vendor: github.com/Microsoft/hcsshim v0.8.16

full diff: https://github.com/Microsoft/hcsshim/compare/v0.8.9...v0.8.16

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor.conf

@@ -44,7 +44,7 @@ github.com/jaguilar/vt100                           ad4c4a5743050fb7f88ce968dca9
 github.com/json-iterator/go                         a1ca0830781e007c66b225121d2cdb3a649421f6 # v1.1.10
 github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
 github.com/Microsoft/go-winio                       5c2e05d71961716a6c392a06ada435aaf5d5302c # v0.4.19
-github.com/Microsoft/hcsshim                        5bc557dd210ff2caf615e6e22d398123de77fc11 # v0.8.9
+github.com/Microsoft/hcsshim                        e811ee705ec77df2ae28857ade553043fb564d91 # v0.8.16
 github.com/miekg/pkcs11                             210dc1e16747c5ba98a03bcbcf728c38086ea357 # v1.0.3
 github.com/mitchellh/mapstructure                   d16e9488127408e67948eb43b6d3fbb9f222da10 # v1.3.2
 github.com/moby/buildkit                            8142d66b5ebde79846b869fba30d9d30633e74aa # v0.8.1

vendor/github.com/Microsoft/go-winio/pkg/security/grantvmgroupaccess.go

@@ -0,0 +1,161 @@
+// +build windows
+
+package security
+
+import (
+	"os"
+	"syscall"
+	"unsafe"
+
+	"github.com/pkg/errors"
+)
+
+type (
+	accessMask          uint32
+	accessMode          uint32
+	desiredAccess       uint32
+	inheritMode         uint32
+	objectType          uint32
+	shareMode           uint32
+	securityInformation uint32
+	trusteeForm         uint32
+	trusteeType         uint32
+
+	explicitAccess struct {
+		accessPermissions accessMask
+		accessMode        accessMode
+		inheritance       inheritMode
+		trustee           trustee
+	}
+
+	trustee struct {
+		multipleTrustee          *trustee
+		multipleTrusteeOperation int32
+		trusteeForm              trusteeForm
+		trusteeType              trusteeType
+		name                     uintptr
+	}
+)
+
+const (
+	accessMaskDesiredPermission accessMask = 1 << 31 // GENERIC_READ
+
+	accessModeGrant accessMode = 1
+
+	desiredAccessReadControl desiredAccess = 0x20000
+	desiredAccessWriteDac    desiredAccess = 0x40000
+
+	gvmga = "GrantVmGroupAccess:"
+
+	inheritModeNoInheritance                  inheritMode = 0x0
+	inheritModeSubContainersAndObjectsInherit inheritMode = 0x3
+
+	objectTypeFileObject objectType = 0x1
+
+	securityInformationDACL securityInformation = 0x4
+
+	shareModeRead  shareMode = 0x1
+	shareModeWrite shareMode = 0x2
+
+	sidVmGroup = "S-1-5-83-0"
+
+	trusteeFormIsSid trusteeForm = 0
+
+	trusteeTypeWellKnownGroup trusteeType = 5
+)
+
+// GrantVMGroupAccess sets the DACL for a specified file or directory to
+// include Grant ACE entries for the VM Group SID. This is a golang re-
+// implementation of the same function in vmcompute, just not exported in
+// RS5. Which kind of sucks. Sucks a lot :/
+func GrantVmGroupAccess(name string) error {
+	// Stat (to determine if `name` is a directory).
+	s, err := os.Stat(name)
+	if err != nil {
+		return errors.Wrapf(err, "%s os.Stat %s", gvmga, name)
+	}
+
+	// Get a handle to the file/directory. Must defer Close on success.
+	fd, err := createFile(name, s.IsDir())
+	if err != nil {
+		return err // Already wrapped
+	}
+	defer syscall.CloseHandle(fd)
+
+	// Get the current DACL and Security Descriptor. Must defer LocalFree on success.
+	ot := objectTypeFileObject
+	si := securityInformationDACL
+	sd := uintptr(0)
+	origDACL := uintptr(0)
+	if err := getSecurityInfo(fd, uint32(ot), uint32(si), nil, nil, &origDACL, nil, &sd); err != nil {
+		return errors.Wrapf(err, "%s GetSecurityInfo %s", gvmga, name)
+	}
+	defer syscall.LocalFree((syscall.Handle)(unsafe.Pointer(sd)))
+
+	// Generate a new DACL which is the current DACL with the required ACEs added.
+	// Must defer LocalFree on success.
+	newDACL, err := generateDACLWithAcesAdded(name, s.IsDir(), origDACL)
+	if err != nil {
+		return err // Already wrapped
+	}
+	defer syscall.LocalFree((syscall.Handle)(unsafe.Pointer(newDACL)))
+
+	// And finally use SetSecurityInfo to apply the updated DACL.
+	if err := setSecurityInfo(fd, uint32(ot), uint32(si), uintptr(0), uintptr(0), newDACL, uintptr(0)); err != nil {
+		return errors.Wrapf(err, "%s SetSecurityInfo %s", gvmga, name)
+	}
+
+	return nil
+}
+
+// createFile is a helper function to call [Nt]CreateFile to get a handle to
+// the file or directory.
+func createFile(name string, isDir bool) (syscall.Handle, error) {
+	namep := syscall.StringToUTF16(name)
+	da := uint32(desiredAccessReadControl | desiredAccessWriteDac)
+	sm := uint32(shareModeRead | shareModeWrite)
+	fa := uint32(syscall.FILE_ATTRIBUTE_NORMAL)
+	if isDir {
+		fa = uint32(fa | syscall.FILE_FLAG_BACKUP_SEMANTICS)
+	}
+	fd, err := syscall.CreateFile(&namep[0], da, sm, nil, syscall.OPEN_EXISTING, fa, 0)
+	if err != nil {
+		return 0, errors.Wrapf(err, "%s syscall.CreateFile %s", gvmga, name)
+	}
+	return fd, nil
+}
+
+// generateDACLWithAcesAdded generates a new DACL with the two needed ACEs added.
+// The caller is responsible for LocalFree of the returned DACL on success.
+func generateDACLWithAcesAdded(name string, isDir bool, origDACL uintptr) (uintptr, error) {
+	// Generate pointers to the SIDs based on the string SIDs
+	sid, err := syscall.StringToSid(sidVmGroup)
+	if err != nil {
+		return 0, errors.Wrapf(err, "%s syscall.StringToSid %s %s", gvmga, name, sidVmGroup)
+	}
+
+	inheritance := inheritModeNoInheritance
+	if isDir {
+		inheritance = inheritModeSubContainersAndObjectsInherit
+	}
+
+	eaArray := []explicitAccess{
+		explicitAccess{
+			accessPermissions: accessMaskDesiredPermission,
+			accessMode:        accessModeGrant,
+			inheritance:       inheritance,
+			trustee: trustee{
+				trusteeForm: trusteeFormIsSid,
+				trusteeType: trusteeTypeWellKnownGroup,
+				name:        uintptr(unsafe.Pointer(sid)),
+			},
+		},
+	}
+
+	modifiedDACL := uintptr(0)
+	if err := setEntriesInAcl(uintptr(uint32(1)), uintptr(unsafe.Pointer(&eaArray[0])), origDACL, &modifiedDACL); err != nil {
+		return 0, errors.Wrapf(err, "%s SetEntriesInAcl %s", gvmga, name)
+	}
+
+	return modifiedDACL, nil
+}

vendor/github.com/Microsoft/go-winio/pkg/security/syscall_windows.go

@@ -0,0 +1,7 @@
+package security
+
+//go:generate go run mksyscall_windows.go -output zsyscall_windows.go syscall_windows.go
+
+//sys getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (err error) [failretval!=0] = advapi32.GetSecurityInfo
+//sys setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (err error) [failretval!=0] = advapi32.SetSecurityInfo
+//sys setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl *uintptr) (err error) [failretval!=0] = advapi32.SetEntriesInAclW

vendor/github.com/Microsoft/go-winio/pkg/security/zsyscall_windows.go

@@ -0,0 +1,70 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package security
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
+
+	procGetSecurityInfo  = modadvapi32.NewProc("GetSecurityInfo")
+	procSetEntriesInAclW = modadvapi32.NewProc("SetEntriesInAclW")
+	procSetSecurityInfo  = modadvapi32.NewProc("SetSecurityInfo")
+)
+
+func getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall9(procGetSecurityInfo.Addr(), 8, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(unsafe.Pointer(ppsidOwner)), uintptr(unsafe.Pointer(ppsidGroup)), uintptr(unsafe.Pointer(ppDacl)), uintptr(unsafe.Pointer(ppSacl)), uintptr(unsafe.Pointer(ppSecurityDescriptor)), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl *uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall6(procSetEntriesInAclW.Addr(), 4, uintptr(count), uintptr(pListOfEEs), uintptr(oldAcl), uintptr(unsafe.Pointer(newAcl)), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall9(procSetSecurityInfo.Addr(), 7, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(psidOwner), uintptr(psidGroup), uintptr(pDacl), uintptr(pSacl), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}

vendor/github.com/Microsoft/hcsshim/README.md

@@ -1,6 +1,6 @@
 # hcsshim
 
-[![Build status](https://ci.appveyor.com/api/projects/status/nbcw28mnkqml0loa/branch/master?svg=true)](https://ci.appveyor.com/project/WindowsVirtualization/hcsshim/branch/master)
+[![Build status](https://github.com/microsoft/hcsshim/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/microsoft/hcsshim/actions?query=branch%3Amaster)
 
 This package contains the Golang interface for using the Windows [Host Compute Service](https://techcommunity.microsoft.com/t5/containers/introducing-the-host-compute-service-hcs/ba-p/382332) (HCS) to launch and manage [Windows Containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/). It also contains other helpers and functions for managing Windows Containers such as the Golang interface for the Host Network Service (HNS).
 

vendor/github.com/Microsoft/hcsshim/computestorage/attach.go

@@ -0,0 +1,38 @@
+package computestorage
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+)
+
+// AttachLayerStorageFilter sets up the layer storage filter on a writable
+// container layer.
+//
+// `layerPath` is a path to a directory the writable layer is mounted. If the
+// path does not end in a `\` the platform will append it automatically.
+//
+// `layerData` is the parent read-only layer data.
+func AttachLayerStorageFilter(ctx context.Context, layerPath string, layerData LayerData) (err error) {
+	title := "hcsshim.AttachLayerStorageFilter"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("layerPath", layerPath),
+	)
+
+	bytes, err := json.Marshal(layerData)
+	if err != nil {
+		return err
+	}
+
+	err = hcsAttachLayerStorageFilter(layerPath, string(bytes))
+	if err != nil {
+		return errors.Wrap(err, "failed to attach layer storage filter")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/destroy.go

@@ -0,0 +1,26 @@
+package computestorage
+
+import (
+	"context"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+)
+
+// DestroyLayer deletes a container layer.
+//
+// `layerPath` is a path to a directory containing the layer to export.
+func DestroyLayer(ctx context.Context, layerPath string) (err error) {
+	title := "hcsshim.DestroyLayer"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("layerPath", layerPath))
+
+	err = hcsDestroyLayer(layerPath)
+	if err != nil {
+		return errors.Wrap(err, "failed to destroy layer")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/detach.go

@@ -0,0 +1,26 @@
+package computestorage
+
+import (
+	"context"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+)
+
+// DetachLayerStorageFilter detaches the layer storage filter on a writable container layer.
+//
+// `layerPath` is a path to a directory containing the layer to export.
+func DetachLayerStorageFilter(ctx context.Context, layerPath string) (err error) {
+	title := "hcsshim.DetachLayerStorageFilter"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("layerPath", layerPath))
+
+	err = hcsDetachLayerStorageFilter(layerPath)
+	if err != nil {
+		return errors.Wrap(err, "failed to detach layer storage filter")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/export.go

@@ -0,0 +1,46 @@
+package computestorage
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+)
+
+// ExportLayer exports a container layer.
+//
+// `layerPath` is a path to a directory containing the layer to export.
+//
+// `exportFolderPath` is a pre-existing folder to export the layer to.
+//
+// `layerData` is the parent layer data.
+//
+// `options` are the export options applied to the exported layer.
+func ExportLayer(ctx context.Context, layerPath, exportFolderPath string, layerData LayerData, options ExportLayerOptions) (err error) {
+	title := "hcsshim.ExportLayer"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("layerPath", layerPath),
+		trace.StringAttribute("exportFolderPath", exportFolderPath),
+	)
+
+	ldbytes, err := json.Marshal(layerData)
+	if err != nil {
+		return err
+	}
+
+	obytes, err := json.Marshal(options)
+	if err != nil {
+		return err
+	}
+
+	err = hcsExportLayer(layerPath, exportFolderPath, string(ldbytes), string(obytes))
+	if err != nil {
+		return errors.Wrap(err, "failed to export layer")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/format.go

@@ -0,0 +1,26 @@
+package computestorage
+
+import (
+	"context"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+	"golang.org/x/sys/windows"
+)
+
+// FormatWritableLayerVhd formats a virtual disk for use as a writable container layer.
+//
+// If the VHD is not mounted it will be temporarily mounted.
+func FormatWritableLayerVhd(ctx context.Context, vhdHandle windows.Handle) (err error) {
+	title := "hcsshim.FormatWritableLayerVhd"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+
+	err = hcsFormatWritableLayerVhd(vhdHandle)
+	if err != nil {
+		return errors.Wrap(err, "failed to format writable layer vhd")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/helpers.go

@@ -0,0 +1,193 @@
+package computestorage
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"syscall"
+
+	"github.com/Microsoft/go-winio/pkg/security"
+	"github.com/Microsoft/go-winio/vhd"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/windows"
+)
+
+const defaultVHDXBlockSizeInMB = 1
+
+// SetupContainerBaseLayer is a helper to setup a containers scratch. It
+// will create and format the vhdx's inside and the size is configurable with the sizeInGB
+// parameter.
+//
+// `layerPath` is the path to the base container layer on disk.
+//
+// `baseVhdPath` is the path to where the base vhdx for the base layer should be created.
+//
+// `diffVhdPath` is the path where the differencing disk for the base layer should be created.
+//
+// `sizeInGB` is the size in gigabytes to make the base vhdx.
+func SetupContainerBaseLayer(ctx context.Context, layerPath, baseVhdPath, diffVhdPath string, sizeInGB uint64) (err error) {
+	var (
+		hivesPath  = filepath.Join(layerPath, "Hives")
+		layoutPath = filepath.Join(layerPath, "Layout")
+	)
+
+	// We need to remove the hives directory and layout file as `SetupBaseOSLayer` fails if these files
+	// already exist. `SetupBaseOSLayer` will create these files internally. We also remove the base and
+	// differencing disks if they exist in case we're asking for a different size.
+	if _, err := os.Stat(hivesPath); err == nil {
+		if err := os.RemoveAll(hivesPath); err != nil {
+			return errors.Wrap(err, "failed to remove prexisting hives directory")
+		}
+	}
+	if _, err := os.Stat(layoutPath); err == nil {
+		if err := os.RemoveAll(layoutPath); err != nil {
+			return errors.Wrap(err, "failed to remove prexisting layout file")
+		}
+	}
+
+	if _, err := os.Stat(baseVhdPath); err == nil {
+		if err := os.RemoveAll(baseVhdPath); err != nil {
+			return errors.Wrap(err, "failed to remove base vhdx path")
+		}
+	}
+	if _, err := os.Stat(diffVhdPath); err == nil {
+		if err := os.RemoveAll(diffVhdPath); err != nil {
+			return errors.Wrap(err, "failed to remove differencing vhdx")
+		}
+	}
+
+	createParams := &vhd.CreateVirtualDiskParameters{
+		Version: 2,
+		Version2: vhd.CreateVersion2{
+			MaximumSize:      sizeInGB * 1024 * 1024 * 1024,
+			BlockSizeInBytes: defaultVHDXBlockSizeInMB * 1024 * 1024,
+		},
+	}
+	handle, err := vhd.CreateVirtualDisk(baseVhdPath, vhd.VirtualDiskAccessNone, vhd.CreateVirtualDiskFlagNone, createParams)
+	if err != nil {
+		return errors.Wrap(err, "failed to create vhdx")
+	}
+
+	defer func() {
+		if err != nil {
+			_ = syscall.CloseHandle(handle)
+			os.RemoveAll(baseVhdPath)
+			os.RemoveAll(diffVhdPath)
+		}
+	}()
+
+	if err = FormatWritableLayerVhd(ctx, windows.Handle(handle)); err != nil {
+		return err
+	}
+	// Base vhd handle must be closed before calling SetupBaseLayer in case of Container layer
+	if err = syscall.CloseHandle(handle); err != nil {
+		return errors.Wrap(err, "failed to close vhdx handle")
+	}
+
+	options := OsLayerOptions{
+		Type: OsLayerTypeContainer,
+	}
+
+	// SetupBaseOSLayer expects an empty vhd handle for a container layer and will
+	// error out otherwise.
+	if err = SetupBaseOSLayer(ctx, layerPath, 0, options); err != nil {
+		return err
+	}
+	// Create the differencing disk that will be what's copied for the final rw layer
+	// for a container.
+	if err = vhd.CreateDiffVhd(diffVhdPath, baseVhdPath, defaultVHDXBlockSizeInMB); err != nil {
+		return errors.Wrap(err, "failed to create differencing disk")
+	}
+
+	if err = security.GrantVmGroupAccess(baseVhdPath); err != nil {
+		return errors.Wrapf(err, "failed to grant vm group access to %s", baseVhdPath)
+	}
+	if err = security.GrantVmGroupAccess(diffVhdPath); err != nil {
+		return errors.Wrapf(err, "failed to grant vm group access to %s", diffVhdPath)
+	}
+	return nil
+}
+
+// SetupUtilityVMBaseLayer is a helper to setup a UVMs scratch space. It will create and format
+// the vhdx inside and the size is configurable by the sizeInGB parameter.
+//
+// `uvmPath` is the path to the UtilityVM filesystem.
+//
+// `baseVhdPath` is the path to where the base vhdx for the UVM should be created.
+//
+// `diffVhdPath` is the path where the differencing disk for the UVM should be created.
+//
+// `sizeInGB` specifies the size in gigabytes to make the base vhdx.
+func SetupUtilityVMBaseLayer(ctx context.Context, uvmPath, baseVhdPath, diffVhdPath string, sizeInGB uint64) (err error) {
+	// Remove the base and differencing disks if they exist in case we're asking for a different size.
+	if _, err := os.Stat(baseVhdPath); err == nil {
+		if err := os.RemoveAll(baseVhdPath); err != nil {
+			return errors.Wrap(err, "failed to remove base vhdx")
+		}
+	}
+	if _, err := os.Stat(diffVhdPath); err == nil {
+		if err := os.RemoveAll(diffVhdPath); err != nil {
+			return errors.Wrap(err, "failed to remove differencing vhdx")
+		}
+	}
+
+	// Just create the vhdx for utilityVM layer, no need to format it.
+	createParams := &vhd.CreateVirtualDiskParameters{
+		Version: 2,
+		Version2: vhd.CreateVersion2{
+			MaximumSize:      sizeInGB * 1024 * 1024 * 1024,
+			BlockSizeInBytes: defaultVHDXBlockSizeInMB * 1024 * 1024,
+		},
+	}
+	handle, err := vhd.CreateVirtualDisk(baseVhdPath, vhd.VirtualDiskAccessNone, vhd.CreateVirtualDiskFlagNone, createParams)
+	if err != nil {
+		return errors.Wrap(err, "failed to create vhdx")
+	}
+
+	defer func() {
+		if err != nil {
+			_ = syscall.CloseHandle(handle)
+			os.RemoveAll(baseVhdPath)
+			os.RemoveAll(diffVhdPath)
+		}
+	}()
+
+	// If it is a UtilityVM layer then the base vhdx must be attached when calling
+	// `SetupBaseOSLayer`
+	attachParams := &vhd.AttachVirtualDiskParameters{
+		Version: 2,
+	}
+	if err := vhd.AttachVirtualDisk(handle, vhd.AttachVirtualDiskFlagNone, attachParams); err != nil {
+		return errors.Wrapf(err, "failed to attach virtual disk")
+	}
+
+	options := OsLayerOptions{
+		Type: OsLayerTypeVM,
+	}
+	if err := SetupBaseOSLayer(ctx, uvmPath, windows.Handle(handle), options); err != nil {
+		return err
+	}
+
+	// Detach and close the handle after setting up the layer as we don't need the handle
+	// for anything else and we no longer need to be attached either.
+	if err = vhd.DetachVirtualDisk(handle); err != nil {
+		return errors.Wrap(err, "failed to detach vhdx")
+	}
+	if err = syscall.CloseHandle(handle); err != nil {
+		return errors.Wrap(err, "failed to close vhdx handle")
+	}
+
+	// Create the differencing disk that will be what's copied for the final rw layer
+	// for a container.
+	if err = vhd.CreateDiffVhd(diffVhdPath, baseVhdPath, defaultVHDXBlockSizeInMB); err != nil {
+		return errors.Wrap(err, "failed to create differencing disk")
+	}
+
+	if err := security.GrantVmGroupAccess(baseVhdPath); err != nil {
+		return errors.Wrapf(err, "failed to grant vm group access to %s", baseVhdPath)
+	}
+	if err := security.GrantVmGroupAccess(diffVhdPath); err != nil {
+		return errors.Wrapf(err, "failed to grant vm group access to %s", diffVhdPath)
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/import.go

@@ -0,0 +1,41 @@
+package computestorage
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+)
+
+// ImportLayer imports a container layer.
+//
+// `layerPath` is a path to a directory to import the layer to. If the directory
+// does not exist it will be automatically created.
+//
+// `sourceFolderpath` is a pre-existing folder that contains the layer to
+// import.
+//
+// `layerData` is the parent layer data.
+func ImportLayer(ctx context.Context, layerPath, sourceFolderPath string, layerData LayerData) (err error) {
+	title := "hcsshim.ImportLayer"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("layerPath", layerPath),
+		trace.StringAttribute("sourceFolderPath", sourceFolderPath),
+	)
+
+	bytes, err := json.Marshal(layerData)
+	if err != nil {
+		return err
+	}
+
+	err = hcsImportLayer(layerPath, sourceFolderPath, string(bytes))
+	if err != nil {
+		return errors.Wrap(err, "failed to import layer")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/initialize.go

@@ -0,0 +1,38 @@
+package computestorage
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+)
+
+// InitializeWritableLayer initializes a writable layer for a container.
+//
+// `layerPath` is a path to a directory the layer is mounted. If the
+// path does not end in a `\` the platform will append it automatically.
+//
+// `layerData` is the parent read-only layer data.
+func InitializeWritableLayer(ctx context.Context, layerPath string, layerData LayerData) (err error) {
+	title := "hcsshim.InitializeWritableLayer"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("layerPath", layerPath),
+	)
+
+	bytes, err := json.Marshal(layerData)
+	if err != nil {
+		return err
+	}
+
+	// Options are not used in the platform as of RS5
+	err = hcsInitializeWritableLayer(layerPath, string(bytes), "")
+	if err != nil {
+		return errors.Wrap(err, "failed to intitialize container layer")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/mount.go

@@ -0,0 +1,27 @@
+package computestorage
+
+import (
+	"context"
+
+	"github.com/Microsoft/hcsshim/internal/interop"
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+	"golang.org/x/sys/windows"
+)
+
+// GetLayerVhdMountPath returns the volume path for a virtual disk of a writable container layer.
+func GetLayerVhdMountPath(ctx context.Context, vhdHandle windows.Handle) (path string, err error) {
+	title := "hcsshim.GetLayerVhdMountPath"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+
+	var mountPath *uint16
+	err = hcsGetLayerVhdMountPath(vhdHandle, &mountPath)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get vhd mount path")
+	}
+	path = interop.ConvertAndFreeCoTaskMemString(mountPath)
+	return path, nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/setup.go

@@ -0,0 +1,74 @@
+package computestorage
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/Microsoft/hcsshim/osversion"
+	"github.com/pkg/errors"
+	"go.opencensus.io/trace"
+	"golang.org/x/sys/windows"
+)
+
+// SetupBaseOSLayer sets up a layer that contains a base OS for a container.
+//
+// `layerPath` is a path to a directory containing the layer.
+//
+// `vhdHandle` is an empty file handle of `options.Type == OsLayerTypeContainer`
+// or else it is a file handle to the 'SystemTemplateBase.vhdx' if `options.Type
+// == OsLayerTypeVm`.
+//
+// `options` are the options applied while processing the layer.
+func SetupBaseOSLayer(ctx context.Context, layerPath string, vhdHandle windows.Handle, options OsLayerOptions) (err error) {
+	title := "hcsshim.SetupBaseOSLayer"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("layerPath", layerPath),
+	)
+
+	bytes, err := json.Marshal(options)
+	if err != nil {
+		return err
+	}
+
+	err = hcsSetupBaseOSLayer(layerPath, vhdHandle, string(bytes))
+	if err != nil {
+		return errors.Wrap(err, "failed to setup base OS layer")
+	}
+	return nil
+}
+
+// SetupBaseOSVolume sets up a volume that contains a base OS for a container.
+//
+// `layerPath` is a path to a directory containing the layer.
+//
+// `volumePath` is the path to the volume to be used for setup.
+//
+// `options` are the options applied while processing the layer.
+func SetupBaseOSVolume(ctx context.Context, layerPath, volumePath string, options OsLayerOptions) (err error) {
+	if osversion.Get().Build < 19645 {
+		return errors.New("SetupBaseOSVolume is not present on builds older than 19645")
+	}
+	title := "hcsshim.SetupBaseOSVolume"
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("layerPath", layerPath),
+		trace.StringAttribute("volumePath", volumePath),
+	)
+
+	bytes, err := json.Marshal(options)
+	if err != nil {
+		return err
+	}
+
+	err = hcsSetupBaseOSVolume(layerPath, volumePath, string(bytes))
+	if err != nil {
+		return errors.Wrap(err, "failed to setup base OS layer")
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/computestorage/storage.go

@@ -0,0 +1,50 @@
+// Package computestorage is a wrapper around the HCS storage APIs. These are new storage APIs introduced
+// separate from the original graphdriver calls intended to give more freedom around creating
+// and managing container layers and scratch spaces.
+package computestorage
+
+import (
+	hcsschema "github.com/Microsoft/hcsshim/internal/schema2"
+)
+
+//go:generate go run ../mksyscall_windows.go -output zsyscall_windows.go storage.go
+
+//sys hcsImportLayer(layerPath string, sourceFolderPath string, layerData string) (hr error) = computestorage.HcsImportLayer?
+//sys hcsExportLayer(layerPath string, exportFolderPath string, layerData string, options string) (hr error) = computestorage.HcsExportLayer?
+//sys hcsDestroyLayer(layerPath string) (hr error) = computestorage.HcsDestoryLayer?
+//sys hcsSetupBaseOSLayer(layerPath string, handle windows.Handle, options string) (hr error) = computestorage.HcsSetupBaseOSLayer?
+//sys hcsInitializeWritableLayer(writableLayerPath string, layerData string, options string) (hr error) = computestorage.HcsInitializeWritableLayer?
+//sys hcsAttachLayerStorageFilter(layerPath string, layerData string) (hr error) = computestorage.HcsAttachLayerStorageFilter?
+//sys hcsDetachLayerStorageFilter(layerPath string) (hr error) = computestorage.HcsDetachLayerStorageFilter?
+//sys hcsFormatWritableLayerVhd(handle windows.Handle) (hr error) = computestorage.HcsFormatWritableLayerVhd?
+//sys hcsGetLayerVhdMountPath(vhdHandle windows.Handle, mountPath **uint16) (hr error) = computestorage.HcsGetLayerVhdMountPath?
+//sys hcsSetupBaseOSVolume(layerPath string, volumePath string, options string) (hr error) = computestorage.HcsSetupBaseOSVolume?
+
+// LayerData is the data used to describe parent layer information.
+type LayerData struct {
+	SchemaVersion hcsschema.Version `json:"SchemaVersion,omitempty"`
+	Layers        []hcsschema.Layer `json:"Layers,omitempty"`
+}
+
+// ExportLayerOptions are the set of options that are used with the `computestorage.HcsExportLayer` syscall.
+type ExportLayerOptions struct {
+	IsWritableLayer bool `json:"IsWritableLayer,omitempty"`
+}
+
+// OsLayerType is the type of layer being operated on.
+type OsLayerType string
+
+const (
+	// OsLayerTypeContainer is a container layer.
+	OsLayerTypeContainer OsLayerType = "Container"
+	// OsLayerTypeVM is a virtual machine layer.
+	OsLayerTypeVM OsLayerType = "Vm"
+)
+
+// OsLayerOptions are the set of options that are used with the `SetupBaseOSLayer` and
+// `SetupBaseOSVolume` calls.
+type OsLayerOptions struct {
+	Type                       OsLayerType `json:"Type,omitempty"`
+	DisableCiCacheOptimization bool        `json:"DisableCiCacheOptimization,omitempty"`
+	SkipUpdateBcdForBoot       bool        `json:"SkipUpdateBcdForBoot,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/computestorage/zsyscall_windows.go

@@ -0,0 +1,319 @@
+// Code generated mksyscall_windows.exe DO NOT EDIT
+
+package computestorage
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return nil
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modcomputestorage = windows.NewLazySystemDLL("computestorage.dll")
+
+	procHcsImportLayer              = modcomputestorage.NewProc("HcsImportLayer")
+	procHcsExportLayer              = modcomputestorage.NewProc("HcsExportLayer")
+	procHcsDestoryLayer             = modcomputestorage.NewProc("HcsDestoryLayer")
+	procHcsSetupBaseOSLayer         = modcomputestorage.NewProc("HcsSetupBaseOSLayer")
+	procHcsInitializeWritableLayer  = modcomputestorage.NewProc("HcsInitializeWritableLayer")
+	procHcsAttachLayerStorageFilter = modcomputestorage.NewProc("HcsAttachLayerStorageFilter")
+	procHcsDetachLayerStorageFilter = modcomputestorage.NewProc("HcsDetachLayerStorageFilter")
+	procHcsFormatWritableLayerVhd   = modcomputestorage.NewProc("HcsFormatWritableLayerVhd")
+	procHcsGetLayerVhdMountPath     = modcomputestorage.NewProc("HcsGetLayerVhdMountPath")
+	procHcsSetupBaseOSVolume        = modcomputestorage.NewProc("HcsSetupBaseOSVolume")
+)
+
+func hcsImportLayer(layerPath string, sourceFolderPath string, layerData string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(layerPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(sourceFolderPath)
+	if hr != nil {
+		return
+	}
+	var _p2 *uint16
+	_p2, hr = syscall.UTF16PtrFromString(layerData)
+	if hr != nil {
+		return
+	}
+	return _hcsImportLayer(_p0, _p1, _p2)
+}
+
+func _hcsImportLayer(layerPath *uint16, sourceFolderPath *uint16, layerData *uint16) (hr error) {
+	if hr = procHcsImportLayer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsImportLayer.Addr(), 3, uintptr(unsafe.Pointer(layerPath)), uintptr(unsafe.Pointer(sourceFolderPath)), uintptr(unsafe.Pointer(layerData)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsExportLayer(layerPath string, exportFolderPath string, layerData string, options string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(layerPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(exportFolderPath)
+	if hr != nil {
+		return
+	}
+	var _p2 *uint16
+	_p2, hr = syscall.UTF16PtrFromString(layerData)
+	if hr != nil {
+		return
+	}
+	var _p3 *uint16
+	_p3, hr = syscall.UTF16PtrFromString(options)
+	if hr != nil {
+		return
+	}
+	return _hcsExportLayer(_p0, _p1, _p2, _p3)
+}
+
+func _hcsExportLayer(layerPath *uint16, exportFolderPath *uint16, layerData *uint16, options *uint16) (hr error) {
+	if hr = procHcsExportLayer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall6(procHcsExportLayer.Addr(), 4, uintptr(unsafe.Pointer(layerPath)), uintptr(unsafe.Pointer(exportFolderPath)), uintptr(unsafe.Pointer(layerData)), uintptr(unsafe.Pointer(options)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsDestroyLayer(layerPath string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(layerPath)
+	if hr != nil {
+		return
+	}
+	return _hcsDestroyLayer(_p0)
+}
+
+func _hcsDestroyLayer(layerPath *uint16) (hr error) {
+	if hr = procHcsDestoryLayer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsDestoryLayer.Addr(), 1, uintptr(unsafe.Pointer(layerPath)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsSetupBaseOSLayer(layerPath string, handle windows.Handle, options string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(layerPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(options)
+	if hr != nil {
+		return
+	}
+	return _hcsSetupBaseOSLayer(_p0, handle, _p1)
+}
+
+func _hcsSetupBaseOSLayer(layerPath *uint16, handle windows.Handle, options *uint16) (hr error) {
+	if hr = procHcsSetupBaseOSLayer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsSetupBaseOSLayer.Addr(), 3, uintptr(unsafe.Pointer(layerPath)), uintptr(handle), uintptr(unsafe.Pointer(options)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsInitializeWritableLayer(writableLayerPath string, layerData string, options string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(writableLayerPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(layerData)
+	if hr != nil {
+		return
+	}
+	var _p2 *uint16
+	_p2, hr = syscall.UTF16PtrFromString(options)
+	if hr != nil {
+		return
+	}
+	return _hcsInitializeWritableLayer(_p0, _p1, _p2)
+}
+
+func _hcsInitializeWritableLayer(writableLayerPath *uint16, layerData *uint16, options *uint16) (hr error) {
+	if hr = procHcsInitializeWritableLayer.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsInitializeWritableLayer.Addr(), 3, uintptr(unsafe.Pointer(writableLayerPath)), uintptr(unsafe.Pointer(layerData)), uintptr(unsafe.Pointer(options)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsAttachLayerStorageFilter(layerPath string, layerData string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(layerPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(layerData)
+	if hr != nil {
+		return
+	}
+	return _hcsAttachLayerStorageFilter(_p0, _p1)
+}
+
+func _hcsAttachLayerStorageFilter(layerPath *uint16, layerData *uint16) (hr error) {
+	if hr = procHcsAttachLayerStorageFilter.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsAttachLayerStorageFilter.Addr(), 2, uintptr(unsafe.Pointer(layerPath)), uintptr(unsafe.Pointer(layerData)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsDetachLayerStorageFilter(layerPath string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(layerPath)
+	if hr != nil {
+		return
+	}
+	return _hcsDetachLayerStorageFilter(_p0)
+}
+
+func _hcsDetachLayerStorageFilter(layerPath *uint16) (hr error) {
+	if hr = procHcsDetachLayerStorageFilter.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsDetachLayerStorageFilter.Addr(), 1, uintptr(unsafe.Pointer(layerPath)), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsFormatWritableLayerVhd(handle windows.Handle) (hr error) {
+	if hr = procHcsFormatWritableLayerVhd.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsFormatWritableLayerVhd.Addr(), 1, uintptr(handle), 0, 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsGetLayerVhdMountPath(vhdHandle windows.Handle, mountPath **uint16) (hr error) {
+	if hr = procHcsGetLayerVhdMountPath.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsGetLayerVhdMountPath.Addr(), 2, uintptr(vhdHandle), uintptr(unsafe.Pointer(mountPath)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
+func hcsSetupBaseOSVolume(layerPath string, volumePath string, options string) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(layerPath)
+	if hr != nil {
+		return
+	}
+	var _p1 *uint16
+	_p1, hr = syscall.UTF16PtrFromString(volumePath)
+	if hr != nil {
+		return
+	}
+	var _p2 *uint16
+	_p2, hr = syscall.UTF16PtrFromString(options)
+	if hr != nil {
+		return
+	}
+	return _hcsSetupBaseOSVolume(_p0, _p1, _p2)
+}
+
+func _hcsSetupBaseOSVolume(layerPath *uint16, volumePath *uint16, options *uint16) (hr error) {
+	if hr = procHcsSetupBaseOSVolume.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsSetupBaseOSVolume.Addr(), 3, uintptr(unsafe.Pointer(layerPath)), uintptr(unsafe.Pointer(volumePath)), uintptr(unsafe.Pointer(options)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}

vendor/github.com/Microsoft/hcsshim/errors.go

@@ -83,7 +83,6 @@ type NetworkNotFoundError = hns.NetworkNotFoundError
 type ProcessError struct {
 	Process   *process
 	Operation string
-	ExtraInfo string
 	Err       error
 	Events    []hcs.ErrorEvent
 }
@@ -92,7 +91,6 @@ type ProcessError struct {
 type ContainerError struct {
 	Container *container
 	Operation string
-	ExtraInfo string
 	Err       error
 	Events    []hcs.ErrorEvent
 }
@@ -125,22 +123,9 @@ func (e *ContainerError) Error() string {
 		s += "\n" + ev.String()
 	}
 
-	if e.ExtraInfo != "" {
-		s += " extra info: " + e.ExtraInfo
-	}
-
 	return s
 }
 
-func makeContainerError(container *container, operation string, extraInfo string, err error) error {
-	// Don't double wrap errors
-	if _, ok := err.(*ContainerError); ok {
-		return err
-	}
-	containerError := &ContainerError{Container: container, Operation: operation, ExtraInfo: extraInfo, Err: err}
-	return containerError
-}
-
 func (e *ProcessError) Error() string {
 	if e == nil {
 		return "<nil>"
@@ -171,15 +156,6 @@ func (e *ProcessError) Error() string {
 	return s
 }
 
-func makeProcessError(process *process, operation string, extraInfo string, err error) error {
-	// Don't double wrap errors
-	if _, ok := err.(*ProcessError); ok {
-		return err
-	}
-	processError := &ProcessError{Process: process, Operation: operation, ExtraInfo: extraInfo, Err: err}
-	return processError
-}
-
 // IsNotExist checks if an error is caused by the Container or Process not existing.
 // Note: Currently, ErrElementNotFound can mean that a Process has either
 // already exited, or does not exist. Both IsAlreadyStopped and IsNotExist
@@ -230,6 +206,18 @@ func IsNotSupported(err error) bool {
 	return hcs.IsNotSupported(getInnerError(err))
 }
 
+// IsOperationInvalidState returns true when err is caused by
+// `ErrVmcomputeOperationInvalidState`.
+func IsOperationInvalidState(err error) bool {
+	return hcs.IsOperationInvalidState(getInnerError(err))
+}
+
+// IsAccessIsDenied returns true when err is caused by
+// `ErrVmcomputeOperationAccessIsDenied`.
+func IsAccessIsDenied(err error) bool {
+	return hcs.IsAccessIsDenied(getInnerError(err))
+}
+
 func getInnerError(err error) error {
 	switch pe := err.(type) {
 	case nil:
@@ -244,7 +232,7 @@ func getInnerError(err error) error {
 
 func convertSystemError(err error, c *container) error {
 	if serr, ok := err.(*hcs.SystemError); ok {
-		return &ContainerError{Container: c, Operation: serr.Op, ExtraInfo: serr.Extra, Err: serr.Err, Events: serr.Events}
+		return &ContainerError{Container: c, Operation: serr.Op, Err: serr.Err, Events: serr.Events}
 	}
 	return err
 }

vendor/github.com/Microsoft/hcsshim/go.mod

@@ -3,33 +3,20 @@ module github.com/Microsoft/hcsshim
 go 1.13
 
 require (
-	github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5
+	github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3
-	github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f
+	github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68
-	github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1
+	github.com/containerd/console v1.0.1
-	github.com/containerd/containerd v1.3.2
+	github.com/containerd/containerd v1.5.0-beta.4
-	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect
+	github.com/containerd/go-runc v0.0.0-20201020171139-16b287bc67d0
-	github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 // indirect
+	github.com/containerd/ttrpc v1.0.2
-	github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3
+	github.com/containerd/typeurl v1.0.1
-	github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de
+	github.com/gogo/protobuf v1.3.2
-	github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd
+	github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
-	github.com/gogo/protobuf v1.3.1
+	github.com/pkg/errors v0.9.1
-	github.com/golang/protobuf v1.3.2 // indirect
+	github.com/sirupsen/logrus v1.7.0
-	github.com/kr/pretty v0.1.0 // indirect
+	github.com/urfave/cli v1.22.2
-	github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 // indirect
+	go.opencensus.io v0.22.3
-	github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f // indirect
+	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
-	github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700
+	golang.org/x/sys v0.0.0-20210324051608-47abb6519492
-	github.com/pkg/errors v0.8.1
+	google.golang.org/grpc v1.33.2
-	github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7 // indirect
-	github.com/sirupsen/logrus v1.4.2
-	github.com/stretchr/testify v1.4.0 // indirect
-	github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5
-	go.opencensus.io v0.22.0
-	golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 // indirect
-	golang.org/x/sync v0.0.0-20190423024810-112230192c58
-	golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3
-	google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873 // indirect
-	google.golang.org/grpc v1.23.1
-	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
-	gopkg.in/yaml.v2 v2.2.8 // indirect
-	gotest.tools v2.2.0+incompatible // indirect
 )

vendor/github.com/Microsoft/hcsshim/hnsendpoint.go

@@ -40,6 +40,9 @@ func HNSListEndpointRequest() ([]HNSEndpoint, error) {
 // HotAttachEndpoint makes a HCS Call to attach the endpoint to the container
 func HotAttachEndpoint(containerID string, endpointID string) error {
 	endpoint, err := GetHNSEndpointByID(endpointID)
+	if err != nil {
+		return err
+	}
 	isAttached, err := endpoint.IsAttached(containerID)
 	if isAttached {
 		return err
@@ -50,6 +53,9 @@ func HotAttachEndpoint(containerID string, endpointID string) error {
 // HotDetachEndpoint makes a HCS Call to detach the endpoint from the container
 func HotDetachEndpoint(containerID string, endpointID string) error {
 	endpoint, err := GetHNSEndpointByID(endpointID)
+	if err != nil {
+		return err
+	}
 	isAttached, err := endpoint.IsAttached(containerID)
 	if !isAttached {
 		return err

vendor/github.com/Microsoft/hcsshim/internal/cow/cow.go

@@ -80,4 +80,6 @@ type Container interface {
 	// container to be terminated by some error condition (including calling
 	// Close).
 	Wait() error
+	// Modify sends a request to modify container resources
+	Modify(ctx context.Context, config interface{}) error
 }

vendor/github.com/Microsoft/hcsshim/internal/hcs/callback.go

@@ -106,6 +106,7 @@ func newSystemChannels() notificationChannels {
 		hcsNotificationSystemStartCompleted,
 		hcsNotificationSystemPauseCompleted,
 		hcsNotificationSystemResumeCompleted,
+		hcsNotificationSystemSaveCompleted,
 	} {
 		channels[notif] = make(notificationChannel, 1)
 	}

vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go

@@ -171,7 +171,6 @@ type SystemError struct {
 	ID     string
 	Op     string
 	Err    error
-	Extra  string
 	Events []ErrorEvent
 }
 
@@ -182,9 +181,6 @@ func (e *SystemError) Error() string {
 	for _, ev := range e.Events {
 		s += "\n" + ev.String()
 	}
-	if e.Extra != "" {
-		s += "\n(extra info: " + e.Extra + ")"
-	}
 	return s
 }
 
@@ -198,7 +194,7 @@ func (e *SystemError) Timeout() bool {
 	return ok && err.Timeout()
 }
 
-func makeSystemError(system *System, op string, extra string, err error, events []ErrorEvent) error {
+func makeSystemError(system *System, op string, err error, events []ErrorEvent) error {
 	// Don't double wrap errors
 	if _, ok := err.(*SystemError); ok {
 		return err
@@ -206,7 +202,6 @@ func makeSystemError(system *System, op string, extra string, err error, events
 	return &SystemError{
 		ID:     system.ID(),
 		Op:     op,
-		Extra:  extra,
 		Err:    err,
 		Events: events,
 	}
@@ -312,6 +307,13 @@ func IsOperationInvalidState(err error) bool {
 	return err == ErrVmcomputeOperationInvalidState
 }
 
+// IsAccessIsDenied returns true when err is caused by
+// `ErrVmcomputeOperationAccessIsDenied`.
+func IsAccessIsDenied(err error) bool {
+	err = getInnerError(err)
+	return err == ErrVmcomputeOperationAccessIsDenied
+}
+
 func getInnerError(err error) error {
 	switch pe := err.(type) {
 	case nil:
@@ -325,12 +327,3 @@ func getInnerError(err error) error {
 	}
 	return err
 }
-
-func getOperationLogResult(err error) (string, error) {
-	switch err {
-	case nil:
-		return "Success", nil
-	default:
-		return "Error", err
-	}
-}

vendor/github.com/Microsoft/hcsshim/internal/hcs/process.go

@@ -64,11 +64,7 @@ type processStatus struct {
 	LastWaitResult int32
 }
 
-const (
+const stdIn string = "StdIn"
-	stdIn  string = "StdIn"
-	stdOut string = "StdOut"
-	stdErr string = "StdErr"
-)
 
 const (
 	modifyConsoleSize string = "ConsoleSize"
@@ -176,8 +172,10 @@ func (process *Process) waitBackground() {
 		trace.Int64Attribute("pid", int64(process.processID)))
 
 	var (
-		err      error
+		err            error
-		exitCode = -1
+		exitCode       = -1
+		propertiesJSON string
+		resultJSON     string
 	)
 
 	err = waitForNotification(ctx, process.callbackNumber, hcsNotificationProcessExited, nil)
@@ -190,15 +188,15 @@ func (process *Process) waitBackground() {
 
 		// Make sure we didnt race with Close() here
 		if process.handle != 0 {
-			propertiesJSON, resultJSON, err := vmcompute.HcsGetProcessProperties(ctx, process.handle)
+			propertiesJSON, resultJSON, err = vmcompute.HcsGetProcessProperties(ctx, process.handle)
 			events := processHcsResult(ctx, resultJSON)
 			if err != nil {
-				err = makeProcessError(process, operation, err, events)
+				err = makeProcessError(process, operation, err, events) //nolint:ineffassign
 			} else {
 				properties := &processStatus{}
 				err = json.Unmarshal([]byte(propertiesJSON), properties)
 				if err != nil {
-					err = makeProcessError(process, operation, err, nil)
+					err = makeProcessError(process, operation, err, nil) //nolint:ineffassign
 				} else {
 					if properties.LastWaitResult != 0 {
 						log.G(ctx).WithField("wait-result", properties.LastWaitResult).Warning("non-zero last wait result")
@@ -468,7 +466,7 @@ func (process *Process) unregisterCallback(ctx context.Context) error {
 	delete(callbackMap, callbackNumber)
 	callbackMapLock.Unlock()
 
-	handle = 0
+	handle = 0 //nolint:ineffassign
 
 	return nil
 }

vendor/github.com/Microsoft/hcsshim/internal/hcs/service.go

@@ -0,0 +1,49 @@
+package hcs
+
+import (
+	"context"
+	"encoding/json"
+
+	hcsschema "github.com/Microsoft/hcsshim/internal/schema2"
+	"github.com/Microsoft/hcsshim/internal/vmcompute"
+)
+
+// GetServiceProperties returns properties of the host compute service.
+func GetServiceProperties(ctx context.Context, q hcsschema.PropertyQuery) (*hcsschema.ServiceProperties, error) {
+	operation := "hcsshim::GetServiceProperties"
+
+	queryb, err := json.Marshal(q)
+	if err != nil {
+		return nil, err
+	}
+	propertiesJSON, resultJSON, err := vmcompute.HcsGetServiceProperties(ctx, string(queryb))
+	events := processHcsResult(ctx, resultJSON)
+	if err != nil {
+		return nil, &HcsError{Op: operation, Err: err, Events: events}
+	}
+
+	if propertiesJSON == "" {
+		return nil, ErrUnexpectedValue
+	}
+	properties := &hcsschema.ServiceProperties{}
+	if err := json.Unmarshal([]byte(propertiesJSON), properties); err != nil {
+		return nil, err
+	}
+	return properties, nil
+}
+
+// ModifyServiceSettings modifies settings of the host compute service.
+func ModifyServiceSettings(ctx context.Context, settings hcsschema.ModificationRequest) error {
+	operation := "hcsshim::ModifyServiceSettings"
+
+	settingsJSON, err := json.Marshal(settings)
+	if err != nil {
+		return err
+	}
+	resultJSON, err := vmcompute.HcsModifyServiceSettings(ctx, string(settingsJSON))
+	events := processHcsResult(ctx, resultJSON)
+	if err != nil {
+		return &HcsError{Op: operation, Err: err, Events: events}
+	}
+	return nil
+}

vendor/github.com/Microsoft/hcsshim/internal/hcs/syscall.go

@@ -1,5 +0,0 @@
-package hcs
-
-//go:generate go run ../../mksyscall_windows.go -output zsyscall_windows.go syscall.go
-
-//sys hcsFormatWritableLayerVhd(handle uintptr) (hr error) = computestorage.HcsFormatWritableLayerVhd

vendor/github.com/Microsoft/hcsshim/internal/hcs/system.go

@@ -28,8 +28,7 @@ type System struct {
 	waitBlock      chan struct{}
 	waitError      error
 	exitError      error
-
+	os, typ        string
-	os, typ string
 }
 
 func newSystem(id string) *System {
@@ -74,8 +73,8 @@ func CreateComputeSystem(ctx context.Context, id string, hcsDocumentInterface in
 		if err = computeSystem.registerCallback(ctx); err != nil {
 			// Terminate the compute system if it still exists. We're okay to
 			// ignore a failure here.
-			computeSystem.Terminate(ctx)
+			_ = computeSystem.Terminate(ctx)
-			return nil, makeSystemError(computeSystem, operation, "", err, nil)
+			return nil, makeSystemError(computeSystem, operation, err, nil)
 		}
 	}
 
@@ -84,9 +83,9 @@ func CreateComputeSystem(ctx context.Context, id string, hcsDocumentInterface in
 		if err == ErrTimeout {
 			// Terminate the compute system if it still exists. We're okay to
 			// ignore a failure here.
-			computeSystem.Terminate(ctx)
+			_ = computeSystem.Terminate(ctx)
 		}
-		return nil, makeSystemError(computeSystem, operation, hcsDocument, err, events)
+		return nil, makeSystemError(computeSystem, operation, err, events)
 	}
 	go computeSystem.waitBackground()
 	if err = computeSystem.getCachedProperties(ctx); err != nil {
@@ -103,7 +102,7 @@ func OpenComputeSystem(ctx context.Context, id string) (*System, error) {
 	handle, resultJSON, err := vmcompute.HcsOpenComputeSystem(ctx, id)
 	events := processHcsResult(ctx, resultJSON)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, events)
+		return nil, makeSystemError(computeSystem, operation, err, events)
 	}
 	computeSystem.handle = handle
 	defer func() {
@@ -112,7 +111,7 @@ func OpenComputeSystem(ctx context.Context, id string) (*System, error) {
 		}
 	}()
 	if err = computeSystem.registerCallback(ctx); err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 	go computeSystem.waitBackground()
 	if err = computeSystem.getCachedProperties(ctx); err != nil {
@@ -188,13 +187,13 @@ func (computeSystem *System) Start(ctx context.Context) (err error) {
 	defer computeSystem.handleLock.RUnlock()
 
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
 	resultJSON, err := vmcompute.HcsStartComputeSystem(ctx, computeSystem.handle, "")
 	events, err := processAsyncHcsResult(ctx, err, resultJSON, computeSystem.callbackNumber, hcsNotificationSystemStartCompleted, &timeout.SystemStart)
 	if err != nil {
-		return makeSystemError(computeSystem, operation, "", err, events)
+		return makeSystemError(computeSystem, operation, err, events)
 	}
 
 	return nil
@@ -221,7 +220,7 @@ func (computeSystem *System) Shutdown(ctx context.Context) error {
 	switch err {
 	case nil, ErrVmcomputeAlreadyStopped, ErrComputeSystemDoesNotExist, ErrVmcomputeOperationPending:
 	default:
-		return makeSystemError(computeSystem, operation, "", err, events)
+		return makeSystemError(computeSystem, operation, err, events)
 	}
 	return nil
 }
@@ -242,7 +241,7 @@ func (computeSystem *System) Terminate(ctx context.Context) error {
 	switch err {
 	case nil, ErrVmcomputeAlreadyStopped, ErrComputeSystemDoesNotExist, ErrVmcomputeOperationPending:
 	default:
-		return makeSystemError(computeSystem, operation, "", err, events)
+		return makeSystemError(computeSystem, operation, err, events)
 	}
 	return nil
 }
@@ -264,10 +263,10 @@ func (computeSystem *System) waitBackground() {
 		log.G(ctx).Debug("system exited")
 	case ErrVmcomputeUnexpectedExit:
 		log.G(ctx).Debug("unexpected system exit")
-		computeSystem.exitError = makeSystemError(computeSystem, operation, "", err, nil)
+		computeSystem.exitError = makeSystemError(computeSystem, operation, err, nil)
 		err = nil
 	default:
-		err = makeSystemError(computeSystem, operation, "", err, nil)
+		err = makeSystemError(computeSystem, operation, err, nil)
 	}
 	computeSystem.closedWaitOnce.Do(func() {
 		computeSystem.waitError = err
@@ -305,13 +304,13 @@ func (computeSystem *System) Properties(ctx context.Context, types ...schema1.Pr
 
 	queryBytes, err := json.Marshal(schema1.PropertyQuery{PropertyTypes: types})
 	if err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 
 	propertiesJSON, resultJSON, err := vmcompute.HcsGetComputeSystemProperties(ctx, computeSystem.handle, string(queryBytes))
 	events := processHcsResult(ctx, resultJSON)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, events)
+		return nil, makeSystemError(computeSystem, operation, err, events)
 	}
 
 	if propertiesJSON == "" {
@@ -319,7 +318,7 @@ func (computeSystem *System) Properties(ctx context.Context, types ...schema1.Pr
 	}
 	properties := &schema1.ContainerProperties{}
 	if err := json.Unmarshal([]byte(propertiesJSON), properties); err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 
 	return properties, nil
@@ -334,13 +333,13 @@ func (computeSystem *System) PropertiesV2(ctx context.Context, types ...hcsschem
 
 	queryBytes, err := json.Marshal(hcsschema.PropertyQuery{PropertyTypes: types})
 	if err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 
 	propertiesJSON, resultJSON, err := vmcompute.HcsGetComputeSystemProperties(ctx, computeSystem.handle, string(queryBytes))
 	events := processHcsResult(ctx, resultJSON)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, events)
+		return nil, makeSystemError(computeSystem, operation, err, events)
 	}
 
 	if propertiesJSON == "" {
@@ -348,7 +347,7 @@ func (computeSystem *System) PropertiesV2(ctx context.Context, types ...hcsschem
 	}
 	properties := &hcsschema.Properties{}
 	if err := json.Unmarshal([]byte(propertiesJSON), properties); err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 
 	return properties, nil
@@ -369,13 +368,13 @@ func (computeSystem *System) Pause(ctx context.Context) (err error) {
 	defer computeSystem.handleLock.RUnlock()
 
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
 	resultJSON, err := vmcompute.HcsPauseComputeSystem(ctx, computeSystem.handle, "")
 	events, err := processAsyncHcsResult(ctx, err, resultJSON, computeSystem.callbackNumber, hcsNotificationSystemPauseCompleted, &timeout.SystemPause)
 	if err != nil {
-		return makeSystemError(computeSystem, operation, "", err, events)
+		return makeSystemError(computeSystem, operation, err, events)
 	}
 
 	return nil
@@ -396,13 +395,45 @@ func (computeSystem *System) Resume(ctx context.Context) (err error) {
 	defer computeSystem.handleLock.RUnlock()
 
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
 	resultJSON, err := vmcompute.HcsResumeComputeSystem(ctx, computeSystem.handle, "")
 	events, err := processAsyncHcsResult(ctx, err, resultJSON, computeSystem.callbackNumber, hcsNotificationSystemResumeCompleted, &timeout.SystemResume)
 	if err != nil {
-		return makeSystemError(computeSystem, operation, "", err, events)
+		return makeSystemError(computeSystem, operation, err, events)
+	}
+
+	return nil
+}
+
+// Save the compute system
+func (computeSystem *System) Save(ctx context.Context, options interface{}) (err error) {
+	operation := "hcsshim::System::Save"
+
+	// hcsSaveComputeSystemContext is an async peration. Start the outer span
+	// here to measure the full save time.
+	ctx, span := trace.StartSpan(ctx, operation)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(trace.StringAttribute("cid", computeSystem.id))
+
+	saveOptions, err := json.Marshal(options)
+	if err != nil {
+		return err
+	}
+
+	computeSystem.handleLock.RLock()
+	defer computeSystem.handleLock.RUnlock()
+
+	if computeSystem.handle == 0 {
+		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
+	}
+
+	result, err := vmcompute.HcsSaveComputeSystem(ctx, computeSystem.handle, string(saveOptions))
+	events, err := processAsyncHcsResult(ctx, err, result, computeSystem.callbackNumber, hcsNotificationSystemSaveCompleted, &timeout.SystemSave)
+	if err != nil {
+		return makeSystemError(computeSystem, operation, err, events)
 	}
 
 	return nil
@@ -413,19 +444,19 @@ func (computeSystem *System) createProcess(ctx context.Context, operation string
 	defer computeSystem.handleLock.RUnlock()
 
 	if computeSystem.handle == 0 {
-		return nil, nil, makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
+		return nil, nil, makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
 	configurationb, err := json.Marshal(c)
 	if err != nil {
-		return nil, nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 
 	configuration := string(configurationb)
 	processInfo, processHandle, resultJSON, err := vmcompute.HcsCreateProcess(ctx, computeSystem.handle, configuration)
 	events := processHcsResult(ctx, resultJSON)
 	if err != nil {
-		return nil, nil, makeSystemError(computeSystem, operation, configuration, err, events)
+		return nil, nil, makeSystemError(computeSystem, operation, err, events)
 	}
 
 	log.G(ctx).WithField("pid", processInfo.ProcessId).Debug("created process pid")
@@ -447,7 +478,7 @@ func (computeSystem *System) CreateProcess(ctx context.Context, c interface{}) (
 
 	pipes, err := makeOpenFiles([]syscall.Handle{processInfo.StdInput, processInfo.StdOutput, processInfo.StdError})
 	if err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 	process.stdin = pipes[0]
 	process.stdout = pipes[1]
@@ -455,7 +486,7 @@ func (computeSystem *System) CreateProcess(ctx context.Context, c interface{}) (
 	process.hasCachedStdio = true
 
 	if err = process.registerCallback(ctx); err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 	go process.waitBackground()
 
@@ -470,18 +501,18 @@ func (computeSystem *System) OpenProcess(ctx context.Context, pid int) (*Process
 	operation := "hcsshim::System::OpenProcess"
 
 	if computeSystem.handle == 0 {
-		return nil, makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
+		return nil, makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
 	processHandle, resultJSON, err := vmcompute.HcsOpenProcess(ctx, computeSystem.handle, uint32(pid))
 	events := processHcsResult(ctx, resultJSON)
 	if err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, events)
+		return nil, makeSystemError(computeSystem, operation, err, events)
 	}
 
 	process := newProcess(processHandle, pid, computeSystem)
 	if err = process.registerCallback(ctx); err != nil {
-		return nil, makeSystemError(computeSystem, operation, "", err, nil)
+		return nil, makeSystemError(computeSystem, operation, err, nil)
 	}
 	go process.waitBackground()
 
@@ -505,12 +536,12 @@ func (computeSystem *System) Close() (err error) {
 	}
 
 	if err = computeSystem.unregisterCallback(ctx); err != nil {
-		return makeSystemError(computeSystem, operation, "", err, nil)
+		return makeSystemError(computeSystem, operation, err, nil)
 	}
 
 	err = vmcompute.HcsCloseComputeSystem(ctx, computeSystem.handle)
 	if err != nil {
-		return makeSystemError(computeSystem, operation, "", err, nil)
+		return makeSystemError(computeSystem, operation, err, nil)
 	}
 
 	computeSystem.handle = 0
@@ -574,7 +605,7 @@ func (computeSystem *System) unregisterCallback(ctx context.Context) error {
 	delete(callbackMap, callbackNumber)
 	callbackMapLock.Unlock()
 
-	handle = 0
+	handle = 0 //nolint:ineffassign
 
 	return nil
 }
@@ -587,7 +618,7 @@ func (computeSystem *System) Modify(ctx context.Context, config interface{}) err
 	operation := "hcsshim::System::Modify"
 
 	if computeSystem.handle == 0 {
-		return makeSystemError(computeSystem, operation, "", ErrAlreadyClosed, nil)
+		return makeSystemError(computeSystem, operation, ErrAlreadyClosed, nil)
 	}
 
 	requestBytes, err := json.Marshal(config)
@@ -599,7 +630,7 @@ func (computeSystem *System) Modify(ctx context.Context, config interface{}) err
 	resultJSON, err := vmcompute.HcsModifyComputeSystem(ctx, computeSystem.handle, requestJSON)
 	events := processHcsResult(ctx, resultJSON)
 	if err != nil {
-		return makeSystemError(computeSystem, operation, requestJSON, err, events)
+		return makeSystemError(computeSystem, operation, err, events)
 	}
 
 	return nil

vendor/github.com/Microsoft/hcsshim/internal/hcs/utils.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/Microsoft/go-winio"
 	diskutil "github.com/Microsoft/go-winio/vhd"
+	"github.com/Microsoft/hcsshim/computestorage"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/windows"
 )
@@ -36,7 +37,7 @@ func makeOpenFiles(hs []syscall.Handle) (_ []io.ReadWriteCloser, err error) {
 	return fs, nil
 }
 
-// creates a VHD formatted with NTFS of size `sizeGB` at the given `vhdPath`.
+// CreateNTFSVHD creates a VHD formatted with NTFS of size `sizeGB` at the given `vhdPath`.
 func CreateNTFSVHD(ctx context.Context, vhdPath string, sizeGB uint32) (err error) {
 	if err := diskutil.CreateVhdx(vhdPath, sizeGB, 1); err != nil {
 		return errors.Wrap(err, "failed to create VHD")
@@ -53,7 +54,7 @@ func CreateNTFSVHD(ctx context.Context, vhdPath string, sizeGB uint32) (err erro
 		}
 	}()
 
-	if err := hcsFormatWritableLayerVhd(uintptr(vhd)); err != nil {
+	if err := computestorage.FormatWritableLayerVhd(ctx, windows.Handle(vhd)); err != nil {
 		return errors.Wrap(err, "failed to format VHD")
 	}
 

vendor/github.com/Microsoft/hcsshim/internal/hcs/waithelper.go

@@ -65,5 +65,4 @@ func waitForNotification(ctx context.Context, callbackNumber uintptr, expectedNo
 	case <-c:
 		return ErrTimeout
 	}
-	return nil
 }

vendor/github.com/Microsoft/hcsshim/internal/hcs/zsyscall_windows.go

@@ -1,54 +0,0 @@
-// Code generated mksyscall_windows.exe DO NOT EDIT
-
-package hcs
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return nil
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modcomputestorage = windows.NewLazySystemDLL("computestorage.dll")
-
-	procHcsFormatWritableLayerVhd = modcomputestorage.NewProc("HcsFormatWritableLayerVhd")
-)
-
-func hcsFormatWritableLayerVhd(handle uintptr) (hr error) {
-	r0, _, _ := syscall.Syscall(procHcsFormatWritableLayerVhd.Addr(), 1, uintptr(handle), 0, 0)
-	if int32(r0) < 0 {
-		if r0&0x1fff0000 == 0x00070000 {
-			r0 &= 0xffff
-		}
-		hr = syscall.Errno(r0)
-	}
-	return
-}

vendor/github.com/Microsoft/hcsshim/internal/hns/hnsendpoint.go

@@ -17,12 +17,15 @@ type HNSEndpoint struct {
 	Policies           []json.RawMessage `json:",omitempty"`
 	MacAddress         string            `json:",omitempty"`
 	IPAddress          net.IP            `json:",omitempty"`
+	IPv6Address        net.IP            `json:",omitempty"`
 	DNSSuffix          string            `json:",omitempty"`
 	DNSServerList      string            `json:",omitempty"`
 	GatewayAddress     string            `json:",omitempty"`
+	GatewayAddressV6   string            `json:",omitempty"`
 	EnableInternalDNS  bool              `json:",omitempty"`
 	DisableICC         bool              `json:",omitempty"`
 	PrefixLength       uint8             `json:",omitempty"`
+	IPv6PrefixLength   uint8             `json:",omitempty"`
 	IsRemoteEndpoint   bool              `json:",omitempty"`
 	EnableLowMetric    bool              `json:",omitempty"`
 	Namespace          *Namespace        `json:",omitempty"`

vendor/github.com/Microsoft/hcsshim/internal/hns/hnsnetwork.go

@@ -39,12 +39,6 @@ type HNSNetwork struct {
 	AutomaticDNS         bool              `json:",omitempty"`
 }
 
-type hnsNetworkResponse struct {
-	Success bool
-	Error   string
-	Output  HNSNetwork
-}
-
 type hnsResponse struct {
 	Success bool
 	Error   string

vendor/github.com/Microsoft/hcsshim/internal/hns/namespace.go

@@ -27,9 +27,10 @@ type namespaceResourceRequest struct {
 }
 
 type Namespace struct {
-	ID           string
+	ID            string
-	IsDefault    bool                `json:",omitempty"`
+	IsDefault     bool                `json:",omitempty"`
-	ResourceList []NamespaceResource `json:",omitempty"`
+	ResourceList  []NamespaceResource `json:",omitempty"`
+	CompartmentId uint32              `json:",omitempty"`
 }
 
 func issueNamespaceRequest(id *string, method, subpath string, request interface{}) (*Namespace, error) {

vendor/github.com/Microsoft/hcsshim/internal/safefile/safeopen.go

@@ -11,72 +11,11 @@ import (
 	"unsafe"
 
 	"github.com/Microsoft/hcsshim/internal/longpath"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 
 	winio "github.com/Microsoft/go-winio"
 )
 
-//go:generate go run $GOROOT\src\syscall\mksyscall_windows.go -output zsyscall_windows.go safeopen.go
-
-//sys ntCreateFile(handle *uintptr, accessMask uint32, oa *objectAttributes, iosb *ioStatusBlock, allocationSize *uint64, fileAttributes uint32, shareAccess uint32, createDisposition uint32, createOptions uint32, eaBuffer *byte, eaLength uint32) (status uint32) = ntdll.NtCreateFile
-//sys ntSetInformationFile(handle uintptr, iosb *ioStatusBlock, information uintptr, length uint32, class uint32) (status uint32) = ntdll.NtSetInformationFile
-//sys rtlNtStatusToDosError(status uint32) (winerr error) = ntdll.RtlNtStatusToDosErrorNoTeb
-//sys localAlloc(flags uint32, size int) (ptr uintptr) = kernel32.LocalAlloc
-//sys localFree(ptr uintptr) = kernel32.LocalFree
-
-type ioStatusBlock struct {
-	Status, Information uintptr
-}
-
-type objectAttributes struct {
-	Length             uintptr
-	RootDirectory      uintptr
-	ObjectName         uintptr
-	Attributes         uintptr
-	SecurityDescriptor uintptr
-	SecurityQoS        uintptr
-}
-
-type unicodeString struct {
-	Length        uint16
-	MaximumLength uint16
-	Buffer        uintptr
-}
-
-type fileLinkInformation struct {
-	ReplaceIfExists bool
-	RootDirectory   uintptr
-	FileNameLength  uint32
-	FileName        [1]uint16
-}
-
-type fileDispositionInformationEx struct {
-	Flags uintptr
-}
-
-const (
-	_FileLinkInformation          = 11
-	_FileDispositionInformationEx = 64
-
-	FILE_READ_ATTRIBUTES  = 0x0080
-	FILE_WRITE_ATTRIBUTES = 0x0100
-	DELETE                = 0x10000
-
-	FILE_OPEN   = 1
-	FILE_CREATE = 2
-
-	FILE_DIRECTORY_FILE          = 0x00000001
-	FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020
-	FILE_DELETE_ON_CLOSE         = 0x00001000
-	FILE_OPEN_FOR_BACKUP_INTENT  = 0x00004000
-	FILE_OPEN_REPARSE_POINT      = 0x00200000
-
-	FILE_DISPOSITION_DELETE = 0x00000001
-
-	_OBJ_DONT_REPARSE = 0x1000
-
-	_STATUS_REPARSE_POINT_ENCOUNTERED = 0xC000050B
-)
-
 func OpenRoot(path string) (*os.File, error) {
 	longpath, err := longpath.LongAbs(path)
 	if err != nil {
@@ -85,16 +24,24 @@ func OpenRoot(path string) (*os.File, error) {
 	return winio.OpenForBackup(longpath, syscall.GENERIC_READ, syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE, syscall.OPEN_EXISTING)
 }
 
-func ntRelativePath(path string) ([]uint16, error) {
+func cleanGoStringRelativePath(path string) (string, error) {
 	path = filepath.Clean(path)
 	if strings.Contains(path, ":") {
 		// Since alternate data streams must follow the file they
 		// are attached to, finding one here (out of order) is invalid.
-		return nil, errors.New("path contains invalid character `:`")
+		return "", errors.New("path contains invalid character `:`")
 	}
 	fspath := filepath.FromSlash(path)
 	if len(fspath) > 0 && fspath[0] == '\\' {
-		return nil, errors.New("expected relative path")
+		return "", errors.New("expected relative path")
+	}
+	return fspath, nil
+}
+
+func ntRelativePath(path string) ([]uint16, error) {
+	fspath, err := cleanGoStringRelativePath(path)
+	if err != nil {
+		return nil, err
 	}
 
 	path16 := utf16.Encode(([]rune)(fspath))
@@ -110,11 +57,11 @@ func ntRelativePath(path string) ([]uint16, error) {
 func openRelativeInternal(path string, root *os.File, accessMask uint32, shareFlags uint32, createDisposition uint32, flags uint32) (*os.File, error) {
 	var (
 		h    uintptr
-		iosb ioStatusBlock
+		iosb winapi.IOStatusBlock
-		oa   objectAttributes
+		oa   winapi.ObjectAttributes
 	)
 
-	path16, err := ntRelativePath(path)
+	cleanRelativePath, err := cleanGoStringRelativePath(path)
 	if err != nil {
 		return nil, err
 	}
@@ -123,20 +70,16 @@ func openRelativeInternal(path string, root *os.File, accessMask uint32, shareFl
 		return nil, errors.New("missing root directory")
 	}
 
-	upathBuffer := localAlloc(0, int(unsafe.Sizeof(unicodeString{}))+len(path16)*2)
+	pathUnicode, err := winapi.NewUnicodeString(cleanRelativePath)
-	defer localFree(upathBuffer)
+	if err != nil {
-
+		return nil, err
-	upath := (*unicodeString)(unsafe.Pointer(upathBuffer))
+	}
-	upath.Length = uint16(len(path16) * 2)
-	upath.MaximumLength = upath.Length
-	upath.Buffer = upathBuffer + unsafe.Sizeof(*upath)
-	copy((*[32768]uint16)(unsafe.Pointer(upath.Buffer))[:], path16)
 
 	oa.Length = unsafe.Sizeof(oa)
-	oa.ObjectName = upathBuffer
+	oa.ObjectName = pathUnicode
 	oa.RootDirectory = uintptr(root.Fd())
-	oa.Attributes = _OBJ_DONT_REPARSE
+	oa.Attributes = winapi.OBJ_DONT_REPARSE
-	status := ntCreateFile(
+	status := winapi.NtCreateFile(
 		&h,
 		accessMask|syscall.SYNCHRONIZE,
 		&oa,
@@ -145,12 +88,12 @@ func openRelativeInternal(path string, root *os.File, accessMask uint32, shareFl
 		0,
 		shareFlags,
 		createDisposition,
-		FILE_OPEN_FOR_BACKUP_INTENT|FILE_SYNCHRONOUS_IO_NONALERT|flags,
+		winapi.FILE_OPEN_FOR_BACKUP_INTENT|winapi.FILE_SYNCHRONOUS_IO_NONALERT|flags,
 		nil,
 		0,
 	)
 	if status != 0 {
-		return nil, rtlNtStatusToDosError(status)
+		return nil, winapi.RtlNtStatusToDosError(status)
 	}
 
 	fullPath, err := longpath.LongAbs(filepath.Join(root.Name(), path))
@@ -182,7 +125,7 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 		oldroot,
 		syscall.FILE_WRITE_ATTRIBUTES,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
 		0,
 	)
 	if err != nil {
@@ -199,8 +142,8 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 			newroot,
 			syscall.GENERIC_READ,
 			syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-			FILE_OPEN,
+			winapi.FILE_OPEN,
-			FILE_DIRECTORY_FILE)
+			winapi.FILE_DIRECTORY_FILE)
 		if err != nil {
 			return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(newroot.Name(), newname), Err: err}
 		}
@@ -211,7 +154,7 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 			return err
 		}
 		if (fi.FileAttributes & syscall.FILE_ATTRIBUTE_REPARSE_POINT) != 0 {
-			return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(newroot.Name(), newname), Err: rtlNtStatusToDosError(_STATUS_REPARSE_POINT_ENCOUNTERED)}
+			return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(newroot.Name(), newname), Err: winapi.RtlNtStatusToDosError(winapi.STATUS_REPARSE_POINT_ENCOUNTERED)}
 		}
 
 	} else {
@@ -227,24 +170,25 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 		return err
 	}
 
-	size := int(unsafe.Offsetof(fileLinkInformation{}.FileName)) + len(newbase16)*2
+	size := int(unsafe.Offsetof(winapi.FileLinkInformation{}.FileName)) + len(newbase16)*2
-	linkinfoBuffer := localAlloc(0, size)
+	linkinfoBuffer := winapi.LocalAlloc(0, size)
-	defer localFree(linkinfoBuffer)
+	defer winapi.LocalFree(linkinfoBuffer)
-	linkinfo := (*fileLinkInformation)(unsafe.Pointer(linkinfoBuffer))
+
+	linkinfo := (*winapi.FileLinkInformation)(unsafe.Pointer(linkinfoBuffer))
 	linkinfo.RootDirectory = parent.Fd()
 	linkinfo.FileNameLength = uint32(len(newbase16) * 2)
-	copy((*[32768]uint16)(unsafe.Pointer(&linkinfo.FileName[0]))[:], newbase16)
+	copy(winapi.Uint16BufferToSlice(&linkinfo.FileName[0], len(newbase16)), newbase16)
 
-	var iosb ioStatusBlock
+	var iosb winapi.IOStatusBlock
-	status := ntSetInformationFile(
+	status := winapi.NtSetInformationFile(
 		oldf.Fd(),
 		&iosb,
 		linkinfoBuffer,
 		uint32(size),
-		_FileLinkInformation,
+		winapi.FileLinkInformationClass,
 	)
 	if status != 0 {
-		return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(parent.Name(), newbase), Err: rtlNtStatusToDosError(status)}
+		return &os.LinkError{Op: "link", Old: oldf.Name(), New: filepath.Join(parent.Name(), newbase), Err: winapi.RtlNtStatusToDosError(status)}
 	}
 
 	return nil
@@ -252,17 +196,17 @@ func LinkRelative(oldname string, oldroot *os.File, newname string, newroot *os.
 
 // deleteOnClose marks a file to be deleted when the handle is closed.
 func deleteOnClose(f *os.File) error {
-	disposition := fileDispositionInformationEx{Flags: FILE_DISPOSITION_DELETE}
+	disposition := winapi.FileDispositionInformationEx{Flags: winapi.FILE_DISPOSITION_DELETE}
-	var iosb ioStatusBlock
+	var iosb winapi.IOStatusBlock
-	status := ntSetInformationFile(
+	status := winapi.NtSetInformationFile(
 		f.Fd(),
 		&iosb,
 		uintptr(unsafe.Pointer(&disposition)),
 		uint32(unsafe.Sizeof(disposition)),
-		_FileDispositionInformationEx,
+		winapi.FileDispositionInformationExClass,
 	)
 	if status != 0 {
-		return rtlNtStatusToDosError(status)
+		return winapi.RtlNtStatusToDosError(status)
 	}
 	return nil
 }
@@ -291,16 +235,16 @@ func RemoveRelative(path string, root *os.File) error {
 	f, err := openRelativeInternal(
 		path,
 		root,
-		FILE_READ_ATTRIBUTES|FILE_WRITE_ATTRIBUTES|DELETE,
+		winapi.FILE_READ_ATTRIBUTES|winapi.FILE_WRITE_ATTRIBUTES|winapi.DELETE,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
-		FILE_OPEN_REPARSE_POINT)
+		winapi.FILE_OPEN_REPARSE_POINT)
 	if err == nil {
 		defer f.Close()
 		err = deleteOnClose(f)
 		if err == syscall.ERROR_ACCESS_DENIED {
 			// Maybe the file is marked readonly. Clear the bit and retry.
-			clearReadOnly(f)
+			_ = clearReadOnly(f)
 			err = deleteOnClose(f)
 		}
 	}
@@ -385,8 +329,8 @@ func MkdirRelative(path string, root *os.File) error {
 		root,
 		0,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_CREATE,
+		winapi.FILE_CREATE,
-		FILE_DIRECTORY_FILE)
+		winapi.FILE_DIRECTORY_FILE)
 	if err == nil {
 		f.Close()
 	} else {
@@ -401,10 +345,10 @@ func LstatRelative(path string, root *os.File) (os.FileInfo, error) {
 	f, err := openRelativeInternal(
 		path,
 		root,
-		FILE_READ_ATTRIBUTES,
+		winapi.FILE_READ_ATTRIBUTES,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
-		FILE_OPEN_REPARSE_POINT)
+		winapi.FILE_OPEN_REPARSE_POINT)
 	if err != nil {
 		return nil, &os.PathError{Op: "stat", Path: filepath.Join(root.Name(), path), Err: err}
 	}
@@ -421,7 +365,7 @@ func EnsureNotReparsePointRelative(path string, root *os.File) error {
 		root,
 		0,
 		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE|syscall.FILE_SHARE_DELETE,
-		FILE_OPEN,
+		winapi.FILE_OPEN,
 		0)
 	if err != nil {
 		return err

vendor/github.com/Microsoft/hcsshim/internal/safefile/zsyscall_windows.go

@@ -1,79 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package safefile
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return nil
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
-	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
-
-	procNtCreateFile               = modntdll.NewProc("NtCreateFile")
-	procNtSetInformationFile       = modntdll.NewProc("NtSetInformationFile")
-	procRtlNtStatusToDosErrorNoTeb = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
-	procLocalAlloc                 = modkernel32.NewProc("LocalAlloc")
-	procLocalFree                  = modkernel32.NewProc("LocalFree")
-)
-
-func ntCreateFile(handle *uintptr, accessMask uint32, oa *objectAttributes, iosb *ioStatusBlock, allocationSize *uint64, fileAttributes uint32, shareAccess uint32, createDisposition uint32, createOptions uint32, eaBuffer *byte, eaLength uint32) (status uint32) {
-	r0, _, _ := syscall.Syscall12(procNtCreateFile.Addr(), 11, uintptr(unsafe.Pointer(handle)), uintptr(accessMask), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(unsafe.Pointer(allocationSize)), uintptr(fileAttributes), uintptr(shareAccess), uintptr(createDisposition), uintptr(createOptions), uintptr(unsafe.Pointer(eaBuffer)), uintptr(eaLength), 0)
-	status = uint32(r0)
-	return
-}
-
-func ntSetInformationFile(handle uintptr, iosb *ioStatusBlock, information uintptr, length uint32, class uint32) (status uint32) {
-	r0, _, _ := syscall.Syscall6(procNtSetInformationFile.Addr(), 5, uintptr(handle), uintptr(unsafe.Pointer(iosb)), uintptr(information), uintptr(length), uintptr(class), 0)
-	status = uint32(r0)
-	return
-}
-
-func rtlNtStatusToDosError(status uint32) (winerr error) {
-	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
-	if r0 != 0 {
-		winerr = syscall.Errno(r0)
-	}
-	return
-}
-
-func localAlloc(flags uint32, size int) (ptr uintptr) {
-	r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(flags), uintptr(size), 0)
-	ptr = uintptr(r0)
-	return
-}
-
-func localFree(ptr uintptr) {
-	syscall.Syscall(procLocalFree.Addr(), 1, uintptr(ptr), 0, 0)
-	return
-}

vendor/github.com/Microsoft/hcsshim/internal/schema1/schema1.go

@@ -119,9 +119,9 @@ type PropertyType string
 
 const (
 	PropertyTypeStatistics        PropertyType = "Statistics"        // V1 and V2
-	PropertyTypeProcessList                    = "ProcessList"       // V1 and V2
+	PropertyTypeProcessList       PropertyType = "ProcessList"       // V1 and V2
-	PropertyTypeMappedVirtualDisk              = "MappedVirtualDisk" // Not supported in V2 schema call
+	PropertyTypeMappedVirtualDisk PropertyType = "MappedVirtualDisk" // Not supported in V2 schema call
-	PropertyTypeGuestConnection                = "GuestConnection"   // V1 and V2. Nil return from HCS before RS5
+	PropertyTypeGuestConnection   PropertyType = "GuestConnection"   // V1 and V2. Nil return from HCS before RS5
 )
 
 type PropertyQuery struct {
@@ -218,6 +218,7 @@ type GuestDefinedCapabilities struct {
 	SignalProcessSupported        bool `json:",omitempty"`
 	DumpStacksSupported           bool `json:",omitempty"`
 	DeleteContainerStateSupported bool `json:",omitempty"`
+	UpdateContainerSupported      bool `json:",omitempty"`
 }
 
 // GuestConnectionInfo is the structure of an iterm return by a GuestConnection call on a utility VM

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_add_instance_request.go

@@ -0,0 +1,16 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardAddInstanceRequest struct {
+	Id             string `json:"Id,omitempty"`
+	CredentialSpec string `json:"CredentialSpec,omitempty"`
+	Transport      string `json:"Transport,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_hv_socket_service_config.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardHvSocketServiceConfig struct {
+	ServiceId     string                 `json:"ServiceId,omitempty"`
+	ServiceConfig *HvSocketServiceConfig `json:"ServiceConfig,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_instance.go

@@ -0,0 +1,16 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardInstance struct {
+	Id              string                                         `json:"Id,omitempty"`
+	CredentialGuard *ContainerCredentialGuardState                 `json:"CredentialGuard,omitempty"`
+	HvSocketConfig  *ContainerCredentialGuardHvSocketServiceConfig `json:"HvSocketConfig,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_modify_operation.go

@@ -0,0 +1,17 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardModifyOperation string
+
+const (
+	AddInstance    ContainerCredentialGuardModifyOperation = "AddInstance"
+	RemoveInstance ContainerCredentialGuardModifyOperation = "RemoveInstance"
+)

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_operation_request.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardOperationRequest struct {
+	Operation        ContainerCredentialGuardModifyOperation `json:"Operation,omitempty"`
+	OperationDetails interface{}                             `json:"OperationDetails,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_remove_instance_request.go

@@ -0,0 +1,14 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardRemoveInstanceRequest struct {
+	Id string `json:"Id,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/container_credential_guard_system_info.go

@@ -0,0 +1,14 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ContainerCredentialGuardSystemInfo struct {
+	Instances []ContainerCredentialGuardInstance `json:"Instances,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/cpu_group.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+// CPU groups allow Hyper-V administrators to better manage and allocate the host's CPU resources across guest virtual machines
+type CpuGroup struct {
+	Id string `json:"Id,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/cpu_group_affinity.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type CpuGroupAffinity struct {
+	LogicalProcessorCount int32   `json:"LogicalProcessorCount,omitempty"`
+	LogicalProcessors     []int32 `json:"LogicalProcessors,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/cpu_group_config.go

@@ -0,0 +1,18 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type CpuGroupConfig struct {
+	GroupId         string             `json:"GroupId,omitempty"`
+	Affinity        *CpuGroupAffinity  `json:"Affinity,omitempty"`
+	GroupProperties []CpuGroupProperty `json:"GroupProperties,omitempty"`
+	// Hypervisor CPU group IDs exposed to clients
+	HypervisorGroupId int32 `json:"HypervisorGroupId,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/cpu_group_configurations.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+// Structure used to return cpu groups for a Service property query
+type CpuGroupConfigurations struct {
+	CpuGroups []CpuGroupConfig `json:"CpuGroups,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/cpu_group_operations.go

@@ -0,0 +1,18 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type CPUGroupOperation string
+
+const (
+	CreateGroup CPUGroupOperation = "CreateGroup"
+	DeleteGroup CPUGroupOperation = "DeleteGroup"
+	SetProperty CPUGroupOperation = "SetProperty"
+)

vendor/github.com/Microsoft/hcsshim/internal/schema2/cpu_group_property.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type CpuGroupProperty struct {
+	PropertyCode  uint32 `json:"PropertyCode,omitempty"`
+	PropertyValue uint32 `json:"PropertyValue,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/create_group_operation.go

@@ -0,0 +1,17 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+// Create group operation settings
+type CreateGroupOperation struct {
+	GroupId               string   `json:"GroupId,omitempty"`
+	LogicalProcessorCount uint32   `json:"LogicalProcessorCount,omitempty"`
+	LogicalProcessors     []uint32 `json:"LogicalProcessors,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/delete_group_operation.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+// Delete group operation settings
+type DeleteGroupOperation struct {
+	GroupId string `json:"GroupId,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/device.go

@@ -9,8 +9,19 @@
 
 package hcsschema
 
-type Device struct {
+type DeviceType string
 
-	//  The interface class guid of the device to assign to container.
+const (
+	ClassGUID      DeviceType = "ClassGuid"
+	DeviceInstance DeviceType = "DeviceInstance"
+	GPUMirror      DeviceType = "GpuMirror"
+)
+
+type Device struct {
+	//  The type of device to assign to the container.
+	Type DeviceType `json:"Type,omitempty"`
+	//  The interface class guid of the device interfaces to assign to the  container.  Only used when Type is ClassGuid.
 	InterfaceClassGuid string `json:"InterfaceClassGuid,omitempty"`
+	//  The location path of the device to assign to the container.  Only used when Type is DeviceInstance.
+	LocationPath string `json:"LocationPath,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/host_processor_modify_request.go

@@ -0,0 +1,16 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+// Structure used to request a service processor modification
+type HostProcessorModificationRequest struct {
+	Operation        CPUGroupOperation `json:"Operation,omitempty"`
+	OperationDetails interface{}       `json:"OperationDetails,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/hv_socket_address.go

@@ -0,0 +1,17 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+//  This class defines address settings applied to a VM
+//  by the GCS every time a VM starts or restores.
+type HvSocketAddress struct {
+	LocalAddress  string `json:"LocalAddress,omitempty"`
+	ParentAddress string `json:"ParentAddress,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/hv_socket_service_config.go

@@ -19,4 +19,10 @@ type HvSocketServiceConfig struct {
 
 	//  If true, HvSocket will process wildcard binds for this service/system combination.  Wildcard binds are secured in the registry at  SOFTWARE/Microsoft/Windows NT/CurrentVersion/Virtualization/HvSocket/WildcardDescriptors
 	AllowWildcardBinds bool `json:"AllowWildcardBinds,omitempty"`
+
+	// Disabled controls whether the HvSocket service is accepting connection requests.
+	// This set to true will make the service refuse all incoming connections as well as cancel
+	// any connections already established. The service itself will still be active however
+	// and can be re-enabled at a future time.
+	Disabled bool `json:"Disabled,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/interrupt_moderation_mode.go

@@ -0,0 +1,42 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type InterruptModerationName string
+
+// The valid interrupt moderation modes for I/O virtualization (IOV) offloading.
+const (
+	DefaultName  InterruptModerationName = "Default"
+	AdaptiveName InterruptModerationName = "Adaptive"
+	OffName      InterruptModerationName = "Off"
+	LowName      InterruptModerationName = "Low"
+	MediumName   InterruptModerationName = "Medium"
+	HighName     InterruptModerationName = "High"
+)
+
+type InterruptModerationValue uint32
+
+const (
+	DefaultValue InterruptModerationValue = iota
+	AdaptiveValue
+	OffValue
+	LowValue    InterruptModerationValue = 100
+	MediumValue InterruptModerationValue = 200
+	HighValue   InterruptModerationValue = 300
+)
+
+var InterruptModerationValueToName = map[InterruptModerationValue]InterruptModerationName{
+	DefaultValue:  DefaultName,
+	AdaptiveValue: AdaptiveName,
+	OffValue:      OffName,
+	LowValue:      LowName,
+	MediumValue:   MediumName,
+	HighValue:     HighName,
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/iov_settings.go

@@ -0,0 +1,22 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type IovSettings struct {
+	// The weight assigned to this port for I/O virtualization (IOV) offloading.
+	// Setting this to 0 disables IOV offloading.
+	OffloadWeight *uint32 `json:"OffloadWeight,omitempty"`
+
+	// The number of queue pairs requested for this port for I/O virtualization (IOV) offloading.
+	QueuePairsRequested *uint32 `json:"QueuePairsRequested,omitempty"`
+
+	// The interrupt moderation mode for I/O virtualization (IOV) offloading.
+	InterruptModeration *InterruptModerationName `json:"InterruptModeration,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/logical_processor.go

@@ -0,0 +1,18 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type LogicalProcessor struct {
+	LpIndex     uint32 `json:"LpIndex,omitempty"`
+	NodeNumber  uint8  `json:"NodeNumber,omitempty"`
+	PackageId   uint32 `json:"PackageId,omitempty"`
+	CoreId      uint32 `json:"CoreId,omitempty"`
+	RootVpIndex int32  `json:"RootVpIndex,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/memory.go

@@ -10,5 +10,5 @@
 package hcsschema
 
 type Memory struct {
-	SizeInMB int32 `json:"SizeInMB,omitempty"`
+	SizeInMB uint64 `json:"SizeInMB,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/memory_2.go

@@ -10,7 +10,7 @@
 package hcsschema
 
 type Memory2 struct {
-	SizeInMB int32 `json:"SizeInMB,omitempty"`
+	SizeInMB uint64 `json:"SizeInMB,omitempty"`
 
 	AllowOvercommit bool `json:"AllowOvercommit,omitempty"`
 

vendor/github.com/Microsoft/hcsshim/internal/schema2/modification_request.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ModificationRequest struct {
+	PropertyType PropertyType `json:"PropertyType,omitempty"`
+	Settings     interface{}  `json:"Settings,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/network_adapter.go

@@ -11,6 +11,7 @@ package hcsschema
 
 type NetworkAdapter struct {
 	EndpointId string `json:"EndpointId,omitempty"`
-
 	MacAddress string `json:"MacAddress,omitempty"`
+	// The I/O virtualization (IOV) offloading configuration.
+	IovSettings *IovSettings `json:"IovSettings,omitempty"`
 }

vendor/github.com/Microsoft/hcsshim/internal/schema2/processor_topology.go

@@ -0,0 +1,15 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type ProcessorTopology struct {
+	LogicalProcessorCount uint32             `json:"LogicalProcessorCount,omitempty"`
+	LogicalProcessors     []LogicalProcessor `json:"LogicalProcessors,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/property_type.go

@@ -18,6 +18,9 @@ const (
 	PTProcessList                 PropertyType = "ProcessList"
 	PTTerminateOnLastHandleClosed PropertyType = "TerminateOnLastHandleClosed"
 	PTSharedMemoryRegion          PropertyType = "SharedMemoryRegion"
+	PTContainerCredentialGuard    PropertyType = "ContainerCredentialGuard" // This field is not generated by swagger. This was added manually.
 	PTGuestConnection             PropertyType = "GuestConnection"
 	PTICHeartbeatStatus           PropertyType = "ICHeartbeatStatus"
+	PTProcessorTopology           PropertyType = "ProcessorTopology"
+	PTCPUGroup                    PropertyType = "CpuGroup"
 )

vendor/github.com/Microsoft/hcsshim/internal/schema2/service_properties.go

@@ -0,0 +1,18 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+import "encoding/json"
+
+type ServiceProperties struct {
+	// Changed Properties field to []json.RawMessage from []interface{} to avoid having to
+	// remarshal sp.Properties[n] and unmarshal into the type(s) we want.
+	Properties []json.RawMessage `json:"Properties,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/schema2/vm_processor_limits.go

@@ -0,0 +1,22 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+// ProcessorLimits is used when modifying processor scheduling limits of a virtual machine.
+type ProcessorLimits struct {
+	// Maximum amount of host CPU resources that the virtual machine can use.
+	Limit uint64 `json:"Limit,omitempty"`
+	// Value describing the relative priority of this virtual machine compared to other virtual machines.
+	Weight uint64 `json:"Weight,omitempty"`
+	// Minimum amount of host CPU resources that the virtual machine is guaranteed.
+	Reservation uint64 `json:"Reservation,omitempty"`
+	// Provides the target maximum CPU frequency, in MHz, for a virtual machine.
+	MaximumFrequencyMHz uint32 `json:"MaximumFrequencyMHz,omitempty"`
+}

vendor/github.com/Microsoft/hcsshim/internal/timeout/timeout.go

@@ -29,6 +29,9 @@ var (
 	// SystemResume is the timeout for resuming a compute system
 	SystemResume time.Duration = defaultTimeout
 
+	// SystemSave is the timeout for saving a compute system
+	SystemSave time.Duration = defaultTimeout
+
 	// SyscallWatcher is the timeout before warning of a potential stuck platform syscall.
 	SyscallWatcher time.Duration = defaultTimeout
 
@@ -51,6 +54,7 @@ func init() {
 	SystemStart = durationFromEnvironment("HCSSHIM_TIMEOUT_SYSTEMSTART", SystemStart)
 	SystemPause = durationFromEnvironment("HCSSHIM_TIMEOUT_SYSTEMPAUSE", SystemPause)
 	SystemResume = durationFromEnvironment("HCSSHIM_TIMEOUT_SYSTEMRESUME", SystemResume)
+	SystemSave = durationFromEnvironment("HCSSHIM_TIMEOUT_SYSTEMSAVE", SystemSave)
 	SyscallWatcher = durationFromEnvironment("HCSSHIM_TIMEOUT_SYSCALLWATCHER", SyscallWatcher)
 	Tar2VHD = durationFromEnvironment("HCSSHIM_TIMEOUT_TAR2VHD", Tar2VHD)
 	ExternalCommandToStart = durationFromEnvironment("HCSSHIM_TIMEOUT_EXTERNALCOMMANDSTART", ExternalCommandToStart)

vendor/github.com/Microsoft/hcsshim/internal/vmcompute/vmcompute.go

@@ -26,8 +26,10 @@ import (
 //sys hcsResumeComputeSystem(computeSystem HcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsResumeComputeSystem?
 //sys hcsGetComputeSystemProperties(computeSystem HcsSystem, propertyQuery string, properties **uint16, result **uint16) (hr error) = vmcompute.HcsGetComputeSystemProperties?
 //sys hcsModifyComputeSystem(computeSystem HcsSystem, configuration string, result **uint16) (hr error) = vmcompute.HcsModifyComputeSystem?
+//sys hcsModifyServiceSettings(settings string, result **uint16) (hr error) = vmcompute.HcsModifyServiceSettings?
 //sys hcsRegisterComputeSystemCallback(computeSystem HcsSystem, callback uintptr, context uintptr, callbackHandle *HcsCallback) (hr error) = vmcompute.HcsRegisterComputeSystemCallback?
 //sys hcsUnregisterComputeSystemCallback(callbackHandle HcsCallback) (hr error) = vmcompute.HcsUnregisterComputeSystemCallback?
+//sys hcsSaveComputeSystem(computeSystem HcsSystem, options string, result **uint16) (hr error) = vmcompute.HcsSaveComputeSystem?
 
 //sys hcsCreateProcess(computeSystem HcsSystem, processParameters string, processInformation *HcsProcessInformation, process *HcsProcess, result **uint16) (hr error) = vmcompute.HcsCreateProcess?
 //sys hcsOpenProcess(computeSystem HcsSystem, pid uint32, process *HcsProcess, result **uint16) (hr error) = vmcompute.HcsOpenProcess?
@@ -60,7 +62,7 @@ type HcsCallback syscall.Handle
 type HcsProcessInformation struct {
 	// ProcessId is the pid of the created process.
 	ProcessId uint32
-	reserved  uint32
+	reserved  uint32 //nolint:structcheck
 	// StdInput is the handle associated with the stdin of the process.
 	StdInput syscall.Handle
 	// StdOutput is the handle associated with the stdout of the process.
@@ -337,6 +339,27 @@ func HcsModifyComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, confi
 	})
 }
 
+func HcsModifyServiceSettings(ctx gcontext.Context, settings string) (result string, hr error) {
+	ctx, span := trace.StartSpan(ctx, "HcsModifyServiceSettings")
+	defer span.End()
+	defer func() {
+		if result != "" {
+			span.AddAttributes(trace.StringAttribute("result", result))
+		}
+		oc.SetSpanStatus(span, hr)
+	}()
+	span.AddAttributes(trace.StringAttribute("settings", settings))
+
+	return result, execute(ctx, timeout.SyscallWatcher, func() error {
+		var resultp *uint16
+		err := hcsModifyServiceSettings(settings, &resultp)
+		if resultp != nil {
+			result = interop.ConvertAndFreeCoTaskMemString(resultp)
+		}
+		return err
+	})
+}
+
 func HcsRegisterComputeSystemCallback(ctx gcontext.Context, computeSystem HcsSystem, callback uintptr, context uintptr) (callbackHandle HcsCallback, hr error) {
 	ctx, span := trace.StartSpan(ctx, "HcsRegisterComputeSystemCallback")
 	defer span.End()
@@ -563,3 +586,25 @@ func HcsUnregisterProcessCallback(ctx gcontext.Context, callbackHandle HcsCallba
 		return hcsUnregisterProcessCallback(callbackHandle)
 	})
 }
+
+func HcsSaveComputeSystem(ctx gcontext.Context, computeSystem HcsSystem, options string) (result string, hr error) {
+	ctx, span := trace.StartSpan(ctx, "HcsSaveComputeSystem")
+	defer span.End()
+	defer func() {
+		if result != "" {
+			span.AddAttributes(trace.StringAttribute("result", result))
+		}
+		if hr != errVmcomputeOperationPending {
+			oc.SetSpanStatus(span, hr)
+		}
+	}()
+
+	return result, execute(ctx, timeout.SyscallWatcher, func() error {
+		var resultp *uint16
+		err := hcsSaveComputeSystem(computeSystem, options, &resultp)
+		if resultp != nil {
+			result = interop.ConvertAndFreeCoTaskMemString(resultp)
+		}
+		return err
+	})
+}

vendor/github.com/Microsoft/hcsshim/internal/vmcompute/zsyscall_windows.go

@@ -50,8 +50,10 @@ var (
 	procHcsResumeComputeSystem             = modvmcompute.NewProc("HcsResumeComputeSystem")
 	procHcsGetComputeSystemProperties      = modvmcompute.NewProc("HcsGetComputeSystemProperties")
 	procHcsModifyComputeSystem             = modvmcompute.NewProc("HcsModifyComputeSystem")
+	procHcsModifyServiceSettings           = modvmcompute.NewProc("HcsModifyServiceSettings")
 	procHcsRegisterComputeSystemCallback   = modvmcompute.NewProc("HcsRegisterComputeSystemCallback")
 	procHcsUnregisterComputeSystemCallback = modvmcompute.NewProc("HcsUnregisterComputeSystemCallback")
+	procHcsSaveComputeSystem               = modvmcompute.NewProc("HcsSaveComputeSystem")
 	procHcsCreateProcess                   = modvmcompute.NewProc("HcsCreateProcess")
 	procHcsOpenProcess                     = modvmcompute.NewProc("HcsOpenProcess")
 	procHcsCloseProcess                    = modvmcompute.NewProc("HcsCloseProcess")
@@ -314,6 +316,29 @@ func _hcsModifyComputeSystem(computeSystem HcsSystem, configuration *uint16, res
 	return
 }
 
+func hcsModifyServiceSettings(settings string, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(settings)
+	if hr != nil {
+		return
+	}
+	return _hcsModifyServiceSettings(_p0, result)
+}
+
+func _hcsModifyServiceSettings(settings *uint16, result **uint16) (hr error) {
+	if hr = procHcsModifyServiceSettings.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsModifyServiceSettings.Addr(), 2, uintptr(unsafe.Pointer(settings)), uintptr(unsafe.Pointer(result)), 0)
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
 func hcsRegisterComputeSystemCallback(computeSystem HcsSystem, callback uintptr, context uintptr, callbackHandle *HcsCallback) (hr error) {
 	if hr = procHcsRegisterComputeSystemCallback.Find(); hr != nil {
 		return
@@ -342,6 +367,29 @@ func hcsUnregisterComputeSystemCallback(callbackHandle HcsCallback) (hr error) {
 	return
 }
 
+func hcsSaveComputeSystem(computeSystem HcsSystem, options string, result **uint16) (hr error) {
+	var _p0 *uint16
+	_p0, hr = syscall.UTF16PtrFromString(options)
+	if hr != nil {
+		return
+	}
+	return _hcsSaveComputeSystem(computeSystem, _p0, result)
+}
+
+func _hcsSaveComputeSystem(computeSystem HcsSystem, options *uint16, result **uint16) (hr error) {
+	if hr = procHcsSaveComputeSystem.Find(); hr != nil {
+		return
+	}
+	r0, _, _ := syscall.Syscall(procHcsSaveComputeSystem.Addr(), 3, uintptr(computeSystem), uintptr(unsafe.Pointer(options)), uintptr(unsafe.Pointer(result)))
+	if int32(r0) < 0 {
+		if r0&0x1fff0000 == 0x00070000 {
+			r0 &= 0xffff
+		}
+		hr = syscall.Errno(r0)
+	}
+	return
+}
+
 func hcsCreateProcess(computeSystem HcsSystem, processParameters string, processInformation *HcsProcessInformation, process *HcsProcess, result **uint16) (hr error) {
 	var _p0 *uint16
 	_p0, hr = syscall.UTF16PtrFromString(processParameters)

vendor/github.com/Microsoft/hcsshim/internal/wclayer/activatelayer.go

@@ -14,7 +14,7 @@ import (
 // An activated layer must later be deactivated via DeactivateLayer.
 func ActivateLayer(ctx context.Context, path string) (err error) {
 	title := "hcsshim::ActivateLayer"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))

vendor/github.com/Microsoft/hcsshim/internal/wclayer/baselayer.go

@@ -11,6 +11,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/hcserror"
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/safefile"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 	"go.opencensus.io/trace"
 )
 
@@ -37,7 +38,7 @@ type dirInfo struct {
 func reapplyDirectoryTimes(root *os.File, dis []dirInfo) error {
 	for i := range dis {
 		di := &dis[len(dis)-i-1] // reverse order: process child directories first
-		f, err := safefile.OpenRelative(di.path, root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, safefile.FILE_OPEN, safefile.FILE_DIRECTORY_FILE)
+		f, err := safefile.OpenRelative(di.path, root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, winapi.FILE_OPEN, winapi.FILE_DIRECTORY_FILE|syscall.FILE_FLAG_OPEN_REPARSE_POINT)
 		if err != nil {
 			return err
 		}
@@ -47,6 +48,7 @@ func reapplyDirectoryTimes(root *os.File, dis []dirInfo) error {
 		if err != nil {
 			return err
 		}
+
 	}
 	return nil
 }
@@ -92,14 +94,12 @@ func (w *baseLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) (err e
 
 	extraFlags := uint32(0)
 	if fileInfo.FileAttributes&syscall.FILE_ATTRIBUTE_DIRECTORY != 0 {
-		extraFlags |= safefile.FILE_DIRECTORY_FILE
+		extraFlags |= winapi.FILE_DIRECTORY_FILE
-		if fileInfo.FileAttributes&syscall.FILE_ATTRIBUTE_REPARSE_POINT == 0 {
+		w.dirInfo = append(w.dirInfo, dirInfo{name, *fileInfo})
-			w.dirInfo = append(w.dirInfo, dirInfo{name, *fileInfo})
-		}
 	}
 
 	mode := uint32(syscall.GENERIC_READ | syscall.GENERIC_WRITE | winio.WRITE_DAC | winio.WRITE_OWNER | winio.ACCESS_SYSTEM_SECURITY)
-	f, err = safefile.OpenRelative(name, w.root, mode, syscall.FILE_SHARE_READ, safefile.FILE_CREATE, extraFlags)
+	f, err = safefile.OpenRelative(name, w.root, mode, syscall.FILE_SHARE_READ, winapi.FILE_CREATE, extraFlags)
 	if err != nil {
 		return hcserror.New(err, "Failed to safefile.OpenRelative", name)
 	}

vendor/github.com/Microsoft/hcsshim/internal/wclayer/createlayer.go

@@ -12,7 +12,7 @@ import (
 // the parent layer provided.
 func CreateLayer(ctx context.Context, path, parent string) (err error) {
 	title := "hcsshim::CreateLayer"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(

vendor/github.com/Microsoft/hcsshim/internal/wclayer/createscratchlayer.go

@@ -10,9 +10,7 @@ import (
 )
 
 // CreateScratchLayer creates and populates new read-write layer for use by a container.
-// This requires both the id of the direct parent layer, as well as the full list
+// This requires the full list of paths to all parent layers up to the base
-// of paths to all parent layers up to the base (and including the direct parent
-// whose id was provided).
 func CreateScratchLayer(ctx context.Context, path string, parentLayerPaths []string) (err error) {
 	title := "hcsshim::CreateScratchLayer"
 	ctx, span := trace.StartSpan(ctx, title)

vendor/github.com/Microsoft/hcsshim/internal/wclayer/deactivatelayer.go

@@ -11,7 +11,7 @@ import (
 // DeactivateLayer will dismount a layer that was mounted via ActivateLayer.
 func DeactivateLayer(ctx context.Context, path string) (err error) {
 	title := "hcsshim::DeactivateLayer"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))

vendor/github.com/Microsoft/hcsshim/internal/wclayer/destroylayer.go

@@ -12,7 +12,7 @@ import (
 // path, including that layer's containing folder, if any.
 func DestroyLayer(ctx context.Context, path string) (err error) {
 	title := "hcsshim::DestroyLayer"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))

vendor/github.com/Microsoft/hcsshim/internal/wclayer/getlayermountpath.go

@@ -21,8 +21,7 @@ func GetLayerMountPath(ctx context.Context, path string) (_ string, err error) {
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))
 
-	var mountPathLength uintptr
+	var mountPathLength uintptr = 0
-	mountPathLength = 0
 
 	// Call the procedure itself.
 	log.G(ctx).Debug("Calling proc (1)")

vendor/github.com/Microsoft/hcsshim/internal/wclayer/getsharedbaseimages.go

@@ -14,7 +14,7 @@ import (
 // of registering them with the graphdriver, graph, and tagstore.
 func GetSharedBaseImages(ctx context.Context) (_ string, err error) {
 	title := "hcsshim::GetSharedBaseImages"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 

vendor/github.com/Microsoft/hcsshim/internal/wclayer/grantvmaccess.go

@@ -11,7 +11,7 @@ import (
 // GrantVmAccess adds access to a file for a given VM
 func GrantVmAccess(ctx context.Context, vmid string, filepath string) (err error) {
 	title := "hcsshim::GrantVmAccess"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(

vendor/github.com/Microsoft/hcsshim/internal/wclayer/importlayer.go

@@ -93,6 +93,19 @@ func (r *legacyLayerWriterWrapper) Close() (err error) {
 			return err
 		}
 	}
+
+	// The reapplyDirectoryTimes must be called AFTER we are done with Tombstone
+	// deletion and hard link creation. This is because Tombstone deletion and hard link
+	// creation updates the directory last write timestamps so that will change the
+	// timestamps added by the `Add` call. Some container applications depend on the
+	// correctness of these timestamps and so we should change the timestamps back to
+	// the original value (i.e the value provided in the Add call) after this
+	// processing is done.
+	err = reapplyDirectoryTimes(r.destRoot, r.changedDi)
+	if err != nil {
+		return err
+	}
+
 	// Prepare the utility VM for use if one is present in the layer.
 	if r.HasUtilityVM {
 		err := safefile.EnsureNotReparsePointRelative("UtilityVM", r.destRoot)

vendor/github.com/Microsoft/hcsshim/internal/wclayer/layerexists.go

@@ -12,7 +12,7 @@ import (
 // to the system.
 func LayerExists(ctx context.Context, path string) (_ bool, err error) {
 	title := "hcsshim::LayerExists"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))

vendor/github.com/Microsoft/hcsshim/internal/wclayer/legacy.go

@@ -15,6 +15,7 @@ import (
 	"github.com/Microsoft/go-winio"
 	"github.com/Microsoft/hcsshim/internal/longpath"
 	"github.com/Microsoft/hcsshim/internal/safefile"
+	"github.com/Microsoft/hcsshim/internal/winapi"
 )
 
 var errorIterationCanceled = errors.New("")
@@ -341,7 +342,7 @@ type legacyLayerWriter struct {
 	backupWriter    *winio.BackupFileWriter
 	Tombstones      []string
 	HasUtilityVM    bool
-	uvmDi           []dirInfo
+	changedDi       []dirInfo
 	addedFiles      map[string]bool
 	PendingLinks    []pendingLink
 	pendingDirs     []pendingDir
@@ -389,7 +390,7 @@ func (w *legacyLayerWriter) CloseRoots() {
 		w.destRoot = nil
 	}
 	for i := range w.parentRoots {
-		w.parentRoots[i].Close()
+		_ = w.parentRoots[i].Close()
 	}
 	w.parentRoots = nil
 }
@@ -472,8 +473,8 @@ func copyFileWithMetadata(srcRoot, destRoot *os.File, subPath string, isDir bool
 		srcRoot,
 		syscall.GENERIC_READ|winio.ACCESS_SYSTEM_SECURITY,
 		syscall.FILE_SHARE_READ,
-		safefile.FILE_OPEN,
+		winapi.FILE_OPEN,
-		safefile.FILE_OPEN_REPARSE_POINT)
+		winapi.FILE_OPEN_REPARSE_POINT)
 	if err != nil {
 		return nil, err
 	}
@@ -488,14 +489,14 @@ func copyFileWithMetadata(srcRoot, destRoot *os.File, subPath string, isDir bool
 
 	extraFlags := uint32(0)
 	if isDir {
-		extraFlags |= safefile.FILE_DIRECTORY_FILE
+		extraFlags |= winapi.FILE_DIRECTORY_FILE
 	}
 	dest, err := safefile.OpenRelative(
 		subPath,
 		destRoot,
 		syscall.GENERIC_READ|syscall.GENERIC_WRITE|winio.WRITE_DAC|winio.WRITE_OWNER|winio.ACCESS_SYSTEM_SECURITY,
 		syscall.FILE_SHARE_READ,
-		safefile.FILE_CREATE,
+		winapi.FILE_CREATE,
 		extraFlags)
 	if err != nil {
 		return nil, err
@@ -555,7 +556,7 @@ func cloneTree(srcRoot *os.File, destRoot *os.File, subPath string, mutatedFiles
 			if err != nil {
 				return err
 			}
-			if isDir && !isReparsePoint {
+			if isDir {
 				di = append(di, dirInfo{path: relPath, fileInfo: *fi})
 			}
 		} else {
@@ -583,6 +584,10 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		return w.initUtilityVM()
 	}
 
+	if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
+		w.changedDi = append(w.changedDi, dirInfo{path: name, fileInfo: *fileInfo})
+	}
+
 	name = filepath.Clean(name)
 	if hasPathPrefix(name, utilityVMPath) {
 		if !w.HasUtilityVM {
@@ -591,7 +596,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		if !hasPathPrefix(name, utilityVMFilesPath) && name != utilityVMFilesPath {
 			return errors.New("invalid UtilityVM layer")
 		}
-		createDisposition := uint32(safefile.FILE_OPEN)
+		createDisposition := uint32(winapi.FILE_OPEN)
 		if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
 			st, err := safefile.LstatRelative(name, w.destRoot)
 			if err != nil && !os.IsNotExist(err) {
@@ -612,16 +617,13 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 					return err
 				}
 			}
-			if fileInfo.FileAttributes&syscall.FILE_ATTRIBUTE_REPARSE_POINT == 0 {
-				w.uvmDi = append(w.uvmDi, dirInfo{path: name, fileInfo: *fileInfo})
-			}
 		} else {
 			// Overwrite any existing hard link.
 			err := safefile.RemoveRelative(name, w.destRoot)
 			if err != nil && !os.IsNotExist(err) {
 				return err
 			}
-			createDisposition = safefile.FILE_CREATE
+			createDisposition = winapi.FILE_CREATE
 		}
 
 		f, err := safefile.OpenRelative(
@@ -630,7 +632,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 			syscall.GENERIC_READ|syscall.GENERIC_WRITE|winio.WRITE_DAC|winio.WRITE_OWNER|winio.ACCESS_SYSTEM_SECURITY,
 			syscall.FILE_SHARE_READ,
 			createDisposition,
-			safefile.FILE_OPEN_REPARSE_POINT,
+			winapi.FILE_OPEN_REPARSE_POINT,
 		)
 		if err != nil {
 			return err
@@ -638,7 +640,7 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		defer func() {
 			if f != nil {
 				f.Close()
-				safefile.RemoveRelative(name, w.destRoot)
+				_ = safefile.RemoveRelative(name, w.destRoot)
 			}
 		}()
 
@@ -667,14 +669,14 @@ func (w *legacyLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo) erro
 		w.currentIsDir = true
 	}
 
-	f, err := safefile.OpenRelative(fname, w.root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, safefile.FILE_CREATE, 0)
+	f, err := safefile.OpenRelative(fname, w.root, syscall.GENERIC_READ|syscall.GENERIC_WRITE, syscall.FILE_SHARE_READ, winapi.FILE_CREATE, 0)
 	if err != nil {
 		return err
 	}
 	defer func() {
 		if f != nil {
 			f.Close()
-			safefile.RemoveRelative(fname, w.root)
+			_ = safefile.RemoveRelative(fname, w.root)
 		}
 	}()
 
@@ -805,11 +807,5 @@ func (w *legacyLayerWriter) Close() error {
 			return err
 		}
 	}
-	if w.HasUtilityVM {
-		err := reapplyDirectoryTimes(w.destRoot, w.uvmDi)
-		if err != nil {
-			return err
-		}
-	}
 	return nil
 }

vendor/github.com/Microsoft/hcsshim/internal/wclayer/nametoguid.go

@@ -14,7 +14,7 @@ import (
 // across all clients.
 func NameToGuid(ctx context.Context, name string) (_ guid.GUID, err error) {
 	title := "hcsshim::NameToGuid"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("name", name))

vendor/github.com/Microsoft/hcsshim/internal/wclayer/processimage.go

@@ -12,7 +12,7 @@ import (
 // The files should have been extracted to <path>\Files.
 func ProcessBaseLayer(ctx context.Context, path string) (err error) {
 	title := "hcsshim::ProcessBaseLayer"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))
@@ -28,7 +28,7 @@ func ProcessBaseLayer(ctx context.Context, path string) (err error) {
 // The files should have been extracted to <path>\Files.
 func ProcessUtilityVMImage(ctx context.Context, path string) (err error) {
 	title := "hcsshim::ProcessUtilityVMImage"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))

vendor/github.com/Microsoft/hcsshim/internal/wclayer/unpreparelayer.go

@@ -12,7 +12,7 @@ import (
 // the given id.
 func UnprepareLayer(ctx context.Context, path string) (err error) {
 	title := "hcsshim::UnprepareLayer"
-	ctx, span := trace.StartSpan(ctx, title)
+	ctx, span := trace.StartSpan(ctx, title) //nolint:ineffassign,staticcheck
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("path", path))

vendor/github.com/Microsoft/hcsshim/internal/wclayer/wclayer.go

@@ -1,3 +1,6 @@
+// Package wclayer provides bindings to HCS's legacy layer management API and
+// provides a higher level interface around these calls for container layer
+// management.
 package wclayer
 
 import "github.com/Microsoft/go-winio/pkg/guid"

vendor/github.com/Microsoft/hcsshim/internal/winapi/devices.go

@@ -0,0 +1,13 @@
+package winapi
+
+import "github.com/Microsoft/go-winio/pkg/guid"
+
+//sys CMGetDeviceIDListSize(pulLen *uint32, pszFilter *byte, uFlags uint32) (hr error) = cfgmgr32.CM_Get_Device_ID_List_SizeA
+//sys CMGetDeviceIDList(pszFilter *byte, buffer *byte, bufferLen uint32, uFlags uint32) (hr error)= cfgmgr32.CM_Get_Device_ID_ListA
+//sys CMLocateDevNode(pdnDevInst *uint32, pDeviceID string, uFlags uint32) (hr error) = cfgmgr32.CM_Locate_DevNodeW
+//sys CMGetDevNodeProperty(dnDevInst uint32, propertyKey *DevPropKey, propertyType *uint32, propertyBuffer *uint16, propertyBufferSize *uint32, uFlags uint32) (hr error) = cfgmgr32.CM_Get_DevNode_PropertyW
+
+type DevPropKey struct {
+	Fmtid guid.GUID
+	Pid   uint32
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/errors.go

@@ -0,0 +1,15 @@
+package winapi
+
+import "syscall"
+
+//sys RtlNtStatusToDosError(status uint32) (winerr error) = ntdll.RtlNtStatusToDosError
+
+const (
+	STATUS_REPARSE_POINT_ENCOUNTERED               = 0xC000050B
+	ERROR_NO_MORE_ITEMS                            = 0x103
+	ERROR_MORE_DATA                  syscall.Errno = 234
+)
+
+func NTSuccess(status uint32) bool {
+	return status == 0
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/filesystem.go

@@ -0,0 +1,110 @@
+package winapi
+
+//sys NtCreateFile(handle *uintptr, accessMask uint32, oa *ObjectAttributes, iosb *IOStatusBlock, allocationSize *uint64, fileAttributes uint32, shareAccess uint32, createDisposition uint32, createOptions uint32, eaBuffer *byte, eaLength uint32) (status uint32) = ntdll.NtCreateFile
+//sys NtSetInformationFile(handle uintptr, iosb *IOStatusBlock, information uintptr, length uint32, class uint32) (status uint32) = ntdll.NtSetInformationFile
+
+//sys NtOpenDirectoryObject(handle *uintptr, accessMask uint32, oa *ObjectAttributes) (status uint32) = ntdll.NtOpenDirectoryObject
+//sys NtQueryDirectoryObject(handle uintptr, buffer *byte, length uint32, singleEntry bool, restartScan bool, context *uint32, returnLength *uint32)(status uint32) = ntdll.NtQueryDirectoryObject
+
+const (
+	FileLinkInformationClass          = 11
+	FileDispositionInformationExClass = 64
+
+	FILE_READ_ATTRIBUTES  = 0x0080
+	FILE_WRITE_ATTRIBUTES = 0x0100
+	DELETE                = 0x10000
+
+	FILE_OPEN   = 1
+	FILE_CREATE = 2
+
+	FILE_LIST_DIRECTORY          = 0x00000001
+	FILE_DIRECTORY_FILE          = 0x00000001
+	FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020
+	FILE_OPEN_FOR_BACKUP_INTENT  = 0x00004000
+	FILE_OPEN_REPARSE_POINT      = 0x00200000
+
+	FILE_DISPOSITION_DELETE = 0x00000001
+
+	OBJ_DONT_REPARSE = 0x1000
+
+	STATUS_MORE_ENTRIES    = 0x105
+	STATUS_NO_MORE_ENTRIES = 0x8000001a
+)
+
+// Select entries from FILE_INFO_BY_HANDLE_CLASS.
+//
+// C declaration:
+//   typedef enum _FILE_INFO_BY_HANDLE_CLASS {
+//       FileBasicInfo,
+//       FileStandardInfo,
+//       FileNameInfo,
+//       FileRenameInfo,
+//       FileDispositionInfo,
+//       FileAllocationInfo,
+//       FileEndOfFileInfo,
+//       FileStreamInfo,
+//       FileCompressionInfo,
+//       FileAttributeTagInfo,
+//       FileIdBothDirectoryInfo,
+//       FileIdBothDirectoryRestartInfo,
+//       FileIoPriorityHintInfo,
+//       FileRemoteProtocolInfo,
+//       FileFullDirectoryInfo,
+//       FileFullDirectoryRestartInfo,
+//       FileStorageInfo,
+//       FileAlignmentInfo,
+//       FileIdInfo,
+//       FileIdExtdDirectoryInfo,
+//       FileIdExtdDirectoryRestartInfo,
+//       FileDispositionInfoEx,
+//       FileRenameInfoEx,
+//       FileCaseSensitiveInfo,
+//       FileNormalizedNameInfo,
+//       MaximumFileInfoByHandleClass
+//   } FILE_INFO_BY_HANDLE_CLASS, *PFILE_INFO_BY_HANDLE_CLASS;
+//
+// Documentation: https://docs.microsoft.com/en-us/windows/win32/api/minwinbase/ne-minwinbase-file_info_by_handle_class
+const (
+	FileIdInfo = 18
+)
+
+type FileDispositionInformationEx struct {
+	Flags uintptr
+}
+
+type IOStatusBlock struct {
+	Status, Information uintptr
+}
+
+type ObjectAttributes struct {
+	Length             uintptr
+	RootDirectory      uintptr
+	ObjectName         *UnicodeString
+	Attributes         uintptr
+	SecurityDescriptor uintptr
+	SecurityQoS        uintptr
+}
+
+type ObjectDirectoryInformation struct {
+	Name     UnicodeString
+	TypeName UnicodeString
+}
+
+type FileLinkInformation struct {
+	ReplaceIfExists bool
+	RootDirectory   uintptr
+	FileNameLength  uint32
+	FileName        [1]uint16
+}
+
+// C declaration:
+//   typedef struct _FILE_ID_INFO {
+//       ULONGLONG   VolumeSerialNumber;
+//       FILE_ID_128 FileId;
+//   } FILE_ID_INFO, *PFILE_ID_INFO;
+//
+// Documentation: https://docs.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-file_id_info
+type FILE_ID_INFO struct {
+	VolumeSerialNumber uint64
+	FileID             [16]byte
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/iocp.go

@@ -0,0 +1,3 @@
+package winapi
+
+//sys GetQueuedCompletionStatus(cphandle windows.Handle, qty *uint32, key *uintptr, overlapped **windows.Overlapped, timeout uint32) (err error)

vendor/github.com/Microsoft/hcsshim/internal/winapi/jobobject.go

@@ -0,0 +1,215 @@
+package winapi
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+// Messages that can be received from an assigned io completion port.
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_associate_completion_port
+const (
+	JOB_OBJECT_MSG_END_OF_JOB_TIME       uint32 = 1
+	JOB_OBJECT_MSG_END_OF_PROCESS_TIME   uint32 = 2
+	JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT  uint32 = 3
+	JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO   uint32 = 4
+	JOB_OBJECT_MSG_NEW_PROCESS           uint32 = 6
+	JOB_OBJECT_MSG_EXIT_PROCESS          uint32 = 7
+	JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS uint32 = 8
+	JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT  uint32 = 9
+	JOB_OBJECT_MSG_JOB_MEMORY_LIMIT      uint32 = 10
+	JOB_OBJECT_MSG_NOTIFICATION_LIMIT    uint32 = 11
+)
+
+// Access rights for creating or opening job objects.
+//
+// https://docs.microsoft.com/en-us/windows/win32/procthread/job-object-security-and-access-rights
+const JOB_OBJECT_ALL_ACCESS = 0x1F001F
+
+// IO limit flags
+//
+// https://docs.microsoft.com/en-us/windows/win32/api/jobapi2/ns-jobapi2-jobobject_io_rate_control_information
+const JOB_OBJECT_IO_RATE_CONTROL_ENABLE = 0x1
+
+const JOBOBJECT_IO_ATTRIBUTION_CONTROL_ENABLE uint32 = 0x1
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_cpu_rate_control_information
+const (
+	JOB_OBJECT_CPU_RATE_CONTROL_ENABLE uint32 = 1 << iota
+	JOB_OBJECT_CPU_RATE_CONTROL_WEIGHT_BASED
+	JOB_OBJECT_CPU_RATE_CONTROL_HARD_CAP
+	JOB_OBJECT_CPU_RATE_CONTROL_NOTIFY
+	JOB_OBJECT_CPU_RATE_CONTROL_MIN_MAX_RATE
+)
+
+// JobObjectInformationClass values. Used for a call to QueryInformationJobObject
+//
+// https://docs.microsoft.com/en-us/windows/win32/api/jobapi2/nf-jobapi2-queryinformationjobobject
+const (
+	JobObjectBasicAccountingInformation      uint32 = 1
+	JobObjectBasicProcessIdList              uint32 = 3
+	JobObjectBasicAndIoAccountingInformation uint32 = 8
+	JobObjectLimitViolationInformation       uint32 = 13
+	JobObjectMemoryUsageInformation          uint32 = 28
+	JobObjectNotificationLimitInformation2   uint32 = 33
+	JobObjectIoAttribution                   uint32 = 42
+)
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_basic_limit_information
+type JOBOBJECT_BASIC_LIMIT_INFORMATION struct {
+	PerProcessUserTimeLimit int64
+	PerJobUserTimeLimit     int64
+	LimitFlags              uint32
+	MinimumWorkingSetSize   uintptr
+	MaximumWorkingSetSize   uintptr
+	ActiveProcessLimit      uint32
+	Affinity                uintptr
+	PriorityClass           uint32
+	SchedulingClass         uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_cpu_rate_control_information
+type JOBOBJECT_CPU_RATE_CONTROL_INFORMATION struct {
+	ControlFlags uint32
+	Value        uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/jobapi2/ns-jobapi2-jobobject_io_rate_control_information
+type JOBOBJECT_IO_RATE_CONTROL_INFORMATION struct {
+	MaxIops         int64
+	MaxBandwidth    int64
+	ReservationIops int64
+	BaseIOSize      uint32
+	VolumeName      string
+	ControlFlags    uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_basic_process_id_list
+type JOBOBJECT_BASIC_PROCESS_ID_LIST struct {
+	NumberOfAssignedProcesses uint32
+	NumberOfProcessIdsInList  uint32
+	ProcessIdList             [1]uintptr
+}
+
+// AllPids returns all the process Ids in the job object.
+func (p *JOBOBJECT_BASIC_PROCESS_ID_LIST) AllPids() []uintptr {
+	return (*[(1 << 27) - 1]uintptr)(unsafe.Pointer(&p.ProcessIdList[0]))[:p.NumberOfProcessIdsInList]
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_basic_accounting_information
+type JOBOBJECT_BASIC_ACCOUNTING_INFORMATION struct {
+	TotalUserTime             int64
+	TotalKernelTime           int64
+	ThisPeriodTotalUserTime   int64
+	ThisPeriodTotalKernelTime int64
+	TotalPageFaultCount       uint32
+	TotalProcesses            uint32
+	ActiveProcesses           uint32
+	TotalTerminateProcesses   uint32
+}
+
+//https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_basic_and_io_accounting_information
+type JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION struct {
+	BasicInfo JOBOBJECT_BASIC_ACCOUNTING_INFORMATION
+	IoInfo    windows.IO_COUNTERS
+}
+
+// typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION {
+//     ULONG64 JobMemory;
+//     ULONG64 PeakJobMemoryUsed;
+// } JOBOBJECT_MEMORY_USAGE_INFORMATION, *PJOBOBJECT_MEMORY_USAGE_INFORMATION;
+//
+type JOBOBJECT_MEMORY_USAGE_INFORMATION struct {
+	JobMemory         uint64
+	PeakJobMemoryUsed uint64
+}
+
+// typedef struct _JOBOBJECT_IO_ATTRIBUTION_STATS {
+//     ULONG_PTR IoCount;
+//     ULONGLONG TotalNonOverlappedQueueTime;
+//     ULONGLONG TotalNonOverlappedServiceTime;
+//     ULONGLONG TotalSize;
+// } JOBOBJECT_IO_ATTRIBUTION_STATS, *PJOBOBJECT_IO_ATTRIBUTION_STATS;
+//
+type JOBOBJECT_IO_ATTRIBUTION_STATS struct {
+	IoCount                       uintptr
+	TotalNonOverlappedQueueTime   uint64
+	TotalNonOverlappedServiceTime uint64
+	TotalSize                     uint64
+}
+
+// typedef struct _JOBOBJECT_IO_ATTRIBUTION_INFORMATION {
+//     ULONG ControlFlags;
+//     JOBOBJECT_IO_ATTRIBUTION_STATS ReadStats;
+//     JOBOBJECT_IO_ATTRIBUTION_STATS WriteStats;
+// } JOBOBJECT_IO_ATTRIBUTION_INFORMATION, *PJOBOBJECT_IO_ATTRIBUTION_INFORMATION;
+//
+type JOBOBJECT_IO_ATTRIBUTION_INFORMATION struct {
+	ControlFlags uint32
+	ReadStats    JOBOBJECT_IO_ATTRIBUTION_STATS
+	WriteStats   JOBOBJECT_IO_ATTRIBUTION_STATS
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-jobobject_associate_completion_port
+type JOBOBJECT_ASSOCIATE_COMPLETION_PORT struct {
+	CompletionKey  windows.Handle
+	CompletionPort windows.Handle
+}
+
+// BOOL IsProcessInJob(
+// 		HANDLE ProcessHandle,
+// 		HANDLE JobHandle,
+// 		PBOOL  Result
+// );
+//
+//sys IsProcessInJob(procHandle windows.Handle, jobHandle windows.Handle, result *bool) (err error) = kernel32.IsProcessInJob
+
+// BOOL QueryInformationJobObject(
+//		HANDLE             hJob,
+//		JOBOBJECTINFOCLASS JobObjectInformationClass,
+//		LPVOID             lpJobObjectInformation,
+//		DWORD              cbJobObjectInformationLength,
+//		LPDWORD            lpReturnLength
+// );
+//
+//sys QueryInformationJobObject(jobHandle windows.Handle, infoClass uint32, jobObjectInfo uintptr, jobObjectInformationLength uint32, lpReturnLength *uint32) (err error) = kernel32.QueryInformationJobObject
+
+// HANDLE OpenJobObjectW(
+//		DWORD   dwDesiredAccess,
+//		BOOL    bInheritHandle,
+//		LPCWSTR lpName
+// );
+//
+//sys OpenJobObject(desiredAccess uint32, inheritHandle bool, lpName *uint16) (handle windows.Handle, err error) = kernel32.OpenJobObjectW
+
+// DWORD SetIoRateControlInformationJobObject(
+//		HANDLE                                hJob,
+//		JOBOBJECT_IO_RATE_CONTROL_INFORMATION *IoRateControlInfo
+// );
+//
+//sys SetIoRateControlInformationJobObject(jobHandle windows.Handle, ioRateControlInfo *JOBOBJECT_IO_RATE_CONTROL_INFORMATION) (ret uint32, err error) = kernel32.SetIoRateControlInformationJobObject
+
+// DWORD QueryIoRateControlInformationJobObject(
+// 		HANDLE                                hJob,
+// 		PCWSTR                                VolumeName,
+//		JOBOBJECT_IO_RATE_CONTROL_INFORMATION **InfoBlocks,
+// 		ULONG                                 *InfoBlockCount
+// );
+//sys QueryIoRateControlInformationJobObject(jobHandle windows.Handle, volumeName *uint16, ioRateControlInfo **JOBOBJECT_IO_RATE_CONTROL_INFORMATION, infoBlockCount *uint32) (ret uint32, err error) = kernel32.QueryIoRateControlInformationJobObject
+
+// NTSTATUS
+// NtOpenJobObject (
+//     _Out_ PHANDLE JobHandle,
+//     _In_ ACCESS_MASK DesiredAccess,
+//     _In_ POBJECT_ATTRIBUTES ObjectAttributes
+// );
+//sys NtOpenJobObject(jobHandle *windows.Handle, desiredAccess uint32, objAttributes *ObjectAttributes) (status uint32) = ntdll.NtOpenJobObject
+
+// NTSTATUS
+// NTAPI
+// NtCreateJobObject (
+//     _Out_ PHANDLE JobHandle,
+//     _In_ ACCESS_MASK DesiredAccess,
+//     _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes
+// );
+//sys NtCreateJobObject(jobHandle *windows.Handle, desiredAccess uint32, objAttributes *ObjectAttributes) (status uint32) = ntdll.NtCreateJobObject

vendor/github.com/Microsoft/hcsshim/internal/winapi/logon.go

@@ -0,0 +1,30 @@
+package winapi
+
+// BOOL LogonUserA(
+// 	LPCWSTR  lpszUsername,
+// 	LPCWSTR  lpszDomain,
+// 	LPCWSTR  lpszPassword,
+// 	DWORD   dwLogonType,
+// 	DWORD   dwLogonProvider,
+// 	PHANDLE phToken
+// );
+//
+//sys LogonUser(username *uint16, domain *uint16, password *uint16, logonType uint32, logonProvider uint32, token *windows.Token) (err error) = advapi32.LogonUserW
+
+// Logon types
+const (
+	LOGON32_LOGON_INTERACTIVE       uint32 = 2
+	LOGON32_LOGON_NETWORK           uint32 = 3
+	LOGON32_LOGON_BATCH             uint32 = 4
+	LOGON32_LOGON_SERVICE           uint32 = 5
+	LOGON32_LOGON_UNLOCK            uint32 = 7
+	LOGON32_LOGON_NETWORK_CLEARTEXT uint32 = 8
+	LOGON32_LOGON_NEW_CREDENTIALS   uint32 = 9
+)
+
+// Logon providers
+const (
+	LOGON32_PROVIDER_DEFAULT uint32 = 0
+	LOGON32_PROVIDER_WINNT40 uint32 = 2
+	LOGON32_PROVIDER_WINNT50 uint32 = 3
+)

vendor/github.com/Microsoft/hcsshim/internal/winapi/memory.go

@@ -0,0 +1,27 @@
+package winapi
+
+// VOID RtlMoveMemory(
+// 	_Out_       VOID UNALIGNED *Destination,
+// 	_In_  const VOID UNALIGNED *Source,
+// 	_In_        SIZE_T         Length
+// );
+//sys RtlMoveMemory(destination *byte, source *byte, length uintptr) (err error) = kernel32.RtlMoveMemory
+
+//sys LocalAlloc(flags uint32, size int) (ptr uintptr) = kernel32.LocalAlloc
+//sys LocalFree(ptr uintptr) = kernel32.LocalFree
+
+// BOOL QueryWorkingSet(
+//	HANDLE hProcess,
+//	PVOID  pv,
+//	DWORD  cb
+// );
+//sys QueryWorkingSet(handle windows.Handle, pv uintptr, cb uint32) (err error) = psapi.QueryWorkingSet
+
+type PSAPI_WORKING_SET_INFORMATION struct {
+	NumberOfEntries uintptr
+	WorkingSetInfo  [1]PSAPI_WORKING_SET_BLOCK
+}
+
+type PSAPI_WORKING_SET_BLOCK struct {
+	Flags uintptr
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/net.go

@@ -0,0 +1,3 @@
+package winapi
+
+//sys SetJobCompartmentId(handle windows.Handle, compartmentId uint32) (win32Err error) = iphlpapi.SetJobCompartmentId

vendor/github.com/Microsoft/hcsshim/internal/winapi/path.go

@@ -0,0 +1,11 @@
+package winapi
+
+// DWORD SearchPathW(
+// 	LPCWSTR lpPath,
+// 	LPCWSTR lpFileName,
+// 	LPCWSTR lpExtension,
+// 	DWORD   nBufferLength,
+// 	LPWSTR  lpBuffer,
+// 	LPWSTR  *lpFilePart
+// );
+//sys SearchPath(lpPath *uint16, lpFileName *uint16, lpExtension *uint16, nBufferLength uint32, lpBuffer *uint16, lpFilePath *uint16) (size uint32, err error) = kernel32.SearchPathW

vendor/github.com/Microsoft/hcsshim/internal/winapi/process.go

@@ -0,0 +1,10 @@
+package winapi
+
+const PROCESS_ALL_ACCESS uint32 = 2097151
+
+// DWORD GetProcessImageFileNameW(
+//	HANDLE hProcess,
+//	LPWSTR lpImageFileName,
+//	DWORD  nSize
+// );
+//sys GetProcessImageFileName(hProcess windows.Handle, imageFileName *uint16, nSize uint32) (size uint32, err error) = kernel32.GetProcessImageFileNameW

vendor/github.com/Microsoft/hcsshim/internal/winapi/processor.go

@@ -0,0 +1,7 @@
+package winapi
+
+// Get count from all processor groups.
+// https://docs.microsoft.com/en-us/windows/win32/procthread/processor-groups
+const ALL_PROCESSOR_GROUPS = 0xFFFF
+
+//sys GetActiveProcessorCount(groupNumber uint16) (amount uint32) = kernel32.GetActiveProcessorCount

vendor/github.com/Microsoft/hcsshim/internal/winapi/system.go

@@ -0,0 +1,52 @@
+package winapi
+
+import "golang.org/x/sys/windows"
+
+const SystemProcessInformation = 5
+
+const STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
+
+// __kernel_entry NTSTATUS NtQuerySystemInformation(
+// 	SYSTEM_INFORMATION_CLASS SystemInformationClass,
+// 	PVOID                    SystemInformation,
+// 	ULONG                    SystemInformationLength,
+// 	PULONG                   ReturnLength
+// );
+//sys NtQuerySystemInformation(systemInfoClass int, systemInformation uintptr, systemInfoLength uint32, returnLength *uint32) (status uint32) = ntdll.NtQuerySystemInformation
+
+type SYSTEM_PROCESS_INFORMATION struct {
+	NextEntryOffset              uint32         // ULONG
+	NumberOfThreads              uint32         // ULONG
+	WorkingSetPrivateSize        int64          // LARGE_INTEGER
+	HardFaultCount               uint32         // ULONG
+	NumberOfThreadsHighWatermark uint32         // ULONG
+	CycleTime                    uint64         // ULONGLONG
+	CreateTime                   int64          // LARGE_INTEGER
+	UserTime                     int64          // LARGE_INTEGER
+	KernelTime                   int64          // LARGE_INTEGER
+	ImageName                    UnicodeString  // UNICODE_STRING
+	BasePriority                 int32          // KPRIORITY
+	UniqueProcessID              windows.Handle // HANDLE
+	InheritedFromUniqueProcessID windows.Handle // HANDLE
+	HandleCount                  uint32         // ULONG
+	SessionID                    uint32         // ULONG
+	UniqueProcessKey             *uint32        // ULONG_PTR
+	PeakVirtualSize              uintptr        // SIZE_T
+	VirtualSize                  uintptr        // SIZE_T
+	PageFaultCount               uint32         // ULONG
+	PeakWorkingSetSize           uintptr        // SIZE_T
+	WorkingSetSize               uintptr        // SIZE_T
+	QuotaPeakPagedPoolUsage      uintptr        // SIZE_T
+	QuotaPagedPoolUsage          uintptr        // SIZE_T
+	QuotaPeakNonPagedPoolUsage   uintptr        // SIZE_T
+	QuotaNonPagedPoolUsage       uintptr        // SIZE_T
+	PagefileUsage                uintptr        // SIZE_T
+	PeakPagefileUsage            uintptr        // SIZE_T
+	PrivatePageCount             uintptr        // SIZE_T
+	ReadOperationCount           int64          // LARGE_INTEGER
+	WriteOperationCount          int64          // LARGE_INTEGER
+	OtherOperationCount          int64          // LARGE_INTEGER
+	ReadTransferCount            int64          // LARGE_INTEGER
+	WriteTransferCount           int64          // LARGE_INTEGER
+	OtherTransferCount           int64          // LARGE_INTEGER
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/thread.go

@@ -0,0 +1,12 @@
+package winapi
+
+// HANDLE CreateRemoteThread(
+// 	HANDLE                 hProcess,
+// 	LPSECURITY_ATTRIBUTES  lpThreadAttributes,
+// 	SIZE_T                 dwStackSize,
+// 	LPTHREAD_START_ROUTINE lpStartAddress,
+// 	LPVOID                 lpParameter,
+// 	DWORD                  dwCreationFlags,
+// 	LPDWORD                lpThreadId
+// );
+//sys CreateRemoteThread(process windows.Handle, sa *windows.SecurityAttributes, stackSize uint32, startAddr uintptr, parameter uintptr, creationFlags uint32, threadID *uint32) (handle windows.Handle, err error) = kernel32.CreateRemoteThread

vendor/github.com/Microsoft/hcsshim/internal/winapi/utils.go

@@ -0,0 +1,75 @@
+package winapi
+
+import (
+	"errors"
+	"reflect"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+// Uint16BufferToSlice wraps a uint16 pointer-and-length into a slice
+// for easier interop with Go APIs
+func Uint16BufferToSlice(buffer *uint16, bufferLength int) (result []uint16) {
+	hdr := (*reflect.SliceHeader)(unsafe.Pointer(&result))
+	hdr.Data = uintptr(unsafe.Pointer(buffer))
+	hdr.Cap = bufferLength
+	hdr.Len = bufferLength
+
+	return
+}
+
+type UnicodeString struct {
+	Length        uint16
+	MaximumLength uint16
+	Buffer        *uint16
+}
+
+//String converts a UnicodeString to a golang string
+func (uni UnicodeString) String() string {
+	// UnicodeString is not guaranteed to be null terminated, therefore
+	// use the UnicodeString's Length field
+	return syscall.UTF16ToString(Uint16BufferToSlice(uni.Buffer, int(uni.Length/2)))
+}
+
+// NewUnicodeString allocates a new UnicodeString and copies `s` into
+// the buffer of the new UnicodeString.
+func NewUnicodeString(s string) (*UnicodeString, error) {
+	// Get length of original `s` to use in the UnicodeString since the `buf`
+	// created later will have an additional trailing null character
+	length := len(s)
+	if length > 32767 {
+		return nil, syscall.ENAMETOOLONG
+	}
+
+	buf, err := windows.UTF16FromString(s)
+	if err != nil {
+		return nil, err
+	}
+	uni := &UnicodeString{
+		Length:        uint16(length * 2),
+		MaximumLength: uint16(length * 2),
+		Buffer:        &buf[0],
+	}
+	return uni, nil
+}
+
+// ConvertStringSetToSlice is a helper function used to convert the contents of
+// `buf` into a string slice. `buf` contains a set of null terminated strings
+// with an additional null at the end to indicate the end of the set.
+func ConvertStringSetToSlice(buf []byte) ([]string, error) {
+	var results []string
+	prev := 0
+	for i := range buf {
+		if buf[i] == 0 {
+			if prev == i {
+				// found two null characters in a row, return result
+				return results, nil
+			}
+			results = append(results, string(buf[prev:i]))
+			prev = i + 1
+		}
+	}
+	return nil, errors.New("string set malformed: missing null terminator at end of buffer")
+}

vendor/github.com/Microsoft/hcsshim/internal/winapi/winapi.go

@@ -0,0 +1,5 @@
+// Package winapi contains various low-level bindings to Windows APIs. It can
+// be thought of as an extension to golang.org/x/sys/windows.
+package winapi
+
+//go:generate go run ..\..\mksyscall_windows.go -output zsyscall_windows.go system.go net.go path.go thread.go iocp.go jobobject.go logon.go memory.go process.go processor.go devices.go filesystem.go errors.go