ctx context.Context, a map[string]str } } -// handleSecurityPolicy handles parsing SecurityPolicy and NoSecurityHardware and setting +// handleWCOWSecurityPolicy handles parsing SecurityPolicy for confidential hyper-v isolated windows containers +func handleWCOWSecurityPolicy(ctx context.Context, a map[string]string, wopts *uvm.OptionsWCOW) error { + wopts.SecurityPolicy = ParseAnnotationsString(a, annotations.WCOWSecurityPolicy, wopts.SecurityPolicy) + wopts.SecurityPolicyEnforcer = ParseAnnotationsString(a, annotations.WCOWSecurityPolicyEnforcer, wopts.SecurityPolicyEnforcer) + if len(wopts.SecurityPolicy) > 0 { + wopts.SecurityPolicyEnabled = true + return uvm.SetDefaultConfidentialWCOWBootConfig(wopts) + } + return nil +} + +// handleLCOWSecurityPolicy handles parsing SecurityPolicy and NoSecurityHardware and setting // implied options from the results. Both LCOW only, not WCOW. -func handleSecurityPolicy(ctx context.Context, a map[string]string, lopts *uvm.OptionsLCOW) { - lopts.SecurityPolicy = ParseAnnotationsString(a, annotations.SecurityPolicy, lopts.SecurityPolicy) +func handleLCOWSecurityPolicy(ctx context.Context, a map[string]string, lopts *uvm.OptionsLCOW) { + lopts.SecurityPolicy = ParseAnnotationsString(a, annotations.LCOWSecurityPolicy, lopts.SecurityPolicy) // allow actual isolated boot etc to be ignored if we have no hardware. Required for dev // this is not a security issue as the attestation will fail without a genuine report noSecurityHardware := ParseAnnotationsBool(ctx, a, annotations.NoSecurityHardware, false) 
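Review bot: `handleWCOWSecurityPolicy` sets `SecurityPolicyEnabled = true` purely from the annotation string's length, whereas the field's own comment in create_wcow.go says it marks a policy to apply on actual SNP hardware and should be preferred over checking the string length, and the LCOW counterpart just below consults `NoSecurityHardware` first. If WCOW has no equivalent hardware gate yet, document that here, e.g. `// TODO: no hardware check yet; any policy annotation enables confidential boot.`; otherwise mirror the LCOW handling. `ctx` is accepted but unused in the new function, and its doc comment should end with a period.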
@@ -308,8 +320,8 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) ( lopts.ExtraVSockPorts = ParseAnnotationCommaSeparatedUint32(ctx, s.Annotations, iannotations.ExtraVSockPorts, lopts.ExtraVSockPorts) handleAnnotationBootFilesPath(ctx, s.Annotations, lopts) lopts.EnableScratchEncryption = ParseAnnotationsBool(ctx, s.Annotations, annotations.EncryptedScratchDisk, lopts.EnableScratchEncryption) - lopts.SecurityPolicy = ParseAnnotationsString(s.Annotations, annotations.SecurityPolicy, lopts.SecurityPolicy) - lopts.SecurityPolicyEnforcer = ParseAnnotationsString(s.Annotations, annotations.SecurityPolicyEnforcer, lopts.SecurityPolicyEnforcer) + lopts.SecurityPolicy = ParseAnnotationsString(s.Annotations, annotations.LCOWSecurityPolicy, lopts.SecurityPolicy) + lopts.SecurityPolicyEnforcer = ParseAnnotationsString(s.Annotations, annotations.LCOWSecurityPolicyEnforcer, lopts.SecurityPolicyEnforcer) lopts.UVMReferenceInfoFile = ParseAnnotationsString(s.Annotations, annotations.UVMReferenceInfoFile, lopts.UVMReferenceInfoFile) lopts.KernelBootOptions = ParseAnnotationsString(s.Annotations, annotations.KernelBootOptions, lopts.KernelBootOptions) lopts.DisableTimeSyncService = ParseAnnotationsBool(ctx, s.Annotations, annotations.DisableLCOWTimeSyncService, lopts.DisableTimeSyncService) @@ -320,7 +332,7 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) ( // SecurityPolicy is very sensitive to other settings and will silently change those that are incompatible. // Eg VMPem device count, overridden kernel option cannot be respected. - handleSecurityPolicy(ctx, s.Annotations, lopts) + handleLCOWSecurityPolicy(ctx, s.Annotations, lopts) // override the default GuestState and DmVerityRootFs filenames if specified lopts.GuestStateFile = ParseAnnotationsString(s.Annotations, annotations.GuestStateFile, lopts.GuestStateFile) 
@@ -343,6 +355,9 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) ( wopts.NoInheritHostTimezone = ParseAnnotationsBool(ctx, s.Annotations, annotations.NoInheritHostTimezone, wopts.NoInheritHostTimezone) wopts.AdditionalRegistryKeys = append(wopts.AdditionalRegistryKeys, parseAdditionalRegistryValues(ctx, s.Annotations)...) handleAnnotationFullyPhysicallyBacked(ctx, s.Annotations, wopts) + if err := handleWCOWSecurityPolicy(ctx, s.Annotations, wopts); err != nil { + return nil, fmt.Errorf("failed to process WCOW security policy: %w", err) + } return wopts, nil } return nil, errors.New("cannot create UVM opts spec is not LCOW or WCOW") diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go index 60cce3e453..adcf3c9e59 100644 --- a/internal/protocol/guestresource/resources.go +++ b/internal/protocol/guestresource/resources.go @@ -71,9 +71,10 @@ type LCOWCombinedLayers struct { } type WCOWCombinedLayers struct { - ContainerRootPath string `json:"ContainerRootPath,omitempty"` - Layers []hcsschema.Layer `json:"Layers,omitempty"` - ScratchPath string `json:"ScratchPath,omitempty"` + ContainerRootPath string `json:"ContainerRootPath,omitempty"` + Layers []hcsschema.Layer `json:"Layers,omitempty"` + ScratchPath string `json:"ScratchPath,omitempty"` + FilterType hcsschema.FileSystemFilterType `json:"FilterType,omitempty"` } type CWCOWCombinedLayers struct { diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go new file mode 100644 index 0000000000..899e72c8a1 --- /dev/null +++ b/internal/uvm/cimfs.go 
@@ -0,0 +1,90 @@ +//go:build windows +// +build windows + +package uvm + +import ( + "context" + "fmt" + + "github.com/Microsoft/go-winio/pkg/guid" + "github.com/Microsoft/hcsshim/internal/log" + "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" + "github.com/Microsoft/hcsshim/internal/protocol/guestresource" + "github.com/Microsoft/hcsshim/internal/uvm/scsi" + "github.com/Microsoft/hcsshim/pkg/cimfs" + "github.com/sirupsen/logrus" +) + +type UVMMountedBlockCIMs struct { + scsiMounts []*scsi.Mount + // Volume Path inside the UVM at which the CIMs are mounted + VolumePath string +} + +func (umb *UVMMountedBlockCIMs) Release(ctx context.Context) error { + for i := len(umb.scsiMounts) - 1; i >= 0; i-- { + if err := umb.scsiMounts[i].Release(ctx); err != nil { + return err + } + } + return nil +} + +// mergedCIM can be nil, +// sourceCIMs MUST be in the top to bottom order +func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.BlockCIM, sourceCIMs []*cimfs.BlockCIM) (_ *UVMMountedBlockCIMs, err error) { + volumeGUID, err := guid.NewV4() + if err != nil { + return nil, fmt.Errorf("generated cim mount GUID: %w", err) + } + + layersToAttach := sourceCIMs + if mergedCIM != nil { + layersToAttach = append([]*cimfs.BlockCIM{mergedCIM}, sourceCIMs...) 
+ } + + settings := &guestresource.WCOWBlockCIMMounts{ + BlockCIMs: []guestresource.BlockCIMDevice{}, + VolumeGuid: volumeGUID, + MountFlags: cimfs.CimMountBlockDeviceCim, + } + + umb := &UVMMountedBlockCIMs{ + VolumePath: fmt.Sprintf(cimfs.VolumePathFormat, volumeGUID.String()), + scsiMounts: []*scsi.Mount{}, + } + + for _, bcim := range layersToAttach { + sm, err := uvm.SCSIManager.AddVirtualDisk(ctx, bcim.BlockPath, true, uvm.ID(), "", nil) + if err != nil { + return nil, fmt.Errorf("failed to attach block CIM %s: %w", bcim.BlockPath, err) + } + log.G(ctx).WithFields(logrus.Fields{ + "block path": bcim.BlockPath, + "cim name": bcim.CimName, + "scsi controller": sm.Controller(), + "scsi LUN": sm.LUN(), + }).Debugf("attached block CIM VHD") + settings.BlockCIMs = append(settings.BlockCIMs, guestresource.BlockCIMDevice{ + CimName: bcim.CimName, + Lun: int32(sm.LUN()), + }) + umb.scsiMounts = append(umb.scsiMounts, sm) + defer func() { + if err != nil { + sm.Release(ctx) + } + }() + } + + guestReq := guestrequest.ModificationRequest{ + ResourceType: guestresource.ResourceTypeWCOWBlockCims, + RequestType: guestrequest.RequestTypeAdd, + Settings: settings, + } + if err := uvm.GuestRequest(ctx, guestReq); err != nil { + return nil, fmt.Errorf("failed to mount the cim: %w", err) + } + return umb, nil +} diff --git a/internal/uvm/combine_layers.go b/internal/uvm/combine_layers.go index 468139c0f7..6d3919a4da 100644 --- a/internal/uvm/combine_layers.go +++ b/internal/uvm/combine_layers.go 
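Review bot: The per-iteration `defer` that releases `sm` on failure inspects the `err` declared by `sm, err := ...` inside the loop body, not the named result, so it always sees nil: if `AddVirtualDisk` fails on a later CIM or `GuestRequest` fails, every VHD already attached stays attached and `umb` is never returned for the caller to release. Replace the in-loop defers with one deferred cleanup that checks the named `err` and calls `umb.Release(ctx)`, and assign with `=` inside the loop so `err` is not shadowed; `sm.Release`'s error is also currently discarded. The exported `UVMMountedBlockCIMs` and `MountBlockCIMs` lack doc comments that start with their names.
```go
	umb := &UVMMountedBlockCIMs{
		VolumePath: fmt.Sprintf(cimfs.VolumePathFormat, volumeGUID.String()),
		scsiMounts: []*scsi.Mount{},
	}
	// Undo every attach on failure. This closure must observe the named
	// result err, so nothing below may shadow it with :=.
	defer func() {
		if err != nil {
			if rErr := umb.Release(ctx); rErr != nil {
				log.G(ctx).WithError(rErr).Warn("undo of block CIM attach failed")
			}
		}
	}()

	for _, bcim := range layersToAttach {
		var sm *scsi.Mount
		sm, err = uvm.SCSIManager.AddVirtualDisk(ctx, bcim.BlockPath, true, uvm.ID(), "", nil)
		if err != nil {
			return nil, fmt.Errorf("failed to attach block CIM %s: %w", bcim.BlockPath, err)
		}
		// … unchanged: debug log and settings.BlockCIMs append …
		umb.scsiMounts = append(umb.scsiMounts, sm)
	}
	// … unchanged: guestReq construction and GuestRequest call …
```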
@@ -10,11 +10,32 @@ import ( "github.com/Microsoft/hcsshim/internal/protocol/guestresource" ) +func (uvm *UtilityVM) CombineLayersForCWCOW(ctx context.Context, layerPaths []hcsschema.Layer, containerRootPath string, containerID string, filterType hcsschema.FileSystemFilterType) error { + if uvm.operatingSystem != "windows" { + return errNotSupported + } + msr := &hcsschema.ModifySettingRequest{ + GuestRequest: guestrequest.ModificationRequest{ + ResourceType: guestresource.ResourceTypeCWCOWCombinedLayers, + RequestType: guestrequest.RequestTypeAdd, + Settings: guestresource.CWCOWCombinedLayers{ + ContainerID: containerID, + CombinedLayers: guestresource.WCOWCombinedLayers{ + ContainerRootPath: containerRootPath, + Layers: layerPaths, + FilterType: filterType, + }, + }, + }, + } + return uvm.modify(ctx, msr) +} + // CombineLayersWCOW combines `layerPaths` with `containerRootPath` into the // container file system. // // Note: `layerPaths` and `containerRootPath` are paths from within the UVM. -func (uvm *UtilityVM) CombineLayersWCOW(ctx context.Context, layerPaths []hcsschema.Layer, containerRootPath string) error { +func (uvm *UtilityVM) CombineLayersWCOW(ctx context.Context, layerPaths []hcsschema.Layer, containerRootPath string, filterType hcsschema.FileSystemFilterType) error { if uvm.operatingSystem != "windows" { return errNotSupported } @@ -25,6 +46,7 @@ func (uvm *UtilityVM) CombineLayersWCOW(ctx context.Context, layerPaths []hcssch Settings: guestresource.WCOWCombinedLayers{ ContainerRootPath: containerRootPath, Layers: layerPaths, + FilterType: filterType, }, }, } diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go index 2b6f8c8b2d..9a72c06df4 100644 --- a/internal/uvm/create_wcow.go +++ b/internal/uvm/create_wcow.go 
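Review bot: `CombineLayersForCWCOW` is exported without a doc comment, and it duplicates `CombineLayersWCOW` except for the resource type and the containerID wrapper. Suggested: `// CombineLayersForCWCOW is the confidential-WCOW variant of CombineLayersWCOW: it sends a CWCOWCombinedLayers request that additionally carries containerID, presumably so the sidecar can enforce policy per container. layerPaths and containerRootPath are paths from within the UVM.` Building the inner `WCOWCombinedLayers` in one small helper shared by both methods would keep the two from drifting.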
@@ -22,6 +22,7 @@ import ( "github.com/Microsoft/hcsshim/internal/oc" "github.com/Microsoft/hcsshim/internal/processorinfo" "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" + "github.com/Microsoft/hcsshim/internal/protocol/guestresource" "github.com/Microsoft/hcsshim/internal/schemaversion" "github.com/Microsoft/hcsshim/internal/security" "github.com/Microsoft/hcsshim/internal/uvm/scsi" @@ -30,9 +31,10 @@ import ( ) type ConfidentialWCOWOptions struct { - GuestStateFilePath string // The vmgs file path - SecurityPolicyEnabled bool // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length - SecurityPolicy string // Optional security policy + GuestStateFilePath string // The vmgs file path + SecurityPolicyEnabled bool // Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length + SecurityPolicy string // Optional security policy + SecurityPolicyEnforcer string /* Below options are only included for testing/debugging purposes - shouldn't be used in regular scenarios */ IsolationType string @@ -57,6 +59,15 @@ type OptionsWCOW struct { AdditionalRegistryKeys []hcsschema.RegistryValue } +// WindowsSidecarGcsHvsockServiceID is the hvsock service ID that the Windows GCS +// sidecar will connect to. This is only used in the confidential mode. +var windowsSidecarGcsHvsockServiceID = guid.GUID{ + Data1: 0xae8da506, + Data2: 0xa019, + Data3: 0x4553, + Data4: [8]uint8{0xa5, 0x2b, 0x90, 0x2b, 0xc0, 0xfa, 0x04, 0x11}, +} + // NewDefaultOptionsWCOW creates the default options for a bootable version of // WCOW. The caller `MUST` set the `BootFiles` on the returned value. // 
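Review bot: The doc comment on the new hvsock service ID starts with `WindowsSidecarGcsHvsockServiceID` but the variable is the unexported `windowsSidecarGcsHvsockServiceID`; doc comments should begin with the identifier as written. `SecurityPolicyEnforcer` is the only `ConfidentialWCOWOptions` field without a trailing comment, e.g. `// Name of the enforcer to initialize (see annotations.WCOWSecurityPolicyEnforcer)`.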
@@ -72,6 +83,41 @@ func NewDefaultOptionsWCOW(id, owner string) *OptionsWCOW { } } +// SetDefaultConfidentialWCOWBootConfig updates the given WCOW UVM creation options (with the +// default values) so that the created UVM does a confidential boot. +func SetDefaultConfidentialWCOWBootConfig(opts *OptionsWCOW) error { + selfDir, err := filepath.Abs(filepath.Dir(os.Args[0])) + if err != nil { + return fmt.Errorf("failed to get absolute path to shim directory: %w", err) + } + + bootDir := filepath.Join(selfDir, "WindowsBootFiles", "confidential") + opts.GuestStateFilePath = filepath.Join(bootDir, "cwcow.vmgs") + opts.BootFiles = &WCOWBootFiles{ + BootType: BlockCIMBoot, + BlockCIMFiles: &BlockCIMBootFiles{ + BootCIMVHDPath: filepath.Join(bootDir, "rootfs.vhd"), + EFIVHDPath: filepath.Join(bootDir, "boot.vhd"), + ScratchVHDPath: filepath.Join(bootDir, "scratch.vhd"), + }, + } + for _, path := range []string{ + opts.GuestStateFilePath, + opts.BootFiles.BlockCIMFiles.BootCIMVHDPath, + opts.BootFiles.BlockCIMFiles.EFIVHDPath, + opts.BootFiles.BlockCIMFiles.ScratchVHDPath} { + if _, err := os.Stat(path); err != nil { + return fmt.Errorf("failed to stat boot file `%s` for confidential WCOW: %w", path, err) + } + } + + //TODO(ambarve): for testing only remove later + opts.IsolationType = "GuestStateOnly" + opts.DisableSecureBoot = true + opts.ConsolePipe = "\\\\.\\pipe\\uvmpipe" + return nil +} + // startExternalGcsListener connects to the GCS service running inside the // UVM. gcsServiceID can either be the service ID of the default GCS that is present in // all UtilityVMs or it can be the service ID of the sidecar GCS that is used mostly in 
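Review bot: The three assignments after `//TODO(ambarve): for testing only remove later` — `opts.IsolationType = "GuestStateOnly"`, `opts.DisableSecureBoot = true` and the `ConsolePipe` — are applied unconditionally, and `handleWCOWSecurityPolicy` calls this function for every spec carrying a WCOW security policy annotation. The annotation meant to turn on policy enforcement therefore produces a UVM with secure boot disabled and non-SNP isolation, the opposite of what a policy-bearing spec expects. Gate these behind an explicit debug option or remove them before merge, and note in the doc comment that boot files are resolved relative to `os.Args[0]` and that `opts.BootFiles` is overwritten even if the caller set one.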
@@ -328,10 +374,6 @@ func prepareSecurityConfigDoc(ctx context.Context, uvm *UtilityVM, opts *Options doc.VirtualMachine.SecuritySettings.Isolation.IsolationType = opts.IsolationType } - if err := wclayer.GrantVmAccess(ctx, uvm.id, opts.GuestStateFilePath); err != nil { - return nil, errors.Wrap(err, "failed to grant vm access to guest state file") - } - doc.VirtualMachine.GuestState = &hcsschema.GuestState{ GuestStateFilePath: opts.GuestStateFilePath, GuestStateFileType: "BlockStorage", @@ -478,6 +520,11 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error var doc *hcsschema.ComputeSystem if opts.SecurityPolicyEnabled { + uvm.WCOWconfidentialUVMOptions = &guestresource.WCOWConfidentialOptions{ + WCOWSecurityPolicyEnabled: true, + WCOWSecurityPolicy: opts.SecurityPolicy, + WCOWSecurityPolicyEnforcer: opts.SecurityPolicyEnforcer, + } doc, err = prepareSecurityConfigDoc(ctx, uvm, opts) log.G(ctx).Tracef("CreateWCOW prepareSecurityConfigDoc result doc: %v err %v", doc, err) } else { @@ -495,7 +542,7 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error gcsServiceID := prot.WindowsGcsHvsockServiceID if opts.SecurityPolicyEnabled { - gcsServiceID = prot.WindowsSidecarGcsHvsockServiceID + gcsServiceID = windowsSidecarGcsHvsockServiceID } if err = uvm.startExternalGcsListener(ctx, gcsServiceID); err != nil { diff --git a/internal/uvm/start.go b/internal/uvm/start.go index 90b97b314d..8b06743ccd 100644 --- a/internal/uvm/start.go +++ b/internal/uvm/start.go @@ -157,7 +157,7 @@ func (uvm *UtilityVM) configureHvSocketForGCS(ctx context.Context) (err error) { func (uvm *UtilityVM) Start(ctx context.Context) (err error) { // save parent context, without timeout to use in terminate pCtx := ctx - ctx, cancel := context.WithTimeout(pCtx, 2*time.Minute) + ctx, cancel := context.WithTimeout(pCtx, 200*time.Minute) g, gctx := errgroup.WithContext(ctx) defer func() { _ = g.Wait() 
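Review bot: The `wclayer.GrantVmAccess` call on `opts.GuestStateFilePath` is removed from prepareSecurityConfigDoc with no replacement visible in this diff; unless the grant has moved elsewhere, the VM worker process may no longer be able to open the vmgs file. If it was dropped because the file now lives under the shim directory, a comment saying so would stop it being re-added.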
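Review bot: The Start timeout grows from `2*time.Minute` to `200*time.Minute`, which looks like a debugging leftover: a guest that never reports ready now blocks Start, and the errgroup it drives, for over three hours instead of failing fast. If confidential WCOW boot genuinely needs longer, make it a bounded per-UVM option rather than a 100x global change, e.g. keep `ctx, cancel := context.WithTimeout(pCtx, 2*time.Minute)` and override only when `uvm.WCOWconfidentialUVMOptions != nil`.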
diff --git a/internal/wclayer/cim/block_cim_writer.go b/internal/wclayer/cim/block_cim_writer.go index 1e7da68c05..33e9a4c23f 100644 --- a/internal/wclayer/cim/block_cim_writer.go +++ b/internal/wclayer/cim/block_cim_writer.go @@ -5,10 +5,15 @@ package cim import ( "context" "fmt" + "os" "path/filepath" + "strconv" "github.com/Microsoft/go-winio" + "github.com/Microsoft/hcsshim/ext4/tar2ext4" "github.com/Microsoft/hcsshim/internal/log" + "github.com/Microsoft/hcsshim/internal/wclayer" + "github.com/Microsoft/hcsshim/osversion" "github.com/Microsoft/hcsshim/pkg/cimfs" ) 
@@ -133,3 +138,47 @@ func (cw *BlockCIMLayerWriter) AddLink(name string, target string) error { return nil } + +func (cw *BlockCIMLayerWriter) Close(ctx context.Context) error { + processUtilityVM := false + if cw.hasUtilityVM { + uvmSoftwareHivePath := filepath.Join(cw.layerPath, wclayer.UtilityVMPath, wclayer.RegFilesPath, "SOFTWARE") + osvStr, err := getOsBuildNumberFromRegistry(uvmSoftwareHivePath) + if err != nil { + return fmt.Errorf("read os version string from UtilityVM SOFTWARE hive: %w", err) + } + + osv, err := strconv.ParseUint(osvStr, 10, 16) + if err != nil { + return fmt.Errorf("parse os version string (%s): %w", osvStr, err) + } + + // write this version to a file for future reference by the shim process + if err = wclayer.WriteLayerUvmBuildFile(cw.layerPath, uint16(osv)); err != nil { + return fmt.Errorf("write uvm build version: %w", err) + } + + // TODO(ambarve): use the accurate OS version here. + // CIMFS for hyperV isolated is only supported after WS2025, processing + // UtilityVM layer lower builds will cause failures since those images + // won't have CIMFS specific UVM files (mostly BCD entries required for + // CIMFS) + processUtilityVM = (osv >= osversion.LTSC2025) + log.G(ctx).Debugf("import image os version %d, processing UtilityVM layer: %t\n", osv, processUtilityVM) + } + if err := cw.cimLayerWriter.Close(ctx, processUtilityVM); err != nil { + return fmt.Errorf("failed to close cim layer writer: %w", err) + } + // append footer only after all writers are closed + + blockFile, err := os.OpenFile(cw.layer.BlockPath, os.O_WRONLY, 0777) + if err != nil { + return fmt.Errorf("failed to open block CIM to append VHD footer: %w", err) + } + defer blockFile.Close() + + if err := tar2ext4.ConvertToVhd(blockFile); err != nil { + return fmt.Errorf("failed to append VHD footer: %w", err) + } + return nil +} diff --git a/internal/wclayer/cim/common.go b/internal/wclayer/cim/common.go index 391a5aaeda..0dfeffe531 100644 
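Review bot: `defer blockFile.Close()` discards the close error on a file that `ConvertToVhd` has just written, so a deferred write failure is reported as success; add `if err := blockFile.Close(); err != nil { return fmt.Errorf("failed to close block CIM after appending VHD footer: %w", err) }` after the ConvertToVhd call and let the existing defer cover only the error paths. The `0777` perm argument is ignored without `os.O_CREATE` and only suggests a world-writable file; `0` or `0o600` is clearer. The `osv >= osversion.LTSC2025` decision is driven by a `CurrentBuild` string read from the image's own SOFTWARE hive, i.e. image-controlled input, which is acceptable for feature selection but worth stating in the comment; the trailing `\n` in the Debugf message is redundant with logrus.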
--- a/internal/wclayer/cim/common.go +++ b/internal/wclayer/cim/common.go @@ -169,7 +169,7 @@ func (cw *cimLayerWriter) Write(b []byte) (int, error) { } // Close finishes the layer writing process and releases any resources. -func (cw *cimLayerWriter) Close(ctx context.Context) (retErr error) { +func (cw *cimLayerWriter) Close(ctx context.Context, processUtilityVM bool) (retErr error) { if err := cw.stdFileWriter.Close(ctx); err != nil { return err } @@ -181,9 +181,6 @@ func (cw *cimLayerWriter) Close(ctx context.Context) (retErr error) { } }() - // We don't support running UtilityVM with CIM layers yet. - processUtilityVM := false - if len(cw.parentLayerPaths) == 0 { if err := cw.processBaseLayer(ctx, processUtilityVM); err != nil { return fmt.Errorf("process base layer: %w", err) diff --git a/internal/wclayer/cim/forked_cim_writer.go b/internal/wclayer/cim/forked_cim_writer.go index 7da052b515..c5c311e4fa 100644 --- a/internal/wclayer/cim/forked_cim_writer.go +++ b/internal/wclayer/cim/forked_cim_writer.go @@ -76,3 +76,9 @@ func (cw *ForkedCimLayerWriter) Remove(name string) error { } return fmt.Errorf("failed to remove file: %w", err) } + +// Close finishes the layer writing process and releases any resources. +func (cw *ForkedCimLayerWriter) Close(ctx context.Context) error { + // we don't support running UVMs with forked CIM layers + return cw.cimLayerWriter.Close(ctx, false) +} diff --git a/internal/wclayer/cim/process.go b/internal/wclayer/cim/process.go index ace81122bc..03c8706352 100644 --- a/internal/wclayer/cim/process.go +++ b/internal/wclayer/cim/process.go 
@@ -13,9 +13,15 @@ import ( "golang.org/x/sys/windows" ) +const defaultVHDXBlockSizeInMB = 1 + // processUtilityVMLayer will handle processing of UVM specific files when we start // supporting UVM based containers with CimFS in the future. func processUtilityVMLayer(ctx context.Context, layerPath string) error { + // TODO(ambarve): + // 1. create a scratch VHD + // 2. create a diff scratch VHD + // 3. create an EFI partition VHD for boot return nil } diff --git a/internal/wclayer/cim/registry.go b/internal/wclayer/cim/registry.go index c95b03ca37..d7b7f56191 100644 --- a/internal/wclayer/cim/registry.go +++ b/internal/wclayer/cim/registry.go @@ -5,9 +5,11 @@ package cim import ( "fmt" + "github.com/Microsoft/hcsshim/internal/log" "github.com/Microsoft/hcsshim/internal/winapi" "github.com/Microsoft/hcsshim/osversion" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) // mergeHive merges the hive located at parentHivePath with the hive located at deltaHivePath and stores 
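Review bot: `defaultVHDXBlockSizeInMB` is introduced without any use in this diff (processUtilityVMLayer still just returns nil), so it reads as a placeholder for the TODO list and staticcheck's unused check will likely flag it until the VHD creation lands. A comment tying it to the plan, e.g. `// block size for the scratch and EFI VHDs to be created by processUtilityVMLayer`, would make the intent clear.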
@@ -47,3 +49,51 @@ func mergeHive(parentHivePath, deltaHivePath, mergedHivePath string) (err error) } return } + +// getOsBuildNumberFromRegistry fetches the "CurrentBuild" value at path +// "Microsoft\Windows NT\CurrentVersion" from the SOFTWARE registry hive at path +// `regHivePath`. This is used to detect the build version of the uvm. +func getOsBuildNumberFromRegistry(regHivePath string) (_ string, err error) { + var storeHandle, keyHandle winapi.ORHKey + var dataType, dataLen uint32 + keyPath := "Microsoft\\Windows NT\\CurrentVersion" + valueName := "CurrentBuild" + dataLen = 16 // build version string can't be more than 5 wide chars? + dataBuf := make([]byte, dataLen) + + if err = winapi.OROpenHive(regHivePath, &storeHandle); err != nil { + return "", fmt.Errorf("failed to open registry store at %s: %s", regHivePath, err) + } + defer func() { + if closeErr := winapi.ORCloseHive(storeHandle); closeErr != nil { + log.L.WithFields(logrus.Fields{ + "error": closeErr, + "hive": regHivePath, + }).Warnf("failed to close hive") + } + }() + + if err = winapi.OROpenKey(storeHandle, keyPath, &keyHandle); err != nil { + return "", fmt.Errorf("failed to open key at %s: %s", keyPath, err) + } + defer func() { + if closeErr := winapi.ORCloseKey(keyHandle); closeErr != nil { + log.L.WithFields(logrus.Fields{ + "error": closeErr, + "hive": regHivePath, + "key": keyPath, + "value": valueName, + }).Warnf("failed to close hive key") + } + }() + + if err = winapi.ORGetValue(keyHandle, "", valueName, &dataType, &dataBuf[0], &dataLen); err != nil { + return "", fmt.Errorf("failed to get value of %s: %s", valueName, err) + } + + if dataType != uint32(winapi.REG_TYPE_SZ) { + return "", fmt.Errorf("unexpected build number data type (%d)", dataType) + } + + return winapi.ParseUtf16LE(dataBuf[:(dataLen - 2)]), nil +} diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go index f1470591bf..75aa1aedfe 100644 --- a/pkg/annotations/annotations.go 
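Review bot: `dataBuf[:(dataLen - 2)]` underflows if `ORGetValue` reports a `dataLen` below 2 (an empty or malformed `CurrentBuild` value): `dataLen` is `uint32`, so the bound wraps and the slice expression panics, and if the API reports the required size instead of failing on a too-small buffer the same expression overruns the 16-byte `dataBuf`. The hive belongs to the image being imported, i.e. untrusted input, so guard with `if dataLen < 2 || dataLen > uint32(len(dataBuf)) { return "", fmt.Errorf("unexpected build number data length (%d)", dataLen) }` before slicing. The `-2` also assumes a NUL-terminated REG_SZ, the errors use `%s` where `%w` would keep the winapi error inspectable, and the `?` in the buffer-size comment should be resolved rather than shipped.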
+++ b/pkg/annotations/annotations.go @@ -221,12 +221,12 @@ const ( // should be encrypted or not. EncryptedScratchDisk = "io.microsoft.virtualmachine.storage.scratch.encrypted" - // SecurityPolicy is used to specify a security policy for opengcs to enforce. - SecurityPolicy = "io.microsoft.virtualmachine.lcow.securitypolicy" + // LCOWSecurityPolicy is used to specify a security policy for opengcs to enforce. + LCOWSecurityPolicy = "io.microsoft.virtualmachine.lcow.securitypolicy" - // SecurityPolicyEnforcer is used to specify which enforcer to initialize (open-door, standard or rego). + // LCOWSecurityPolicyEnforcer is used to specify which enforcer to initialize (open-door, standard or rego). // This allows for better fallback mechanics. - SecurityPolicyEnforcer = "io.microsoft.virtualmachine.lcow.enforcer" + LCOWSecurityPolicyEnforcer = "io.microsoft.virtualmachine.lcow.enforcer" // WCOW SecurityPolicy is used to specify a security policy for opengcs to enforce. WCOWSecurityPolicy = "io.microsoft.virtualmachine.wcow.securitypolicy" diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_deprecated.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_deprecated.go deleted file mode 100644 index c6cd443455..0000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_deprecated.go +++ /dev/null 
@@ -1,81 +0,0 @@ -package user - -import ( - "io" - - "github.com/moby/sys/user" -) - -// LookupUser looks up a user by their username in /etc/passwd. If the user -// cannot be found (or there is no /etc/passwd file on the filesystem), then -// LookupUser returns an error. -func LookupUser(username string) (user.User, error) { - return user.LookupUser(username) -} - -// LookupUid looks up a user by their user id in /etc/passwd. If the user cannot -// be found (or there is no /etc/passwd file on the filesystem), then LookupId -// returns an error. -func LookupUid(uid int) (user.User, error) { //nolint:revive // ignore var-naming: func LookupUid should be LookupUID - return user.LookupUid(uid) -} - -// LookupGroup looks up a group by its name in /etc/group. If the group cannot -// be found (or there is no /etc/group file on the filesystem), then LookupGroup -// returns an error. -func LookupGroup(groupname string) (user.Group, error) { - return user.LookupGroup(groupname) -} - -// LookupGid looks up a group by its group id in /etc/group. If the group cannot -// be found (or there is no /etc/group file on the filesystem), then LookupGid -// returns an error. -func LookupGid(gid int) (user.Group, error) { - return user.LookupGid(gid) -} - -func GetPasswdPath() (string, error) { - return user.GetPasswdPath() -} - -func GetPasswd() (io.ReadCloser, error) { - return user.GetPasswd() -} - -func GetGroupPath() (string, error) { - return user.GetGroupPath() -} - -func GetGroup() (io.ReadCloser, error) { - return user.GetGroup() -} - -// CurrentUser looks up the current user by their user id in /etc/passwd. If the -// user cannot be found (or there is no /etc/passwd file on the filesystem), -// then CurrentUser returns an error. -func CurrentUser() (user.User, error) { - return user.CurrentUser() -} - -// CurrentGroup looks up the current user's group by their primary group id's -// entry in /etc/passwd. 
If the group cannot be found (or there is no -// /etc/group file on the filesystem), then CurrentGroup returns an error. -func CurrentGroup() (user.Group, error) { - return user.CurrentGroup() -} - -func CurrentUserSubUIDs() ([]user.SubID, error) { - return user.CurrentUserSubUIDs() -} - -func CurrentUserSubGIDs() ([]user.SubID, error) { - return user.CurrentUserSubGIDs() -} - -func CurrentProcessUIDMap() ([]user.IDMap, error) { - return user.CurrentProcessUIDMap() -} - -func CurrentProcessGIDMap() ([]user.IDMap, error) { - return user.CurrentProcessGIDMap() -} diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user_deprecated.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user_deprecated.go deleted file mode 100644 index 3c29f3d1d8..0000000000 --- a/vendor/github.com/opencontainers/runc/libcontainer/user/user_deprecated.go +++ /dev/null 
@@ -1,146 +0,0 @@ -// Package user is an alias for [github.com/moby/sys/user]. -// -// Deprecated: use [github.com/moby/sys/user]. -package user - -import ( - "io" - - "github.com/moby/sys/user" -) - -var ( - // ErrNoPasswdEntries is returned if no matching entries were found in /etc/group. - ErrNoPasswdEntries = user.ErrNoPasswdEntries - // ErrNoGroupEntries is returned if no matching entries were found in /etc/passwd. - ErrNoGroupEntries = user.ErrNoGroupEntries - // ErrRange is returned if a UID or GID is outside of the valid range. - ErrRange = user.ErrRange -) - -type ( - User = user.User - - Group = user.Group - - // SubID represents an entry in /etc/sub{u,g}id. - SubID = user.SubID - - // IDMap represents an entry in /proc/PID/{u,g}id_map. - IDMap = user.IDMap - - ExecUser = user.ExecUser -) - -func ParsePasswdFile(path string) ([]user.User, error) { - return user.ParsePasswdFile(path) -} - -func ParsePasswd(passwd io.Reader) ([]user.User, error) { - return user.ParsePasswd(passwd) -} - -func ParsePasswdFileFilter(path string, filter func(user.User) bool) ([]user.User, error) { - return user.ParsePasswdFileFilter(path, filter) -} - -func ParsePasswdFilter(r io.Reader, filter func(user.User) bool) ([]user.User, error) { - return user.ParsePasswdFilter(r, filter) -} - -func ParseGroupFile(path string) ([]user.Group, error) { - return user.ParseGroupFile(path) -} - -func ParseGroup(group io.Reader) ([]user.Group, error) { - return user.ParseGroup(group) -} - -func ParseGroupFileFilter(path string, filter func(user.Group) bool) ([]user.Group, error) { - return user.ParseGroupFileFilter(path, filter) -} - -func ParseGroupFilter(r io.Reader, filter func(user.Group) bool) ([]user.Group, error) { - return user.ParseGroupFilter(r, filter) -} - -// GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the -// given file paths and uses that data as the arguments to GetExecUser. 
If the -// files cannot be opened for any reason, the error is ignored and a nil -// io.Reader is passed instead. -func GetExecUserPath(userSpec string, defaults *user.ExecUser, passwdPath, groupPath string) (*user.ExecUser, error) { - return user.GetExecUserPath(userSpec, defaults, passwdPath, groupPath) -} - -// GetExecUser parses a user specification string (using the passwd and group -// readers as sources for /etc/passwd and /etc/group data, respectively). In -// the case of blank fields or missing data from the sources, the values in -// defaults is used. -// -// GetExecUser will return an error if a user or group literal could not be -// found in any entry in passwd and group respectively. -// -// Examples of valid user specifications are: -// - "" -// - "user" -// - "uid" -// - "user:group" -// - "uid:gid -// - "user:gid" -// - "uid:group" -// -// It should be noted that if you specify a numeric user or group id, they will -// not be evaluated as usernames (only the metadata will be filled). So attempting -// to parse a user with user.Name = "1337" will produce the user with a UID of -// 1337. -func GetExecUser(userSpec string, defaults *user.ExecUser, passwd, group io.Reader) (*user.ExecUser, error) { - return user.GetExecUser(userSpec, defaults, passwd, group) -} - -// GetAdditionalGroups looks up a list of groups by name or group id -// against the given /etc/group formatted data. If a group name cannot -// be found, an error will be returned. If a group id cannot be found, -// or the given group data is nil, the id will be returned as-is -// provided it is in the legal range. -func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, error) { - return user.GetAdditionalGroups(additionalGroups, group) -} - -// GetAdditionalGroupsPath is a wrapper around GetAdditionalGroups -// that opens the groupPath given and gives it as an argument to -// GetAdditionalGroups. 
-func GetAdditionalGroupsPath(additionalGroups []string, groupPath string) ([]int, error) { - return user.GetAdditionalGroupsPath(additionalGroups, groupPath) -} - -func ParseSubIDFile(path string) ([]user.SubID, error) { - return user.ParseSubIDFile(path) -} - -func ParseSubID(subid io.Reader) ([]user.SubID, error) { - return user.ParseSubID(subid) -} - -func ParseSubIDFileFilter(path string, filter func(user.SubID) bool) ([]user.SubID, error) { - return user.ParseSubIDFileFilter(path, filter) -} - -func ParseSubIDFilter(r io.Reader, filter func(user.SubID) bool) ([]user.SubID, error) { - return user.ParseSubIDFilter(r, filter) -} - -func ParseIDMapFile(path string) ([]user.IDMap, error) { - return user.ParseIDMapFile(path) -} - -func ParseIDMap(r io.Reader) ([]user.IDMap, error) { - return user.ParseIDMap(r) -} - -func ParseIDMapFileFilter(path string, filter func(user.IDMap) bool) ([]user.IDMap, error) { - return user.ParseIDMapFileFilter(path, filter) -} - -func ParseIDMapFilter(r io.Reader, filter func(user.IDMap) bool) ([]user.IDMap, error) { - return user.ParseIDMapFilter(r, filter) -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 0deb3148a3..9c4e6419a4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -397,7 +397,6 @@ github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/runc v1.2.3 ## explicit; go 1.22 github.com/opencontainers/runc/libcontainer/devices -github.com/opencontainers/runc/libcontainer/user # github.com/opencontainers/runtime-spec v1.2.0 ## explicit github.com/opencontainers/runtime-spec/specs-go diff --git "a/\357\200\222-f" "b/\357\200\222-f" deleted file mode 100644 index 20ad6942d1..0000000000 --- "a/\357\200\222-f" +++ /dev/null @@ -1 +0,0 @@ -erskiashokgosrcgithub.comMicrosofthcsshim qq From c5db9b60aea7ab57a836239fbabe59f94456af47 Mon Sep 17 00:00:00 2001 From: Kirtana Ashok Date: Mon, 28 Apr 2025 14:34:27 -0700 Subject: [PATCH 06/20] Conditionally startup psp driver 
Signed-off-by: Kirtana Ashok --- internal/gcs-sidecar/handlers.go | 9 +- internal/gcs-sidecar/host.go | 26 ++++- internal/oci/uvm.go | 9 ++ internal/protocol/guestresource/resources.go | 1 + internal/pspdriver/pspdriver.go | 105 +++++++++++++++++++ internal/uvm/create_wcow.go | 4 + internal/uvm/security_policy.go | 7 ++ internal/uvm/start.go | 1 + 8 files changed, 158 insertions(+), 4 deletions(-) create mode 100644 internal/pspdriver/pspdriver.go diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index 68ace9951a..8702c94e9f 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go @@ -334,8 +334,13 @@ func (b *Bridge) modifySettings(req *request) (err error) { case guestresource.ResourceTypeSecurityPolicy: securityPolicyRequest := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWConfidentialOptions) log.G(ctx).Tracef("WCOWConfidentialOptions: { %v}", securityPolicyRequest) - _ = b.hostState.SetWCOWConfidentialUVMOptions(securityPolicyRequest) - + _ = b.hostState.SetWCOWConfidentialUVMOptions(req.ctx, securityPolicyRequest) + /* + // ignore the returned err temporarily as it fails with "unknown policy rego" error + ; err != nil { + return err + } + */ // Send response back to shim resp := &prot.ResponseBase{ Result: 0, // 0 means success diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go index 601801ad61..d21bc7629c 100644 --- a/internal/gcs-sidecar/host.go +++ b/internal/gcs-sidecar/host.go @@ -4,12 +4,15 @@ package bridge import ( - "errors" + "context" "fmt" "sync" + "github.com/Microsoft/hcsshim/internal/log" "github.com/Microsoft/hcsshim/internal/protocol/guestresource" + "github.com/Microsoft/hcsshim/internal/pspdriver" "github.com/Microsoft/hcsshim/pkg/securitypolicy" + "github.com/pkg/errors" ) type Host struct { 
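Review bot: The return value of `b.hostState.SetWCOWConfidentialUVMOptions(req.ctx, securityPolicyRequest)` is discarded with `_ =` and the handler then answers the shim with `Result: 0`, so a failure to install the policy enforcer (including the PSP driver start the callee now performs) is reported to the host as success. The commented-out fragment below it shows the intended `if err != nil { return err }`; the "unknown policy rego" failure it mentions is a reason to fix the enforcer path, not to ignore its error. PATCH 09 in this series (the `@@ -334,7 +334,10 @@` hunk of handlers.go) restores the check, so if this hunk has to stand alone it should at least carry a comment that the success response is sent regardless of outcome. `modifySettings` continues outside the hunk.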
@@ -32,7 +35,11 @@ func NewHost(initialEnforcer securitypolicy.SecurityPolicyEnforcer) *Host { } } -func (h *Host) SetWCOWConfidentialUVMOptions(securityPolicyRequest *guestresource.WCOWConfidentialOptions) error { +func (h *Host) isSecurityPolicyEnforcerInitialized() bool { + return h.securityPolicyEnforcer != nil +} + +func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicyRequest *guestresource.WCOWConfidentialOptions) error { h.policyMutex.Lock() defer h.policyMutex.Unlock() @@ -40,6 +47,21 @@ func (h *Host) SetWCOWConfidentialUVMOptions(securityPolicyRequest *guestresourc return errors.New("security policy has already been set") } + log.G(ctx).Tracef("NoSecurtyHardware annotation: %v", securityPolicyRequest.NoSecurityHardware) + if securityPolicyRequest.NoSecurityHardware || pspdriver.IsSNPEnabled(ctx) { + // Start the psp driver + if err := pspdriver.StartPSPDriver(ctx); err != nil { + // Failed to start psp driver, return prematurely + return errors.Wrapf(err, "failed to start PSP driver") + } + } else { + // failed to load PSP driver, error out + // TODO (kiashok): Following log can be cleaned up once the caller stops ignoring failure + // due to "rego" error. + log.G(ctx).Fatal("failed to load PSP driver: no hardware support or annotation specified") + return fmt.Errorf("failed to load PSP driver: no hardware support or annotation specified") + } + // This limit ensures messages are below the character truncation limit that // can be imposed by an orchestrator maxErrorMessageLength := 3 * 1024 diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go index 1e7325c196..bc5dff780f 100644 --- a/internal/oci/uvm.go +++ b/internal/oci/uvm.go 
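Review bot: `log.G(ctx).Fatal(...)` in the `else` branch of the `@@ -40,6 +47,21 @@` hunk terminates the sidecar process, so the `return fmt.Errorf(...)` after it is dead and the caller's error path (the subject of the TODO on the same lines) can never run; a request handler should log and return, e.g. `log.G(ctx).Error("failed to load PSP driver: no hardware support or annotation specified")` followed by the existing `return fmt.Errorf(...)`. The branch also makes a host-supplied `NoSecurityHardware` flag sufficient to skip `pspdriver.IsSNPEnabled` on the guest side; the reasoning that makes that acceptable (attestation fails without a genuine report) appears only in oci/uvm.go's `handleWCOWSecurityPolicy`, and belongs as a comment here too, where the check is actually bypassed. `SetWCOWConfidentialUVMOptions` continues outside the hunk.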
@@ -194,8 +194,17 @@ func handleAnnotationFullyPhysicallyBacked(ctx context.Context, a map[string]str func handleWCOWSecurityPolicy(ctx context.Context, a map[string]string, wopts *uvm.OptionsWCOW) error { wopts.SecurityPolicy = ParseAnnotationsString(a, annotations.WCOWSecurityPolicy, wopts.SecurityPolicy) wopts.SecurityPolicyEnforcer = ParseAnnotationsString(a, annotations.WCOWSecurityPolicyEnforcer, wopts.SecurityPolicyEnforcer) + // allow actual isolated boot etc to be ignored if we have no hardware. Required for dev + // this is not a security issue as the attestation will fail without a genuine report + noSecurityHardware := ParseAnnotationsBool(ctx, a, annotations.NoSecurityHardware, false) + + // TODO: Process annotations.NoSecurityHardware here for cwcow cases! if len(wopts.SecurityPolicy) > 0 { wopts.SecurityPolicyEnabled = true + + if noSecurityHardware { + wopts.NoSecurityHardware = true + } return uvm.SetDefaultConfidentialWCOWBootConfig(wopts) } return nil diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go index adcf3c9e59..8dea7ac3c5 100644 --- a/internal/protocol/guestresource/resources.go +++ b/internal/protocol/guestresource/resources.go @@ -244,4 +244,5 @@ type WCOWConfidentialOptions struct { WCOWSecurityPolicyEnabled bool // Set which security policy enforcer to use (open door or rego). This allows for better fallback mechanic. WCOWSecurityPolicyEnforcer string + NoSecurityHardware bool } diff --git a/internal/pspdriver/pspdriver.go b/internal/pspdriver/pspdriver.go new file mode 100644 index 0000000000..9968cb3685 --- /dev/null +++ b/internal/pspdriver/pspdriver.go 
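Review bot: `if noSecurityHardware { wopts.NoSecurityHardware = true }` is just `wopts.NoSecurityHardware = noSecurityHardware`, and the `// TODO: Process annotations.NoSecurityHardware here for cwcow cases!` sits directly under the line that already processes it, so it reads as stale. The annotation is also parsed unconditionally but only consumed inside the `len(wopts.SecurityPolicy) > 0` branch; moving the parse into that branch keeps the flag's effect scoped to confidential UVMs, which is what the comment above it describes.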
@@ -0,0 +1,105 @@
+//go:build windows
+// +build windows
+
+package pspdriver
+
+import (
+ "context"
+ "fmt"
+ "syscall"
+ "unsafe"
+
+ winio "github.com/Microsoft/go-winio"
+ "github.com/Microsoft/hcsshim/internal/log"
+ "github.com/pkg/errors"
+ "golang.org/x/sys/windows/svc"
+ "golang.org/x/sys/windows/svc/mgr"
+)
+
+const (
+ serviceName = "AmdSnpPsp"
+ snpFirmwareEnvVariable = "SnpGuestReport"
+ privilegeName = "SeSystemEnvironmentPrivilege"
+ amdSevSnpGUIDStr = "{4c3bddb9-c2b1-4cbd-9e0c-cb45e9e0e168}"
+)
+
+var (
+ kernel32 = syscall.NewLazyDLL("kernel32.dll")
+ procGetFirmwareVar = kernel32.NewProc("GetFirmwareEnvironmentVariableW")
+)
+
+func StartPSPDriver(ctx context.Context) error {
+ // Connect to the Service Control Manager
+ m, err := mgr.Connect()
+ if err != nil {
+ return errors.Wrap(err, "Failed to connect to service manager")
+ }
+ defer m.Disconnect()
+
+ // Open the service
+ s, err := m.OpenService(serviceName)
+ if err != nil {
+ return errors.Wrapf(err, "Could not access service %q", serviceName)
+ }
+ defer s.Close()
+
+ // Start the service
+ err = s.Start()
+ if err != nil {
+ return errors.Wrapf(err, "Could not start service %q", serviceName)
+ }
+
+ log.G(ctx).Tracef("Service %q started successfully", serviceName)
+
+ // TODO cleanup (kiashok): confirm the running state of the pspdriver
+ status, err := s.Query()
+ if err != nil {
+ return errors.Wrap(err, "could not query service status")
+ }
+
+ switch status.State {
+ case svc.Running:
+ fmt.Println("Service is running.")
+ case svc.Stopped:
+ fmt.Println("Service is stopped.")
+ case svc.StartPending:
+ fmt.Println("Service is starting.")
+ case svc.StopPending:
+ fmt.Println("Service is stopping.")
+ default:
+ fmt.Printf("Service state: %v\n", status.State)
+ }
+ return nil
+}
+
+// IsSNPEnabled() returns true if SNP support is available.
+func IsSNPEnabled(ctx context.Context) bool {
+ // GetFirmwareEnvironmentVariableW() requires privelege of SeSystemEnvironmentName. 
+ // https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getfirmwareenvironmentvariable
+ err := winio.EnableProcessPrivileges([]string{privilegeName})
+ if err != nil {
+ log.G(ctx).WithError(err).Errorf("enabling privilege failed")
+ return false
+ }
+
+ // UEFI variable name for SNP
+ firmwareEnvVar, _ := syscall.UTF16PtrFromString(snpFirmwareEnvVariable)
+ amdSnpGUID, _ := syscall.UTF16PtrFromString(amdSevSnpGUIDStr)
+ // Prepare buffer for data
+ // SNP report is max of 4KB
+ buffer := make([]byte, 4096)
+
+ r1, _, err := procGetFirmwareVar.Call(
+ uintptr(unsafe.Pointer(firmwareEnvVar)),
+ uintptr(unsafe.Pointer(amdSnpGUID)),
+ uintptr(unsafe.Pointer(&buffer[0])),
+ uintptr(len(buffer)),
+ )
+
+ if r1 == 0 {
+ log.G(ctx).WithError(err).Debugf("SNP report not available")
+ return false
+ }
+
+ return true
+}
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
index 9a72c06df4..779a8068e1 100644
--- a/internal/uvm/create_wcow.go
+++ b/internal/uvm/create_wcow.go
@@ -40,6 +40,9 @@ type ConfidentialWCOWOptions struct { IsolationType string DisableSecureBoot bool FirmwareParameters string
+
+ // Temp (kiashok):
+ NoSecurityHardware bool
 } // OptionsWCOW are the set of options passed to CreateWCOW() to create a utility vm.
@@ -524,6 +527,7 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error WCOWSecurityPolicyEnabled: true, WCOWSecurityPolicy: opts.SecurityPolicy, WCOWSecurityPolicyEnforcer: opts.SecurityPolicyEnforcer,
+ NoSecurityHardware: opts.NoSecurityHardware,
 } doc, err = prepareSecurityConfigDoc(ctx, uvm, opts) log.G(ctx).Tracef("CreateWCOW prepareSecurityConfigDoc result doc: %v err %v", doc, err)
diff --git a/internal/uvm/security_policy.go b/internal/uvm/security_policy.go
index c232f5f491..266601af3d 100644
--- a/internal/uvm/security_policy.go
+++ b/internal/uvm/security_policy.go
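Review bot: `s.Start()` in `StartPSPDriver` fails when the service is already running (the SCM reports that as an error), so a second call — for instance a retried modify-settings request — makes the whole policy setup fail even though the driver is up; query the state first and treat an already-started service as success, and since `Query()` immediately after `Start()` will usually still report `StartPending`, the post-start `switch` does not confirm much. That `switch` also reports through `fmt.Println`/`fmt.Printf`, which in a guest sidecar goes nowhere useful; route it through `log.G(ctx)` like the rest of the file. In `IsSNPEnabled` the errors from both `syscall.UTF16PtrFromString` calls are ignored (harmless for constant input, but worth a `// constants, cannot fail` note) and the comment reads `privelege`.

```go
func StartPSPDriver(ctx context.Context) error {
	// … unchanged: mgr.Connect / OpenService and their defers …

	status, err := s.Query()
	if err != nil {
		return errors.Wrap(err, "could not query service status")
	}
	switch status.State {
	case svc.Running, svc.StartPending:
		// Already up (e.g. a retried request): nothing to do.
		log.G(ctx).Tracef("Service %q already in state %v", serviceName, status.State)
		return nil
	}

	if err := s.Start(); err != nil {
		return errors.Wrapf(err, "Could not start service %q", serviceName)
	}
	log.G(ctx).Tracef("Service %q started successfully", serviceName)
	return nil
}
```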
@@ -45,6 +45,13 @@ func WithWCOWSecurityPolicy(policy string) WCOWConfidentialUVMOpt { } }
+func WithWCOWNoSecurityHardware(noSecurityHardware bool) WCOWConfidentialUVMOpt {
+ return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
+ r.NoSecurityHardware = noSecurityHardware
+ return nil
+ }
+}
+
 // WithSecurityPolicyEnforcer sets the desired enforcer type for the resource. func WithWCOWSecurityPolicyEnforcer(enforcer string) WCOWConfidentialUVMOpt { return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
diff --git a/internal/uvm/start.go b/internal/uvm/start.go
index 8b06743ccd..4eb7283d58 100644
--- a/internal/uvm/start.go
+++ b/internal/uvm/start.go
@@ -338,6 +338,7 @@ func (uvm *UtilityVM) Start(ctx context.Context) (err error) { copts := []WCOWConfidentialUVMOpt{ WithWCOWSecurityPolicy(uvm.WCOWconfidentialUVMOptions.WCOWSecurityPolicy), WithWCOWSecurityPolicyEnforcer(uvm.WCOWconfidentialUVMOptions.WCOWSecurityPolicyEnforcer),
+ WithWCOWNoSecurityHardware(uvm.WCOWconfidentialUVMOptions.NoSecurityHardware),
 } if err := uvm.SetWCOWConfidentialUVMOptions(ctx, copts...); err != nil { return err
From 0469d2a9f460b9c81c87afef3773a11bd2624bae Mon Sep 17 00:00:00 2001
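Review bot: `WithWCOWNoSecurityHardware` is exported but has no doc comment, while the sibling `WithWCOWSecurityPolicyEnforcer` directly below it carries one. Suggest `// WithWCOWNoSecurityHardware tells the guest sidecar to start the PSP driver without checking for SNP firmware support; intended for development on hosts that lack the hardware.` — that is what the host.go condition `NoSecurityHardware || pspdriver.IsSNPEnabled(ctx)` and the "Required for dev" comment in oci/uvm.go describe.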
From: Amit Barve Date: Tue, 29 Apr 2025 09:49:59 -0400 Subject: [PATCH 07/20] [DO NOT MERGE] Mock verified CIM digest for layers Verified CIMs will allow the gcs-sidecar to query the root digest for each block CIM and then validate that against the policy to see if that layer is allowed. The layer CIMs will be merge mounted only if all of the root digests of all layer CIMs are successfully validated against the policy. However, verified CIMs aren't available yet. In order to unblock testing of the policy engine, this commit mocks the root digest of a block CIM by generating a SHA256 of the layer path on the host. As long as the layer path remains the same (i.e we won't remove and repull the same image) the layer digest will remain same and we can use that in the policy. Note that this only a temporary change and it shouldn't be merged into main. Once verified CIMs are ready, we won't need to pass a digest in the mount block CIM request, instead gcs-sidecar will directly query the digest from the CIM. Signed-off-by: Amit Barve --- go.mod | 2 +- internal/gcs-sidecar/handlers.go | 1 + internal/protocol/guestresource/resources.go | 1 + internal/uvm/cimfs.go | 10 ++++++++++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index fa2d7d097c..d0645144a5 100644 --- a/go.mod +++ b/go.mod @@ -15,6 +15,7 @@ require ( github.com/containerd/errdefs v0.3.0 github.com/containerd/errdefs/pkg v0.3.0 github.com/containerd/go-runc v1.0.0 + github.com/containerd/log v0.1.0 github.com/containerd/protobuild v0.3.0 github.com/containerd/ttrpc v1.2.5 github.com/containerd/typeurl/v2 v2.2.0 
@@ -52,7 +53,6 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/containerd/continuity v0.4.2 // indirect github.com/containerd/fifo v1.1.0 // indirect - github.com/containerd/log v0.1.0 // indirect github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index 8702c94e9f..fa3b038e55 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go @@ -376,6 +376,7 @@ func (b *Bridge) modifySettings(req *request) (err error) { CimName: blockCimDevice.CimName, } layerCIMs = append(layerCIMs, &layerCim) + log.G(ctx).Debugf("block CIM layer digest %s, path: %s\n", blockCimDevice.Digest, physicalDevPath) } if len(layerCIMs) > 1 { // Get the topmost merge CIM and invoke the MountMergedBlockCIMs diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go index 8dea7ac3c5..6ed5443ede 100644 --- a/internal/protocol/guestresource/resources.go +++ b/internal/protocol/guestresource/resources.go @@ -110,6 +110,7 @@ type LCOWMappedVirtualDisk struct { type BlockCIMDevice struct { CimName string Lun int32 + Digest string } type WCOWBlockCIMMounts struct { diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go index 899e72c8a1..679e1ac8a5 100644 --- a/internal/uvm/cimfs.go +++ b/internal/uvm/cimfs.go @@ -5,6 +5,8 @@ package uvm import ( "context" + "crypto/sha256" + "encoding/base64" "fmt" "github.com/Microsoft/go-winio/pkg/guid" 
@@ -60,15 +62,23 @@ func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.Block if err != nil { return nil, fmt.Errorf("failed to attach block CIM %s: %w", bcim.BlockPath, err) } + + hasher := sha256.New() + hasher.Write([]byte(bcim.BlockPath)) + layerDigest := base64.URLEncoding.EncodeToString(hasher.Sum(nil)) + log.G(ctx).WithFields(logrus.Fields{ "block path": bcim.BlockPath, "cim name": bcim.CimName, + "layer digest": layerDigest, "scsi controller": sm.Controller(), "scsi LUN": sm.LUN(), }).Debugf("attached block CIM VHD") + settings.BlockCIMs = append(settings.BlockCIMs, guestresource.BlockCIMDevice{ CimName: bcim.CimName, Lun: int32(sm.LUN()), + Digest: layerDigest, }) umb.scsiMounts = append(umb.scsiMounts, sm) defer func() { From 30c4bede7a3778ae93915abace448f04edf0a6b7 Mon Sep 17 00:00:00 2001 From: Amit Barve Date: Wed, 30 Apr 2025 21:35:31 -0400 Subject: [PATCH 08/20] [DO NOT MERGE] Allow testing with non SNP hardware Signed-off-by: Amit Barve --- internal/uvm/create_wcow.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go index 779a8068e1..9a523e0d63 100644 --- a/internal/uvm/create_wcow.go +++ b/internal/uvm/create_wcow.go @@ -118,6 +118,7 @@ func SetDefaultConfidentialWCOWBootConfig(opts *OptionsWCOW) error { opts.IsolationType = "GuestStateOnly" opts.DisableSecureBoot = true opts.ConsolePipe = "\\\\.\\pipe\\uvmpipe" + opts.NoSecurityHardware = true return nil } From df55c0a0fec876094dfd76e1630e64b13d2d637c Mon Sep 17 00:00:00 2001 From: Mahati Chamarthy Date: Fri, 2 May 2025 14:34:22 +0100 Subject: [PATCH 09/20] C-WCOW: Securitpolicy pkg changes and enforce CIMs Signed-off-by: Mahati Chamarthy 
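Review bot: `layerDigest` is the SHA-256 of `bcim.BlockPath`, a host-chosen string, not of the CIM contents, so the guest-side policy comparison it feeds (`EnforceVerifiedCIMsPolicy` in PATCH 09) establishes nothing about the layer; the commit message says so, but nothing in the code does, and the commit message does not travel with the line. Put it next to the value: `// MOCK (do not merge): digest of the host layer path, not of the CIM data; carries no integrity guarantee`. The three hasher lines also reduce to `sum := sha256.Sum256([]byte(bcim.BlockPath))` and `layerDigest := base64.URLEncoding.EncodeToString(sum[:])`, which drops the unchecked `hasher.Write` return. `MountBlockCIMs` continues outside the hunk.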
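Review bot: `opts.NoSecurityHardware = true` inside `SetDefaultConfidentialWCOWBootConfig` overwrites the value that `handleWCOWSecurityPolicy` (oci/uvm.go, PATCH 06) copies from the annotation immediately before calling this function, so the annotation is now dead and every confidential WCOW UVM instructs the guest sidecar to skip the `IsSNPEnabled` check. The commit title marks it DO NOT MERGE; if it has to stay on the branch for a while, a comment on the line such as `// TESTING ONLY: forces the guest to skip the SNP firmware check; remove before merge` keeps it from surviving a rebase unnoticed. `SetDefaultConfidentialWCOWBootConfig` starts outside the hunk.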
Signed-off-by: Kirtana Ashok --- internal/gcs-sidecar/bridge.go | 7 - internal/gcs-sidecar/handlers.go | 17 ++- internal/gcs-sidecar/host.go | 2 +- internal/gcs-sidecar/uvm.go | 2 + internal/layers/wcow_mount.go | 2 +- internal/protocol/guestresource/resources.go | 7 +- internal/uvm/cimfs.go | 9 +- pkg/securitypolicy/api.rego | 1 + pkg/securitypolicy/framework.rego | 27 ++++ pkg/securitypolicy/open_door.rego | 1 + pkg/securitypolicy/policy.rego | 1 + pkg/securitypolicy/securitypolicy_linux.go | 144 ++++++++++++++++++ .../securitypolicy_uvmpath_linux.go | 34 ----- ...h_windows.go => securitypolicy_windows.go} | 6 + pkg/securitypolicy/securitypolicyenforcer.go | 13 ++ .../securitypolicyenforcer_rego.go | 109 +------------ pkg/securitypolicy/version_api | 2 +- pkg/securitypolicy/version_framework | 2 +- 18 files changed, 230 insertions(+), 156 deletions(-) create mode 100644 pkg/securitypolicy/securitypolicy_linux.go delete mode 100644 pkg/securitypolicy/securitypolicy_uvmpath_linux.go rename pkg/securitypolicy/{securitypolicy_uvmpath_windows.go => securitypolicy_windows.go} (78%) diff --git a/internal/gcs-sidecar/bridge.go b/internal/gcs-sidecar/bridge.go index a0f62f85d6..502d81a8e2 100644 --- a/internal/gcs-sidecar/bridge.go +++ b/internal/gcs-sidecar/bridge.go @@ -86,13 +86,6 @@ func NewBridge(shimConn io.ReadWriteCloser, inboxGCSConn io.ReadWriteCloser, ini } } -func NewPolicyEnforcer(initialEnforcer securitypolicy.SecurityPolicyEnforcer) *SecurityPoliyEnforcer { - return &SecurityPoliyEnforcer{ - securityPolicyEnforcerSet: false, - securityPolicyEnforcer: initialEnforcer, - } -} - // UnknownMessage represents the default handler logic for an unmatched request // type sent from the bridge. func UnknownMessage(r *request) error { diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index fa3b038e55..2349efa104 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go 
@@ -334,7 +334,10 @@ func (b *Bridge) modifySettings(req *request) (err error) { case guestresource.ResourceTypeSecurityPolicy: securityPolicyRequest := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWConfidentialOptions) log.G(ctx).Tracef("WCOWConfidentialOptions: { %v}", securityPolicyRequest) - _ = b.hostState.SetWCOWConfidentialUVMOptions(req.ctx, securityPolicyRequest) + err := b.hostState.SetWCOWConfidentialUVMOptions(req.ctx, securityPolicyRequest) + if err != nil { + return errors.Wrap(err, "error creating enforcer") + } /* // ignore the returned err temporarily as it fails with "unknown policy rego" error ; err != nil { @@ -346,7 +349,7 @@ func (b *Bridge) modifySettings(req *request) (err error) { Result: 0, // 0 means success ActivityID: req.activityID, } - err := b.sendResponseToShim(req.ctx, prot.RPCModifySettings, req.header.ID, resp) + err = b.sendResponseToShim(req.ctx, prot.RPCModifySettings, req.header.ID, resp) if err != nil { return errors.Wrap(err, "error sending response to hcsshim") } @@ -355,12 +358,15 @@ func (b *Bridge) modifySettings(req *request) (err error) { case guestresource.ResourceTypeWCOWBlockCims: // This is request to mount the merged cim at given volumeGUID wcowBlockCimMounts := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWBlockCIMMounts) + containerID := wcowBlockCimMounts.ContainerID log.G(ctx).Tracef("WCOWBlockCIMMounts { %v}", wcowBlockCimMounts) // The block device takes some time to show up. Wait for a few seconds. time.Sleep(2 * time.Second) var layerCIMs []*cimfs.BlockCIM + layerHashes := make([]string, len(wcowBlockCimMounts.BlockCIMs)) + ctx := req.ctx for _, blockCimDevice := range wcowBlockCimMounts.BlockCIMs { // Get the scsi device path for the blockCim lun devNumber, err := windevice.GetDeviceNumberFromControllerLUN( 
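Review bot: With the error from `SetWCOWConfidentialUVMOptions` now returned, the `/* // ignore the returned err temporarily ... */` block left as context directly below the new `if err != nil` is dead commented-out code describing the behaviour this hunk removes; delete it. The wrap text `"error creating enforcer"` also undersells what the callee does since PATCH 06 (it starts the PSP driver too); `errors.Wrap(err, "applying confidential UVM options")` describes the failure the shim will see. `modifySettings` continues outside the hunk.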
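Review bot: `layerHashes := make([]string, len(wcowBlockCimMounts.BlockCIMs))` is never written before the `@@ -376,8 +382,13 @@` hunk passes it to `EnforceVerifiedCIMsPolicy(req.ctx, containerID, layerHashes)`: the loop body between the two hunks is untouched pre-existing code and so cannot reference a variable this commit introduces, and the only line that used `blockCimDevice.Digest` is removed, so the enforcer is handed `len(BlockCIMs)` empty strings. Against the `layerHashes_ok` rule added to framework.rego that denies every mount under a real policy, and a policy could only admit it by listing empty digests. Until the verified-CIM digest query exists, fill it in the loop: `for i, blockCimDevice := range wcowBlockCimMounts.BlockCIMs {` and `layerHashes[i] = blockCimDevice.Digest`. `ctx := req.ctx` also shadows the `ctx` that `log.G(ctx).Tracef` uses two lines above; drop it. `modifySettings` continues outside the hunk.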
@@ -376,8 +382,13 @@ func (b *Bridge) modifySettings(req *request) (err error) { CimName: blockCimDevice.CimName, } layerCIMs = append(layerCIMs, &layerCim) - log.G(ctx).Debugf("block CIM layer digest %s, path: %s\n", blockCimDevice.Digest, physicalDevPath) } + + err := b.hostState.securityPolicyEnforcer.EnforceVerifiedCIMsPolicy(req.ctx, containerID, layerHashes) + if err != nil { + return errors.Wrap(err, "CIM mount is denied by policy") + } + if len(layerCIMs) > 1 { // Get the topmost merge CIM and invoke the MountMergedBlockCIMs _, err := cimfs.MountMergedBlockCIMs(layerCIMs[0], layerCIMs[1:], wcowBlockCimMounts.MountFlags, wcowBlockCimMounts.VolumeGuid) diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go index d21bc7629c..245835c0a6 100644 --- a/internal/gcs-sidecar/host.go +++ b/internal/gcs-sidecar/host.go @@ -47,8 +47,8 @@ func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicy return errors.New("security policy has already been set") } - log.G(ctx).Tracef("NoSecurtyHardware annotation: %v", securityPolicyRequest.NoSecurityHardware) if securityPolicyRequest.NoSecurityHardware || pspdriver.IsSNPEnabled(ctx) { + log.G(ctx).Tracef("Starting psp driver") // Start the psp driver if err := pspdriver.StartPSPDriver(ctx); err != nil { // Failed to start psp driver, return prematurely diff --git a/internal/gcs-sidecar/uvm.go b/internal/gcs-sidecar/uvm.go index 54c94b4f91..f6cf07ec14 100644 --- a/internal/gcs-sidecar/uvm.go +++ b/internal/gcs-sidecar/uvm.go @@ -31,6 +31,7 @@ func modifyMappedVirtualDisk( // TODO: Modify and update this with verified Cims API return securityPolicy.EnforceDeviceMountPolicy(ctx, mvd.ContainerPath, "hash") case guestrequest.RequestTypeRemove: + log.G(ctx).Tracef("enforcing mount_device in mappedvirtualdisk") // TODO: Modify and update this with verified Cims API return securityPolicy.EnforceDeviceUnmountPolicy(ctx, mvd.ContainerPath) default: 
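Review bot: The added trace `enforcing mount_device in mappedvirtualdisk` in the uvm.go hunk sits in the `guestrequest.RequestTypeRemove` branch, whose next line calls `EnforceDeviceUnmountPolicy`, so the log names the wrong enforcement point; suggest `log.G(ctx).Tracef("enforcing unmount_device in mappedvirtualdisk")`. `modifyMappedVirtualDisk` starts and ends outside the hunk.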
@@ -51,6 +52,7 @@ func modifyCombinedLayers( for i, layer := range cl.Layers { layerPaths[i] = layer.Path } + //TODO: Remove this when there is verified Cimfs API return securityPolicy.EnforceOverlayMountPolicy(ctx, containerID, layerPaths, cl.ContainerRootPath) case guestrequest.RequestTypeRemove: return securityPolicy.EnforceOverlayUnmountPolicy(ctx, cl.ContainerRootPath) diff --git a/internal/layers/wcow_mount.go b/internal/layers/wcow_mount.go index f1f928f880..0dd4b8af5e 100644 --- a/internal/layers/wcow_mount.go +++ b/internal/layers/wcow_mount.go @@ -351,7 +351,7 @@ func mountHypervIsolatedBlockCIMLayers(ctx context.Context, l *wcowBlockCIMLayer "parent layers": l.parentLayers, }).Debug("mounting hyperv isolated block CIM layers") - mountedCIMs, err := vm.MountBlockCIMs(ctx, l.mergedLayer, l.parentLayers) + mountedCIMs, err := vm.MountBlockCIMs(ctx, l.mergedLayer, l.parentLayers, containerID) if err != nil { return nil, nil, fmt.Errorf("failed to mount block CIMs in UVM: %w", err) } diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go index 6ed5443ede..83abf3b111 100644 --- a/internal/protocol/guestresource/resources.go +++ b/internal/protocol/guestresource/resources.go @@ -115,9 +115,10 @@ type BlockCIMDevice struct { type WCOWBlockCIMMounts struct { // BlockCIMs should be ordered from merged CIM followed by Layer n .. layer 1 - BlockCIMs []BlockCIMDevice `json:"BlockCIMs,omitempty"` - VolumeGUID guid.GUID `json:"VolumeGUID,omitempty"` - MountFlags uint32 `json:"MountFlags,omitempty"` + BlockCIMs []BlockCIMDevice `json:"BlockCIMs,omitempty"` + VolumeGuid guid.GUID `json:"VolumeGuid,omitempty"` + MountFlags uint32 `json:"MountFlags,omitempty"` + ContainerID string } type WCOWMappedVirtualDisk struct { diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go index 679e1ac8a5..8826a82ec1 100644 --- a/internal/uvm/cimfs.go +++ b/internal/uvm/cimfs.go 
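Review bot: In the resources.go hunk the field and its JSON tag are renamed from `VolumeGUID` to `VolumeGuid`, moving away from the initialism convention the neighbouring `ContainerID` and the rest of the package follow, and because the tag is the wire name the guest-side sidecar decodes, shim and sidecar builds must now move together (both appear to live in this repo, but that is worth stating in the commit message). The new `ContainerID` field has neither the `json:"…,omitempty"` tag its siblings carry nor a comment; suggest the tag `json:"ContainerID,omitempty"` and `// ID of the container the mounted CIMs belong to; passed to the mount_cims policy check`, which is how handlers.go uses it.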
@@ -35,7 +35,7 @@ func (umb *UVMMountedBlockCIMs) Release(ctx context.Context) error { // mergedCIM can be nil, // sourceCIMs MUST be in the top to bottom order -func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.BlockCIM, sourceCIMs []*cimfs.BlockCIM) (_ *UVMMountedBlockCIMs, err error) { +func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.BlockCIM, sourceCIMs []*cimfs.BlockCIM, containerID string) (_ *UVMMountedBlockCIMs, err error) { volumeGUID, err := guid.NewV4() if err != nil { return nil, fmt.Errorf("generated cim mount GUID: %w", err) @@ -47,9 +47,10 @@ func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.Block } settings := &guestresource.WCOWBlockCIMMounts{ - BlockCIMs: []guestresource.BlockCIMDevice{}, - VolumeGuid: volumeGUID, - MountFlags: cimfs.CimMountBlockDeviceCim, + BlockCIMs: []guestresource.BlockCIMDevice{}, + VolumeGuid: volumeGUID, + MountFlags: cimfs.CimMountBlockDeviceCim, + ContainerID: containerID, } umb := &UVMMountedBlockCIMs{ diff --git a/pkg/securitypolicy/api.rego b/pkg/securitypolicy/api.rego index 82e79c9040..36a197ebc2 100644 --- a/pkg/securitypolicy/api.rego +++ b/pkg/securitypolicy/api.rego @@ -5,6 +5,7 @@ version := "@@API_VERSION@@" enforcement_points := { "mount_device": {"introducedVersion": "0.1.0", "default_results": {"allowed": false}}, "mount_overlay": {"introducedVersion": "0.1.0", "default_results": {"allowed": false}}, + "mount_cims": {"introducedVersion": "0.11.0", "default_results": {"allowed": false}}, "create_container": {"introducedVersion": "0.1.0", "default_results": {"allowed": false, "env_list": null, "allow_stdio_access": false}}, "unmount_device": {"introducedVersion": "0.2.0", "default_results": {"allowed": true}}, "unmount_overlay": {"introducedVersion": "0.6.0", "default_results": {"allowed": true}}, diff --git a/pkg/securitypolicy/framework.rego b/pkg/securitypolicy/framework.rego index ffca157147..96ed4330e4 100644 
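Review bot: The doc comment above `MountBlockCIMs` still describes only mergedCIM and sourceCIMs and is not updated for the new `containerID` parameter; add a line such as `// containerID identifies the container the CIMs are mounted for; it is forwarded to the guest in WCOWBlockCIMMounts so the guest policy can key the mount_cims check on it.` The use for policy is inferred from the `mount_cims` enforcement point added in this commit, so word it to match the actual consumer.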
--- a/pkg/securitypolicy/framework.rego +++ b/pkg/securitypolicy/framework.rego @@ -57,6 +57,14 @@ layerPaths_ok(layers) { } } +layerHashes_ok(layers) { + length := count(layers) + count(input.layerHashes) == length + every i, hash in input.layerHashes { + layers[(length - i) - 1] == hash + } +} + default overlay_exists := false overlay_exists { @@ -95,6 +103,25 @@ candidate_containers := containers { containers := array.concat(policy_containers, fragment_containers) } +default mount_cims := {"allowed": false} + +mount_cims := {"metadata": [addMatches], "allowed": true} { + not overlay_exists + + containers := [container | + container := candidate_containers[_] + layerHashes_ok(container.layers) + ] + + count(containers) > 0 + addMatches := { + "name": "matches", + "action": "add", + "key": input.containerID, + "value": containers, + } +} + default mount_overlay := {"allowed": false} mount_overlay := {"metadata": [addMatches, addOverlayTarget], "allowed": true} { diff --git a/pkg/securitypolicy/open_door.rego b/pkg/securitypolicy/open_door.rego index 2bc36123d8..a8e283092d 100644 --- a/pkg/securitypolicy/open_door.rego +++ b/pkg/securitypolicy/open_door.rego @@ -5,6 +5,7 @@ api_version := "@@API_VERSION@@" mount_device := {"allowed": true} mount_overlay := {"allowed": true} create_container := {"allowed": true, "env_list": null, "allow_stdio_access": true} +mount_cims := {"allowed": true} unmount_device := {"allowed": true} unmount_overlay := {"allowed": true} exec_in_container := {"allowed": true, "env_list": null} diff --git a/pkg/securitypolicy/policy.rego b/pkg/securitypolicy/policy.rego index 139d340048..9414116c19 100644 --- a/pkg/securitypolicy/policy.rego +++ b/pkg/securitypolicy/policy.rego 
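Review bot: `mount_cims` records a `matches` entry for `input.containerID` but, unlike `mount_overlay`, adds no overlay target, so if `overlay_exists` is derived from the overlay-target metadata (its body is outside the hunk) then `not overlay_exists` still holds after a successful `mount_cims` and a second CIM mount for the same container ID would be admitted. `layerHashes_ok` silently requires `input.layerHashes` to be in the reverse order of `container.layers`; a one-line comment stating that convention (`# input.layerHashes is top-down, container.layers is bottom-up`) stops the next reader from "fixing" the index arithmetic. The hashes are compared with `==`, so the Go caller must supply digests in exactly the form the policy generator writes into `layers`, which is worth stating in the same comment.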
@@ -9,6 +9,7 @@ mount_device := data.framework.mount_device
 unmount_device := data.framework.unmount_device
 mount_overlay := data.framework.mount_overlay
 unmount_overlay := data.framework.unmount_overlay
+mount_cims:= data.framework.mount_cims
 create_container := data.framework.create_container
 exec_in_container := data.framework.exec_in_container
 exec_external := data.framework.exec_external
diff --git a/pkg/securitypolicy/securitypolicy_linux.go b/pkg/securitypolicy/securitypolicy_linux.go
new file mode 100644
index 0000000000..eb4a01848c
--- /dev/null
+++ b/pkg/securitypolicy/securitypolicy_linux.go
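Review bot: `mount_cims:= data.framework.mount_cims` is missing the space before `:=` that every sibling assignment in this hunk has; write `mount_cims := data.framework.mount_cims`.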
@@ -0,0 +1,144 @@ +//go:build linux +// +build linux + +package securitypolicy + +import ( + "context" + "fmt" + "os" + "path/filepath" + "strconv" + "strings" + + specGuest "github.com/Microsoft/hcsshim/internal/guest/spec" + specInternal "github.com/Microsoft/hcsshim/internal/guest/spec" + "github.com/Microsoft/hcsshim/internal/guestpath" + "github.com/Microsoft/hcsshim/internal/log" + "github.com/moby/sys/user" + oci "github.com/opencontainers/runtime-spec/specs-go" + "github.com/pkg/errors" +) + +// This is being used by StandEnforcer. +// substituteUVMPath substitutes mount prefix to an appropriate path inside +// UVM. At policy generation time, it's impossible to tell what the sandboxID +// will be, so the prefix substitution needs to happen during runtime. +func substituteUVMPath(sandboxID string, m mountInternal) mountInternal { + if strings.HasPrefix(m.Source, guestpath.SandboxMountPrefix) { + m.Source = specInternal.SandboxMountSource(sandboxID, m.Source) + } else if strings.HasPrefix(m.Source, guestpath.HugePagesMountPrefix) { + m.Source = specInternal.HugePagesMountSource(sandboxID, m.Source) + } + return m +} + +// SandboxMountsDir returns sandbox mounts directory inside UVM/host. +func SandboxMountsDir(sandboxID string) string { + return specInternal.SandboxMountsDir((sandboxID)) +} + +// HugePagesMountsDir returns hugepages mounts directory inside UVM. 
+func HugePagesMountsDir(sandboxID string) string { + return specInternal.HugePagesMountsDir(sandboxID) +} + +func getUser(passwdPath string, filter func(user.User) bool) (user.User, error) { + users, err := user.ParsePasswdFileFilter(passwdPath, filter) + if err != nil { + return user.User{}, err + } + if len(users) != 1 { + return user.User{}, errors.Errorf("expected exactly 1 user matched '%d'", len(users)) + } + return users[0], nil +} + +func getGroup(groupPath string, filter func(user.Group) bool) (user.Group, error) { + groups, err := user.ParseGroupFileFilter(groupPath, filter) + if err != nil { + return user.Group{}, err + } + if len(groups) != 1 { + return user.Group{}, errors.Errorf("expected exactly 1 group matched '%d'", len(groups)) + } + return groups[0], nil +} + +func GetAllUserInfo(containerID string, process *oci.Process) (IDName, []IDName, string, error) { + rootPath := filepath.Join(guestpath.LCOWRootPrefixInUVM, containerID, guestpath.RootfsPath) + passwdPath := filepath.Join(rootPath, "/etc/passwd") + groupPath := filepath.Join(rootPath, "/etc/group") + + if process == nil { + return IDName{}, nil, "", errors.New("spec.Process is nil") + } + + // this default value is used in the Linux kernel if no umask is specified + umask := "0022" + if process.User.Umask != nil { + umask = fmt.Sprintf("%04o", *process.User.Umask) + } + + if process.User.Username != "" { + uid, gid, err := specGuest.ParseUserStr(rootPath, process.User.Username) + if err == nil { + userIDName := IDName{ID: strconv.FormatUint(uint64(uid), 10)} + groupIDName := IDName{ID: strconv.FormatUint(uint64(gid), 10)} + return userIDName, []IDName{groupIDName}, umask, nil + } + log.G(context.Background()).WithError(err).Warn("failed to parse user str, fallback to lookup") + } + + // fallback UID/GID lookup + uid := process.User.UID + userIDName := IDName{ID: strconv.FormatUint(uint64(uid), 10), Name: ""} + if _, err := os.Stat(passwdPath); err == nil { + userInfo, err := 
getUser(passwdPath, func(user user.User) bool { + return uint32(user.Uid) == uid + }) + + if err != nil { + return userIDName, nil, "", err + } + + userIDName.Name = userInfo.Name + } + + gid := process.User.GID + groupIDName := IDName{ID: strconv.FormatUint(uint64(gid), 10), Name: ""} + + checkGroup := true + if _, err := os.Stat(groupPath); err == nil { + groupInfo, err := getGroup(groupPath, func(group user.Group) bool { + return uint32(group.Gid) == gid + }) + + if err != nil { + return userIDName, nil, "", err + } + groupIDName.Name = groupInfo.Name + } else { + checkGroup = false + } + + groupIDNames := []IDName{groupIDName} + additionalGIDs := process.User.AdditionalGids + if len(additionalGIDs) > 0 { + for _, gid := range additionalGIDs { + groupIDName = IDName{ID: strconv.FormatUint(uint64(gid), 10), Name: ""} + if checkGroup { + groupInfo, err := getGroup(groupPath, func(group user.Group) bool { + return uint32(group.Gid) == gid + }) + if err != nil { + return userIDName, nil, "", err + } + groupIDName.Name = groupInfo.Name + } + groupIDNames = append(groupIDNames, groupIDName) + } + } + + return userIDName, groupIDNames, umask, nil +} diff --git a/pkg/securitypolicy/securitypolicy_uvmpath_linux.go b/pkg/securitypolicy/securitypolicy_uvmpath_linux.go deleted file mode 100644 index 4fdfaafdcc..0000000000 --- a/pkg/securitypolicy/securitypolicy_uvmpath_linux.go +++ /dev/null 
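Review bot: The import block of the new file aliases the same package twice, `specGuest` and `specInternal` both naming `internal/guest/spec`; the file merges `substituteUVMPath` from securitypolicy_uvmpath_linux.go and `GetAllUserInfo` from securitypolicyenforcer_rego.go, each of which brought its own alias, and one of them should go. `GetAllUserInfo` is now exported but has no doc comment; `// GetAllUserInfo resolves the UID, GID names and umask for process from the container rootfs under LCOWRootPrefixInUVM; the passwd and group files are consulted only when present.` fits the file's style. The fallback warning logs with `context.Background()` rather than a caller-supplied context and so loses request correlation, though that is inherited from the moved code.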
@@ -1,34 +0,0 @@ -//go:build linux -// +build linux - -package securitypolicy - -import ( - "strings" - - specInternal "github.com/Microsoft/hcsshim/internal/guest/spec" - "github.com/Microsoft/hcsshim/internal/guestpath" -) - -// This is being used by StandEnforcer. -// substituteUVMPath substitutes mount prefix to an appropriate path inside -// UVM. At policy generation time, it's impossible to tell what the sandboxID -// will be, so the prefix substitution needs to happen during runtime. -func substituteUVMPath(sandboxID string, m mountInternal) mountInternal { - if strings.HasPrefix(m.Source, guestpath.SandboxMountPrefix) { - m.Source = specInternal.SandboxMountSource(sandboxID, m.Source) - } else if strings.HasPrefix(m.Source, guestpath.HugePagesMountPrefix) { - m.Source = specInternal.HugePagesMountSource(sandboxID, m.Source) - } - return m -} - -// SandboxMountsDir returns sandbox mounts directory inside UVM/host. -func SandboxMountsDir(sandboxID string) string { - return specInternal.SandboxMountsDir((sandboxID)) -} - -// HugePagesMountsDir returns hugepages mounts directory inside UVM. -func HugePagesMountsDir(sandboxID string) string { - return specInternal.HugePagesMountsDir(sandboxID) -} diff --git a/pkg/securitypolicy/securitypolicy_uvmpath_windows.go b/pkg/securitypolicy/securitypolicy_windows.go similarity index 78% rename from pkg/securitypolicy/securitypolicy_uvmpath_windows.go rename to pkg/securitypolicy/securitypolicy_windows.go index cc6949fa68..98b4554342 100644 --- a/pkg/securitypolicy/securitypolicy_uvmpath_windows.go +++ b/pkg/securitypolicy/securitypolicy_windows.go @@ -3,6 +3,8 @@ package securitypolicy +import oci "github.com/opencontainers/runtime-spec/specs-go" + // This is being used by StandEnforcer and is a no-op for windows. // substituteUVMPath substitutes mount prefix to an appropriate path inside // UVM. At policy generation time, it's impossible to tell what the sandboxID 
@@ -22,3 +24,7 @@ func SandboxMountsDir(sandboxID string) string { func HugePagesMountsDir(sandboxID string) string { return "" } + +func GetAllUserInfo(containerID string, process *oci.Process) (IDName, []IDName, string, error) { + return IDName{}, []IDName{}, "", nil +} diff --git a/pkg/securitypolicy/securitypolicyenforcer.go b/pkg/securitypolicy/securitypolicyenforcer.go index 8792966229..e590233634 100644 --- a/pkg/securitypolicy/securitypolicyenforcer.go +++ b/pkg/securitypolicy/securitypolicyenforcer.go @@ -79,6 +79,7 @@ type SecurityPolicyEnforcer interface { LoadFragment(ctx context.Context, issuer string, feed string, code string) error EnforceScratchMountPolicy(ctx context.Context, scratchPath string, encrypted bool) (err error) EnforceScratchUnmountPolicy(ctx context.Context, scratchPath string) (err error) + EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) (err error) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error) } @@ -586,6 +587,10 @@ func (StandardSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Contex return nil } +func (StandardSecurityPolicyEnforcer) EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) error { + return nil +} + // Stub. We are deprecating the standard enforcer. func (StandardSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error) { return IDName{}, nil, "", nil @@ -951,6 +956,10 @@ func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Contex return nil } +func (OpenDoorSecurityPolicyEnforcer) EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) error { + return nil +} + func (OpenDoorSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error) { return IDName{}, nil, "", nil } 
@@ -1037,6 +1046,10 @@ func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Cont return errors.New("unmounting scratch is denied by the policy") } +func (ClosedDoorSecurityPolicyEnforcer) EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) error { + return nil +} + func (ClosedDoorSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error) { return IDName{}, nil, "", nil } diff --git a/pkg/securitypolicy/securitypolicyenforcer_rego.go b/pkg/securitypolicy/securitypolicyenforcer_rego.go index 850f7ec133..28dc1136df 100644 --- a/pkg/securitypolicy/securitypolicyenforcer_rego.go +++ b/pkg/securitypolicy/securitypolicyenforcer_rego.go @@ -9,8 +9,6 @@ import ( "encoding/base64" "encoding/json" "fmt" - "os" - "path/filepath" "strconv" "strings" "syscall" @@ -18,14 +16,8 @@ import ( "github.com/Microsoft/hcsshim/internal/guestpath" "github.com/Microsoft/hcsshim/internal/log" rpi "github.com/Microsoft/hcsshim/internal/regopolicyinterpreter" - "github.com/moby/sys/user" oci "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" - - specGuest "github.com/Microsoft/hcsshim/internal/guest/spec" - "github.com/Microsoft/hcsshim/internal/guestpath" - "github.com/Microsoft/hcsshim/internal/log" - rpi "github.com/Microsoft/hcsshim/internal/regopolicyinterpreter" ) const regoEnforcerName = "rego" 
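Review bot: `ClosedDoorSecurityPolicyEnforcer.EnforceVerifiedCIMsPolicy` returns nil, which allows block-CIM mounts, while the neighbouring closed-door methods deny (the context line above returns "unmounting scratch is denied by the policy"). For a deny-all enforcer the body should be `return errors.New("mounting verified CIMs is denied by the policy")`; the nil stubs added earlier for the standard and open-door enforcers are consistent with those enforcers being permissive by design. The new interface entry also lacks a doc comment, e.g. `// EnforceVerifiedCIMsPolicy checks the ordered block CIM layer hashes for containerID against the mount_cims enforcement point.`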
@@ -995,102 +987,17 @@ func (policy *regoEnforcer) EnforceScratchUnmountPolicy(ctx context.Context, scr return nil } -func getUser(passwdPath string, filter func(user.User) bool) (user.User, error) { - users, err := user.ParsePasswdFileFilter(passwdPath, filter) - if err != nil { - return user.User{}, err - } - if len(users) != 1 { - return user.User{}, errors.Errorf("expected exactly 1 user matched '%d'", len(users)) +func (policy *regoEnforcer) EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) error { + log.G(ctx).Tracef("Enforcing verified cims in securitypolicy pkg %+v", layerHashes) + input := inputData{ + "containerID": containerID, + "layerHashes": layerHashes, } - return users[0], nil -} -func getGroup(groupPath string, filter func(user.Group) bool) (user.Group, error) { - groups, err := user.ParseGroupFileFilter(groupPath, filter) - if err != nil { - return user.Group{}, err - } - if len(groups) != 1 { - return user.Group{}, errors.Errorf("expected exactly 1 group matched '%d'", len(groups)) - } - return groups[0], nil + _, err := policy.enforce(ctx, "mount_cims", input) + return err } func (policy *regoEnforcer) GetUserInfo(containerID string, process *oci.Process) (IDName, []IDName, string, error) { - rootPath := filepath.Join(guestpath.LCOWRootPrefixInUVM, containerID, guestpath.RootfsPath) - passwdPath := filepath.Join(rootPath, "/etc/passwd") - groupPath := filepath.Join(rootPath, "/etc/group") - - if process == nil { - return IDName{}, nil, "", errors.New("spec.Process is nil") - } - - // this default value is used in the Linux kernel if no umask is specified - umask := "0022" - if process.User.Umask != nil { - umask = fmt.Sprintf("%04o", *process.User.Umask) - } - - if process.User.Username != "" { - uid, gid, err := specGuest.ParseUserStr(rootPath, process.User.Username) - if err == nil { - userIDName := IDName{ID: strconv.FormatUint(uint64(uid), 10)} - groupIDName := IDName{ID: strconv.FormatUint(uint64(gid), 
10)} - return userIDName, []IDName{groupIDName}, umask, nil - } - log.G(context.Background()).WithError(err).Warn("failed to parse user str, fallback to lookup") - } - - // fallback UID/GID lookup - uid := process.User.UID - userIDName := IDName{ID: strconv.FormatUint(uint64(uid), 10), Name: ""} - if _, err := os.Stat(passwdPath); err == nil { - userInfo, err := getUser(passwdPath, func(user user.User) bool { - return uint32(user.Uid) == uid - }) - - if err != nil { - return userIDName, nil, "", err - } - - userIDName.Name = userInfo.Name - } - - gid := process.User.GID - groupIDName := IDName{ID: strconv.FormatUint(uint64(gid), 10), Name: ""} - - checkGroup := true - if _, err := os.Stat(groupPath); err == nil { - groupInfo, err := getGroup(groupPath, func(group user.Group) bool { - return uint32(group.Gid) == gid - }) - - if err != nil { - return userIDName, nil, "", err - } - groupIDName.Name = groupInfo.Name - } else { - checkGroup = false - } - - groupIDNames := []IDName{groupIDName} - additionalGIDs := process.User.AdditionalGids - if len(additionalGIDs) > 0 { - for _, gid := range additionalGIDs { - groupIDName = IDName{ID: strconv.FormatUint(uint64(gid), 10), Name: ""} - if checkGroup { - groupInfo, err := getGroup(groupPath, func(group user.Group) bool { - return uint32(group.Gid) == gid - }) - if err != nil { - return userIDName, nil, "", err - } - groupIDName.Name = groupInfo.Name - } - groupIDNames = append(groupIDNames, groupIDName) - } - } - - return userIDName, groupIDNames, umask, nil + return GetAllUserInfo(containerID, process) } diff --git a/pkg/securitypolicy/version_api b/pkg/securitypolicy/version_api index 2774f8587f..142464bf22 100644 --- a/pkg/securitypolicy/version_api +++ b/pkg/securitypolicy/version_api @@ -1 +1 @@ -0.10.0 \ No newline at end of file +0.11.0 \ No newline at end of file diff --git a/pkg/securitypolicy/version_framework b/pkg/securitypolicy/version_framework index 9325c3ccda..60a2d3e96c 100644 
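Review bot: The new `regoEnforcer.EnforceVerifiedCIMsPolicy` has no doc comment, and its trace line reads like leftover debugging (`"Enforcing verified cims in securitypolicy pkg %+v"`); `log.G(ctx).WithField("layerHashes", layerHashes).Trace("enforcing mount_cims")` matches the structured form used with `log.G` elsewhere in this series. The rule name `"mount_cims"` is passed as a bare literal; the other `policy.enforce` call sites are outside the hunk, so if they use named constants this should too. `GetUserInfo` now delegates to `GetAllUserInfo`, which gives the Windows stub added in securitypolicy_windows.go a clean seam.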
--- a/pkg/securitypolicy/version_framework +++ b/pkg/securitypolicy/version_framework @@ -1 +1 @@ -0.3.0 \ No newline at end of file +0.4.0 \ No newline at end of file From ae683b281ae1911a782c8cfa09004abe247fbf2f Mon Sep 17 00:00:00 2001 From: Kirtana Ashok Date: Sun, 20 Apr 2025 17:58:34 -0700 Subject: [PATCH 10/20] Send container spec while creating container Signed-off-by: Kirtana Ashok --- internal/gcs-sidecar/handlers.go | 31 ++++++++++++++++---- internal/hcsoci/create.go | 24 ++++++++++++--- internal/protocol/guestresource/resources.go | 5 ++++ 3 files changed, 50 insertions(+), 10 deletions(-) diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index 2349efa104..b8b17a9611 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go @@ -42,17 +42,18 @@ func (b *Bridge) createContainer(req *request) (err error) { defer span.End() defer func() { oc.SetSpanStatus(span, err) }() - var r prot.ContainerCreate + var createContainerRequest prot.ContainerCreate var containerConfig json.RawMessage - r.ContainerConfig.Value = &containerConfig - if err = commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { + createContainerRequest.ContainerConfig.Value = &containerConfig + if err = commonutils.UnmarshalJSONWithHresult(req.message, &createContainerRequest); err != nil { return errors.Wrap(err, "failed to unmarshal createContainer") } // containerConfig can be of type uvnConfig or hcsschema.HostedSystem var ( - uvmConfig prot.UvmConfig - hostedSystemConfig hcsschema.HostedSystem + uvmConfig prot.UvmConfig + hostedSystemConfig hcsschema.HostedSystem + cwcowHostedSystemConfig guestresource.CWCOWHostedSystem ) if err = commonutils.UnmarshalJSONWithHresult(containerConfig, &uvmConfig); err == nil && uvmConfig.SystemType != "" { 
@@ -63,7 +64,25 @@ func (b *Bridge) createContainer(req *request) (err error) { hostedSystemConfig.SchemaVersion != nil && hostedSystemConfig.Container != nil { schemaVersion := hostedSystemConfig.SchemaVersion container := hostedSystemConfig.Container - log.G(ctx).Tracef("createContainer: HostedSystemConfig: {schemaVersion: %v, container: %v}}", schemaVersion, container) + log.G(ctx).Tracef("rpcCreate: HostedSystemConfig: {schemaVersion: %v, container: %v}}", schemaVersion, container) + } else if err = commonutils.UnmarshalJSONWithHresult(containerConfig, &cwcowHostedSystemConfig); err == nil { + cwcowHostedSystem := cwcowHostedSystemConfig.CWCOWHostedSystem + schemaVersion := cwcowHostedSystem.SchemaVersion + container := cwcowHostedSystem.Container + log.G(ctx).Tracef("rpcCreate: CWCOWHostedSystemConfig {schemaVersion: %v, container: %v}}", schemaVersion, container) + + // Strip the spec field before forwarding to gcs + createContainerRequest.ContainerConfig = prot.AnyInString{cwcowHostedSystem} + buf, err := json.Marshal(createContainerRequest) + if err != nil { + return fmt.Errorf("failed to marshal rpcCreatecontainer: %v", req) + } + var newRequest request + newRequest.ctx = req.ctx + newRequest.header = req.header + newRequest.header.Size = uint32(len(buf)) + prot.HdrSize + newRequest.message = buf + req = &newRequest } else { return fmt.Errorf("invalid request to createContainer") } diff --git a/internal/hcsoci/create.go b/internal/hcsoci/create.go index ab0fa6c272..cd9ea39a37 100644 --- a/internal/hcsoci/create.go +++ b/internal/hcsoci/create.go @@ -23,6 +23,7 @@ import ( "github.com/Microsoft/hcsshim/internal/layers" "github.com/Microsoft/hcsshim/internal/log" "github.com/Microsoft/hcsshim/internal/oci" + "github.com/Microsoft/hcsshim/internal/protocol/guestresource" "github.com/Microsoft/hcsshim/internal/resources" "github.com/Microsoft/hcsshim/internal/schemaversion" "github.com/Microsoft/hcsshim/internal/uvm" 
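Review bot: The error path after `json.Marshal(createContainerRequest)` formats `req` instead of the marshal error (`fmt.Errorf("failed to marshal rpcCreatecontainer: %v", req)`), so the failure reason is dropped and the whole request is copied into the error string; use `fmt.Errorf("failed to marshal rpcCreatecontainer: %w", err)`. `prot.AnyInString{cwcowHostedSystem}` is an unkeyed composite literal that `go vet` flags; the keyed form `prot.AnyInString{Value: cwcowHostedSystem}` follows the `ContainerConfig.Value` usage earlier in the function. The new `else if` accepts any JSON that unmarshals into `CWCOWHostedSystem` without checking that its fields were populated, so a HostedSystem that failed the preceding `SchemaVersion`/`Container` guard falls through here and is forwarded without a spec; require at least `cwcowHostedSystemConfig.CWCOWHostedSystem.Container != nil`. createContainer starts and ends outside the hunk.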
@@ -264,10 +265,25 @@ func CreateContainer(ctx context.Context, createOptions *CreateOptions) (_ cow.C // v1 Argon or Xenon. Pass the document directly to HCS. hcsDocument = v1 } else if coi.HostingSystem != nil { - // v2 Xenon. Pass the container object to the UVM. - gcsDocument = &hcsschema.HostedSystem{ - SchemaVersion: schemaversion.SchemaV21(), - Container: v2, + isCWCOWUVM := false + if createOptions.HostingSystem.WCOWconfidentialUVMOptions != nil { + isCWCOWUVM = true + } + if isCWCOWUVM { + // confidential wcow uvm + gcsDocument = &guestresource.CWCOWHostedSystem{ + Spec: *createOptions.Spec, + CWCOWHostedSystem: hcsschema.HostedSystem{ + SchemaVersion: schemaversion.SchemaV21(), + Container: v2, + }, + } + } else { + // v2 Xenon. Pass the container object to the UVM. + gcsDocument = &hcsschema.HostedSystem{ + SchemaVersion: schemaversion.SchemaV21(), + Container: v2, + } } } else { // v2 Argon. Pass the container object to the HCS. diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go index 83abf3b111..38910c86b0 100644 --- a/internal/protocol/guestresource/resources.go +++ b/internal/protocol/guestresource/resources.go @@ -82,6 +82,11 @@ type CWCOWCombinedLayers struct { CombinedLayers WCOWCombinedLayers `json:"CombinedLayers,omitempty"` } +type CWCOWHostedSystem struct { + Spec specs.Spec + CWCOWHostedSystem hcsschema.HostedSystem +} + // Defines the schema for hosted settings passed to GCS and/or OpenGCS // SCSIDevice represents a SCSI device that is attached to the system. From e639940ac25a9438abcfad902ae5d98b8466dc0e Mon Sep 17 00:00:00 2001 From: Mahati Chamarthy Date: Mon, 28 Apr 2025 17:43:17 +0100 Subject: [PATCH 11/20] CWCOW: Implement security policy 
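Review bot: The `isCWCOWUVM` flag is set and immediately tested; `if createOptions.HostingSystem.WCOWconfidentialUVMOptions != nil {` reads more directly. The enclosing `else if` tests `coi.HostingSystem != nil` but the new code reads `createOptions.HostingSystem`; if those are not guaranteed to be the same object the nil check protects the wrong one. `*createOptions.Spec` is dereferenced without a guard; if Spec is validated earlier in CreateContainer (outside the hunk) a comment saying so would help. CreateContainer starts and ends outside the hunk.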
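Review bot: `CWCOWHostedSystem` is an exported type with no doc comment and no `json` tags, unlike the surrounding guestresource types, and its wire shape is parsed by the sidecar's createContainer; tagging the fields (`json:"Spec"`, `json:"CWCOWHostedSystem"`) and adding `// CWCOWHostedSystem is the create-container document sent to a confidential WCOW UVM: the OCI spec the sidecar enforces policy on, plus the HostedSystem it forwards to the inbox GCS.` pins the contract.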
Signed-off-by: Mahati Chamarthy --- internal/gcs-sidecar/bridge.go | 21 ++ internal/gcs-sidecar/handlers.go | 312 ++++++++++++++++-- internal/gcs-sidecar/host.go | 168 +++++++++- internal/guest/runtime/hcsv2/uvm.go | 1 + internal/protocol/guestresource/resources.go | 4 + .../regopolicyinterpreter.go | 14 + internal/tools/policyenginesimulator/main.go | 1 + pkg/securitypolicy/framework.rego | 96 +++++- pkg/securitypolicy/regopolicy_test.go | 131 +++++--- pkg/securitypolicy/securitypolicyenforcer.go | 142 +++++++- .../securitypolicyenforcer_rego.go | 190 ++++++++--- 11 files changed, 960 insertions(+), 120 deletions(-) diff --git a/internal/gcs-sidecar/bridge.go b/internal/gcs-sidecar/bridge.go index 502d81a8e2..ae7b4b965a 100644 --- a/internal/gcs-sidecar/bridge.go +++ b/internal/gcs-sidecar/bridge.go @@ -32,6 +32,9 @@ import ( type Bridge struct { mu sync.Mutex + pendingMu sync.Mutex + pending map[sequenceID]*prot.ContainerExecuteProcessResponse + hostState *Host // List of handlers for handling different rpc message requests. rpcHandlerList map[prot.RPCProc]HandlerFunc @@ -77,6 +80,7 @@ type request struct { func NewBridge(shimConn io.ReadWriteCloser, inboxGCSConn io.ReadWriteCloser, initialEnforcer securitypolicy.SecurityPolicyEnforcer) *Bridge { hostState := NewHost(initialEnforcer) return &Bridge{ + pending: make(map[sequenceID]*prot.ContainerExecuteProcessResponse), rpcHandlerList: make(map[prot.RPCProc]HandlerFunc), hostState: hostState, shimConn: shimConn, 
@@ -378,6 +382,23 @@ func (b *Bridge) ListenAndServeShimRequests() error { logrus.Error(recverr) break } + // If this is a ContainerExecuteProcessResponse, notify + const MsgExecuteProcessResponse prot.MsgType = prot.MsgTypeResponse | prot.MsgType(prot.RPCExecuteProcess) + + if header.Type == MsgExecuteProcessResponse { + logrus.Tracef("Printing after inbox exec resp") + var procResp prot.ContainerExecuteProcessResponse + if err := json.Unmarshal(message, &procResp); err != nil { + logrus.Tracef("unmarshal failed") + } + + b.pendingMu.Lock() + if _, exists := b.pending[header.ID]; exists { + logrus.Tracef("Header ID in pending exists") + b.pending[header.ID] = &procResp + } + b.pendingMu.Unlock() + } // Forward to shim resp := bridgeResponse{ diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index b8b17a9611..6fc5936b85 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go @@ -8,6 +8,7 @@ import ( "fmt" "os" "path/filepath" + "strings" "time" "github.com/Microsoft/hcsshim/hcn" @@ -17,17 +18,22 @@ import ( hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2" "github.com/Microsoft/hcsshim/internal/log" "github.com/Microsoft/hcsshim/internal/oc" + "github.com/Microsoft/hcsshim/internal/oci" "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" "github.com/Microsoft/hcsshim/internal/protocol/guestresource" "github.com/Microsoft/hcsshim/internal/windevice" + "github.com/Microsoft/hcsshim/pkg/annotations" "github.com/Microsoft/hcsshim/pkg/cimfs" + "github.com/Microsoft/hcsshim/pkg/securitypolicy" "github.com/pkg/errors" + "golang.org/x/sys/windows" ) const ( sandboxStateDirName = "WcSandboxState" hivesDirName = "Hives" devPathFormat = "\\\\.\\PHYSICALDRIVE%d" + UVMContainerID = "00000000-0000-0000-0000-000000000000" ) // - Handler functions handle the incoming message requests. It 
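Review bot: When `json.Unmarshal(message, &procResp)` fails the code only traces `"unmarshal failed"` and then still stores the zero-valued `procResp` into `b.pending`, so a malformed or unexpected response from the inbox GCS is recorded as a valid exec response for whoever waits on that sequence ID. Store only on success: `if err := json.Unmarshal(message, &procResp); err != nil { logrus.WithError(err).Warn("decoding ContainerExecuteProcessResponse") } else { /* lock and store */ }`. The `const MsgExecuteProcessResponse` is declared inside the receive loop and belongs at package level beside the other message-type definitions, and the `"Printing after inbox exec resp"` and `"Header ID in pending exists"` traces look like leftover debugging. ListenAndServeShimRequests starts and ends outside the hunk.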
@@ -49,7 +55,7 @@ func (b *Bridge) createContainer(req *request) (err error) { return errors.Wrap(err, "failed to unmarshal createContainer") } - // containerConfig can be of type uvnConfig or hcsschema.HostedSystem + // containerConfig can be of type uvnConfig or hcsschema.HostedSystem or guestresource.CWCOWHostedSystem var ( uvmConfig prot.UvmConfig hostedSystemConfig hcsschema.HostedSystem 
@@ -65,17 +71,110 @@ func (b *Bridge) createContainer(req *request) (err error) { schemaVersion := hostedSystemConfig.SchemaVersion container := hostedSystemConfig.Container log.G(ctx).Tracef("rpcCreate: HostedSystemConfig: {schemaVersion: %v, container: %v}}", schemaVersion, container) - } else if err = commonutils.UnmarshalJSONWithHresult(containerConfig, &cwcowHostedSystemConfig); err == nil { + } else if err = commonutils.UnmarshalJSONWithHresult(containerConfig, &cwcowHostedSystemConfig); err == nil && + cwcowHostedSystemConfig.Spec.Version != "" && cwcowHostedSystemConfig.CWCOWHostedSystem.Container != nil { cwcowHostedSystem := cwcowHostedSystemConfig.CWCOWHostedSystem schemaVersion := cwcowHostedSystem.SchemaVersion container := cwcowHostedSystem.Container - log.G(ctx).Tracef("rpcCreate: CWCOWHostedSystemConfig {schemaVersion: %v, container: %v}}", schemaVersion, container) + spec := cwcowHostedSystemConfig.Spec + containerID := createContainerRequest.ContainerID + log.G(ctx).Tracef("rpcCreate: CWCOWHostedSystemConfig {spec: %v, schemaVersion: %v, container: %v}}", string(req.message), schemaVersion, container) + if b.hostState.isSecurityPolicyEnforcerInitialized() { + user := securitypolicy.IDName{ + Name: spec.Process.User.Username, + } + log.G(ctx).Tracef("user test: %v", user) + _, _, _, err := b.hostState.securityPolicyEnforcer.EnforceCreateContainerPolicyV2(req.ctx, containerID, spec.Process.Args, spec.Process.Env, spec.Process.Cwd, spec.Mounts, user, nil) + + if err != nil { + return fmt.Errorf("CreateContainer operation is denied by policy: %v", err) + } + c := &Container{ + id: containerID, + spec: spec, + processes: make(map[uint32]*containerProcess), + } + log.G(ctx).Tracef("Adding ContainerID: %v", containerID) + if err := b.hostState.AddContainer(req.ctx, containerID, c); err != nil { + log.G(ctx).Tracef("Container exists in the map!") + } + defer func(err error) { + if err != nil { + b.hostState.RemoveContainer(containerID) + } + }(err) + // 
Write security policy, signed UVM reference and host AMD certificate to + // container's rootfs, so that application and sidecar containers can have + // access to it. The security policy is required by containers which need to + // extract init-time claims found in the security policy. The directory path + // containing the files is exposed via UVM_SECURITY_CONTEXT_DIR env var. + // It may be an error to have a security policy but not expose it to the + // container as in that case it can never be checked as correct by a verifier. + if oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.UVMSecurityPolicyEnv, true) { + encodedPolicy := b.hostState.securityPolicyEnforcer.EncodedSecurityPolicy() + hostAMDCert := spec.Annotations[annotations.HostAMDCertificate] + if len(encodedPolicy) > 0 || len(hostAMDCert) > 0 || len(b.hostState.uvmReferenceInfo) > 0 { + // Use os.MkdirTemp to make sure that the directory is unique. + securityContextDir, err := os.MkdirTemp(spec.Root.Path, securitypolicy.SecurityContextDirTemplate) + if err != nil { + return fmt.Errorf("failed to create security context directory: %w", err) + } + // Make sure that files inside directory are readable + if err := os.Chmod(securityContextDir, 0755); err != nil { + return fmt.Errorf("failed to chmod security context directory: %w", err) + } + + if len(encodedPolicy) > 0 { + if err := writeFileInDir(securityContextDir, securitypolicy.PolicyFilename, []byte(encodedPolicy), 0777); err != nil { + return fmt.Errorf("failed to write security policy: %w", err) + } + } + if len(b.hostState.uvmReferenceInfo) > 0 { + if err := writeFileInDir(securityContextDir, securitypolicy.ReferenceInfoFilename, []byte(b.hostState.uvmReferenceInfo), 0777); err != nil { + return fmt.Errorf("failed to write UVM reference info: %w", err) + } + } + + if len(hostAMDCert) > 0 { + if err := writeFileInDir(securityContextDir, securitypolicy.HostAMDCertFilename, []byte(hostAMDCert), 0777); err != nil { + return 
fmt.Errorf("failed to write host AMD certificate: %w", err) + } + } + + containerCtxDir := fmt.Sprintf("/%s", filepath.Base(securityContextDir)) + secCtxEnv := fmt.Sprintf("UVM_SECURITY_CONTEXT_DIR=%s", containerCtxDir) + spec.Process.Env = append(spec.Process.Env, secCtxEnv) + } + } + } + + // Strip the spec field + hostedSystemBytes, err := json.Marshal(cwcowHostedSystem) + + if err != nil { + return fmt.Errorf("failed to marshal hostedSystem: %w", err) + } - // Strip the spec field before forwarding to gcs - createContainerRequest.ContainerConfig = prot.AnyInString{cwcowHostedSystem} - buf, err := json.Marshal(createContainerRequest) + // marshal it again into a JSON-escaped string which inbox GCS expects + hostedSystemEscapedBytes, err := json.Marshal(string(hostedSystemBytes)) if err != nil { - return fmt.Errorf("failed to marshal rpcCreatecontainer: %v", req) + return fmt.Errorf("failed to marshal hostedSystem JSON: %w", err) + } + + // Prepare a fixed struct that takes in raw message + type containerCreateModified struct { + prot.RequestBase + ContainerConfig json.RawMessage + } + createContainerRequestModified := containerCreateModified{ + RequestBase: createContainerRequest.RequestBase, + ContainerConfig: hostedSystemEscapedBytes, + } + + buf, err := json.Marshal(createContainerRequestModified) + log.G(ctx).Tracef("marshaled request buffer: %s", string(buf)) + if err != nil { + return fmt.Errorf("failed to marshal rpcCreatecontainer: %v", err) } var newRequest request newRequest.ctx = req.ctx 
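Review bot: `defer func(err error) { ... }(err)` evaluates `err` at defer time, when it is still nil, so the container is never removed from hostState on a later failure; close over the named result instead, `defer func() { if err != nil { b.hostState.RemoveContainer(containerID) } }()`, and change the later `err :=` declarations in this branch to `err =` so that result actually carries the failure. A failed `AddContainer` is only traced (`"Container exists in the map!"`) and processing continues, so two create requests with the same container ID both pass policy and the second silently replaces or reuses the first's recorded spec; returning an error there keeps container identity unambiguous for the exec checks that later look the container up. The `Tracef("rpcCreate: CWCOWHostedSystemConfig {spec: %v ...}", string(req.message), ...)` line and the later `"marshaled request buffer: %s"` write the entire request, including `spec.Process.Env`, to the log, which inside a confidential UVM is a data-exposure path; log the container ID and schema version only. The `UVM_SECURITY_CONTEXT_DIR` entry is appended to `spec.Process.Env`, but the document forwarded to the inbox GCS is `cwcowHostedSystem`, so unless the env is carried into the HostedSystem container document elsewhere the variable never reaches the container process. createContainer starts and ends outside the hunk.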
@@ -91,6 +190,34 @@ func (b *Bridge) createContainer(req *request) (err error) {
 return err
 }
 
+func writeFileInDir(dir string, filename string, data []byte, perm os.FileMode) error {
+ st, err := os.Stat(dir)
+ if err != nil {
+ return err
+ }
+
+ if !st.IsDir() {
+ return fmt.Errorf("not a directory %q", dir)
+ }
+
+ targetFilename := filepath.Join(dir, filename)
+ return os.WriteFile(targetFilename, data, perm)
+}
+
+// processParamEnvToOCIEnv converts an Environment field from ProcessParameters
+// (a map from environment variable to value) into an array of environment
+// variable assignments (where each is in the form "=") which
+// can be used by an oci.Process.
+func processParamEnvToOCIEnv(environment map[string]string) []string {
+ environmentList := make([]string, 0, len(environment))
+ for k, v := range environment {
+ // TODO: Do we need to escape things like quotation marks in
+ // environment variable values?
+ environmentList = append(environmentList, fmt.Sprintf("%s=%s", k, v))
+ }
+ return environmentList
+}
+
 func (b *Bridge) startContainer(req *request) (err error) {
 _, span := oc.StartSpan(req.ctx, "sidecar::startContainer")
 defer span.End()
@@ -143,6 +270,15 @@ func (b *Bridge) shutdownForced(req *request) (err error) {
 return nil
 }
 
+// escapeArgs makes a Windows-style escaped command line from a set of arguments.
+func escapeArgs(args []string) string {
+ escapedArgs := make([]string, len(args))
+ for i, a := range args {
+ escapedArgs[i] = windows.EscapeArg(a)
+ }
+ return strings.Join(escapedArgs, " ")
+}
+
 func (b *Bridge) executeProcess(req *request) (err error) {
 _, span := oc.StartSpan(req.ctx, "sidecar::executeProcess")
 defer span.End()
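Review bot: writeFileInDir silently truncates and overwrites whatever already sits at dir/filename, which matters because its callers use it to drop the security policy, UVM reference info and host AMD certificate into the container rootfs — a file that is already present at that path is replaced rather than reported. Creating the file exclusively (O_CREATE|O_EXCL) turns that into an error, and the Stat/IsDir pre-check becomes less important because the open itself fails if dir is missing. The function also has no doc comment; the one below states the contract. The same hunk's processParamEnvToOCIEnv keeps an open TODO about unescaped quotation marks in values; since its output feeds policy enforcement, that question should be settled before the code ships rather than left as a TODO.
```go
// writeFileInDir creates filename inside dir (which must already exist and be a
// directory) with the given permissions. Creation is exclusive: an existing file
// at the target path is reported as an error rather than overwritten.
func writeFileInDir(dir string, filename string, data []byte, perm os.FileMode) error {
	// … unchanged: os.Stat / IsDir check …
	targetFilename := filepath.Join(dir, filename)
	f, err := os.OpenFile(targetFilename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
	if err != nil {
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}
```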
@@ -154,13 +290,103 @@ func (b *Bridge) executeProcess(req *request) (err error) { if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { return errors.Wrap(err, "failed to unmarshal executeProcess") } - + containerID := r.RequestBase.ContainerID var processParams hcsschema.ProcessParameters if err := commonutils.UnmarshalJSONWithHresult(processParamSettings, &processParams); err != nil { return errors.Wrap(err, "executeProcess: invalid params type for request") } - b.forwardRequestToGcs(req) + commandLine := []string{processParams.CommandLine} + + if b.hostState.isSecurityPolicyEnforcerInitialized() { + if containerID == UVMContainerID { + log.G(req.ctx).Tracef("Enforcing policy on external exec process") + _, _, err := b.hostState.securityPolicyEnforcer.EnforceExecExternalProcessPolicy( + req.ctx, + commandLine, + processParamEnvToOCIEnv(processParams.Environment), + processParams.WorkingDirectory, + ) + if err != nil { + return errors.Wrapf(err, "exec is denied due to policy") + } + b.forwardRequestToGcs(req) + } else { + // fetch the container command line + c, err := b.hostState.GetCreatedContainer(req.ctx, containerID) + if err != nil { + log.G(req.ctx).Tracef("Container not found during exec: %v", containerID) + return errors.Wrapf(err, "containerID doesn't exist") + } + + // if this is an exec of Container command line, then it's already enforced + // during container creation, hence skip it here + containerCommandLine := escapeArgs(c.spec.Process.Args) + if processParams.CommandLine != containerCommandLine { + opts := &securitypolicy.ExecOptions{ + User: &securitypolicy.IDName{ + Name: processParams.User, + }, + } + log.G(req.ctx).Tracef("Enforcing policy on exec in container") + _, _, _, err = b.hostState.securityPolicyEnforcer. 
+ EnforceExecInContainerPolicyV2( + req.ctx, + containerID, + commandLine, + processParamEnvToOCIEnv(processParams.Environment), + processParams.WorkingDirectory, + opts, + ) + if err != nil { + return errors.Wrapf(err, "exec in container denied due to policy") + } + } + headerID := req.header.ID + + // initiate process ID + b.pendingMu.Lock() + b.pending[headerID] = nil // nil means not yet received + b.pendingMu.Unlock() + + defer func() { + b.pendingMu.Lock() + delete(b.pending, headerID) + b.pendingMu.Unlock() + }() + + // forward the request to gcs + b.forwardRequestToGcs(req) + + // fetch the process ID from response + deadline := time.Now().Add(5 * time.Second) + for time.Now().Before(deadline) { + log.G(req.ctx).Tracef("waiting for exec resp") + b.pendingMu.Lock() + resp := b.pending[headerID] + b.pendingMu.Unlock() + + // capture the Process details, so that we can later enforce + // on the allowed signals on the Process + if resp != nil { + log.G(req.ctx).Tracef("Got response: %+v", resp) + c.processesMutex.Lock() + defer c.processesMutex.Unlock() + c.processes[resp.ProcessID] = &containerProcess{ + processspec: processParams, + cid: c.id, + pid: resp.ProcessID, + } + return nil + } + time.Sleep(10 * time.Millisecond) // backoff + } + + return errors.Wrap(err, "timedout waiting for exec response") + } + } else { + b.forwardRequestToGcs(req) + } return nil } 
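Review bot: The timeout path `return errors.Wrap(err, "timedout waiting for exec response")` returns nil, because `err` is nil at that point (every earlier non-nil err has already been returned) and pkg/errors' Wrap returns nil for a nil cause; the exec therefore reports success without the process ever being recorded in c.processes, so a later signalProcess for that PID fails with not-found. Replace it with `return errors.New("timed out waiting for exec response")`. Separately, the `processParams.CommandLine != containerCommandLine` shortcut skips EnforceExecInContainerPolicyV2 on command-line equality alone, so an exec that reuses the container's command line but supplies a different environment, working directory or user is never checked against the policy; if that is intentional, the comment should say so explicitly, otherwise the shortcut should be dropped. The 5-second sleep-poll on b.pending would also be cleaner as a channel or condition signalled by the response path, which would remove the 10ms busy-wait and the deadline arithmetic. executeProcess's body starts outside this hunk.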
@@ -189,14 +415,38 @@ func (b *Bridge) signalProcess(req *request) (err error) { if err := commonutils.UnmarshalJSONWithHresult(req.message, &r); err != nil { return errors.Wrap(err, "failed to unmarshal signalProcess") } - var wcowOptions guestresource.SignalProcessOptionsWCOW if rawOpts != nil { if err := commonutils.UnmarshalJSONWithHresult(rawOpts, &wcowOptions); err != nil { return errors.Wrap(err, "signalProcess: invalid Options type for request") } - } + if b.hostState.isSecurityPolicyEnforcerInitialized() { + log.G(req.ctx).Tracef("RawOpts are not nil") + containerID := r.RequestBase.ContainerID + c, err := b.hostState.GetCreatedContainer(req.ctx, containerID) + if err != nil { + return err + } + + p, err := c.GetProcess(r.ProcessID) + if err != nil { + log.G(req.ctx).Tracef("Process not found %v", r.ProcessID) + return err + } + cmdLine := p.processspec.CommandLine + opts := &securitypolicy.SignalContainerOptions{ + IsInitProcess: false, + WindowsSignal: wcowOptions.Signal, + WindowsCommand: cmdLine, + } + err = b.hostState.securityPolicyEnforcer.EnforceSignalContainerProcessPolicyV2(req.ctx, containerID, opts) + if err != nil { + return err + } + } + + } b.forwardRequestToGcs(req) return nil } @@ -220,6 +470,13 @@ func (b *Bridge) getProperties(req *request) (err error) { defer span.End() defer func() { oc.SetSpanStatus(span, err) }() + if b.hostState.isSecurityPolicyEnforcerInitialized() { + err := b.hostState.securityPolicyEnforcer.EnforceGetPropertiesPolicy(req.ctx) + if err != nil { + return errors.Wrapf(err, "get properties denied due to policy") + } + } + var getPropReqV2 prot.ContainerGetPropertiesV2 if err := commonutils.UnmarshalJSONWithHresult(req.message, &getPropReqV2); err != nil { return errors.Wrapf(err, "failed to unmarshal getProperties: %v", string(req.message)) 
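Review bot: In signalProcess the whole policy block sits inside `if rawOpts != nil`, so a request that carries no Options is forwarded to the inbox GCS without ever calling EnforceSignalContainerProcessPolicyV2; if the GCS treats missing options as a default signal, that is an unchecked signal path. Move the `if b.hostState.isSecurityPolicyEnforcerInitialized() {` block out of the rawOpts guard and pass the zero-value wcowOptions when no options were supplied, so the enforcer sees every signal request. The trace line `log.G(req.ctx).Tracef("RawOpts are not nil")` would then read as misplaced and can be dropped. `IsInitProcess: false` is hard-coded, which is only right if the init process is never looked up through c.GetProcess — worth a comment stating that assumption. The getProperties hunk on the same line looks fine.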
@@ -268,6 +525,15 @@ func (b *Bridge) deleteContainerState(req *request) (err error) { return errors.Wrap(err, "failed to unmarshal deleteContainerState") } + //TODO: Remove container state locally before passing it to inbox-gcs + /* + c, err := b.hostState.GetCreatedContainer(request.ContainerID) + if err != nil { + return nil, err + } + // remove container state regardless of delete's success + defer b.hostState.RemoveContainer(request.ContainerID)*/ + b.forwardRequestToGcs(req) return nil } @@ -357,12 +623,6 @@ func (b *Bridge) modifySettings(req *request) (err error) { if err != nil { return errors.Wrap(err, "error creating enforcer") } - /* - // ignore the returned err temporarily as it fails with "unknown policy rego" error - ; err != nil { - return err - } - */ // Send response back to shim resp := &prot.ResponseBase{ Result: 0, // 0 means success @@ -373,7 +633,12 @@ func (b *Bridge) modifySettings(req *request) (err error) { return errors.Wrap(err, "error sending response to hcsshim") } return nil - + case guestresource.ResourceTypePolicyFragment: + r, ok := modifyGuestSettingsRequest.Settings.(*guestresource.LCOWSecurityPolicyFragment) + if !ok { + return errors.New("the request settings are not of type LCOWSecurityPolicyFragment") + } + return b.hostState.InjectFragment(ctx, r) case guestresource.ResourceTypeWCOWBlockCims: // This is request to mount the merged cim at given volumeGUID wcowBlockCimMounts := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWBlockCIMMounts) @@ -386,7 +651,7 @@ func (b *Bridge) modifySettings(req *request) (err error) { var layerCIMs []*cimfs.BlockCIM layerHashes := make([]string, len(wcowBlockCimMounts.BlockCIMs)) ctx := req.ctx - for _, blockCimDevice := range wcowBlockCimMounts.BlockCIMs { + for i, blockCimDevice := range wcowBlockCimMounts.BlockCIMs { // Get the scsi device path for the blockCim lun devNumber, err := windevice.GetDeviceNumberFromControllerLUN( ctx, 
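Review bot: The new ResourceTypePolicyFragment case asserts `*guestresource.LCOWSecurityPolicyFragment` in the WCOW sidecar, while the resources.go hunk later in this commit adds a `WCOWSecurityPolicyFragment` type that nothing references; either the assertion should use the WCOW type or the new type is dead — the two hunks should agree. In the deleteContainerState hunk the added commented-out block references `request.ContainerID` and returns `nil, err` from a function that returns only error, so it cannot be re-enabled by uncommenting; a one-line `// TODO: remove local container state before forwarding to inbox-gcs` carries the intent without the stale code. Note that because the sidecar never removes entries from hostState.containers here, GetCreatedContainer will keep answering for deleted container IDs (inferred from the visible code; the delete path may be handled elsewhere).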
@@ -401,9 +666,16 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 CimName: blockCimDevice.CimName,
 }
 layerCIMs = append(layerCIMs, &layerCim)
+ layerHashes[i] = blockCimDevice.Digest
+ }
+
+ // skip the merged cim and verify individual layer hashes
+ hashesToVerify := layerHashes
+ if len(layerHashes) > 1 {
+ hashesToVerify = layerHashes[1:]
 }
 
- err := b.hostState.securityPolicyEnforcer.EnforceVerifiedCIMsPolicy(req.ctx, containerID, layerHashes)
+ err := b.hostState.securityPolicyEnforcer.EnforceVerifiedCIMsPolicy(req.ctx, containerID, hashesToVerify)
 if err != nil {
 return errors.Wrap(err, "CIM mount is denied by policy")
 }
diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go
index 245835c0a6..c1e0e6e8c3 100644
--- a/internal/gcs-sidecar/host.go
+++ b/internal/gcs-sidecar/host.go
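Review bot: `hashesToVerify = layerHashes[1:]` silently assumes that BlockCIMs[0] is the merged CIM; nothing in the hunk checks that, so if the shim side ever orders the list differently the first real layer is exempted from EnforceVerifiedCIMsPolicy, and with exactly one entry the merged CIM's own digest is what gets verified. Make the ordering an explicit, documented contract, e.g. `// BlockCIMs[0] is the merged CIM (ordering contract with the shim); its digest is not a layer hash and is not verified.`, and consider rejecting a request whose first entry is not the merged CIM if the schema lets you tell them apart. It is also worth stating what the enforcer does with an empty hashesToVerify, since an empty BlockCIMs list currently reaches it unchanged.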
@@ -5,36 +5,133 @@ package bridge import ( "context" + "crypto/sha256" + "encoding/base64" "fmt" + "os" + "path/filepath" "sync" + "time" + "github.com/Microsoft/cosesign1go/pkg/cosesign1" + didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver" + "github.com/Microsoft/hcsshim/internal/bridgeutils/gcserr" + hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2" "github.com/Microsoft/hcsshim/internal/log" + "github.com/Microsoft/hcsshim/internal/logfields" "github.com/Microsoft/hcsshim/internal/protocol/guestresource" "github.com/Microsoft/hcsshim/internal/pspdriver" "github.com/Microsoft/hcsshim/pkg/securitypolicy" + oci "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) type Host struct { + containersMutex sync.Mutex + containers map[string]*Container + // state required for the security policy enforcement policyMutex sync.Mutex securityPolicyEnforcer securitypolicy.SecurityPolicyEnforcer securityPolicyEnforcerSet bool + uvmReferenceInfo string } -type SecurityPoliyEnforcer struct { - // State required for the security policy enforcement - securityPolicyEnforcer securitypolicy.SecurityPolicyEnforcer - securityPolicyEnforcerSet bool +type Container struct { + id string + spec oci.Spec + processesMutex sync.Mutex + processes map[uint32]*containerProcess +} + +// Process is a struct that defines the lifetime and operations associated with +// an oci.Process. +type containerProcess struct { + processspec hcsschema.ProcessParameters + // cid is the container id that owns this process. + cid string + pid uint32 } func NewHost(initialEnforcer securitypolicy.SecurityPolicyEnforcer) *Host { return &Host{ + containers: make(map[string]*Container), securityPolicyEnforcer: initialEnforcer, securityPolicyEnforcerSet: false, } } +// InjectFragment extends current security policy with additional constraints +// from the incoming fragment. 
Note that it is base64 encoded over the bridge/ +// +// There are three checking steps: +// 1 - Unpack the cose document and check it was actually signed with the cert +// chain inside its header +// 2 - Check that the issuer field did:x509 identifier is for that cert chain +// (ie fingerprint of a non leaf cert and the subject matches the leaf cert) +// 3 - Check that this issuer/feed match the requirement of the user provided +// security policy (done in the regoby LoadFragment) +func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error) { + log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("GCS Host.InjectFragment") + + raw, err := base64.StdEncoding.DecodeString(fragment.Fragment) + if err != nil { + return err + } + blob := []byte(fragment.Fragment) + // keep a copy of the fragment, so we can manually figure out what went wrong + // will be removed eventually. Give it a unique name to avoid any potential + // race conditions. + sha := sha256.New() + sha.Write(blob) + timestamp := time.Now() + fragmentPath := fmt.Sprintf("fragment-%x-%d.blob", sha.Sum(nil), timestamp.UnixMilli()) + _ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644) + + unpacked, err := cosesign1.UnpackAndValidateCOSE1CertChain(raw) + if err != nil { + return fmt.Errorf("InjectFragment failed COSE validation: %w", err) + } + + payloadString := string(unpacked.Payload[:]) + issuer := unpacked.Issuer + feed := unpacked.Feed + chainPem := unpacked.ChainPem + + log.G(ctx).WithFields(logrus.Fields{ + "issuer": issuer, // eg the DID:x509:blah.... 
+ "feed": feed, + "cty": unpacked.ContentType, + "chainPem": chainPem, + }).Debugf("unpacked COSE1 cert chain") + + log.G(ctx).WithFields(logrus.Fields{ + "payload": payloadString, + }).Tracef("unpacked COSE1 payload") + + if len(issuer) == 0 || len(feed) == 0 { // must both be present + return fmt.Errorf("either issuer and feed must both be provided in the COSE_Sign1 protected header") + } + + // Resolve returns a did doc that we don't need + // we only care if there was an error or not + _, err = didx509resolver.Resolve(unpacked.ChainPem, issuer, true) + if err != nil { + log.G(ctx).Printf("Badly formed fragment - did resolver failed to match fragment did:x509 from chain with purported issuer %s, feed %s - err %s", issuer, feed, err.Error()) + return err + } + + // now offer the payload fragment to the policy + err = h.securityPolicyEnforcer.LoadFragment(ctx, issuer, feed, payloadString) + if err != nil { + return fmt.Errorf("InjectFragment failed policy load: %w", err) + } + log.G(ctx).Printf("passed fragment into the enforcer.") + + return nil +} + func (h *Host) isSecurityPolicyEnforcerInitialized() bool { return h.securityPolicyEnforcer != nil } 
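Review bot: InjectFragment calls `h.securityPolicyEnforcer.LoadFragment` without checking isSecurityPolicyEnforcerInitialized() and without taking policyMutex, so a fragment that arrives before SetWCOWConfidentialUVMOptions has run dereferences a nil enforcer unless the modifySettings caller guards it (not visible in this hunk). Add `if !h.isSecurityPolicyEnforcerInitialized() { return errors.New("security policy enforcer is not initialized") }` at the top and hold policyMutex around the LoadFragment call. The unconditional `_ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644)` persists every received fragment to the temp directory with its error ignored; the comment itself says it "will be removed eventually", so it should be behind a debug flag or removed before merge. The doc comment also has two slips worth fixing: "over the bridge/" should end with a period and "regoby" should read "rego by".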
@@ -74,13 +171,76 @@ func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicy DefaultCRIMounts(), DefaultCRIPrivilegedMounts(), maxErrorMessageLength, + "windows", ) if err != nil { return fmt.Errorf("error creating security policy enforcer: %w", err) } + if err = p.EnforceRuntimeLoggingPolicy(ctx); err == nil { + // TODO: enable OTL logging + //logrus.SetOutput(h.logWriter) + } else { + // TODO: disable OTL logging + //logrus.SetOutput(io.Discard) + } + h.securityPolicyEnforcer = p h.securityPolicyEnforcerSet = true return nil } + +func (h *Host) AddContainer(ctx context.Context, id string, c *Container) error { + h.containersMutex.Lock() + defer h.containersMutex.Unlock() + + if _, ok := h.containers[id]; ok { + log.G(ctx).Tracef("Container exists in the map: %v", ok) + } + log.G(ctx).Tracef("AddContainer: ID: %v", id) + h.containers[id] = c + return nil +} + +func (h *Host) RemoveContainer(id string) { + h.containersMutex.Lock() + defer h.containersMutex.Unlock() + + _, ok := h.containers[id] + if !ok { + return + } + + delete(h.containers, id) +} + +func (h *Host) GetCreatedContainer(ctx context.Context, id string) (*Container, error) { + h.containersMutex.Lock() + defer h.containersMutex.Unlock() + + c, ok := h.containers[id] + if !ok { + return nil, gcserr.NewHresultError(gcserr.HrVmcomputeSystemNotFound) + } + return c, nil +} + +// GetProcess returns the Process with the matching 'pid'. If the 'pid' does +// not exit returns error. +func (c *Container) GetProcess(pid uint32) (*containerProcess, error) { + //todo: thread a context to this function call + logrus.WithFields(logrus.Fields{ + logfields.ContainerID: c.id, + logfields.ProcessID: pid, + }).Info("opengcs::Container::GetProcess") + + c.processesMutex.Lock() + defer c.processesMutex.Unlock() + + p, ok := c.processes[pid] + if !ok { + return nil, gcserr.NewHresultError(gcserr.HrErrNotFound) + } + return p, nil +} 
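Review bot: `if err = p.EnforceRuntimeLoggingPolicy(ctx); err == nil { ... } else { ... }` has two empty branches (comments only), so the logging-policy result is computed and discarded and staticcheck will flag the empty branch; until OTL logging is wired up, `_ = p.EnforceRuntimeLoggingPolicy(ctx) // TODO: gate OTL logging on the result` says the same thing honestly. AddContainer logs when the ID already exists but then overwrites the entry anyway, which lets a second createContainer with the same ID replace the spec and process table that executeProcess and signalProcess consult for policy decisions; returning an error on a duplicate ID is the safer default, and the function's always-nil error return would then carry meaning. GetProcess logs through the global logrus at Info level on every lookup, whereas the rest of the file uses log.G(ctx); threading ctx through (the TODO already notes it) and dropping to Trace would match the other methods. The doc comment on GetProcess has "does not exit" for "does not exist".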
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index c35e981bbc..3c8e4eee39 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -120,6 +120,7 @@ func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.L
 policy.DefaultCRIMounts(),
 policy.DefaultCRIPrivilegedMounts(),
 maxErrorMessageLength,
+ "linux",
 )
 if err != nil {
 return err
diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go
index 38910c86b0..caf6215ac2 100644
--- a/internal/protocol/guestresource/resources.go
+++ b/internal/protocol/guestresource/resources.go
@@ -253,3 +253,7 @@ type WCOWConfidentialOptions struct {
 WCOWSecurityPolicyEnforcer string
 NoSecurityHardware bool
 }
+
+type WCOWSecurityPolicyFragment struct {
+ Fragment string `json:"Fragment,omitempty"`
+}
diff --git a/internal/regopolicyinterpreter/regopolicyinterpreter.go b/internal/regopolicyinterpreter/regopolicyinterpreter.go
index 47dbee28ea..047a4a27b7 100644
--- a/internal/regopolicyinterpreter/regopolicyinterpreter.go
+++ b/internal/regopolicyinterpreter/regopolicyinterpreter.go
@@ -269,6 +269,20 @@ func (m regoMetadata) getOrCreate(name string) map[string]interface{} {
 return metadata
 }
 
+func (r *RegoPolicyInterpreter) UpdateOSType(os string) error {
+ r.dataAndModulesMutex.Lock()
+ defer r.dataAndModulesMutex.Unlock()
+ ops := []*regoMetadataOperation{
+ {
+ Action: metadataAdd,
+ Name: "operatingsystem",
+ Key: "ostype",
+ Value: os,
+ },
+ }
+ return r.updateMetadata(ops)
+}
+
 func (r *RegoPolicyInterpreter) updateMetadata(ops []*regoMetadataOperation) error {
 // dataAndModulesMutex must be held before calling this
diff --git a/internal/tools/policyenginesimulator/main.go b/internal/tools/policyenginesimulator/main.go
index 7eec934631..e374560939 100644
--- a/internal/tools/policyenginesimulator/main.go
+++ b/internal/tools/policyenginesimulator/main.go
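Review bot: UpdateOSType accepts any string, but the framework.rego rules in this commit only fire on the exact values "linux" and "windows"; any other value (a typo, or an empty string) leaves every OS-gated `*_ok` rule undefined, which fails closed but surfaces as opaque policy denials rather than a configuration error. Validate up front, e.g. `if os != "linux" && os != "windows" { return fmt.Errorf("unsupported os type %q", os) }`, and consider exporting the two accepted values as constants so the Go callers and the rego stay in step. The parameter name `os` also shadows the standard `os` package for the body of the function, which is a readability trap if the file imports it; `osType` avoids that. The function is exported and has no doc comment.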
@@ -90,6 +90,7 @@ func createInterpreter() *rpi.RegoPolicyInterpreter { } r, err := rpi.NewRegoPolicyInterpreter(policyCode, data) + r.UpdateOSType("linux") if err != nil { log.Fatal(err) } diff --git a/pkg/securitypolicy/framework.rego b/pkg/securitypolicy/framework.rego index 96ed4330e4..830d6015d0 100644 --- a/pkg/securitypolicy/framework.rego +++ b/pkg/securitypolicy/framework.rego @@ -250,23 +250,37 @@ workingDirectory_ok(working_dir) { } privileged_ok(elevation_allowed) { + is_linux not input.privileged } privileged_ok(elevation_allowed) { + is_linux input.privileged input.privileged == elevation_allowed } +privileged_ok(no_new_privileges) { + # no-op for windows + is_windows +} + noNewPrivileges_ok(no_new_privileges) { + is_linux no_new_privileges input.noNewPrivileges } noNewPrivileges_ok(no_new_privileges) { + is_linux no_new_privileges == false } +noNewPrivileges_ok(no_new_privileges) { + # no-op for windows + is_windows +} + idName_ok(pattern, "any", value) { true } @@ -284,6 +298,7 @@ idName_ok(pattern, "re2", value) { } user_ok(user) { + is_linux user.umask == input.umask idName_ok(user.user_idname.pattern, user.user_idname.strategy, input.user) every group in input.groups { @@ -292,10 +307,20 @@ user_ok(user) { } } +user_ok(user) { + is_windows + input.user == user +} + seccomp_ok(seccomp_profile_sha256) { + is_linux input.seccompProfileSHA256 == seccomp_profile_sha256 } +seccomp_ok(seccomp_profile_sha256) { + is_windows +} + default container_started := false container_started { @@ -405,6 +430,7 @@ all_caps_sets_are_equal(sets) := caps { } valid_caps_for_all(containers, privileged) := caps { + is_linux allow_capability_dropping # find largest matching capabilities sets aka "the most specific" 
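Review bot: In createInterpreter `r.UpdateOSType("linux")` runs before the `err` check from NewRegoPolicyInterpreter, so a construction failure dereferences a nil `r` instead of reaching log.Fatal, and UpdateOSType's own error is discarded. Reorder to `if err != nil { log.Fatal(err) }` first and then `if err := r.UpdateOSType("linux"); err != nil { log.Fatal(err) }`. In the framework.rego hunk on the same line, the new windows rule is declared as `privileged_ok(no_new_privileges)`, a copy-paste of the noNewPrivileges parameter name; it is harmless to the evaluation but should read `privileged_ok(elevation_allowed)` to match its siblings.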
@@ -416,13 +442,21 @@ valid_caps_for_all(containers, privileged) := caps { } valid_caps_for_all(containers, privileged) := caps { + is_linux not allow_capability_dropping # no dropping allowed, so we just return the input caps := input.capabilities } +valid_caps_for_all(containers, privileged) := caps { + # no-op for windows + is_windows + caps := input.capabilities +} + caps_ok(allowed_caps, requested_caps) { + is_linux capsList_ok(allowed_caps.bounding, requested_caps.bounding) capsList_ok(allowed_caps.effective, requested_caps.effective) capsList_ok(allowed_caps.inheritable, requested_caps.inheritable) @@ -430,6 +464,10 @@ caps_ok(allowed_caps, requested_caps) { capsList_ok(allowed_caps.ambient, requested_caps.ambient) } +caps_ok(allowed_caps, requested_caps) { + is_windows +} + get_capabilities(container, privileged) := capabilities { container.capabilities != null capabilities := container.capabilities @@ -514,11 +552,10 @@ create_container := {"metadata": [updateMatches, addStarted], # check to see if the capabilities variables match, dropping # them if allowed (and necessary) - caps_list := valid_caps_for_all(possible_after_env_containers, input.privileged) - possible_after_caps_containers := [container | - container := possible_after_env_containers[_] - caps_ok(get_capabilities(container, input.privileged), caps_list) - ] + caps_result := possible_container_after_caps(possible_after_env_containers, input.privileged) + + possible_after_caps_containers := caps_result.containers + caps_list := caps_result.caps_list count(possible_after_caps_containers) > 0 
@@ -550,6 +587,24 @@ create_container := {"metadata": [updateMatches, addStarted], }, } } +possible_container_after_caps(env_containers, privileged) := { + "containers": env_containers, + "caps_list": [] +} { + is_windows +} + +possible_container_after_caps(env_containers, privileged) := { + "containers": filtered, + "caps_list": caps_list +} { + is_linux + caps_list := valid_caps_for_all(env_containers, privileged) + filtered := [container | + container := env_containers[_] + caps_ok(get_capabilities(container, privileged), caps_list) + ] +} mountSource_ok(constraint, source) { startswith(constraint, data.sandboxPrefix) @@ -612,10 +667,23 @@ mount_ok(mounts, allow_elevated, mount) { } mountList_ok(mounts, allow_elevated) { + is_linux every mount in input.mounts { mount_ok(mounts, allow_elevated, mount) } } +mountList_ok(mounts, allow_elevated) { + # no-op for windows + is_windows +} + +is_linux { + data.metadata.operatingsystem[ostype] == "linux" +} + +is_windows { + data.metadata.operatingsystem[ostype] == "windows" +} default exec_in_container := {"allowed": false} @@ -652,11 +720,10 @@ exec_in_container := {"metadata": [updateMatches], # check to see if the capabilities variables match, dropping # them if allowed (and necessary) - caps_list := valid_caps_for_all(possible_after_env_containers, container_privileged) - possible_after_caps_containers := [container | - container := possible_after_env_containers[_] - caps_ok(get_capabilities(container, container_privileged), caps_list) - ] + caps_result := possible_container_after_caps(possible_after_env_containers, container_privileged) + + possible_after_caps_containers := caps_result.containers + caps_list := caps_result.caps_list count(possible_after_caps_containers) > 0 @@ -1112,6 +1179,7 @@ privileged_matches { } errors["privileged escalation not allowed"] { + is_linux input.rule in ["create_container"] not privileged_matches } 
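Review bot: `is_linux { data.metadata.operatingsystem[ostype] == "linux" }` uses `ostype` as an unbound variable, so it iterates every key under data.metadata.operatingsystem and succeeds if any value equals "linux", rather than checking the specific key that UpdateOSType writes; the same applies to is_windows. Bind to the key explicitly, `data.metadata.operatingsystem.ostype == "linux"` (and the windows counterpart), so an unrelated metadata entry cannot satisfy the gate. Both predicates are undefined when the metadata has never been set, which makes every gated rule fail closed — a short comment above them saying so would save the next reader from wondering whether an unset OS defaults to linux. The remaining hunks on this line only add `is_linux` guards and the possible_container_after_caps split, which look consistent.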
@@ -1289,6 +1357,7 @@ mount_matches(mount) { } errors[mountError] { + is_linux input.rule == "create_container" bad_mounts := [mount.destination | mount := input.mounts[_] @@ -1437,6 +1506,7 @@ errors[fragment_framework_version_error] { } errors["containers only distinguishable by allow_stdio_access"] { + is_linux input.rule == "create_container" not container_started @@ -1526,6 +1596,7 @@ noNewPrivileges_matches { } errors["invalid noNewPrivileges"] { + is_linux input.rule in ["create_container", "exec_in_container"] not noNewPrivileges_matches } @@ -1548,11 +1619,13 @@ user_matches { } errors["invalid user"] { + is_linux input.rule in ["create_container", "exec_in_container"] not user_matches } errors["capabilities don't match"] { + is_linux input.rule == "create_container" not container_started @@ -1592,6 +1665,7 @@ errors["capabilities don't match"] { } errors["capabilities don't match"] { + is_linux input.rule == "exec_in_container" container_started @@ -1631,6 +1705,7 @@ errors["capabilities don't match"] { # covers exec_in_container as well. it shouldn't be possible to ever get # an exec_in_container as it "inherits" capabilities rules from create_container errors["containers only distinguishable by capabilties"] { + is_linux input.rule == "create_container" allow_capability_dropping @@ -1676,6 +1751,7 @@ seccomp_matches { } errors["invalid seccomp"] { + is_linux input.rule == "create_container" not seccomp_matches } diff --git a/pkg/securitypolicy/regopolicy_test.go b/pkg/securitypolicy/regopolicy_test.go index fa6a9560ca..da75863595 100644 --- a/pkg/securitypolicy/regopolicy_test.go +++ b/pkg/securitypolicy/regopolicy_test.go @@ -37,6 +37,7 @@ const ( maxGeneratedFragmentIssuerLength = 16 maxPlan9MountTargetLength = 64 maxPlan9MountIndex = 16 + osType = "linux" ) func Test_RegoTemplates(t *testing.T) { 
@@ -146,7 +147,8 @@ func Test_MarshalRego_Policy(t *testing.T) { return false } - _, err = newRegoPolicy(expected, defaultMounts, privilegedMounts) + _, err = newRegoPolicy(expected, defaultMounts, privilegedMounts, osType) + if err != nil { t.Errorf("unable to convert policy to rego: %v", err) return false @@ -232,7 +234,8 @@ func Test_MarshalRego_Fragment(t *testing.T) { func Test_Rego_EnforceDeviceMountPolicy_No_Matches(t *testing.T) { f := func(p *generatedConstraints) bool { securityPolicy := p.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Errorf("unable to convert policy to rego: %v", err) return false @@ -257,7 +260,8 @@ func Test_Rego_EnforceDeviceMountPolicy_No_Matches(t *testing.T) { func Test_Rego_EnforceDeviceMountPolicy_Matches(t *testing.T) { f := func(p *generatedConstraints) bool { securityPolicy := p.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Errorf("unable to convert policy to rego: %v", err) return false @@ -280,7 +284,8 @@ func Test_Rego_EnforceDeviceMountPolicy_Matches(t *testing.T) { func Test_Rego_EnforceDeviceUmountPolicy_Removes_Device_Entries(t *testing.T) { f := func(p *generatedConstraints) bool { securityPolicy := p.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Error(err) return false 
@@ -318,7 +323,8 @@ func Test_Rego_EnforceDeviceUmountPolicy_Removes_Device_Entries(t *testing.T) { func Test_Rego_EnforceDeviceMountPolicy_Duplicate_Device_Target(t *testing.T) { f := func(p *generatedConstraints) bool { securityPolicy := p.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Errorf("unable to convert policy to rego: %v", err) return false @@ -413,7 +419,8 @@ func Test_Rego_EnforceOverlayMountPolicy_Layers_With_Same_Root_Hash(t *testing.T constraints.containers = []*securityPolicyContainer{container} constraints.externalProcesses = generateExternalProcesses(testRand) securityPolicy := constraints.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatal("Unable to create security policy") } @@ -449,7 +456,8 @@ func Test_Rego_EnforceOverlayMountPolicy_Layers_Shared_Layers(t *testing.T) { constraints.externalProcesses = generateExternalProcesses(testRand) securityPolicy := constraints.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatal("Unable to create security policy") } @@ -559,7 +567,7 @@ func Test_Rego_EnforceOverlayMountPolicy_Reusing_ID_Across_Overlays(t *testing.T policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), osType) if err != nil { t.Fatal(err) } 
@@ -611,7 +619,8 @@ func Test_Rego_EnforceOverlayMountPolicy_Multiple_Instances_Same_Container(t *te } securityPolicy := constraints.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("failed create enforcer") } @@ -899,7 +908,7 @@ func Test_Rego_EnforceCreateContainer_Start_All_Containers(t *testing.T) { policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), osType) if err != nil { t.Error(err) return false @@ -1779,7 +1788,8 @@ func Test_Rego_MountPolicy_MountPrivilegedWhenNotAllowed(t *testing.T) { func Test_Rego_Version_Unregistered_Enforcement_Point(t *testing.T) { gc := generateConstraints(testRand, maxContainersInGeneratedConstraints) securityPolicy := gc.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create a new Rego policy: %v", err) } @@ -1800,7 +1810,8 @@ func Test_Rego_Version_Unregistered_Enforcement_Point(t *testing.T) { func Test_Rego_Version_Future_Enforcement_Point(t *testing.T) { gc := generateConstraints(testRand, maxContainersInGeneratedConstraints) securityPolicy := gc.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create a new Rego policy: %v", err) } 
@@ -1829,7 +1840,8 @@ func Test_Rego_Version_Future_Enforcement_Point(t *testing.T) { // by their respective version information. func Test_Rego_Version_Unavailable_Enforcement_Point(t *testing.T) { code := "package policy\n\napi_version := \"0.0.1\"" - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create a new Rego policy: %v", err) } @@ -1862,7 +1874,8 @@ func Test_Rego_Version_Unavailable_Enforcement_Point(t *testing.T) { func Test_Rego_Enforcement_Point_Allowed(t *testing.T) { code := "package policy\n\napi_version := \"0.0.1\"" - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create a new Rego policy: %v", err) } @@ -1913,7 +1926,8 @@ api_version := "0.0.1" __fixture_for_allowed_extra__ := {"allowed": true} ` - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create a new Rego policy: %v", err) } @@ -1950,7 +1964,8 @@ __fixture_for_allowed_extra__ := {"allowed": true} func Test_Rego_No_API_Version(t *testing.T) { code := "package policy" - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create a new Rego policy: %v", err) } @@ -2433,7 +2448,8 @@ exec_external := { strings.Join(generateEnvs(envSet), `","`), strings.Join(generateEnvs(envSet), `","`)) - policy, err := newRegoPolicy(rego, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(rego, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Errorf("error creating policy: %v", err) return false 
@@ -2490,7 +2506,8 @@ func Test_Rego_InvalidEnvList(t *testing.T) { "env_list": true }`, apiVersion, frameworkVersion) - policy, err := newRegoPolicy(rego, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(rego, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("error creating policy: %v", err) } @@ -2539,7 +2556,8 @@ func Test_Rego_InvalidEnvList_Member(t *testing.T) { "env_list": ["one", ["two"], "three"] }`, apiVersion, frameworkVersion) - policy, err := newRegoPolicy(rego, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(rego, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("error creating policy: %v", err) } @@ -2796,7 +2814,8 @@ func Test_Rego_ExecExternalProcessPolicy_DropEnvs_Multiple(t *testing.T) { policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { t.Fatal(err) } @@ -2840,7 +2859,8 @@ func Test_Rego_ExecExternalProcessPolicy_DropEnvs_Multiple_NoMatch(t *testing.T) policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { t.Fatal(err) } @@ -3796,7 +3816,7 @@ func Test_Rego_LoadFragment_SemverVersion(t *testing.T) { defaultMounts := toOCIMounts(generateMounts(testRand)) privilegedMounts := toOCIMounts(generateMounts(testRand)) - policy, err := newRegoPolicy(securityPolicy.marshalRego(), defaultMounts, privilegedMounts) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), defaultMounts, privilegedMounts, osType) if err != nil { t.Fatalf("error compiling policy: %v", err) 
@@ -4159,7 +4179,8 @@ load_fragment := {"allowed": true, "add_module": true} { mount_device := data.fragment.mount_device `, apiVersion, frameworkVersion, issuer, feed) - policy, err := newRegoPolicy(policyCode, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(policyCode, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create Rego policy: %v", err) } @@ -4441,7 +4462,8 @@ func Test_Rego_ExecExternal_StdioAccess_NotAllowed(t *testing.T) { gc.externalProcesses = append(gc.externalProcesses, gc.externalProcesses[0].clone()) gc.externalProcesses[0].allowStdioAccess = !gc.externalProcesses[0].allowStdioAccess - policy, err := newRegoPolicy(gc.toPolicy().marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(gc.toPolicy().marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("error marshaling policy: %v", err) } @@ -4851,7 +4873,8 @@ func Test_Rego_MissingEnvList(t *testing.T) { exec_external := {"allowed": true} `, apiVersion) - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("error compiling the rego policy: %v", err) } @@ -5004,7 +5027,8 @@ func Test_Rego_ExecExternalProcessPolicy_ConflictingAllowStdioAccessHasErrorMess policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { t.Fatal(err) } @@ -5121,7 +5145,8 @@ func Test_Rego_ExecExternalProcessPolicy_RequiredEnvMissingHasErrorMessage(t *te policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { t.Fatal(err) } 
@@ -5597,7 +5622,8 @@ func Test_Rego_FrameworkSVN(t *testing.T) { policy, err := newRegoPolicy(code, toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { t.Fatalf("unable to create policy: %v", err) } @@ -5627,7 +5653,7 @@ func Test_Rego_Fragment_FrameworkSVN(t *testing.T) { defaultMounts := toOCIMounts(generateMounts(testRand)) privilegedMounts := toOCIMounts(generateMounts(testRand)) - policy, err := newRegoPolicy(securityPolicy.marshalRego(), defaultMounts, privilegedMounts) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), defaultMounts, privilegedMounts, osType) if err != nil { t.Fatalf("error compiling policy: %v", err) @@ -5675,7 +5701,8 @@ func Test_Rego_APISVN(t *testing.T) { policy, err := newRegoPolicy(code, toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { t.Fatalf("unable to create policy: %v", err) } @@ -5702,7 +5729,8 @@ func Test_Rego_NoReason(t *testing.T) { mount_device := {"allowed": false} ` - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create policy: %v", err) } @@ -5795,7 +5823,8 @@ func Test_Rego_ErrorTruncation_CustomPolicy(t *testing.T) { reason := {"custom_error": "%s"} `, randString(testRand, 2048)) - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create policy: %v", err) } @@ -5823,7 +5852,8 @@ func Test_Rego_Missing_Enforcement_Point(t *testing.T) { reason := {"errors": data.framework.errors} ` - policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(code, []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { t.Fatalf("unable to create policy: %v", err) } 
@@ -6101,7 +6131,8 @@ type regoOverlayTestConfig struct { func setupRegoOverlayTest(gc *generatedConstraints, valid bool) (tc *regoOverlayTestConfig, err error) { securityPolicy := gc.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { return nil, err } @@ -6164,7 +6195,8 @@ func setupRegoCreateContainerTest(gc *generatedConstraints, testContainer *secur policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { return nil, err } @@ -6230,7 +6262,8 @@ func setupRegoRunningContainerTest(gc *generatedConstraints, privileged bool) (t policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { return nil, err } @@ -6331,7 +6364,8 @@ func setupExternalProcessTest(gc *generatedConstraints) (tc *regoExternalPolicyT policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { return nil, err } @@ -6358,7 +6392,8 @@ func setupPlan9MountTest(gc *generatedConstraints) (tc *regoPlan9MountTestConfig policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { return nil, err } @@ -6439,7 +6474,8 @@ func setupGetPropertiesTest(gc *generatedConstraints, allowPropertiesAccess bool policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { return nil, err } 
@@ -6462,7 +6498,8 @@ func setupDumpStacksTest(constraints *generatedConstraints, allowDumpStacks bool policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { return nil, err } @@ -6500,7 +6537,8 @@ type regoPolicyOnlyTestConfig struct { func setupRegoPolicyOnlyTest(gc *generatedConstraints) (tc *regoPolicyOnlyTestConfig, err error) { securityPolicy := gc.toPolicy() - policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { return nil, err } @@ -6664,7 +6702,7 @@ func setupRegoFragmentTestConfig(gc *generatedConstraints, numFragments int, inc securityPolicy := gc.toPolicy() defaultMounts := toOCIMounts(generateMounts(testRand)) privilegedMounts := toOCIMounts(generateMounts(testRand)) - policy, err := newRegoPolicy(securityPolicy.marshalRego(), defaultMounts, privilegedMounts) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), defaultMounts, privilegedMounts, osType) if err != nil { return nil, err @@ -6748,7 +6786,8 @@ func setupRegoDropEnvsTest(disjoint bool) (*regoContainerTestConfig, error) { policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), - toOCIMounts(privilegedMounts)) + toOCIMounts(privilegedMounts), + osType) if err != nil { return nil, err @@ -6842,7 +6881,8 @@ func setupFrameworkVersionTest(gc *generatedConstraints, policyVersion string, v } securityPolicy := gc.toPolicy() - policy, err := newRegoPolicy(setFrameworkVersion(securityPolicy.marshalRego(), policyVersion), []oci.Mount{}, []oci.Mount{}) + policy, err := newRegoPolicy(setFrameworkVersion(securityPolicy.marshalRego(), policyVersion), []oci.Mount{}, []oci.Mount{}, osType) + if err != nil { return nil, err } 
@@ -7286,7 +7326,8 @@ func setupRegoScratchMountTest( defaultMounts := generateMounts(testRand) privilegedMounts := generateMounts(testRand) - policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), toOCIMounts(privilegedMounts)) + policy, err := newRegoPolicy(securityPolicy.marshalRego(), toOCIMounts(defaultMounts), toOCIMounts(privilegedMounts), osType) + if err != nil { return nil, err } diff --git a/pkg/securitypolicy/securitypolicyenforcer.go b/pkg/securitypolicy/securitypolicyenforcer.go index e590233634..d3f89a4577 100644 --- a/pkg/securitypolicy/securitypolicyenforcer.go +++ b/pkg/securitypolicy/securitypolicyenforcer.go 
@@ -10,14 +10,43 @@ import ( "sync" "syscall" + "github.com/Microsoft/hcsshim/internal/protocol/guestrequest" oci "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" ) -type createEnforcerFunc func(base64EncodedPolicy string, criMounts, criPrivilegedMounts []oci.Mount, maxErrorMessageLength int) (SecurityPolicyEnforcer, error) +type createEnforcerFunc func(base64EncodedPolicy string, criMounts, criPrivilegedMounts []oci.Mount, maxErrorMessageLength int, osType string) (SecurityPolicyEnforcer, error) type EnvList []string +type ExecOptions struct { + User *IDName // for linux, optional: nil means "not set". for windows, only name is set + Groups []IDName // optional: empty slice or nil + Umask string // optional: "" means unspecified + Capabilities *oci.LinuxCapabilities // optional: nil means "none" + NoNewPrivileges *bool // optional: nil means "not set" +} + +type CreateContainerOptions struct { + SandboxID string + Privileged *bool + NoNewPrivileges *bool + Groups []IDName + Umask string + Capabilities *oci.LinuxCapabilities + SeccompProfileSHA256 string +} + +type SignalContainerOptions struct { + IsInitProcess bool + // One of these will be set depending on platform + LinuxSignal syscall.Signal + WindowsSignal guestrequest.SignalValueWCOW + + LinuxStartupArgs []string + WindowsCommand string +} + const ( openDoorEnforcer = "open_door" standardEnforcer = "standard" @@ -54,6 +83,16 @@ type SecurityPolicyEnforcer interface { capabilities *oci.LinuxCapabilities, seccompProfileSHA256 string, ) (EnvList, *oci.LinuxCapabilities, bool, error) + EnforceCreateContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + mounts []oci.Mount, + user IDName, + opts *CreateContainerOptions, + ) (EnvList, *oci.LinuxCapabilities, bool, error) ExtendDefaultMounts([]oci.Mount) error EncodedSecurityPolicy() string EnforceExecInContainerPolicy( 
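Review bot: The new `osType string` parameter on `createEnforcerFunc` and the three option structs are undocumented, yet the value is later compared against the bare literals "linux" and "windows" in several places of securitypolicyenforcer_rego.go, so a typo in a caller is only caught at enforcement time. Declaring the accepted values once, `const (OSTypeLinux = "linux"; OSTypeWindows = "windows")`, and referencing them from both the switch statements and the doc comment would remove the stringly-typed coupling. `CreateContainerOptions` and `SignalContainerOptions` also deserve a one-line doc comment each stating which enforcer paths read them, and `ExecOptions.User` should say whether nil is actually tolerated, since the Rego implementation appears to dereference it unconditionally.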
@@ -68,9 +107,18 @@ type SecurityPolicyEnforcer interface { umask string, capabilities *oci.LinuxCapabilities, ) (EnvList, *oci.LinuxCapabilities, bool, error) + EnforceExecInContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + opts *ExecOptions, + ) (EnvList, *oci.LinuxCapabilities, bool, error) EnforceExecExternalProcessPolicy(ctx context.Context, argList []string, envList []string, workingDir string) (EnvList, bool, error) EnforceShutdownContainerPolicy(ctx context.Context, containerID string) error EnforceSignalContainerProcessPolicy(ctx context.Context, containerID string, signal syscall.Signal, isInitProcess bool, startupArgList []string) error + EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error EnforcePlan9MountPolicy(ctx context.Context, target string) (err error) EnforcePlan9UnmountPolicy(ctx context.Context, target string) (err error) EnforceGetPropertiesPolicy(ctx context.Context) error @@ -119,7 +167,7 @@ func newSecurityPolicyFromBase64JSON(base64EncodedPolicy string) (*SecurityPolic // createAllowAllEnforcer creates and returns OpenDoorSecurityPolicyEnforcer instance. // Both AllowAll and Containers cannot be set at the same time. -func createOpenDoorEnforcer(base64EncodedPolicy string, _, _ []oci.Mount, _ int) (SecurityPolicyEnforcer, error) { +func createOpenDoorEnforcer(base64EncodedPolicy string, _, _ []oci.Mount, _ int, _ string) (SecurityPolicyEnforcer, error) { // This covers the case when an "open_door" enforcer was requested, but no // actual security policy was passed. This can happen e.g. when a container // scratch is created for the first time. 
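Review bot: The three V2 methods are added to the exported `SecurityPolicyEnforcer` interface without doc comments, so implementers cannot tell whether `opts` may be nil, which fields are consulted per OS, or whether the V1 methods are now deprecated in their favour. A comment such as `// EnforceExecInContainerPolicyV2 is the platform-neutral form of EnforceExecInContainerPolicy; opts must be non-nil, and fields that do not apply to the enforcer's OS are ignored.` on each V2 method, plus a `// Deprecated: use ...V2.` marker on the V1 methods if that is the intent, would pin the contract. This matters for an enforcement interface because a nil `opts` in the permissive implementations below currently panics rather than denying.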
@@ -169,6 +217,7 @@ func createStandardEnforcer( criMounts, criPrivilegedMounts []oci.Mount, maxErrorMessageLength int, + osType string, ) (SecurityPolicyEnforcer, error) { securityPolicy, err := newSecurityPolicyFromBase64JSON(base64EncodedPolicy) if err != nil { @@ -176,7 +225,7 @@ func createStandardEnforcer( } if securityPolicy.AllowAll { - return createOpenDoorEnforcer(base64EncodedPolicy, criMounts, criPrivilegedMounts, maxErrorMessageLength) + return createOpenDoorEnforcer(base64EncodedPolicy, criMounts, criPrivilegedMounts, maxErrorMessageLength, osType) } containers, err := securityPolicy.Containers.toInternal() @@ -206,6 +255,7 @@ func CreateSecurityPolicyEnforcer( criMounts, criPrivilegedMounts []oci.Mount, maxErrorMessageLength int, + osType string, ) (SecurityPolicyEnforcer, error) { if enforcer == "" { enforcer = defaultEnforcer @@ -216,7 +266,7 @@ func CreateSecurityPolicyEnforcer( if createEnforcer, ok := registeredEnforcers[enforcer]; !ok { return nil, fmt.Errorf("unknown enforcer: %q", enforcer) } else { - return createEnforcer(base64EncodedPolicy, criMounts, criPrivilegedMounts, maxErrorMessageLength) + return createEnforcer(base64EncodedPolicy, criMounts, criPrivilegedMounts, maxErrorMessageLength, osType) } } 
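Review bot: `CreateSecurityPolicyEnforcer` now accepts `osType` but neither validates it nor documents it, so an empty or misspelled value produces an enforcer that fails only when the first container is created (rego) or that silently allows everything (standard/open_door) rather than failing at construction. If "linux" and "windows" are the only values the series supports, rejecting anything else up front with `return nil, fmt.Errorf("unsupported osType %q", osType)` gives a fail-closed and much more debuggable error path. The function's doc comment lies above the hunk and should at least list the accepted values.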
@@ -509,12 +559,36 @@ func (pe *StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy( return envList, caps, true, nil } +func (*StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + mounts []oci.Mount, + user IDName, + opts *CreateContainerOptions, +) (EnvList, *oci.LinuxCapabilities, bool, error) { + return envList, opts.Capabilities, true, nil +} + // Stub. We are deprecating the standard enforcer. Newly added enforcement // points are simply allowed. func (*StandardSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error) { return envList, caps, true, nil } +func (*StandardSecurityPolicyEnforcer) EnforceExecInContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + opts *ExecOptions, +) (EnvList, *oci.LinuxCapabilities, bool, error) { + return envList, opts.Capabilities, true, nil +} + // Stub. We are deprecating the standard enforcer. Newly added enforcement // points are simply allowed. func (*StandardSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error) { @@ -533,6 +607,10 @@ func (*StandardSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(conte return nil } +func (*StandardSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error { + return nil +} + // Stub. We are deprecating the standard enforcer. Newly added enforcement // points are simply allowed. func (*StandardSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error { 
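Review bot: Both new `StandardSecurityPolicyEnforcer` V2 stubs return `opts.Capabilities` without checking `opts` for nil, so a caller that passes no options gets a nil-pointer panic from a method whose entire purpose is to permit everything; the sibling stubs above take `caps` by value and cannot fail this way. Guard it, e.g. `var caps *oci.LinuxCapabilities; if opts != nil { caps = opts.Capabilities }; return envList, caps, true, nil`. The new methods also lack the `// Stub. We are deprecating the standard enforcer...` comment every neighbouring stub carries, and name parameters (`ctx`, `containerID`, ...) that the siblings blank with `_`.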
@@ -900,10 +978,34 @@ func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(_ context.Con return envList, caps, true, nil } +func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + mounts []oci.Mount, + user IDName, + opts *CreateContainerOptions, +) (EnvList, *oci.LinuxCapabilities, bool, error) { + return envList, opts.Capabilities, true, nil +} + func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error) { return envList, caps, true, nil } +func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + opts *ExecOptions, +) (EnvList, *oci.LinuxCapabilities, bool, error) { + return envList, opts.Capabilities, true, nil +} + func (OpenDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error) { return envList, true, nil } @@ -916,6 +1018,10 @@ func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(conte return nil } +func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error { + return nil +} + func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error { return nil } 
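Review bot: `OpenDoorSecurityPolicyEnforcer.EnforceCreateContainerPolicyV2` and `EnforceExecInContainerPolicyV2` dereference `opts` unconditionally in `return envList, opts.Capabilities, true, nil`, so the allow-all enforcer panics on a nil `opts` while the V1 methods beside it are total. Either document that `opts` is required on the interface or tolerate nil here: `if opts == nil { return envList, nil, true, nil }`. Consistent with the rest of the type, the unused parameters should be `_` rather than named.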
@@ -990,10 +1096,34 @@ func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(context.Con return nil, nil, false, errors.New("running commands is denied by policy") } +func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + mounts []oci.Mount, + user IDName, + opts *CreateContainerOptions, +) (EnvList, *oci.LinuxCapabilities, bool, error) { + return nil, nil, false, errors.New("running commands is denied by policy") +} + func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy(context.Context, string, []string, []string, string, bool, IDName, []IDName, string, *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error) { return nil, nil, false, errors.New("starting additional processes in a container is denied by policy") } +func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + opts *ExecOptions, +) (EnvList, *oci.LinuxCapabilities, bool, error) { + return nil, nil, false, errors.New("starting additional processes in a container is denied by policy") +} + func (ClosedDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(context.Context, []string, []string, string) (EnvList, bool, error) { return nil, false, errors.New("starting additional processes in uvm is denied by policy") } 
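Review bot: The two `ClosedDoorSecurityPolicyEnforcer` V2 methods name every parameter (`ctx`, `containerID`, `argList`, ...) although none is used, while the V1 methods immediately above them use unnamed parameters for the same situation; the mixed style makes the unused arguments look like an oversight. Blanking them (`func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2(context.Context, string, []string, []string, string, []oci.Mount, IDName, *CreateContainerOptions) (EnvList, *oci.LinuxCapabilities, bool, error)`) matches the file's convention and keeps linters quiet. Behaviour is correct as written: these paths deny regardless of input.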
@@ -1006,6 +1136,10 @@ func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(con return errors.New("signalling container processes is denied by policy") } +func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error { + return errors.New("signalling container processes is denied by policy") +} + func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error { return errors.New("mounting is denied by policy") } diff --git a/pkg/securitypolicy/securitypolicyenforcer_rego.go b/pkg/securitypolicy/securitypolicyenforcer_rego.go index 28dc1136df..94ddff7126 100644 --- a/pkg/securitypolicy/securitypolicyenforcer_rego.go +++ b/pkg/securitypolicy/securitypolicyenforcer_rego.go @@ -54,6 +54,8 @@ type regoEnforcer struct { stdio map[string]bool // Maximum error message length maxErrorMessageLength int + // OS type + osType string } var _ SecurityPolicyEnforcer = (*regoEnforcer)(nil) @@ -104,6 +106,7 @@ func createRegoEnforcer(base64EncodedPolicy string, defaultMounts []oci.Mount, privilegedMounts []oci.Mount, maxErrorMessageLength int, + osType string, ) (SecurityPolicyEnforcer, error) { // base64 decode the incoming policy string // It will either be (legacy) JSON or Rego. @@ -118,7 +121,7 @@ func createRegoEnforcer(base64EncodedPolicy string, err = json.Unmarshal(rawPolicy, securityPolicy) if err == nil { if securityPolicy.AllowAll { - return createOpenDoorEnforcer(base64EncodedPolicy, defaultMounts, privilegedMounts, maxErrorMessageLength) + return createOpenDoorEnforcer(base64EncodedPolicy, defaultMounts, privilegedMounts, maxErrorMessageLength, osType) } containers := make([]*Container, securityPolicy.Containers.Length) 
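Review bot: The new `regoEnforcer.osType` field is documented only as `// OS type`, which does not tell a reader that this string selects the shape of the input handed to the Rego policy or which values are valid. Something like `// osType selects the policy input schema ("linux" or "windows"); any other value makes every enforcement point return an error.` reflects what the switch statements in this file do and warns maintainers that the field is load-bearing for policy evaluation. The `createRegoEnforcer` hunk that threads the value through otherwise looks fine.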
@@ -160,7 +163,7 @@ func createRegoEnforcer(base64EncodedPolicy string,
 		code = string(rawPolicy)
 	}
 
-	regoPolicy, err := newRegoPolicy(code, defaultMounts, privilegedMounts)
+	regoPolicy, err := newRegoPolicy(code, defaultMounts, privilegedMounts, osType)
 	if err != nil {
 		return nil, fmt.Errorf("error creating Rego policy: %w", err)
 	}
@@ -173,9 +176,10 @@ func (policy *regoEnforcer) enableLogging(path string, logLevel rpi.LogLevel) {
 	policy.rego.EnableLogging(path, logLevel)
 }
 
-func newRegoPolicy(code string, defaultMounts []oci.Mount, privilegedMounts []oci.Mount) (policy *regoEnforcer, err error) {
+func newRegoPolicy(code string, defaultMounts []oci.Mount, privilegedMounts []oci.Mount, osType string) (policy *regoEnforcer, err error) {
 	policy = new(regoEnforcer)
 
+	policy.osType = osType
 	policy.defaultMounts = make([]oci.Mount, len(defaultMounts))
 	copy(policy.defaultMounts, defaultMounts)
 
@@ -192,6 +196,7 @@ func newRegoPolicy(code string, defaultMounts []oci.Mount, privilegedMounts []oc
 	}
 
 	policy.rego, err = rpi.NewRegoPolicyInterpreter(code, data)
+	policy.rego.UpdateOSType(osType)
 	if err != nil {
 		return nil, err
 	}
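Review bot: `policy.rego.UpdateOSType(osType)` runs before the `if err != nil` check on `rpi.NewRegoPolicyInterpreter`, so when the interpreter constructor fails (malformed policy code, for instance) and returns a nil interpreter, `newRegoPolicy` panics on a nil dereference instead of returning the error. Move the call below the check: `if err != nil { return nil, err }` then `policy.rego.UpdateOSType(osType)`. Separately, `policy.osType = osType` stores the value unvalidated; rejecting anything other than "linux" or "windows" here would fail closed at construction rather than at the first `create_container` evaluation, where the `default:` branch currently catches it.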
@@ -706,25 +711,70 @@ func (policy *regoEnforcer) EnforceCreateContainerPolicy( capsToKeep *oci.LinuxCapabilities, stdioAccessAllowed bool, err error) { - if capabilities == nil { + opts := &CreateContainerOptions{ + SandboxID: sandboxID, + Privileged: &privileged, + NoNewPrivileges: &noNewPrivileges, + Groups: groups, + Umask: umask, + Capabilities: capabilities, + SeccompProfileSHA256: seccompProfileSHA256, + } + return policy.EnforceCreateContainerPolicyV2(ctx, containerID, argList, envList, workingDir, mounts, user, opts) +} + +func (policy *regoEnforcer) EnforceCreateContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + mounts []oci.Mount, + user IDName, + opts *CreateContainerOptions, +) (envToKeep EnvList, + capsToKeep *oci.LinuxCapabilities, + stdioAccessAllowed bool, + err error) { + + if policy.osType == "linux" && opts.Capabilities == nil { return nil, nil, false, errors.New(capabilitiesNilError) } - input := inputData{ - "containerID": containerID, - "argList": argList, - "envList": envList, - "workingDir": workingDir, - "sandboxDir": SandboxMountsDir(sandboxID), - "hugePagesDir": HugePagesMountsDir(sandboxID), - "mounts": appendMountData([]interface{}{}, mounts), - "privileged": privileged, - "noNewPrivileges": noNewPrivileges, - "user": user.toInput(), - "groups": groupsToInputs(groups), - "umask": umask, - "capabilities": mapifyCapabilities(capabilities), - "seccompProfileSHA256": seccompProfileSHA256, + var input inputData + + switch policy.osType { + case "linux": + input = inputData{ + "containerID": containerID, + "argList": argList, + "envList": envList, + "workingDir": workingDir, + "sandboxDir": SandboxMountsDir(opts.SandboxID), + "hugePagesDir": HugePagesMountsDir(opts.SandboxID), + "mounts": appendMountData([]interface{}{}, mounts), + "privileged": opts.Privileged, + "noNewPrivileges": opts.NoNewPrivileges, + "user": user.toInput(), + "groups": 
groupsToInputs(opts.Groups), + "umask": opts.Umask, + "capabilities": mapifyCapabilities(opts.Capabilities), + "seccompProfileSHA256": opts.SeccompProfileSHA256, + } + case "windows": + if envList == nil { + envList = []string{} + } + input = inputData{ + "containerID": containerID, + "argList": argList, + "envList": envList, + "workingDir": workingDir, + "privileged": true, + "user": user.Name, + } + default: + return nil, nil, false, errors.Errorf("unsupported OS value in options: %q", policy.osType) } results, err := policy.enforce(ctx, "create_container", input) @@ -737,9 +787,11 @@ func (policy *regoEnforcer) EnforceCreateContainerPolicy( return nil, nil, false, err } - capsToKeep, err = getCapsToKeep(capabilities, results) - if err != nil { - return nil, nil, false, err + if policy.osType == "linux" { + capsToKeep, err = getCapsToKeep(opts.Capabilities, results) + if err != nil { + return nil, nil, false, err + } } stdioAccessAllowed, err = results.Bool("allow_stdio_access") 
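Review bot: In the windows branch of `EnforceCreateContainerPolicyV2` the policy input hard-codes `"privileged": true`, so the Rego policy can never distinguish a privileged Windows container from an unprivileged one even though the caller supplies `opts.Privileged`; if that is deliberate (the Windows schema may not model privilege yet) it needs a comment saying so, otherwise use `"privileged": opts.Privileged != nil && *opts.Privileged,`. In the linux branch `"privileged"` and `"noNewPrivileges"` are now passed as `*bool` where the pre-patch code passed `bool`; unless rpi is known to dereference pointers, a nil field reaches the policy as `null`, which Rego does not treat as `false`, so dereferencing with the same `!= nil && *` form keeps the input type stable. Both branches also read `opts` without a nil check; the V1 wrapper always supplies a struct, but direct V2 callers are unprotected. The function's body continues past the end of the hunk.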
@@ -802,20 +854,57 @@ func (policy *regoEnforcer) EnforceExecInContainerPolicy( capsToKeep *oci.LinuxCapabilities, stdioAccessAllowed bool, err error) { - if capabilities == nil { + opts := &ExecOptions{ + User: &user, + Groups: groups, + Umask: umask, + Capabilities: capabilities, + NoNewPrivileges: &noNewPrivileges, + } + return policy.EnforceExecInContainerPolicyV2(ctx, containerID, argList, envList, workingDir, opts) +} + +func (policy *regoEnforcer) EnforceExecInContainerPolicyV2( + ctx context.Context, + containerID string, + argList []string, + envList []string, + workingDir string, + opts *ExecOptions, +) (envToKeep EnvList, + capsToKeep *oci.LinuxCapabilities, + stdioAccessAllowed bool, + err error) { + + if policy.osType == "linux" && opts.Capabilities == nil { return nil, nil, false, errors.New(capabilitiesNilError) } - input := inputData{ - "containerID": containerID, - "argList": argList, - "envList": envList, - "workingDir": workingDir, - "noNewPrivileges": noNewPrivileges, - "user": user.toInput(), - "groups": groupsToInputs(groups), - "umask": umask, - "capabilities": mapifyCapabilities(capabilities), + var input inputData + + switch policy.osType { + case "linux": + input = inputData{ + "containerID": containerID, + "argList": argList, + "envList": envList, + "workingDir": workingDir, + "noNewPrivileges": opts.NoNewPrivileges, + "user": opts.User.toInput(), + "groups": groupsToInputs(opts.Groups), + "umask": opts.Umask, + "capabilities": mapifyCapabilities(opts.Capabilities), + } + case "windows": + input = inputData{ + "containerID": containerID, + "argList": argList, + "envList": envList, + "workingDir": workingDir, + "user": opts.User.Name, + } + default: + return nil, nil, false, errors.Errorf("unsupported OS value in options: %q", policy.osType) } results, err := policy.enforce(ctx, "exec_in_container", input) 
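Review bot: `ExecOptions.User` is documented as optional ("nil means not set"), but both branches of `EnforceExecInContainerPolicyV2` dereference it, `opts.User.toInput()` on linux and `opts.User.Name` on windows, so a nil `User` (or a nil `opts`) will most likely panic inside the enforcer rather than deny the exec. Either add a guard ahead of the switch, `if opts == nil || opts.User == nil { return nil, nil, false, errors.New("exec options with a user are required") }`, or correct the struct comment to say the field is mandatory. The V1 wrapper passes `&user`, so only callers of V2 directly can hit this. The function body continues past the hunk.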
@@ -828,11 +917,12 @@ func (policy *regoEnforcer) EnforceExecInContainerPolicy( return nil, nil, false, err } - capsToKeep, err = getCapsToKeep(capabilities, results) - if err != nil { - return nil, nil, false, err + if policy.osType == "linux" { + capsToKeep, err = getCapsToKeep(opts.Capabilities, results) + if err != nil { + return nil, nil, false, err + } } - return envToKeep, capsToKeep, policy.stdio[containerID], nil } @@ -882,6 +972,32 @@ func (policy *regoEnforcer) EnforceSignalContainerProcessPolicy(ctx context.Cont return err } +func (policy *regoEnforcer) EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error { + var input inputData + + switch policy.osType { + case "linux": + input = inputData{ + "containerID": containerID, + "signal": opts.LinuxSignal, + "isInitProcess": opts.IsInitProcess, + "argList": opts.LinuxStartupArgs, + } + case "windows": + input = inputData{ + "containerID": containerID, + "signal": opts.WindowsSignal, + "isInitProcess": opts.IsInitProcess, + "cmdLine": opts.WindowsCommand, + } + default: + return errors.Errorf("unsupported OS value in options: %q", policy.osType) + } + + _, err := policy.enforce(ctx, "signal_container_process", input) + return err +} + func (policy *regoEnforcer) EnforcePlan9MountPolicy(ctx context.Context, target string) error { mountPathPrefix := strings.Replace(guestpath.LCOWMountPathPrefixFmt, "%d", "[0-9]+", 1) input := inputData{ From 58dc6fb3c6fe3ef55ddb97fcc563244d10b9d640 Mon Sep 17 00:00:00 2001 
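Review bot: `EnforceSignalContainerProcessPolicyV2` dereferences `opts` in both branches without a nil check, whereas the create and exec V1 methods earlier in this patch were rewired to build an options struct and delegate to V2; the trailing context of the V1 signal method (`return err }`) suggests it still keeps its own body, so the two signal paths will drift unless V1 is also routed through V2. A leading `if opts == nil { return errors.New("signal options are required") }` keeps a missing argument from panicking, and delegating V1 via `&SignalContainerOptions{IsInitProcess: isInitProcess, LinuxSignal: signal, LinuxStartupArgs: startupArgList}` would give one code path for the Linux input. The windows branch passes `opts.WindowsSignal` as a `guestrequest.SignalValueWCOW`; confirm the policy framework expects that typed value rather than its underlying string.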
From: Amit Barve Date: Thu, 10 Jul 2025 14:21:45 -0400 Subject: [PATCH 12/20] Initial support for verified CIMs Block CIMs can now provide integrity checking (via a hash/Merkle tree, similar to dm-verity on Linux). A block CIM written with integrity checking enabled is called a verified CIM. A verified CIM is written once and then sealed to prevent any further modifications. When such a CIM is sealed it returns a digest of its contents. Such a CIM can then be mounted by passing in this digest. Every read on that mounted volume will then be verified against this digest to ensure the integrity of the contents of that CIM. Signed-off-by: Amit Barve (cherry picked from commit dc7cf5cc9bb3a516e4d09124591204927b9c0b76) --- internal/winapi/cimfs.go | 3 + internal/winapi/zsyscall_windows.go | 80 +++++++++++++ pkg/cimfs/cim_test.go | 83 +++++++++++++ pkg/cimfs/cim_writer_windows.go | 175 ++++++++++++++++++++++++---- pkg/cimfs/cimfs.go | 11 ++ pkg/cimfs/common.go | 4 + pkg/cimfs/doc.go | 10 ++ pkg/cimfs/mount_cim.go | 29 +++++ 8 files changed, 372 insertions(+), 23 deletions(-) diff --git a/internal/winapi/cimfs.go b/internal/winapi/cimfs.go index 6c026d9822..cc3d254120 100644 --- a/internal/winapi/cimfs.go +++ b/internal/winapi/cimfs.go 
@@ -56,3 +56,6 @@ type CimFsImagePath struct {
 //sys CimMergeMountImage(numCimPaths uint32, backingImagePaths *CimFsImagePath, flags uint32, volumeID *g) (hr error) = cimfs.CimMergeMountImage?
 //sys CimTombstoneFile(cimFSHandle FsHandle, path string) (hr error) = cimfs.CimTombstoneFile?
 //sys CimCreateMergeLink(cimFSHandle FsHandle, newPath string, oldPath string) (hr error) = cimfs.CimCreateMergeLink?
+//sys CimSealImage(blockCimPath string, hashSize *uint64, fixedHeaderSize *uint64, hash *byte) (hr error) = cimfs.CimSealImage?
+//sys CimGetVerificationInformation(blockCimPath string, isSealed *uint32, hashSize *uint64, signatureSize *uint64, fixedHeaderSize *uint64, hash *byte, signature *byte) (hr error) = cimfs.CimGetVerificationInformation?
+//sys CimMountVerifiedImage(imagePath string, fsName string, flags uint32, volumeID *g, hashSize uint16, hash *byte) (hr error) = cimfs.CimMountVerifiedImage?
diff --git a/internal/winapi/zsyscall_windows.go b/internal/winapi/zsyscall_windows.go
index db4fc1c961..a7eea44ec7 100644
--- a/internal/winapi/zsyscall_windows.go
+++ b/internal/winapi/zsyscall_windows.go
@@ -68,8 +68,11 @@ var (
 	procCimCreateMergeLink = modcimfs.NewProc("CimCreateMergeLink")
 	procCimDeletePath = modcimfs.NewProc("CimDeletePath")
 	procCimDismountImage = modcimfs.NewProc("CimDismountImage")
+	procCimGetVerificationInformation = modcimfs.NewProc("CimGetVerificationInformation")
 	procCimMergeMountImage = modcimfs.NewProc("CimMergeMountImage")
 	procCimMountImage = modcimfs.NewProc("CimMountImage")
+	procCimMountVerifiedImage = modcimfs.NewProc("CimMountVerifiedImage")
+	procCimSealImage = modcimfs.NewProc("CimSealImage")
 	procCimTombstoneFile = modcimfs.NewProc("CimTombstoneFile")
 	procCimWriteStream = modcimfs.NewProc("CimWriteStream")
 	procSetJobCompartmentId = modiphlpapi.NewProc("SetJobCompartmentId")
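Review bot: The three new `//sys` declarations carry no comment on the buffer contract, and the digest length is typed differently across them: `hashSize *uint64` on `CimSealImage`/`CimGetVerificationInformation` versus `hashSize uint16` on `CimMountVerifiedImage`. That presumably mirrors the native signatures, but it means the higher-level wrappers in pkg/cimfs (not in this chunk) must check that the length reported by `CimGetVerificationInformation` fits in a `uint16` and equals the expected digest size before mounting, because the mount-time digest is the integrity root and a truncated or short value must be rejected rather than passed through. A comment above the block such as `// hashSize/signatureSize are in-out: pass 0 with nil buffers to query the required sizes, then call again with buffers of that size.` would record the two-call pattern the pointer parameters imply — please confirm it against the CimFS documentation before committing it.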
@@ -491,6 +494,30 @@ func CimDismountImage(volumeID *g) (hr error) { return } +func CimGetVerificationInformation(blockCimPath string, isSealed *uint32, hashSize *uint64, signatureSize *uint64, fixedHeaderSize *uint64, hash *byte, signature *byte) (hr error) { + var _p0 *uint16 + _p0, hr = syscall.UTF16PtrFromString(blockCimPath) + if hr != nil { + return + } + return _CimGetVerificationInformation(_p0, isSealed, hashSize, signatureSize, fixedHeaderSize, hash, signature) +} + +func _CimGetVerificationInformation(blockCimPath *uint16, isSealed *uint32, hashSize *uint64, signatureSize *uint64, fixedHeaderSize *uint64, hash *byte, signature *byte) (hr error) { + hr = procCimGetVerificationInformation.Find() + if hr != nil { + return + } + r0, _, _ := syscall.SyscallN(procCimGetVerificationInformation.Addr(), uintptr(unsafe.Pointer(blockCimPath)), uintptr(unsafe.Pointer(isSealed)), uintptr(unsafe.Pointer(hashSize)), uintptr(unsafe.Pointer(signatureSize)), uintptr(unsafe.Pointer(fixedHeaderSize)), uintptr(unsafe.Pointer(hash)), uintptr(unsafe.Pointer(signature))) + if int32(r0) < 0 { + if r0&0x1fff0000 == 0x00070000 { + r0 &= 0xffff + } + hr = syscall.Errno(r0) + } + return +} + func CimMergeMountImage(numCimPaths uint32, backingImagePaths *CimFsImagePath, flags uint32, volumeID *g) (hr error) { hr = procCimMergeMountImage.Find() if hr != nil { 
@@ -535,6 +562,59 @@ func _CimMountImage(imagePath *uint16, fsName *uint16, flags uint32, volumeID *g return } +func CimMountVerifiedImage(imagePath string, fsName string, flags uint32, volumeID *g, hashSize uint16, hash *byte) (hr error) { + var _p0 *uint16 + _p0, hr = syscall.UTF16PtrFromString(imagePath) + if hr != nil { + return + } + var _p1 *uint16 + _p1, hr = syscall.UTF16PtrFromString(fsName) + if hr != nil { + return + } + return _CimMountVerifiedImage(_p0, _p1, flags, volumeID, hashSize, hash) +} + +func _CimMountVerifiedImage(imagePath *uint16, fsName *uint16, flags uint32, volumeID *g, hashSize uint16, hash *byte) (hr error) { + hr = procCimMountVerifiedImage.Find() + if hr != nil { + return + } + r0, _, _ := syscall.SyscallN(procCimMountVerifiedImage.Addr(), uintptr(unsafe.Pointer(imagePath)), uintptr(unsafe.Pointer(fsName)), uintptr(flags), uintptr(unsafe.Pointer(volumeID)), uintptr(hashSize), uintptr(unsafe.Pointer(hash))) + if int32(r0) < 0 { + if r0&0x1fff0000 == 0x00070000 { + r0 &= 0xffff + } + hr = syscall.Errno(r0) + } + return +} + +func CimSealImage(blockCimPath string, hashSize *uint64, fixedHeaderSize *uint64, hash *byte) (hr error) { + var _p0 *uint16 + _p0, hr = syscall.UTF16PtrFromString(blockCimPath) + if hr != nil { + return + } + return _CimSealImage(_p0, hashSize, fixedHeaderSize, hash) +} + +func _CimSealImage(blockCimPath *uint16, hashSize *uint64, fixedHeaderSize *uint64, hash *byte) (hr error) { + hr = procCimSealImage.Find() + if hr != nil { + return + } + r0, _, _ := syscall.SyscallN(procCimSealImage.Addr(), uintptr(unsafe.Pointer(blockCimPath)), uintptr(unsafe.Pointer(hashSize)), uintptr(unsafe.Pointer(fixedHeaderSize)), uintptr(unsafe.Pointer(hash))) + if int32(r0) < 0 { + if r0&0x1fff0000 == 0x00070000 { + r0 &= 0xffff + } + hr = syscall.Errno(r0) + } + return +} + func CimTombstoneFile(cimFSHandle FsHandle, path string) (hr error) { var _p0 *uint16 _p0, hr = syscall.UTF16PtrFromString(path) 
diff --git a/pkg/cimfs/cim_test.go b/pkg/cimfs/cim_test.go index 7e194421c8..af43a932f6 100644 --- a/pkg/cimfs/cim_test.go +++ b/pkg/cimfs/cim_test.go @@ -5,6 +5,7 @@ package cimfs import ( "bytes" + "context" "errors" "fmt" "io" @@ -53,6 +54,14 @@ func (t *testBlockCIM) cimPath() string { return filepath.Join(t.BlockPath, t.CimName) } +type testVerifiedBlockCIM struct { + BlockCIM +} + +func (t *testVerifiedBlockCIM) cimPath() string { + return filepath.Join(t.BlockPath, t.CimName) +} + // A utility function to create a file/directory and write data to it in the given cim. func createCimFileUtil(c *CimFsWriter, fileTuple tuple) error { // create files inside the cim @@ -99,6 +108,8 @@ func openNewCIM(t *testing.T, newCIM testCIM) *CimFsWriter { writer, err = Create(val.imageDir, val.parentName, val.imageName) case *testBlockCIM: writer, err = CreateBlockCIM(val.BlockPath, val.CimName, val.Type) + case *testVerifiedBlockCIM: + writer, err = CreateBlockCIMWithOptions(context.Background(), &val.BlockCIM, WithDataIntegrity()) } if err != nil { t.Fatalf("failed while creating a cim: %s", err) 
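Review bot: `testVerifiedBlockCIM.cimPath` is a byte-for-byte copy of `testBlockCIM.cimPath` a few lines above; if `testBlockCIM` also just embeds `BlockCIM` (its definition is outside this hunk), `testVerifiedBlockCIM` could embed `testBlockCIM` and inherit the method, so the two fixtures cannot drift. The new `openNewCIM` case would read more clearly with a comment on why it bypasses `CreateBlockCIM`: `// verified CIMs need WithDataIntegrity, which CreateBlockCIM does not expose`.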
@@ -666,3 +677,75 @@ func TestMergedLinksInMergedBlockCIMs(rootT *testing.T) { rootT.Logf("file contents don't match!") } } + +func TestVerifiedSingleFileBlockCIM(t *testing.T) { + if !IsVerifiedCimSupported() { + t.Skipf("verified CIMs are not supported") + } + + // contents to write to the CIM + testContents := []tuple{ + {"foo.txt", []byte("foo1"), false}, + {"bar.txt", []byte("bar"), false}, + } + + root := t.TempDir() + blockPath := filepath.Join(root, "layer.bcim") + tc := &testVerifiedBlockCIM{ + BlockCIM: BlockCIM{ + Type: BlockCIMTypeSingleFile, + BlockPath: blockPath, + CimName: "layer.cim", + }} + writer := openNewCIM(t, tc) + writeCIM(t, writer, testContents) + + mountvol := mountCIM(t, tc, CimMountVerifiedCim|CimMountSingleFileCim) + + compareContent(t, mountvol, testContents) +} + +func TestVerifiedSingleFileBlockCIMMount(t *testing.T) { + if !IsVerifiedCimSupported() { + t.Skipf("verified CIMs are not supported") + } + + // contents to write to the CIM + testContents := []tuple{ + {"foo.txt", []byte("foo1"), false}, + {"bar.txt", []byte("bar"), false}, + } + + root := t.TempDir() + blockPath := filepath.Join(root, "layer.bcim") + tc := &testVerifiedBlockCIM{ + BlockCIM: BlockCIM{ + Type: BlockCIMTypeSingleFile, + BlockPath: blockPath, + CimName: "layer.cim", + }} + writer := openNewCIM(t, tc) + writeCIM(t, writer, testContents) + + rootHash, err := getVerificationInfo(blockPath) + if err != nil { + t.Fatalf("failed to get verification info: %s", err) + } + + // mount and read the contents of the cim + volumeGUID, err := guid.NewV4() + if err != nil { + t.Fatalf("generate cim mount GUID: %s", err) + } + + mountvol, err := MountVerifiedBlockCIM(&tc.BlockCIM, CimMountSingleFileCim, volumeGUID, rootHash) + if err != nil { + t.Fatalf("mount verified cim : %s", err) + } + t.Cleanup(func() { + if err := Unmount(mountvol); err != nil { + t.Logf("CIM unmount failed: %s", err) + } + }) + compareContent(t, mountvol, testContents) +} 
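Review bot: Both new tests exercise only the happy path, so they would pass even if sealing or verification were silently no-ops; the guarantee this commit claims is that a modified CIM cannot be read, and nothing here checks it. A third test that writes and seals a CIM, corrupts one byte of the sealed block file, then mounts with the original root hash and asserts that `MountVerifiedBlockCIM` or a subsequent read of `foo.txt` fails would pin that behaviour, and a case passing a wrong-length or altered `rootHash` to `MountVerifiedBlockCIM` and expecting an error would cover the length check. `t.Skipf("verified CIMs are not supported")` has no format verbs and should be `t.Skip(...)`, and the two tests duplicate their setup, which a small helper returning `tc` and `blockPath` would remove.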
diff --git a/pkg/cimfs/cim_writer_windows.go b/pkg/cimfs/cim_writer_windows.go index 4204e87773..8dda2be0c3 100644 --- a/pkg/cimfs/cim_writer_windows.go +++ b/pkg/cimfs/cim_writer_windows.go @@ -32,6 +32,8 @@ type CimFsWriter struct { activeStream winapi.StreamHandle // amount of bytes that can be written to the activeStream. activeLeft uint64 + // if true the CIM will be sealed after the writer is closed. + sealOnClose bool } // Create creates a new cim image. The CimFsWriter returned can then be used to do 
@@ -63,39 +65,108 @@ func Create(imagePath string, oldFSName string, newFSName string) (_ *CimFsWrite return &CimFsWriter{handle: handle, name: filepath.Join(imagePath, fsName)}, nil } -// Create creates a new block CIM and opens it for writing. The CimFsWriter -// returned can then be used to add/remove files to/from this CIM. -func CreateBlockCIM(blockPath, name string, blockType BlockCIMType) (_ *CimFsWriter, err error) { +// blockCIMConfig represents options for creating or merging block CIMs +type blockCIMConfig struct { + // ensures that the generted CIM is identical every time when created from the same source data. + // This is mostly required for image layers. Dissabled by default. + consistentCIM bool + // enables data integrity checking, which means the CIM will be verified and sealed on close. + // This is useful for ensuring that the CIM is tamper-proof. Disabled by default. + dataIntegrity bool +} + +// BlockCIMOpt is a function type for configuring block CIM creation options +type BlockCIMOpt func(*blockCIMConfig) error + +// enabled consistent CIM creation, this ensures that CIMs created from identical source data will always be identical (i.e. SHA256 digest of the CIM will remain same) +func WithConsistentCIM() BlockCIMOpt { + return func(opts *blockCIMConfig) error { + opts.consistentCIM = true + return nil + } +} + +// WithDataIntegrity enables data integrity checking (verified CIM with sealing on close) +func WithDataIntegrity() BlockCIMOpt { + return func(opts *blockCIMConfig) error { + opts.dataIntegrity = true + return nil + } +} + +// CreateBlockCIMWithOptions creates a new block CIM with the specified options and opens it for writing. +// The CimFsWriter returned can then be used to add/remove files to/from this CIM. 
+func CreateBlockCIMWithOptions(ctx context.Context, bCIM *BlockCIM, options ...BlockCIMOpt) (_ *CimFsWriter, err error) { + // Apply default options + config := &blockCIMConfig{} + + // Apply provided options + for _, option := range options { + option(config) + } + + // Validate options + if bCIM.BlockPath == "" || bCIM.CimName == "" { + return nil, fmt.Errorf("both blockPath & name must be non empty: %w", os.ErrInvalid) + } + + if bCIM.Type == BlockCIMTypeNone { + return nil, fmt.Errorf("invalid block CIM type `%d`: %w", bCIM.Type, os.ErrInvalid) + } + + // Check OS support if !IsBlockCimSupported() { return nil, fmt.Errorf("block CIM not supported on this OS version") } - if blockPath == "" || name == "" { - return nil, fmt.Errorf("both blockPath & name must be non empty: %w", os.ErrInvalid) + + if config.dataIntegrity && !IsVerifiedCimSupported() { + return nil, fmt.Errorf("verified CIMs are not supported on this OS version") } - // When creating block CIMs we always want them to be consistent CIMs i.e a CIMs - // created from the same layer tar will always be identical. 
- var createFlags uint32 = CimCreateFlagConsistentCim - switch blockType { + // Build create flags based on options + var createFlags uint32 + if config.consistentCIM { + createFlags |= CimCreateFlagConsistentCim + } + if config.dataIntegrity { + createFlags |= CimCreateFlagVerifiedCim + } + + switch bCIM.Type { case BlockCIMTypeDevice: createFlags |= CimCreateFlagBlockDeviceCim case BlockCIMTypeSingleFile: createFlags |= CimCreateFlagSingleFileCim default: - return nil, fmt.Errorf("invalid block CIM type `%d`: %w", blockType, os.ErrInvalid) + return nil, fmt.Errorf("invalid block CIM type `%d`: %w", bCIM.Type, os.ErrInvalid) } var newNameUTF16 *uint16 - newNameUTF16, err = windows.UTF16PtrFromString(name) + newNameUTF16, err = windows.UTF16PtrFromString(bCIM.CimName) if err != nil { return nil, err } var handle winapi.FsHandle - if err := winapi.CimCreateImage2(blockPath, createFlags, nil, newNameUTF16, &handle); err != nil { - return nil, fmt.Errorf("failed to create block CIM at path %s,%s: %w", blockPath, name, err) + if err := winapi.CimCreateImage2(bCIM.BlockPath, createFlags, nil, newNameUTF16, &handle); err != nil { + return nil, fmt.Errorf("failed to create block CIM at path %s,%s: %w", bCIM.BlockPath, bCIM.CimName, err) } - return &CimFsWriter{handle: handle, name: name}, nil + + return &CimFsWriter{ + handle: handle, + name: filepath.Join(bCIM.BlockPath, bCIM.CimName), + sealOnClose: config.dataIntegrity, // Seal on close if data integrity is enabled + }, nil +} + +// Create creates a new block CIM and opens it for writing. The CimFsWriter +// returned can then be used to add/remove files to/from this CIM. +func CreateBlockCIM(blockPath, name string, blockType BlockCIMType) (_ *CimFsWriter, err error) { + return CreateBlockCIMWithOptions(context.Background(), &BlockCIM{ + Type: blockType, + BlockPath: blockPath, + CimName: name, + }, WithConsistentCIM()) } // CreateAlternateStream creates alternate stream of given size at the given path inside the cim. 
This will @@ -268,7 +339,15 @@ func (c *CimFsWriter) Close() (err error) { } err = winapi.CimCloseImage(c.handle) c.handle = 0 - return err + if err != nil { + return &OpError{Cim: c.name, Op: "close", Err: err} + } + if c.sealOnClose { + if err = sealBlockCIM(filepath.Dir(c.name)); err != nil { + return &OpError{Cim: c.name, Op: "seal", Err: err} + } + } + return nil } // DestroyCim finds out the region files, object files of this cim and then delete the @@ -351,13 +430,27 @@ func GetCimUsage(ctx context.Context, cimPath string) (uint64, error) { // considered the base CIM. (i.e file with the same path in CIM at index 0 will shadow // files with the same path at all other CIMs) When mounting this merged CIM the source // CIMs MUST be provided in the exact same order. -func MergeBlockCIMs(mergedCIM *BlockCIM, sourceCIMs []*BlockCIM) (err error) { +func MergeBlockCIMsWithOpts(ctx context.Context, mergedCIM *BlockCIM, sourceCIMs []*BlockCIM, opts ...BlockCIMOpt) (err error) { if !IsMergedCimSupported() { return fmt.Errorf("merged CIMs aren't supported on this OS version") } else if len(sourceCIMs) < 2 { return fmt.Errorf("need at least 2 source CIMs, got %d: %w", len(sourceCIMs), os.ErrInvalid) } + // Apply default options + config := &blockCIMConfig{} + + // Apply provided options + for _, opt := range opts { + opt(config) + } + + for _, sCIM := range sourceCIMs { + if sCIM.Type != mergedCIM.Type { + return fmt.Errorf("source CIM (%s) type MUST match with merged CIM type: %w", sCIM.String(), os.ErrInvalid) + } + } + var mergeFlag uint32 switch mergedCIM.Type { case BlockCIMTypeDevice: 
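Review bot: In `CreateBlockCIMWithOptions` the loop `for _, option := range options { option(config) }` discards the error that `BlockCIMOpt` is declared to return, so a failing option is silently ignored; use `if err := option(config); err != nil { return nil, fmt.Errorf("apply block CIM option: %w", err) }`. The same pattern appears in `MergeBlockCIMsWithOpts` (hunk @@ -351), where `config` is additionally built and, in the visible lines, never read because the options are forwarded to `CreateBlockCIMWithOptions` untouched — either use it or drop it. `ctx` is accepted by both functions but unused; if it is reserved for future cancellation or logging, say so in the doc comment. The option doc comments have typos (`generted`, `Dissabled`) and the comment on `WithConsistentCIM` should start with the function name per Go convention: `// WithConsistentCIM enables consistent CIM creation ...`.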
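Review bot: In `Close`, a failed `sealBlockCIM` is reported after `CimCloseImage` has already succeeded and `c.handle` has been zeroed, so the caller cannot retry the seal and is presumably left with a complete but unsealed image on disk. Returning the `OpError` is right, since `getVerificationInfo` rejects unsealed CIMs and the image will not mount as verified, but the doc comment on `Close` (outside this hunk) should say that a `seal` error means the CIM must be discarded and rebuilt.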
@@ -368,13 +461,7 @@ func MergeBlockCIMs(mergedCIM *BlockCIM, sourceCIMs []*BlockCIM) (err error) { return fmt.Errorf("invalid block CIM type `%d`: %w", mergedCIM.Type, os.ErrInvalid) } - for _, sCIM := range sourceCIMs { - if sCIM.Type != mergedCIM.Type { - return fmt.Errorf("source CIM (%s) type doesn't match with merged CIM type: %w", sCIM.String(), os.ErrInvalid) - } - } - - cim, err := CreateBlockCIM(mergedCIM.BlockPath, mergedCIM.CimName, mergedCIM.Type) + cim, err := CreateBlockCIMWithOptions(ctx, mergedCIM, opts...) if err != nil { return fmt.Errorf("create merged CIM: %w", err) } 
@@ -395,3 +482,45 @@ func MergeBlockCIMs(mergedCIM *BlockCIM, sourceCIMs []*BlockCIM) (err error) { } return nil } + +// MergeBlockCIMs creates a new merged BlockCIM from the provided source BlockCIMs. CIM +// at index 0 is considered to be topmost CIM and the CIM at index `length-1` is +// considered the base CIM. (i.e file with the same path in CIM at index 0 will shadow +// files with the same path at all other CIMs) When mounting this merged CIM the source +// CIMs MUST be provided in the exact same order. +func MergeBlockCIMs(mergedCIM *BlockCIM, sourceCIMs []*BlockCIM) (err error) { + return MergeBlockCIMsWithOpts(context.Background(), mergedCIM, sourceCIMs, WithConsistentCIM()) +} + +// sealBlockCIM seals a blockCIM at the given path so that no further modifications are allowed on it. This also writes a +// root hash in the block header so that in future any reads happening on the CIM can be easily verified against this root hash +// to detect tampering. +func sealBlockCIM(blockPath string) error { + var hashSize, fixedHeaderSize uint64 + hashBuf := make([]byte, cimHashSize) + if err := winapi.CimSealImage(blockPath, &hashSize, &fixedHeaderSize, &hashBuf[0]); err != nil { + return fmt.Errorf("failed to seal block CIM: %w", err) + } else if hashSize != cimHashSize { + return fmt.Errorf("unexpected cim hash size %d", hashSize) + } + return nil +} + +// getDigest returns the digest of a sealed CIM. 
+func getVerificationInfo(blockPath string) ([]byte, error) { + var ( + isSealed uint32 + hashSize uint64 + signatureSize uint64 + fixedHeaderSize uint64 + hash = make([]byte, cimHashSize) + ) + if err := winapi.CimGetVerificationInformation(blockPath, &isSealed, &hashSize, &signatureSize, &fixedHeaderSize, &hash[0], nil); err != nil { + return nil, fmt.Errorf("failed to get verification info from the CIM: %w", err) + } else if hashSize != cimHashSize { + return nil, fmt.Errorf("unexpected cim hash size %d", hashSize) + } else if isSealed == 0 { + return nil, fmt.Errorf("cim is not sealed") + } + return hash, nil +} diff --git a/pkg/cimfs/cimfs.go b/pkg/cimfs/cimfs.go index f301764387..57269607b0 100644 --- a/pkg/cimfs/cimfs.go +++ b/pkg/cimfs/cimfs.go @@ -31,6 +31,15 @@ func IsBlockCimSupported() bool { return build >= 27766 } +// IsVerifiedCimSupported returns true if block CIM format supports also writing verification information in the CIM. +func IsVerifiedCimSupported() bool { + build := osversion.Build() + // TODO(ambarve): Currently we are checking against a higher build number since there is no + // official build with block CIM support yet. Once we have that build, we should + // update the build number here. + return build >= 27800 +} + func IsMergedCimSupported() bool { // The merged CIM support was originally added before block CIM support. However, // some of the merged CIM features that we use (e.g. merged hard links) were added @@ -49,6 +58,7 @@ const ( CimMountFlagEnableDax uint32 = 0x2 CimMountBlockDeviceCim uint32 = 0x10 CimMountSingleFileCim uint32 = 0x20 + CimMountVerifiedCim uint32 = 0x80 CimCreateFlagNone uint32 = 0x0 CimCreateFlagDoNotExpandPEImages uint32 = 0x1 @@ -56,6 +66,7 @@ const ( CimCreateFlagBlockDeviceCim uint32 = 0x4 CimCreateFlagSingleFileCim uint32 = 0x8 CimCreateFlagConsistentCim uint32 = 0x10 + CimCreateFlagVerifiedCim uint32 = 0x40 CimMergeFlagNone uint32 = 0x0 CimMergeFlagSingleFile uint32 = 0x1 
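Review bot: `sealBlockCIM` and `getVerificationInfo` call the syscalls with `hashSize` left at zero while passing a 32-byte buffer, and only compare `hashSize` to `cimHashSize` after the call returns; if the API treats `hashSize` as in/out (capacity on input, bytes written on output, which the pointer parameter suggests but the `//sys` line does not document), a zero capacity may make the call fail or, worse, a larger digest would be written past `hashBuf`/`hash` before the size check runs. Initialising the size before each call, `hashSize := uint64(cimHashSize)`, is harmless under either contract and turns the check after the call into a real bound. `sealBlockCIM` also discards the root hash that sealing produces, so a producer has to re-query it; returning it, `func sealBlockCIM(blockPath string) ([]byte, error)`, would let `Close` (outside this hunk) expose it. The comment above `getVerificationInfo` still reads `// getDigest returns ...` and should name the function.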
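Review bot: The TODO inside `IsVerifiedCimSupported` was copied from `IsBlockCimSupported` and still talks about "block CIM support", so it no longer describes the 27800 threshold it guards; reword it to `// TODO(ambarve): 27800 is a placeholder until there is an official build with verified CIM support; update it then.` The new `CimMountVerifiedCim` and `CimCreateFlagVerifiedCim` constants would also benefit from a trailing comment noting they are only accepted on builds where `IsVerifiedCimSupported()` holds, which is the check `CreateBlockCIMWithOptions` performs before setting the create flag.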
diff --git a/pkg/cimfs/common.go b/pkg/cimfs/common.go index 0a05f5a9d2..ab988aff06 100644 --- a/pkg/cimfs/common.go +++ b/pkg/cimfs/common.go @@ -15,6 +15,10 @@ import ( "github.com/Microsoft/hcsshim/pkg/cimfs/format" ) +const ( + cimHashSize = 32 // size of a hash of a verified CIM in bytes +) + var ( // Equivalent to SDDL of "D:NO_ACCESS_CONTROL". nullSd = []byte{1, 0, 4, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} diff --git a/pkg/cimfs/doc.go b/pkg/cimfs/doc.go index bb9ce57717..c40f38cc69 100644 --- a/pkg/cimfs/doc.go +++ b/pkg/cimfs/doc.go @@ -24,6 +24,16 @@ newFSName string) (_ *CimFsWriter, err error)` function defined in this package, block CIMs can be created with the `func CreateBlockCIM(blockPath, oldName, newName string, blockType BlockCIMType) (_ *CimFsWriter, err error)` function. +Verified CIMs: +A block CIM can also provide integrity checking (via a hash/Merkel tree, +similar to dm-verity on Linux). If a CIM is written and sealed, it generates a +root hash of all of its contents and shares it back with the client. Any +verified CIM can be mounted by passing a hash that we expect to be its root +hash. All read operations on such a mounted CIM will then validate that the +generated root hash matches with the one that was provided at mount time. If it +doesn't match the read fails. This allows us to guarantee that the CIM based +layered aren't being modified underneath us. + Forking & Merging CIMs: In container world, CIMs are used for storing container image layers. Usually, one layer is stored in one CIM. This means we need a way to combine multiple CIMs to create the diff --git a/pkg/cimfs/mount_cim.go b/pkg/cimfs/mount_cim.go index 424857de52..905357eb6c 100644 --- a/pkg/cimfs/mount_cim.go +++ b/pkg/cimfs/mount_cim.go 
@@ -122,3 +122,32 @@ func MountMergedBlockCIMs(mergedCIM *BlockCIM, sourceCIMs []*BlockCIM, mountFlag } return fmt.Sprintf(VolumePathFormat, volumeGUID.String()), nil } + +// Mounts a verified block CIM with the provided root hash. The root hash is usually +// returned when the CIM is sealed or the root hash can be queries from a block CIM. +// Every read on the mounted volume will be verified to match against the provided root +// hash if it doesn't, the read will fail. The CIM MUST have been created with the +// verified creation flag. +func MountVerifiedBlockCIM(bCIM *BlockCIM, mountFlags uint32, volumeGUID guid.GUID, rootHash []byte) (string, error) { + if len(rootHash) != cimHashSize { + return "", fmt.Errorf("unexpected root hash size %d, expected size is %d", len(rootHash), cimHashSize) + } + + // The CimMountVerifiedCim flag should only be used when using the regular mount + // CIM API. That flag is required to tell that API that this is a verified + // CIM. This API doesn't need that flag as it is already assumed that the CIM is + // verified. + switch bCIM.Type { + case BlockCIMTypeDevice: + mountFlags |= CimMountBlockDeviceCim + case BlockCIMTypeSingleFile: + mountFlags |= CimMountSingleFileCim + default: + return "", fmt.Errorf("invalid block CIM type `%d`: %w", bCIM.Type, os.ErrInvalid) + } + + if err := winapi.CimMountVerifiedImage(bCIM.BlockPath, bCIM.CimName, mountFlags, &volumeGUID, cimHashSize, &rootHash[0]); err != nil { + return "", &MountError{Cim: bCIM.String(), Op: "MountVerifiedCIM", Err: err} + } + return fmt.Sprintf("\\\\?\\Volume{%s}\\", volumeGUID.String()), nil +} From 6bfae484afe4f0a4b960efff124e1e1693cbfde6 Mon Sep 17 00:00:00 2001 
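Review bot: `MountVerifiedBlockCIM` builds its return value with a literal `fmt.Sprintf("\\\\?\\Volume{%s}\\", ...)` while `MountMergedBlockCIMs`, visible just above it, returns `fmt.Sprintf(VolumePathFormat, volumeGUID.String())`; the two should agree, so use `VolumePathFormat` here too. The doc comment does not start with the function name and has a typo (`can be queries`); suggested opening: `// MountVerifiedBlockCIM mounts a verified block CIM and binds every read to the provided root hash; the hash is returned when the CIM is sealed or can be queried from the block CIM.` The inline comment says the `CimMountVerifiedCim` flag is not needed by this API, yet a caller-supplied `mountFlags` containing it is forwarded unchanged; if the flag is harmless here say so, otherwise mask it with `mountFlags &^= CimMountVerifiedCim`. `&rootHash[0]` is safe only because of the preceding length check, which deserves a one-line comment.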
From: Amit Barve Date: Thu, 10 Jul 2025 14:21:45 -0400 Subject: [PATCH 13/20] Query root digest of the layer CIM Currently we mock the root digest of layer CIMs. With the support for verified CIMs we don't have to mock it anymore. Now the gcs sidecar will directly query the root digest of attached layer CIMs and check that against the policy. Signed-off-by: Amit Barve --- internal/gcs-sidecar/handlers.go | 11 +++++++++-- internal/uvm/cimfs.go | 8 -------- pkg/cimfs/cim_writer_windows.go | 2 +- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index 6fc5936b85..a102a7e859 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go @@ -4,6 +4,7 @@ package bridge import ( + "encoding/base64" "encoding/json" "fmt" "os" @@ -660,13 +661,19 @@ func (b *Bridge) modifySettings(req *request) (err error) { if err != nil { return errors.Wrap(err, "err getting scsiDevPath") } + physicalDevPath := fmt.Sprintf(devPathFormat, devNumber) layerCim := cimfs.BlockCIM{ Type: cimfs.BlockCIMTypeDevice, - BlockPath: fmt.Sprintf(devPathFormat, devNumber), + BlockPath: physicalDevPath, CimName: blockCimDevice.CimName, } + cimRootDigestBytes, err := cimfs.GetVerificationInfo(physicalDevPath) + if err != nil { + return fmt.Errorf("failed to get CIM verification info: %w", err) + } + layerHashes[i] = base64.URLEncoding.EncodeToString(cimRootDigestBytes) layerCIMs = append(layerCIMs, &layerCim) - layerHashes[i] = blockCimDevice.Digest + log.G(ctx).Debugf("block CIM layer digest %s, path: %s\n", layerHashes[i], physicalDevPath) } // skip the merged cim and verify individual layer hashes diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go index 8826a82ec1..47cc29ec03 100644 --- a/internal/uvm/cimfs.go +++ b/internal/uvm/cimfs.go @@ -5,8 +5,6 @@ package uvm import ( "context" - "crypto/sha256" - "encoding/base64" "fmt" "github.com/Microsoft/go-winio/pkg/guid" 
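Review bot: In `modifySettings` the layer digest is now read from the attached device via `cimfs.GetVerificationInfo(physicalDevPath)` instead of being taken from the host-supplied `Digest` field, which is the right direction: the value compared against policy is what is actually on the disk. The policy comparison itself lies outside this hunk, so a comment next to `layerHashes[i]` should record that the base64 URL encoding must match the encoding the policy uses for layer digests, e.g. `// policy layer hashes are compared as base64url-encoded root digests`. The new `fmt.Errorf(... %w)` sits next to `errors.Wrap` in the same function; pick one style. `Debugf("... %s\n", ...)` should drop the trailing newline, since logrus terminates entries itself.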
@@ -64,14 +62,9 @@ func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.Block return nil, fmt.Errorf("failed to attach block CIM %s: %w", bcim.BlockPath, err) } - hasher := sha256.New() - hasher.Write([]byte(bcim.BlockPath)) - layerDigest := base64.URLEncoding.EncodeToString(hasher.Sum(nil)) - log.G(ctx).WithFields(logrus.Fields{ "block path": bcim.BlockPath, "cim name": bcim.CimName, - "layer digest": layerDigest, "scsi controller": sm.Controller(), "scsi LUN": sm.LUN(), }).Debugf("attached block CIM VHD") @@ -79,7 +72,6 @@ func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.Block settings.BlockCIMs = append(settings.BlockCIMs, guestresource.BlockCIMDevice{ CimName: bcim.CimName, Lun: int32(sm.LUN()), - Digest: layerDigest, }) umb.scsiMounts = append(umb.scsiMounts, sm) defer func() { diff --git a/pkg/cimfs/cim_writer_windows.go b/pkg/cimfs/cim_writer_windows.go index 8dda2be0c3..846718e62f 100644 --- a/pkg/cimfs/cim_writer_windows.go +++ b/pkg/cimfs/cim_writer_windows.go @@ -507,7 +507,7 @@ func sealBlockCIM(blockPath string) error { } // getDigest returns the digest of a sealed CIM. -func getVerificationInfo(blockPath string) ([]byte, error) { +func GetVerificationInfo(blockPath string) ([]byte, error) { var ( isSealed uint32 hashSize uint64 From bef3f36d3d222c9e0f3aa4eeb6a9cde45adedf5d Mon Sep 17 00:00:00 2001 From: Amit Barve Date: Thu, 10 Jul 2025 14:21:45 -0400 Subject: [PATCH 14/20] Use VBS isolation and secure boot by default. Signed-off-by: Amit Barve --- internal/uvm/create_wcow.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go index 9a523e0d63..ea83ab17a8 100644 --- a/internal/uvm/create_wcow.go +++ b/internal/uvm/create_wcow.go 
@@ -115,8 +115,8 @@ func SetDefaultConfidentialWCOWBootConfig(opts *OptionsWCOW) error { } //TODO(ambarve): for testing only remove later - opts.IsolationType = "GuestStateOnly" - opts.DisableSecureBoot = true + opts.IsolationType = "VirtualizationBasedSecurity" + opts.DisableSecureBoot = false opts.ConsolePipe = "\\\\.\\pipe\\uvmpipe" opts.NoSecurityHardware = true return nil From 3923d8f6558193f13ffc0d2ec3d0fd0f6c18338e Mon Sep 17 00:00:00 2001 From: Amit Barve Date: Thu, 10 Jul 2025 14:21:45 -0400 Subject: [PATCH 15/20] Linter fixes Signed-off-by: Amit Barve --- internal/uvm/cimfs.go | 5 ++++- internal/wclayer/cim/process.go | 2 -- internal/wclayer/cim/registry.go | 6 +++--- pkg/cimfs/cim_test.go | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go index 47cc29ec03..91bcf8e96f 100644 --- a/internal/uvm/cimfs.go +++ b/internal/uvm/cimfs.go @@ -76,7 +76,10 @@ func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.Block umb.scsiMounts = append(umb.scsiMounts, sm) defer func() { if err != nil { - sm.Release(ctx) + relErr := sm.Release(ctx) + if relErr != nil { + log.G(ctx).WithError(err).Warnf("cleanup on failure error: %w", relErr) + } } }() } diff --git a/internal/wclayer/cim/process.go b/internal/wclayer/cim/process.go index 03c8706352..f4ad6cb293 100644 --- a/internal/wclayer/cim/process.go +++ b/internal/wclayer/cim/process.go @@ -13,8 +13,6 @@ import ( "golang.org/x/sys/windows" ) -const defaultVHDXBlockSizeInMB = 1 - // processUtilityVMLayer will handle processing of UVM specific files when we start // supporting UVM based containers with CimFS in the future. func processUtilityVMLayer(ctx context.Context, layerPath string) error { diff --git a/internal/wclayer/cim/registry.go b/internal/wclayer/cim/registry.go index d7b7f56191..54c7a05607 100644 --- a/internal/wclayer/cim/registry.go +++ b/internal/wclayer/cim/registry.go 
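Review bot: `SetDefaultConfidentialWCOWBootConfig` now defaults to VBS isolation with secure boot enabled, but the unchanged `opts.NoSecurityHardware = true` just below still lets a "confidential" UVM boot without security hardware by default, and the `//TODO(ambarve): for testing only remove later` above the block still applies to all four assignments. If the relaxed default is intentional for now, the TODO should say which of these settings are temporary; otherwise `NoSecurityHardware` belongs to the caller as an explicit opt-in, and the `ConsolePipe` override likely does too. The function's body continues outside the hunk.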
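Review bot: `log.G(ctx).WithError(err).Warnf("cleanup on failure error: %w", relErr)` in the uvm/cimfs.go hunk uses `%w`, which `Warnf` (plain `fmt.Sprintf` formatting) does not support and renders as `%!w(...)`; use `%v`. The entry also attaches the original `err` via `WithError` while the message carries `relErr`, which is confusing when reading the log; `log.G(ctx).WithError(relErr).Warnf("releasing scsi mount after failed block CIM mount: %v", err)` keeps both but names them correctly. The deferred closure is registered inside a loop whose enclosing function is outside the hunk, so each cleanup runs only when `MountBlockCIMs` returns, which appears intended for error unwinding.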
@@ -62,7 +62,7 @@ func getOsBuildNumberFromRegistry(regHivePath string) (_ string, err error) { dataBuf := make([]byte, dataLen) if err = winapi.OROpenHive(regHivePath, &storeHandle); err != nil { - return "", fmt.Errorf("failed to open registry store at %s: %s", regHivePath, err) + return "", fmt.Errorf("failed to open registry store at %s: %w", regHivePath, err) } defer func() { if closeErr := winapi.ORCloseHive(storeHandle); closeErr != nil { @@ -74,7 +74,7 @@ func getOsBuildNumberFromRegistry(regHivePath string) (_ string, err error) { }() if err = winapi.OROpenKey(storeHandle, keyPath, &keyHandle); err != nil { - return "", fmt.Errorf("failed to open key at %s: %s", keyPath, err) + return "", fmt.Errorf("failed to open key at %s: %w", keyPath, err) } defer func() { if closeErr := winapi.ORCloseKey(keyHandle); closeErr != nil { @@ -88,7 +88,7 @@ func getOsBuildNumberFromRegistry(regHivePath string) (_ string, err error) { }() if err = winapi.ORGetValue(keyHandle, "", valueName, &dataType, &dataBuf[0], &dataLen); err != nil { - return "", fmt.Errorf("failed to get value of %s: %s", valueName, err) + return "", fmt.Errorf("failed to get value of %s: %w", valueName, err) } if dataType != uint32(winapi.REG_TYPE_SZ) { diff --git a/pkg/cimfs/cim_test.go b/pkg/cimfs/cim_test.go index af43a932f6..1ed0aa83db 100644 --- a/pkg/cimfs/cim_test.go +++ b/pkg/cimfs/cim_test.go @@ -727,7 +727,7 @@ func TestVerifiedSingleFileBlockCIMMount(t *testing.T) { writer := openNewCIM(t, tc) writeCIM(t, writer, testContents) - rootHash, err := getVerificationInfo(blockPath) + rootHash, err := GetVerificationInfo(blockPath) if err != nil { t.Fatalf("failed to get verification info: %s", err) } From abe39e1bf520f80dafd7a8526f30ff573a832608 Mon Sep 17 00:00:00 2001 From: Amit Barve Date: Thu, 10 Jul 2025 14:21:45 -0400 Subject: [PATCH 16/20] Use new verified CIM mount API Signed-off-by: Amit Barve --- internal/gcs-sidecar/handlers.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go index a102a7e859..d2b3688656 100644 --- a/internal/gcs-sidecar/handlers.go +++ b/internal/gcs-sidecar/handlers.go @@ -651,6 +651,7 @@ func (b *Bridge) modifySettings(req *request) (err error) { var layerCIMs []*cimfs.BlockCIM layerHashes := make([]string, len(wcowBlockCimMounts.BlockCIMs)) + layerDigests := make([][]byte, len(wcowBlockCimMounts.BlockCIMs)) ctx := req.ctx for i, blockCimDevice := range wcowBlockCimMounts.BlockCIMs { // Get the scsi device path for the blockCim lun @@ -671,6 +672,7 @@ func (b *Bridge) modifySettings(req *request) (err error) { if err != nil { return fmt.Errorf("failed to get CIM verification info: %w", err) } + layerDigests[i] = cimRootDigestBytes layerHashes[i] = base64.URLEncoding.EncodeToString(cimRootDigestBytes) layerCIMs = append(layerCIMs, &layerCim) log.G(ctx).Debugf("block CIM layer digest %s, path: %s\n", layerHashes[i], physicalDevPath) @@ -694,7 +696,7 @@ func (b *Bridge) modifySettings(req *request) (err error) { return errors.Wrap(err, "error mounting multilayer block cims") } } else { - _, err := cimfs.Mount(filepath.Join(layerCIMs[0].BlockPath, layerCIMs[0].CimName), wcowBlockCimMounts.VolumeGuid, wcowBlockCimMounts.MountFlags) + _, err := cimfs.MountVerifiedBlockCIM(layerCIMs[0], wcowBlockCimMounts.MountFlags, wcowBlockCimMounts.VolumeGuid, layerDigests[0]) if err != nil { return errors.Wrap(err, "error mounting merged block cims") } From 37f9cc95a1b565ff2cf8104bccf87fb562bd0fde Mon Sep 17 00:00:00 2001 From: Amit Barve Date: Thu, 10 Jul 2025 14:21:45 -0400 Subject: [PATCH 17/20] format container scratch in superfloppy mode Signed-off-by: Amit Barve --- internal/fsformatter/formatter_driver.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/internal/fsformatter/formatter_driver.go b/internal/fsformatter/formatter_driver.go index 14f743cf0b..7317e4c779 100644 --- a/internal/fsformatter/formatter_driver.go 
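Review bot: The single-layer branch now calls `cimfs.MountVerifiedBlockCIM(layerCIMs[0], ...)` but still reports failure as `"error mounting merged block cims"`, which will mislead whoever reads the log; `errors.Wrap(err, "error mounting verified block cim")` matches the call. `wcowBlockCimMounts.MountFlags` comes from the host request and is passed through to `CimMountVerifiedImage` with only the device-type bit added by `MountVerifiedBlockCIM`; since the sidecar is the enforcement point, consider validating the flags against the small set it expects (`CimMountVerifiedCim`, the device-type bits, `CimMountFlagEnableDax`) and rejecting anything else, or document why arbitrary bits are acceptable. `layerDigests` and `layerHashes` (hunks @@ -651 and @@ -671) hold the same value in two encodings; keeping only the bytes and encoding at the comparison site would avoid the parallel slices. The policy check between these hunks is not visible here, so this note assumes it runs before the mount.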
+++ b/internal/fsformatter/formatter_driver.go @@ -60,12 +60,17 @@ func (filesystemType kernelFormatVolumeFilesystemTypes) String() string { type kernelFormatVolumeFormatInputBufferFlags uint32 -const kernelFormatVolumeFormatInputBufferFlagNone = kernelFormatVolumeFormatInputBufferFlags(0x00000000) +const ( + kernelFormatVolumeFormatInputBufferFlagNone = kernelFormatVolumeFormatInputBufferFlags(0x00000000) + kernelFormatVolumeFormatInputBufferFlagSuperFloppy = kernelFormatVolumeFormatInputBufferFlags(0x00000001) +) func (flag kernelFormatVolumeFormatInputBufferFlags) String() string { switch flag { case kernelFormatVolumeFormatInputBufferFlagNone: return "kernelFormatVolumeFormatInputBufferFlagNone" + case kernelFormatVolumeFormatInputBufferFlagSuperFloppy: + return "kernelFormatVolumeFormatInputBufferFlagSuperFloppy" default: return "Unknown" } @@ -211,7 +216,7 @@ func KmFmtCreateFormatInputBuffer(diskPath string) *KernelFormatVolumeFormatInpu inputBuffer := (*KernelFormatVolumeFormatInputBuffer)(unsafe.Pointer(&buf[0])) inputBuffer.Size = uint64(bufferSize) - inputBuffer.Flags = kernelFormatVolumeFormatInputBufferFlagNone + inputBuffer.Flags = kernelFormatVolumeFormatInputBufferFlagSuperFloppy inputBuffer.FsParameters.FileSystemType = kernelFormatVolumeFilesystemTypeRefs inputBuffer.FsParameters.VolumeLabelLength = 0 From 1bfd0af105ee6cd186b5be418ceac0582221ec86 Mon Sep 17 00:00:00 2001 From: Amit Barve Date: Thu, 10 Jul 2025 14:21:45 -0400 Subject: [PATCH 18/20] Fix the incorrect mount flag when mounting in the UVM Signed-off-by: Amit Barve --- internal/uvm/cimfs.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go index 91bcf8e96f..b97ee0d00b 100644 --- a/internal/uvm/cimfs.go +++ b/internal/uvm/cimfs.go 
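Review bot: `KmFmtCreateFormatInputBuffer(diskPath string)` now hard-codes `kernelFormatVolumeFormatInputBufferFlagSuperFloppy` for every caller, and neither the function (its body starts outside the hunk) nor the new constant says why; since the commit message ties this to the container scratch disk, a flags parameter, or at least a comment such as `// container scratch is formatted as a superfloppy volume (presumably no partition table) — confirm this matches the layout the guest expects`, would keep the next caller from inheriting the choice unknowingly. The `String()` switch was updated for the new flag, which is good; a table-driven test over the constants would catch the next omission.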
@@ -47,7 +47,7 @@ func (uvm *UtilityVM) MountBlockCIMs(ctx context.Context, mergedCIM *cimfs.Block
 settings := &guestresource.WCOWBlockCIMMounts{
 BlockCIMs: []guestresource.BlockCIMDevice{},
 VolumeGuid: volumeGUID,
- MountFlags: cimfs.CimMountBlockDeviceCim,
+ MountFlags: cimfs.CimMountVerifiedCim,
 ContainerID: containerID,
 }

From 0dae66cf91dd2141bde467196c041649aa04c299 Mon Sep 17 00:00:00 2001
From: Amit Barve
Date: Thu, 10 Jul 2025 14:26:02 -0400
Subject: [PATCH 19/20] Add default allow all policy to uvmboot

With the latest changes to sidecar GCS, we can't boot the UVM anymore without a proper policy. uvmboot tool can't be used to test/debug CWCOW uvm boots if there is no policy provided. This commits adds a default policy and a flag to override it if required while creating UVMs with the tool.

Signed-off-by: Amit Barve
---
 internal/tools/uvmboot/conf_wcow.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/internal/tools/uvmboot/conf_wcow.go b/internal/tools/uvmboot/conf_wcow.go
index 7d76b7cf3b..6ff390d1c0 100644
--- a/internal/tools/uvmboot/conf_wcow.go
+++ b/internal/tools/uvmboot/conf_wcow.go
@@ -19,6 +19,9 @@ const (
 vmgsFilePathArgName = "vmgs-path"
 disableSBArgName = "disable-secure-boot"
 isolationTypeArgName = "isolation-type"
+
+ // default policy (that allows all operations) used when no policy is provided
+ allowAllPolicy = "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"
 )
@@ -28,6 +31,7 @@ var (
 cwcowVMGSPath string
 cwcowDisableSecureBoot bool
 cwcowIsolationMode string
+ cwcowSecurityPolicy string
 )
 var cwcowCommand = cli.Command{
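Review bot: The comment on `allowAllPolicy` in the first conf_wcow.go hunk states what the policy permits but not that it exists solely so uvmboot can bring up a CWCOW UVM for debugging; a permissive policy constant in a confidential-VM tool is exactly the kind of value that gets copied elsewhere, so say it outright: `// allowAllPolicy permits every operation and exists only so uvmboot can boot and debug a CWCOW UVM without a real policy; it must never be used outside local testing.` The `const (` block it belongs to begins outside the hunk.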
@@ -79,6 +83,16 @@ var cwcowCommand = cli.Command{
 Destination: &cwcowIsolationMode,
 Required: true,
 },
+ cli.StringFlag{
+ Name: securityPolicyArgName,
+ Usage: "Security policy that should be enforced inside the UVM. If none is provided, default policy that allows all operations will be used.",
+ Destination: &cwcowSecurityPolicy,
+ Value: allowAllPolicy,
+ },
+ cli.BoolFlag{
+ Name: securityHardwareFlag,
+ Usage: "If set, UVM won't boot on non-SNP hardware. Set to false by default",
+ },
 },
 Action: func(c *cli.Context) error {
 runMany(c, func(id string) error {
@@ -91,6 +105,11 @@ var cwcowCommand = cli.Command{
 // confidential specific options
 options.SecurityPolicyEnabled = true
+ options.SecurityPolicy = cwcowSecurityPolicy
+ options.NoSecurityHardware = true
+ if c.IsSet(securityHardwareFlag) {
+ options.NoSecurityHardware = false
+ }
 options.DisableSecureBoot = cwcowDisableSecureBoot
 options.GuestStateFilePath = cwcowVMGSPath
 options.IsolationType = cwcowIsolationMode

From e7c9e65853f50f608b68746734493b131f554f43 Mon Sep 17 00:00:00 2001
From: Amit Barve
Date: Thu, 24 Jul 2025 12:29:52 -0400
Subject: [PATCH 20/20] Attach EFI VHD as read-only

Signed-off-by: Amit Barve
---
 internal/uvm/create_wcow.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
index ea83ab17a8..294535f6ee 100644
--- a/internal/uvm/create_wcow.go
+++ b/internal/uvm/create_wcow.go
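Review bot: In the second hunk, `c.IsSet(securityHardwareFlag)` is also true when the user passes the flag explicitly as false, so `--<flag>=false` still forces `NoSecurityHardware = false` and the only way to keep the documented default is to not mention the flag at all; read the value instead, `options.NoSecurityHardware = !c.Bool(securityHardwareFlag)`, and drop the `if` block. Wiring the BoolFlag through a `Destination` like every other flag in this command would also keep the style consistent and avoid the lookup by name. Because the default policy permits every operation, the Action should log a warning when `cwcowSecurityPolicy == allowAllPolicy` so a debug boot is never mistaken for an enforced one. The `cwcowCommand` literal and its Action begin and end outside the hunk.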
@@ -414,8 +414,9 @@ func prepareSecurityConfigDoc(ctx context.Context, uvm *UtilityVM, opts *Options
 Type_: "VirtualDisk",
 }
 doc.VirtualMachine.Devices.Scsi[guestrequest.ScsiControllerGuids[0]].Attachments["1"] = hcsschema.Attachment{
- Path: opts.BootFiles.BlockCIMFiles.EFIVHDPath,
- Type_: "VirtualDisk",
+ Path: opts.BootFiles.BlockCIMFiles.EFIVHDPath,
+ Type_: "VirtualDisk",
+ ReadOnly: true,
 }
 doc.VirtualMachine.Devices.Scsi[guestrequest.ScsiControllerGuids[0]].Attachments["2"] = hcsschema.Attachment{
 Path: opts.BootFiles.BlockCIMFiles.BootCIMVHDPath,
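Review bot: Only attachment "1" (the EFI VHD) gains `ReadOnly: true`; the boot CIM VHD at attachment "2", whose literal continues past the end of the hunk, and the preceding VirtualDisk attachment are boot artifacts of the same kind and, unless one of them must be writable by the guest, should be attached read-only as well, i.e. `ReadOnly: true,` after the `Path:` line of attachment "2". The HCS read-only bit is a host-side control, so it is defense in depth on top of — not a substitute for — the guest-side verification of these images; a one-line comment on the attachment saying that would help the next reader. `prepareSecurityConfigDoc` starts and ends outside the hunk.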