Merged PR 5361442: Update ADO to hcsshim db9908f

Related work items: microsoft#1067, microsoft#1097, microsoft#1119, microsoft#1170, microsoft#1176, microsoft#1180, microsoft#1181, microsoft#1182, microsoft#1183, microsoft#1184, microsoft#1185, microsoft#1186, microsoft#1187, microsoft#1188, microsoft#1189, microsoft#1191, microsoft#1193, microsoft#1194, microsoft#1195, microsoft#1196, microsoft#1197, microsoft#1200, microsoft#1201, microsoft#1202, microsoft#1203, microsoft#1204, microsoft#1205, microsoft#1206, microsoft#1207, microsoft#1209, microsoft#1210, microsoft#1211, microsoft#1218, microsoft#1219, microsoft#1220, microsoft#1223

.github/workflows/ci.yml

@@ -19,8 +19,9 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.42.0 # Has fixes for stylecheck configuration https://github.com/golangci/golangci-lint/pull/2017/files
+          version: v1.42.1 # Has fixes for stylecheck configuration https://github.com/golangci/golangci-lint/pull/2017/files
           args: --timeout=5m -v
+          only-new-issues: true
 
   verify-main-vendor:
     runs-on: 'windows-2019'
@@ -40,7 +41,7 @@ jobs:
             Write-Error "Main modules are not up to date. Please validate your go version >= this job's and run `go mod vendor` followed by `go mod tidy` in the repo root path."
           }
           exit $process.ExitCode
-          
+
   verify-test-vendor:
     runs-on: 'windows-2019'
     env:
@@ -61,7 +62,10 @@ jobs:
           exit $process.ExitCode
 
   test:
-    runs-on: 'windows-2019'
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [windows-2019, windows-2022]
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
@@ -84,7 +88,7 @@ jobs:
 
       - uses: actions/upload-artifact@v2
         with:
-          name: test_binaries
+          name: test_binaries_${{ matrix.os }}
           path: |
             test/containerd-shim-runhcs-v1.test.exe
             test/cri-containerd.test.exe
@@ -108,6 +112,7 @@ jobs:
       - run: go build ./cmd/ncproxy
       - run: go build ./cmd/dmverity-vhd
       - run: go build ./internal/tools/grantvmgroupaccess
+      - run: go build ./internal/tools/networkagent
       - run: go build ./internal/tools/securitypolicy
       - run: go build ./internal/tools/uvmboot
       - run: go build ./internal/tools/zapdir
@@ -122,6 +127,7 @@ jobs:
             device-util.exe
             wclayer.exe
             grantvmgroupaccess.exe
+            networkagent.exe
             uvmboot.exe
             zapdir.exe
             ncproxy.exe

.golangci.yml

@@ -25,6 +25,16 @@ issues:
         - stylecheck
       Text: "ST1003:"
 
+    - path: cmd\\ncproxy\\nodenetsvc\\
+      linters:
+        - stylecheck
+      Text: "ST1003:"
+
+    - path: cmd\\ncproxy_mock\\
+      linters:
+        - stylecheck
+      Text: "ST1003:"
+
     - path: internal\\hcs\\schema2\\
       linters:
         - stylecheck

Makefile

@@ -18,7 +18,8 @@ SRCROOT=$(dir $(abspath $(firstword $(MAKEFILE_LIST))))
 
 # The link aliases for gcstools
 GCS_TOOLS=\
-	generichook
+	generichook \
+	install-drivers
 
 .PHONY: all always rootfs test
 

README.md

@@ -101,7 +101,7 @@ contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additio
 
 ## Dependencies
 
-This project requires Golang 1.9 or newer to build.
+This project requires Golang 1.13 or newer to build.
 
 For system requirements to run this project, see the Microsoft docs on [Windows Container requirements](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/system-requirements).
 

cmd/containerd-shim-runhcs-v1/options/runhcs.proto

@@ -93,6 +93,14 @@ message Options {
 	// logrus log levels: "trace", "debug", "info", "warn", "error", "fatal", "panic". This setting will override
 	// the `debug` field if both are specified, unless the level specified is also "debug", as these are equivalent.
 	string log_level = 16;
+
+	// io_retry_timeout_in_sec is the timeout in seconds for how long to try and reconnect to an upstream IO provider if a connection is lost.
+	// The typical example is if Containerd has restarted but is expected to come back online. A 0 for this field is interpreted as an infinite
+	// timeout.
+	int32 io_retry_timeout_in_sec = 17;
+
+	// default_container_annotations specifies a set of annotations that should be set for every workload container
+	map<string, string> default_container_annotations = 18;
 }
 
 // ProcessDetails contains additional information about a process. This is the additional

cmd/containerd-shim-runhcs-v1/pod.go

@@ -11,6 +11,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/Microsoft/hcsshim/internal/uvm"
 	"github.com/Microsoft/hcsshim/osversion"
+	"github.com/Microsoft/hcsshim/pkg/annotations"
 	eventstypes "github.com/containerd/containerd/api/events"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/runtime"
@@ -67,15 +68,15 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 		return nil, errors.Wrapf(
 			errdefs.ErrFailedPrecondition,
 			"expected annotation: '%s': '%s' got '%s'",
-			oci.KubernetesContainerTypeAnnotation,
+			annotations.KubernetesContainerType,
 			oci.KubernetesContainerTypeSandbox,
 			ct)
 	}
 	if sid != req.ID {
 		return nil, errors.Wrapf(
 			errdefs.ErrFailedPrecondition,
 			"expected annotation '%s': '%s' got '%s'",
-			oci.KubernetesSandboxIDAnnotation,
+			annotations.KubernetesSandboxID,
 			req.ID,
 			sid)
 	}
@@ -175,7 +176,7 @@ func createPod(ctx context.Context, events publisher, req *task.CreateTaskReques
 	p.host = parent
 	if parent != nil {
 		cid := req.ID
-		if id, ok := s.Annotations[oci.AnnotationNcproxyContainerID]; ok {
+		if id, ok := s.Annotations[annotations.NcproxyContainerID]; ok {
 			cid = id
 		}
 		caAddr := fmt.Sprintf(uvm.ComputeAgentAddrFmt, cid)
@@ -319,15 +320,15 @@ func (p *pod) CreateTask(ctx context.Context, req *task.CreateTaskRequest, s *sp
 		return nil, errors.Wrapf(
 			errdefs.ErrFailedPrecondition,
 			"expected annotation: '%s': '%s' got '%s'",
-			oci.KubernetesContainerTypeAnnotation,
+			annotations.KubernetesContainerType,
 			oci.KubernetesContainerTypeContainer,
 			ct)
 	}
 	if sid != p.id {
 		return nil, errors.Wrapf(
 			errdefs.ErrFailedPrecondition,
 			"expected annotation '%s': '%s' got '%s'",
-			oci.KubernetesSandboxIDAnnotation,
+			annotations.KubernetesSandboxID,
 			p.id,
 			sid)
 	}

cmd/containerd-shim-runhcs-v1/start.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/Microsoft/go-winio"
 	"github.com/Microsoft/hcsshim/internal/oci"
+	"github.com/Microsoft/hcsshim/pkg/annotations"
 	"github.com/containerd/containerd/runtime/v2/shim"
 	"github.com/containerd/containerd/runtime/v2/task"
 	"github.com/containerd/ttrpc"
@@ -102,8 +103,8 @@ The start command can either start a new shim or return an address to an existin
 			if isSandbox && idFlag != sbid {
 				return errors.Errorf(
 					"'id' and '%s' must match for '%s=%s'",
-					oci.KubernetesSandboxIDAnnotation,
-					oci.KubernetesContainerTypeAnnotation,
+					annotations.KubernetesSandboxID,
+					annotations.KubernetesContainerType,
 					oci.KubernetesContainerTypeSandbox)
 			}
 

cmd/containerd-shim-runhcs-v1/task_hcs.go

@@ -37,6 +37,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/shimdiag"
 	"github.com/Microsoft/hcsshim/internal/uvm"
 	"github.com/Microsoft/hcsshim/osversion"
+	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
 const bytesPerMB = 1024 * 1024
@@ -52,7 +53,7 @@ func newHcsStandaloneTask(ctx context.Context, events publisher, req *task.Creat
 		return nil, errors.Wrapf(
 			errdefs.ErrFailedPrecondition,
 			"cannot create standalone task, expected no annotation: '%s': got '%s'",
-			oci.KubernetesContainerTypeAnnotation,
+			annotations.KubernetesContainerType,
 			ct)
 	}
 
@@ -165,11 +166,6 @@ func newHcsTask(
 	owner := filepath.Base(os.Args[0])
 	isTemplate := oci.ParseAnnotationsSaveAsTemplate(ctx, s)
 
-	io, err := cmd.NewUpstreamIO(ctx, req.ID, req.Stdout, req.Stderr, req.Stdin, req.Terminal)
-	if err != nil {
-		return nil, err
-	}
-
 	var netNS string
 	if s.Windows != nil &&
 		s.Windows.Network != nil {
@@ -185,22 +181,33 @@ func newHcsTask(
 		shimOpts = v.(*runhcsopts.Options)
 	}
 
+	// Default to an infinite timeout (zero value)
+	var ioRetryTimeout time.Duration
+	if shimOpts != nil {
+		ioRetryTimeout = time.Duration(shimOpts.IoRetryTimeoutInSec) * time.Second
+	}
+	io, err := cmd.NewUpstreamIO(ctx, req.ID, req.Stdout, req.Stderr, req.Stdin, req.Terminal, ioRetryTimeout)
+	if err != nil {
+		return nil, err
+	}
+
 	container, resources, err := createContainer(ctx, req.ID, owner, netNS, s, parent, shimOpts)
 	if err != nil {
 		return nil, err
 	}
 
 	ht := &hcsTask{
-		events:     events,
-		id:         req.ID,
-		isWCOW:     oci.IsWCOW(s),
-		c:          container,
-		cr:         resources,
-		ownsHost:   ownsParent,
-		host:       parent,
-		closed:     make(chan struct{}),
-		taskSpec:   s,
-		isTemplate: isTemplate,
+		events:         events,
+		id:             req.ID,
+		isWCOW:         oci.IsWCOW(s),
+		c:              container,
+		cr:             resources,
+		ownsHost:       ownsParent,
+		host:           parent,
+		closed:         make(chan struct{}),
+		taskSpec:       s,
+		isTemplate:     isTemplate,
+		ioRetryTimeout: ioRetryTimeout,
 	}
 	ht.init = newHcsExec(
 		ctx,
@@ -278,7 +285,21 @@ func newClonedHcsTask(
 		return nil, fmt.Errorf("cloned task can only be created inside a windows host")
 	}
 
-	io, err := cmd.NewNpipeIO(ctx, req.Stdin, req.Stdout, req.Stderr, req.Terminal)
+	var shimOpts *runhcsopts.Options
+	if req.Options != nil {
+		v, err := typeurl.UnmarshalAny(req.Options)
+		if err != nil {
+			return nil, err
+		}
+		shimOpts = v.(*runhcsopts.Options)
+	}
+
+	// Default to an infinite timeout (zero value)
+	var ioRetryTimeout time.Duration
+	if shimOpts != nil {
+		ioRetryTimeout = time.Duration(shimOpts.IoRetryTimeoutInSec) * time.Second
+	}
+	io, err := cmd.NewNpipeIO(ctx, req.Stdin, req.Stdout, req.Stderr, req.Terminal, ioRetryTimeout)
 	if err != nil {
 		return nil, err
 	}
@@ -432,6 +453,9 @@ type hcsTask struct {
 
 	// taskSpec represents the spec/configuration for this task.
 	taskSpec *specs.Spec
+
+	// ioRetryTimeout is the time for how long to try reconnecting to stdio pipes from containerd.
+	ioRetryTimeout time.Duration
 }
 
 func (ht *hcsTask) ID() string {
@@ -452,7 +476,7 @@ func (ht *hcsTask) CreateExec(ctx context.Context, req *task.ExecProcessRequest,
 		return errors.Wrapf(errdefs.ErrFailedPrecondition, "exec: '' in task: '%s' must be running to create additional execs", ht.id)
 	}
 
-	io, err := cmd.NewUpstreamIO(ctx, req.ID, req.Stdout, req.Stderr, req.Stdin, req.Terminal)
+	io, err := cmd.NewUpstreamIO(ctx, req.ID, req.Stdout, req.Stderr, req.Stdin, req.Terminal, ht.ioRetryTimeout)
 	if err != nil {
 		return err
 	}

cmd/dmverity-vhd/main.go

@@ -2,8 +2,6 @@ package main
 
 import (
 	"fmt"
-	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 
@@ -203,12 +201,6 @@ var rootHashVHDCommand = cli.Command{
 		}
 		log.Debugf("%d layers found", len(layers))
 
-		tmpFile, err := ioutil.TempFile("", "")
-		if err != nil {
-			return errors.Wrap(err, "failed to create temporary file")
-		}
-		defer os.Remove(tmpFile.Name())
-
 		for layerNumber, layer := range layers {
 			diffID, err := layer.DiffID()
 			if err != nil {
@@ -221,33 +213,11 @@ var rootHashVHDCommand = cli.Command{
 				return errors.Wrapf(err, "failed to uncompress layer %s", diffID.String())
 			}
 
-			opts := []tar2ext4.Option{
-				tar2ext4.ConvertWhiteout,
-				tar2ext4.MaximumDiskSize(maxVHDSize),
-			}
-
-			if _, err := tmpFile.Seek(0, io.SeekStart); err != nil {
-				return errors.Wrapf(err, "failed seek start on temp file when processing layer %d", layerNumber)
-			}
-			if err := tmpFile.Truncate(0); err != nil {
-				return errors.Wrapf(err, "failed truncate temp file when processing layer %d", layerNumber)
-			}
-
-			if err := tar2ext4.Convert(rc, tmpFile, opts...); err != nil {
-				return errors.Wrap(err, "failed to convert tar to ext4")
-			}
-
-			data, err := ioutil.ReadFile(tmpFile.Name())
-			if err != nil {
-				return errors.Wrap(err, "failed to read temporary VHD file")
-			}
-
-			tree, err := dmverity.MerkleTree(data)
+			hash, err := tar2ext4.ConvertAndComputeRootDigest(rc)
 			if err != nil {
-				return errors.Wrap(err, "failed to create merkle tree")
+				return errors.Wrap(err, "failed to compute root hash")
 			}
-			hash := dmverity.RootHash(tree)
-			fmt.Fprintf(os.Stdout, "Layer %d\nroot hash: %x\n", layerNumber, hash)
+			fmt.Fprintf(os.Stdout, "Layer %d\nroot hash: %s\n", layerNumber, hash)
 		}
 		return nil
 	},