containerd-shim-v2: add the shim v2 required vendors

Add the vendors required by containerd shim v2.

Signed-off-by: fupan <lifupan@gmail.com>

vendor/github.com/containerd/containerd/runtime/events.go

@@ -0,0 +1,42 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runtime
+
+const (
+	// TaskCreateEventTopic for task create
+	TaskCreateEventTopic = "/tasks/create"
+	// TaskStartEventTopic for task start
+	TaskStartEventTopic = "/tasks/start"
+	// TaskOOMEventTopic for task oom
+	TaskOOMEventTopic = "/tasks/oom"
+	// TaskExitEventTopic for task exit
+	TaskExitEventTopic = "/tasks/exit"
+	// TaskDeleteEventTopic for task delete
+	TaskDeleteEventTopic = "/tasks/delete"
+	// TaskExecAddedEventTopic for task exec create
+	TaskExecAddedEventTopic = "/tasks/exec-added"
+	// TaskExecStartedEventTopic for task exec start
+	TaskExecStartedEventTopic = "/tasks/exec-started"
+	// TaskPausedEventTopic for task pause
+	TaskPausedEventTopic = "/tasks/paused"
+	// TaskResumedEventTopic for task resume
+	TaskResumedEventTopic = "/tasks/resumed"
+	// TaskCheckpointedEventTopic for task checkpoint
+	TaskCheckpointedEventTopic = "/tasks/checkpointed"
+	// TaskUnknownTopic for unknown task events
+	TaskUnknownTopic = "/tasks/?"
+)

vendor/github.com/containerd/containerd/runtime/monitor.go

@@ -0,0 +1,70 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runtime
+
+// TaskMonitor provides an interface for monitoring of containers within containerd
+type TaskMonitor interface {
+	// Monitor adds the provided container to the monitor
+	Monitor(Task) error
+	// Stop stops and removes the provided container from the monitor
+	Stop(Task) error
+}
+
+// NewMultiTaskMonitor returns a new TaskMonitor broadcasting to the provided monitors
+func NewMultiTaskMonitor(monitors ...TaskMonitor) TaskMonitor {
+	return &multiTaskMonitor{
+		monitors: monitors,
+	}
+}
+
+// NewNoopMonitor is a task monitor that does nothing
+func NewNoopMonitor() TaskMonitor {
+	return &noopTaskMonitor{}
+}
+
+type noopTaskMonitor struct {
+}
+
+func (mm *noopTaskMonitor) Monitor(c Task) error {
+	return nil
+}
+
+func (mm *noopTaskMonitor) Stop(c Task) error {
+	return nil
+}
+
+type multiTaskMonitor struct {
+	monitors []TaskMonitor
+}
+
+func (mm *multiTaskMonitor) Monitor(c Task) error {
+	for _, m := range mm.monitors {
+		if err := m.Monitor(c); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (mm *multiTaskMonitor) Stop(c Task) error {
+	for _, m := range mm.monitors {
+		if err := m.Stop(c); err != nil {
+			return err
+		}
+	}
+	return nil
+}

vendor/github.com/containerd/containerd/runtime/runtime.go

@@ -0,0 +1,72 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runtime
+
+import (
+	"context"
+	"time"
+
+	"github.com/containerd/containerd/mount"
+	"github.com/gogo/protobuf/types"
+)
+
+// IO holds process IO information
+type IO struct {
+	Stdin    string
+	Stdout   string
+	Stderr   string
+	Terminal bool
+}
+
+// CreateOpts contains task creation data
+type CreateOpts struct {
+	// Spec is the OCI runtime spec
+	Spec *types.Any
+	// Rootfs mounts to perform to gain access to the container's filesystem
+	Rootfs []mount.Mount
+	// IO for the container's main process
+	IO IO
+	// Checkpoint digest to restore container state
+	Checkpoint string
+	// RuntimeOptions for the runtime
+	RuntimeOptions *types.Any
+	// TaskOptions received for the task
+	TaskOptions *types.Any
+	// Runtime to use
+	Runtime string
+}
+
+// Exit information for a process
+type Exit struct {
+	Pid       uint32
+	Status    uint32
+	Timestamp time.Time
+}
+
+// PlatformRuntime is responsible for the creation and management of
+// tasks and processes for a platform.
+type PlatformRuntime interface {
+	// ID of the runtime
+	ID() string
+	// Create creates a task with the provided id and options.
+	Create(ctx context.Context, id string, opts CreateOpts) (Task, error)
+	// Get returns a task.
+	Get(context.Context, string) (Task, error)
+	// Tasks returns all the current tasks for the runtime.
+	// Any container runs at most one task at a time.
+	Tasks(context.Context, bool) ([]Task, error)
+}

vendor/github.com/containerd/containerd/runtime/task.go

@@ -0,0 +1,132 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runtime
+
+import (
+	"context"
+	"time"
+
+	"github.com/gogo/protobuf/types"
+)
+
+// TaskInfo provides task specific information
+type TaskInfo struct {
+	ID        string
+	Runtime   string
+	Spec      []byte
+	Namespace string
+}
+
+// Process is a runtime object for an executing process inside a container
+type Process interface {
+	ID() string
+	// State returns the process state
+	State(context.Context) (State, error)
+	// Kill signals a container
+	Kill(context.Context, uint32, bool) error
+	// Pty resizes the processes pty/console
+	ResizePty(context.Context, ConsoleSize) error
+	// CloseStdin closes the processes stdin
+	CloseIO(context.Context) error
+	// Start the container's user defined process
+	Start(context.Context) error
+	// Wait for the process to exit
+	Wait(context.Context) (*Exit, error)
+	// Delete deletes the process
+	Delete(context.Context) (*Exit, error)
+}
+
+// Task is the runtime object for an executing container
+type Task interface {
+	Process
+
+	// Namespace that the task exists in
+	Namespace() string
+	// Pause pauses the container process
+	Pause(context.Context) error
+	// Resume unpauses the container process
+	Resume(context.Context) error
+	// Exec adds a process into the container
+	Exec(context.Context, string, ExecOpts) (Process, error)
+	// Pids returns all pids
+	Pids(context.Context) ([]ProcessInfo, error)
+	// Checkpoint checkpoints a container to an image with live system data
+	Checkpoint(context.Context, string, *types.Any) error
+	// Update sets the provided resources to a running task
+	Update(context.Context, *types.Any) error
+	// Process returns a process within the task for the provided id
+	Process(context.Context, string) (Process, error)
+	// Stats returns runtime specific metrics for a task
+	Stats(context.Context) (*types.Any, error)
+}
+
+// ExecOpts provides additional options for additional processes running in a task
+type ExecOpts struct {
+	Spec *types.Any
+	IO   IO
+}
+
+// ConsoleSize of a pty or windows terminal
+type ConsoleSize struct {
+	Width  uint32
+	Height uint32
+}
+
+// Status is the runtime status of a task and/or process
+type Status int
+
+const (
+	// CreatedStatus when a process has been created
+	CreatedStatus Status = iota + 1
+	// RunningStatus when a process is running
+	RunningStatus
+	// StoppedStatus when a process has stopped
+	StoppedStatus
+	// DeletedStatus when a process has been deleted
+	DeletedStatus
+	// PausedStatus when a process is paused
+	PausedStatus
+	// PausingStatus when a process is currently pausing
+	PausingStatus
+)
+
+// State information for a process
+type State struct {
+	// Status is the current status of the container
+	Status Status
+	// Pid is the main process id for the container
+	Pid uint32
+	// ExitStatus of the process
+	// Only valid if the Status is Stopped
+	ExitStatus uint32
+	// ExitedAt is the time at which the process exited
+	// Only valid if the Status is Stopped
+	ExitedAt time.Time
+	Stdin    string
+	Stdout   string
+	Stderr   string
+	Terminal bool
+}
+
+// ProcessInfo holds platform specific process information
+type ProcessInfo struct {
+	// Pid is the process ID
+	Pid uint32
+	// Info includes additional process information
+	// Info varies by platform
+	Info interface{}
+}

vendor/github.com/containerd/containerd/runtime/task_list.go

@@ -0,0 +1,130 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runtime
+
+import (
+	"context"
+	"sync"
+
+	"github.com/containerd/containerd/namespaces"
+	"github.com/pkg/errors"
+)
+
+var (
+	// ErrTaskNotExists is returned when a task does not exist
+	ErrTaskNotExists = errors.New("task does not exist")
+	// ErrTaskAlreadyExists is returned when a task already exists
+	ErrTaskAlreadyExists = errors.New("task already exists")
+)
+
+// NewTaskList returns a new TaskList
+func NewTaskList() *TaskList {
+	return &TaskList{
+		tasks: make(map[string]map[string]Task),
+	}
+}
+
+// TaskList holds and provides locking around tasks
+type TaskList struct {
+	mu    sync.Mutex
+	tasks map[string]map[string]Task
+}
+
+// Get a task
+func (l *TaskList) Get(ctx context.Context, id string) (Task, error) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	namespace, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	tasks, ok := l.tasks[namespace]
+	if !ok {
+		return nil, ErrTaskNotExists
+	}
+	t, ok := tasks[id]
+	if !ok {
+		return nil, ErrTaskNotExists
+	}
+	return t, nil
+}
+
+// GetAll tasks under a namespace
+func (l *TaskList) GetAll(ctx context.Context, noNS bool) ([]Task, error) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	var o []Task
+	if noNS {
+		for ns := range l.tasks {
+			for _, t := range l.tasks[ns] {
+				o = append(o, t)
+			}
+		}
+		return o, nil
+	}
+	namespace, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	tasks, ok := l.tasks[namespace]
+	if !ok {
+		return o, nil
+	}
+	for _, t := range tasks {
+		o = append(o, t)
+	}
+	return o, nil
+}
+
+// Add a task
+func (l *TaskList) Add(ctx context.Context, t Task) error {
+	namespace, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return err
+	}
+	return l.AddWithNamespace(namespace, t)
+}
+
+// AddWithNamespace adds a task with the provided namespace
+func (l *TaskList) AddWithNamespace(namespace string, t Task) error {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	id := t.ID()
+	if _, ok := l.tasks[namespace]; !ok {
+		l.tasks[namespace] = make(map[string]Task)
+	}
+	if _, ok := l.tasks[namespace][id]; ok {
+		return errors.Wrap(ErrTaskAlreadyExists, id)
+	}
+	l.tasks[namespace][id] = t
+	return nil
+}
+
+// Delete a task
+func (l *TaskList) Delete(ctx context.Context, id string) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	namespace, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return
+	}
+	tasks, ok := l.tasks[namespace]
+	if ok {
+		delete(tasks, id)
+	}
+}

vendor/github.com/containerd/containerd/runtime/typeurl.go

@@ -0,0 +1,34 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runtime
+
+import (
+	"strconv"
+
+	"github.com/containerd/typeurl"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func init() {
+	const prefix = "types.containerd.io"
+	// register TypeUrls for commonly marshaled external types
+	major := strconv.Itoa(specs.VersionMajor)
+	typeurl.Register(&specs.Spec{}, prefix, "opencontainers/runtime-spec", major, "Spec")
+	typeurl.Register(&specs.Process{}, prefix, "opencontainers/runtime-spec", major, "Process")
+	typeurl.Register(&specs.LinuxResources{}, prefix, "opencontainers/runtime-spec", major, "LinuxResources")
+	typeurl.Register(&specs.WindowsResources{}, prefix, "opencontainers/runtime-spec", major, "WindowsResources")
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/reaper_unix.go

@@ -0,0 +1,110 @@
+// +build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"os/exec"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/sys"
+	runc "github.com/containerd/go-runc"
+	"github.com/pkg/errors"
+)
+
+// ErrNoSuchProcess is returned when the process no longer exists
+var ErrNoSuchProcess = errors.New("no such process")
+
+const bufferSize = 32
+
+// Reap should be called when the process receives an SIGCHLD.  Reap will reap
+// all exited processes and close their wait channels
+func Reap() error {
+	now := time.Now()
+	exits, err := sys.Reap(false)
+	Default.Lock()
+	for c := range Default.subscribers {
+		for _, e := range exits {
+			c <- runc.Exit{
+				Timestamp: now,
+				Pid:       e.Pid,
+				Status:    e.Status,
+			}
+		}
+
+	}
+	Default.Unlock()
+	return err
+}
+
+// Default is the default monitor initialized for the package
+var Default = &Monitor{
+	subscribers: make(map[chan runc.Exit]struct{}),
+}
+
+// Monitor monitors the underlying system for process status changes
+type Monitor struct {
+	sync.Mutex
+
+	subscribers map[chan runc.Exit]struct{}
+}
+
+// Start starts the command a registers the process with the reaper
+func (m *Monitor) Start(c *exec.Cmd) (chan runc.Exit, error) {
+	ec := m.Subscribe()
+	if err := c.Start(); err != nil {
+		m.Unsubscribe(ec)
+		return nil, err
+	}
+	return ec, nil
+}
+
+// Wait blocks until a process is signal as dead.
+// User should rely on the value of the exit status to determine if the
+// command was successful or not.
+func (m *Monitor) Wait(c *exec.Cmd, ec chan runc.Exit) (int, error) {
+	for e := range ec {
+		if e.Pid == c.Process.Pid {
+			// make sure we flush all IO
+			c.Wait()
+			m.Unsubscribe(ec)
+			return e.Status, nil
+		}
+	}
+	// return no such process if the ec channel is closed and no more exit
+	// events will be sent
+	return -1, ErrNoSuchProcess
+}
+
+// Subscribe to process exit changes
+func (m *Monitor) Subscribe() chan runc.Exit {
+	c := make(chan runc.Exit, bufferSize)
+	m.Lock()
+	m.subscribers[c] = struct{}{}
+	m.Unlock()
+	return c
+}
+
+// Unsubscribe to process exit changes
+func (m *Monitor) Unsubscribe(c chan runc.Exit) {
+	m.Lock()
+	delete(m.subscribers, c)
+	close(c)
+	m.Unlock()
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/shim.go

@@ -0,0 +1,257 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"runtime"
+	"runtime/debug"
+	"strings"
+	"time"
+
+	"github.com/containerd/containerd/events"
+	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/namespaces"
+	shimapi "github.com/containerd/containerd/runtime/v2/task"
+	"github.com/containerd/ttrpc"
+	"github.com/gogo/protobuf/proto"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Client for a shim server
+type Client struct {
+	service shimapi.TaskService
+	context context.Context
+	signals chan os.Signal
+}
+
+// Init func for the creation of a shim server
+type Init func(context.Context, string, events.Publisher) (Shim, error)
+
+// Shim server interface
+type Shim interface {
+	shimapi.TaskService
+	Cleanup(ctx context.Context) (*shimapi.DeleteResponse, error)
+	StartShim(ctx context.Context, id, containerdBinary, containerdAddress string) (string, error)
+}
+
+var (
+	debugFlag            bool
+	idFlag               string
+	namespaceFlag        string
+	socketFlag           string
+	addressFlag          string
+	containerdBinaryFlag string
+	action               string
+)
+
+func parseFlags() {
+	flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
+	flag.StringVar(&namespaceFlag, "namespace", "", "namespace that owns the shim")
+	flag.StringVar(&idFlag, "id", "", "id of the task")
+	flag.StringVar(&socketFlag, "socket", "", "abstract socket path to serve")
+
+	flag.StringVar(&addressFlag, "address", "", "grpc address back to main containerd")
+	flag.StringVar(&containerdBinaryFlag, "publish-binary", "containerd", "path to publish binary (used for publishing events)")
+
+	flag.Parse()
+	action = flag.Arg(0)
+}
+
+func setRuntime() {
+	debug.SetGCPercent(40)
+	go func() {
+		for range time.Tick(30 * time.Second) {
+			debug.FreeOSMemory()
+		}
+	}()
+	if os.Getenv("GOMAXPROCS") == "" {
+		// If GOMAXPROCS hasn't been set, we default to a value of 2 to reduce
+		// the number of Go stacks present in the shim.
+		runtime.GOMAXPROCS(2)
+	}
+}
+
+func setLogger(ctx context.Context, id string) error {
+	logrus.SetFormatter(&logrus.TextFormatter{
+		TimestampFormat: log.RFC3339NanoFixed,
+		FullTimestamp:   true,
+	})
+	if debugFlag {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	f, err := openLog(ctx, id)
+	if err != nil {
+		return err
+	}
+	logrus.SetOutput(f)
+	return nil
+}
+
+// Run initializes and runs a shim server
+func Run(id string, initFunc Init) {
+	if err := run(id, initFunc); err != nil {
+		fmt.Fprintf(os.Stderr, "%s: %s\n", id, err)
+		os.Exit(1)
+	}
+}
+
+func run(id string, initFunc Init) error {
+	parseFlags()
+	setRuntime()
+
+	signals, err := setupSignals()
+	if err != nil {
+		return err
+	}
+	if err := subreaper(); err != nil {
+		return err
+	}
+	publisher := &remoteEventsPublisher{
+		address:              addressFlag,
+		containerdBinaryPath: containerdBinaryFlag,
+	}
+	if namespaceFlag == "" {
+		return fmt.Errorf("shim namespace cannot be empty")
+	}
+	ctx := namespaces.WithNamespace(context.Background(), namespaceFlag)
+	ctx = log.WithLogger(ctx, log.G(ctx).WithField("runtime", id))
+
+	service, err := initFunc(ctx, idFlag, publisher)
+	if err != nil {
+		return err
+	}
+	switch action {
+	case "delete":
+		logger := logrus.WithFields(logrus.Fields{
+			"pid":       os.Getpid(),
+			"namespace": namespaceFlag,
+		})
+		go handleSignals(logger, signals)
+		response, err := service.Cleanup(ctx)
+		if err != nil {
+			return err
+		}
+		data, err := proto.Marshal(response)
+		if err != nil {
+			return err
+		}
+		if _, err := os.Stdout.Write(data); err != nil {
+			return err
+		}
+		return nil
+	case "start":
+		address, err := service.StartShim(ctx, idFlag, containerdBinaryFlag, addressFlag)
+		if err != nil {
+			return err
+		}
+		if _, err := os.Stdout.WriteString(address); err != nil {
+			return err
+		}
+		return nil
+	default:
+		if err := setLogger(ctx, idFlag); err != nil {
+			return err
+		}
+		client := NewShimClient(ctx, service, signals)
+		return client.Serve()
+	}
+}
+
+// NewShimClient creates a new shim server client
+func NewShimClient(ctx context.Context, svc shimapi.TaskService, signals chan os.Signal) *Client {
+	s := &Client{
+		service: svc,
+		context: ctx,
+		signals: signals,
+	}
+	return s
+}
+
+// Serve the shim server
+func (s *Client) Serve() error {
+	dump := make(chan os.Signal, 32)
+	setupDumpStacks(dump)
+
+	path, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	server, err := newServer()
+	if err != nil {
+		return errors.Wrap(err, "failed creating server")
+	}
+
+	logrus.Debug("registering ttrpc server")
+	shimapi.RegisterTaskService(server, s.service)
+
+	if err := serve(s.context, server, socketFlag); err != nil {
+		return err
+	}
+	logger := logrus.WithFields(logrus.Fields{
+		"pid":       os.Getpid(),
+		"path":      path,
+		"namespace": namespaceFlag,
+	})
+	go func() {
+		for range dump {
+			dumpStacks(logger)
+		}
+	}()
+	return handleSignals(logger, s.signals)
+}
+
+// serve serves the ttrpc API over a unix socket at the provided path
+// this function does not block
+func serve(ctx context.Context, server *ttrpc.Server, path string) error {
+	l, err := serveListener(path)
+	if err != nil {
+		return err
+	}
+	go func() {
+		defer l.Close()
+		if err := server.Serve(ctx, l); err != nil &&
+			!strings.Contains(err.Error(), "use of closed network connection") {
+			logrus.WithError(err).Fatal("containerd-shim: ttrpc server failure")
+		}
+	}()
+	return nil
+}
+
+func dumpStacks(logger *logrus.Entry) {
+	var (
+		buf       []byte
+		stackSize int
+	)
+	bufferLen := 16384
+	for stackSize == len(buf) {
+		buf = make([]byte, bufferLen)
+		stackSize = runtime.Stack(buf, true)
+		bufferLen *= 2
+	}
+	buf = buf[:stackSize]
+	logger.Infof("=== BEGIN goroutine stack dump ===\n%s\n=== END goroutine stack dump ===", buf)
+}
+
+type remoteEventsPublisher struct {
+	address              string
+	containerdBinaryPath string
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/shim_darwin.go

@@ -0,0 +1,29 @@
+// +build darwin
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import "github.com/containerd/ttrpc"
+
+func newServer() (*ttrpc.Server, error) {
+	return ttrpc.NewServer()
+}
+
+func subreaper() error {
+	return nil
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/shim_linux.go

@@ -0,0 +1,30 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"github.com/containerd/containerd/sys"
+	"github.com/containerd/ttrpc"
+)
+
+func newServer() (*ttrpc.Server, error) {
+	return ttrpc.NewServer(ttrpc.WithServerHandshaker(ttrpc.UnixSocketRequireSameUser()))
+}
+
+func subreaper() error {
+	return sys.SetSubreaper(1)
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/shim_unix.go

@@ -0,0 +1,117 @@
+// +build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"os/signal"
+	"syscall"
+
+	"github.com/containerd/containerd/events"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/fifo"
+	"github.com/containerd/typeurl"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// setupSignals creates a new signal handler for all signals and sets the shim as a
+// sub-reaper so that the container processes are reparented
+func setupSignals() (chan os.Signal, error) {
+	signals := make(chan os.Signal, 32)
+	signal.Notify(signals, unix.SIGTERM, unix.SIGINT, unix.SIGCHLD, unix.SIGPIPE)
+	return signals, nil
+}
+
+func setupDumpStacks(dump chan<- os.Signal) {
+	signal.Notify(dump, syscall.SIGUSR1)
+}
+
+func serveListener(path string) (net.Listener, error) {
+	var (
+		l   net.Listener
+		err error
+	)
+	if path == "" {
+		l, err = net.FileListener(os.NewFile(3, "socket"))
+		path = "[inherited from parent]"
+	} else {
+		if len(path) > 106 {
+			return nil, errors.Errorf("%q: unix socket path too long (> 106)", path)
+		}
+		l, err = net.Listen("unix", "\x00"+path)
+	}
+	if err != nil {
+		return nil, err
+	}
+	logrus.WithField("socket", path).Debug("serving api on abstract socket")
+	return l, nil
+}
+
+func handleSignals(logger *logrus.Entry, signals chan os.Signal) error {
+	logger.Info("starting signal loop")
+	for {
+		select {
+		case s := <-signals:
+			switch s {
+			case unix.SIGCHLD:
+				if err := Reap(); err != nil {
+					logger.WithError(err).Error("reap exit status")
+				}
+			case unix.SIGPIPE:
+			}
+		}
+	}
+}
+
+func openLog(ctx context.Context, _ string) (io.Writer, error) {
+	return fifo.OpenFifo(context.Background(), "log", unix.O_WRONLY, 0700)
+}
+
+func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event events.Event) error {
+	ns, _ := namespaces.Namespace(ctx)
+	encoded, err := typeurl.MarshalAny(event)
+	if err != nil {
+		return err
+	}
+	data, err := encoded.Marshal()
+	if err != nil {
+		return err
+	}
+	cmd := exec.CommandContext(ctx, l.containerdBinaryPath, "--address", l.address, "publish", "--topic", topic, "--namespace", ns)
+	cmd.Stdin = bytes.NewReader(data)
+	c, err := Default.Start(cmd)
+	if err != nil {
+		return err
+	}
+	status, err := Default.Wait(cmd, c)
+	if err != nil {
+		return err
+	}
+	if status != 0 {
+		return errors.New("failed to publish event")
+	}
+	return nil
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/shim_windows.go

@@ -0,0 +1,182 @@
+// +build windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"sync"
+	"unsafe"
+
+	winio "github.com/Microsoft/go-winio"
+	"github.com/containerd/containerd/events"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/ttrpc"
+	"github.com/containerd/typeurl"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+// setupSignals creates a new signal handler for all signals
+func setupSignals() (chan os.Signal, error) {
+	signals := make(chan os.Signal, 32)
+	return signals, nil
+}
+
+func newServer() (*ttrpc.Server, error) {
+	return ttrpc.NewServer()
+}
+
+func subreaper() error {
+	return nil
+}
+
+type fakeSignal struct {
+}
+
+func (fs *fakeSignal) String() string {
+	return ""
+}
+
+func (fs *fakeSignal) Signal() {
+}
+
+func setupDumpStacks(dump chan<- os.Signal) {
+	// Windows does not support signals like *nix systems. So instead of
+	// trapping on SIGUSR1 to dump stacks, we wait on a Win32 event to be
+	// signaled. ACL'd to builtin administrators and local system
+	event := "Global\\containerd-shim-runhcs-v1-" + fmt.Sprint(os.Getpid())
+	ev, _ := windows.UTF16PtrFromString(event)
+	sd, err := winio.SddlToSecurityDescriptor("D:P(A;;GA;;;BA)(A;;GA;;;SY)")
+	if err != nil {
+		logrus.Errorf("failed to get security descriptor for debug stackdump event %s: %s", event, err.Error())
+		return
+	}
+	var sa windows.SecurityAttributes
+	sa.Length = uint32(unsafe.Sizeof(sa))
+	sa.InheritHandle = 1
+	sa.SecurityDescriptor = uintptr(unsafe.Pointer(&sd[0]))
+	h, err := windows.CreateEvent(&sa, 0, 0, ev)
+	if h == 0 || err != nil {
+		logrus.Errorf("failed to create debug stackdump event %s: %s", event, err.Error())
+		return
+	}
+	go func() {
+		logrus.Debugf("Stackdump - waiting signal at %s", event)
+		for {
+			windows.WaitForSingleObject(h, windows.INFINITE)
+			dump <- new(fakeSignal)
+		}
+	}()
+}
+
+// serve serves the ttrpc API over a unix socket at the provided path
+// this function does not block
+func serveListener(path string) (net.Listener, error) {
+	if path == "" {
+		return nil, errors.New("'socket' must be npipe path")
+	}
+	l, err := winio.ListenPipe(path, nil)
+	if err != nil {
+		return nil, err
+	}
+	logrus.WithField("socket", path).Debug("serving api on npipe socket")
+	return l, nil
+}
+
+func handleSignals(logger *logrus.Entry, signals chan os.Signal) error {
+	logger.Info("starting signal loop")
+	for {
+		select {
+		case s := <-signals:
+			switch s {
+			case os.Interrupt:
+				break
+			}
+		}
+	}
+}
+
+type deferredShimWriteLogger struct {
+	ctx context.Context
+
+	wg sync.WaitGroup
+
+	c      net.Conn
+	conerr error
+}
+
+func (dswl *deferredShimWriteLogger) Write(p []byte) (int, error) {
+	dswl.wg.Wait()
+	if dswl.c == nil {
+		return 0, dswl.conerr
+	}
+	return dswl.c.Write(p)
+}
+
+// openLog on Windows acts as the server of the log pipe. This allows the
+// containerd daemon to independently restart and reconnect to the logs.
+func openLog(ctx context.Context, id string) (io.Writer, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	l, err := winio.ListenPipe(fmt.Sprintf("\\\\.\\pipe\\containerd-shim-%s-%s-log", ns, id), nil)
+	if err != nil {
+		return nil, err
+	}
+	dswl := &deferredShimWriteLogger{
+		ctx: ctx,
+	}
+	// TODO: JTERRY75 - this will not work with restarts. Only the first
+	// connection will work and all +1 connections will return 'use of closed
+	// network connection'. Make this reconnect aware.
+	dswl.wg.Add(1)
+	go func() {
+		c, conerr := l.Accept()
+		if conerr != nil {
+			l.Close()
+			dswl.conerr = conerr
+		}
+		dswl.c = c
+		dswl.wg.Done()
+	}()
+	return dswl, nil
+}
+
+func (l *remoteEventsPublisher) Publish(ctx context.Context, topic string, event events.Event) error {
+	ns, _ := namespaces.Namespace(ctx)
+	encoded, err := typeurl.MarshalAny(event)
+	if err != nil {
+		return err
+	}
+	data, err := encoded.Marshal()
+	if err != nil {
+		return err
+	}
+	cmd := exec.CommandContext(ctx, l.containerdBinaryPath, "--address", l.address, "publish", "--topic", topic, "--namespace", ns)
+	cmd.Stdin = bytes.NewReader(data)
+	return cmd.Run()
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/util.go

@@ -0,0 +1,120 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/containerd/containerd/namespaces"
+	"github.com/pkg/errors"
+)
+
+const shimBinaryFormat = "containerd-shim-%s-%s"
+
+// Command returns the shim command with the provided args and configuration
+func Command(ctx context.Context, runtime, containerdAddress, path string, cmdArgs ...string) (*exec.Cmd, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	self, err := os.Executable()
+	if err != nil {
+		return nil, err
+	}
+	args := []string{
+		"-namespace", ns,
+		"-address", containerdAddress,
+		"-publish-binary", self,
+	}
+	args = append(args, cmdArgs...)
+	name := BinaryName(runtime)
+	var cmdPath string
+	var lerr error
+	if cmdPath, lerr = exec.LookPath(name); lerr != nil {
+		if eerr, ok := lerr.(*exec.Error); ok {
+			if eerr.Err == exec.ErrNotFound {
+				return nil, errors.Wrapf(os.ErrNotExist, "runtime %q binary not installed %q", runtime, name)
+			}
+		}
+	}
+	cmdPath, err = filepath.Abs(cmdPath)
+	if err != nil {
+		return nil, err
+	}
+	cmd := exec.Command(cmdPath, args...)
+	cmd.Dir = path
+	cmd.Env = append(os.Environ(), "GOMAXPROCS=2")
+	cmd.SysProcAttr = getSysProcAttr()
+	return cmd, nil
+}
+
+// BinaryName returns the shim binary name from the runtime name
+func BinaryName(runtime string) string {
+	parts := strings.Split(runtime, ".")
+	// TODO: add validation for runtime
+	return fmt.Sprintf(shimBinaryFormat, parts[len(parts)-2], parts[len(parts)-1])
+}
+
+// Connect to the provided address
+func Connect(address string, d func(string, time.Duration) (net.Conn, error)) (net.Conn, error) {
+	return d(address, 100*time.Second)
+}
+
+// WritePidFile writes a pid file atomically
+func WritePidFile(path string, pid int) error {
+	path, err := filepath.Abs(path)
+	if err != nil {
+		return err
+	}
+	tempPath := filepath.Join(filepath.Dir(path), fmt.Sprintf(".%s", filepath.Base(path)))
+	f, err := os.OpenFile(tempPath, os.O_RDWR|os.O_CREATE|os.O_EXCL|os.O_SYNC, 0666)
+	if err != nil {
+		return err
+	}
+	_, err = fmt.Fprintf(f, "%d", pid)
+	f.Close()
+	if err != nil {
+		return err
+	}
+	return os.Rename(tempPath, path)
+}
+
+// WriteAddress writes a address file atomically
+func WriteAddress(path, address string) error {
+	path, err := filepath.Abs(path)
+	if err != nil {
+		return err
+	}
+	tempPath := filepath.Join(filepath.Dir(path), fmt.Sprintf(".%s", filepath.Base(path)))
+	f, err := os.OpenFile(tempPath, os.O_RDWR|os.O_CREATE|os.O_EXCL|os.O_SYNC, 0666)
+	if err != nil {
+		return err
+	}
+	_, err = f.WriteString(address)
+	f.Close()
+	if err != nil {
+		return err
+	}
+	return os.Rename(tempPath, path)
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/util_unix.go

@@ -0,0 +1,70 @@
+// +build !windows
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"context"
+	"net"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/sys"
+	"github.com/pkg/errors"
+)
+
+func getSysProcAttr() *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+}
+
+// SetScore sets the oom score for a process
+func SetScore(pid int) error {
+	return sys.SetOOMScore(pid, sys.OOMScoreMaxKillable)
+}
+
+// SocketAddress returns an abstract socket address
+func SocketAddress(ctx context.Context, id string) (string, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(string(filepath.Separator), "containerd-shim", ns, id, "shim.sock"), nil
+}
+
+// AnonDialer returns a dialer for an abstract socket
+func AnonDialer(address string, timeout time.Duration) (net.Conn, error) {
+	address = strings.TrimPrefix(address, "unix://")
+	return net.DialTimeout("unix", "\x00"+address, timeout)
+}
+
+// NewSocket returns a new socket
+func NewSocket(address string) (*net.UnixListener, error) {
+	if len(address) > 106 {
+		return nil, errors.Errorf("%q: unix socket path too long (> 106)", address)
+	}
+	l, err := net.Listen("unix", "\x00"+address)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to listen to abstract unix socket %q", address)
+	}
+	return l.(*net.UnixListener), nil
+}

vendor/github.com/containerd/containerd/runtime/v2/shim/util_windows.go

@@ -0,0 +1,80 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package shim
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"syscall"
+	"time"
+
+	winio "github.com/Microsoft/go-winio"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/pkg/errors"
+)
+
+func getSysProcAttr() *syscall.SysProcAttr {
+	return nil
+}
+
+// SetScore sets the oom score for a process
+func SetScore(pid int) error {
+	return nil
+}
+
+// SocketAddress returns a npipe address
+func SocketAddress(ctx context.Context, id string) (string, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("\\\\.\\pipe\\containerd-shim-%s-%s-pipe", ns, id), nil
+}
+
+// AnonDialer returns a dialer for a npipe
+func AnonDialer(address string, timeout time.Duration) (net.Conn, error) {
+	var c net.Conn
+	var lastError error
+	start := time.Now()
+	for {
+		remaining := timeout - time.Now().Sub(start)
+		if remaining <= 0 {
+			lastError = errors.Errorf("timed out waiting for npipe %s", address)
+			break
+		}
+		c, lastError = winio.DialPipe(address, &remaining)
+		if lastError == nil {
+			break
+		}
+		if !os.IsNotExist(lastError) {
+			break
+		}
+		time.Sleep(10 * time.Millisecond)
+	}
+	return c, lastError
+}
+
+// NewSocket returns a new npipe listener
+func NewSocket(address string) (net.Listener, error) {
+	l, err := winio.ListenPipe(address, nil)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to listen to npipe %s", address)
+	}
+	return l, nil
+}

vendor/github.com/containerd/containerd/runtime/v2/task/doc.go

@@ -0,0 +1,17 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package task