@@ -130,7 +130,7 @@ github.com/googleapis/gax-go                        bd5b16380fd03dc758d11cef74ba

 google.golang.org/genproto                          3f1135a288c9a07e340ae8ba4cc6c7065a3160e8

 # containerd

-github.com/containerd/containerd                    d4e78200d6da62480c85bf6f26b7221ea938f396

+github.com/containerd/containerd                    0edc412565dcc6e3d6125ff9e4b009ad4b89c638 # master (v1.5.0-dev)

 github.com/containerd/fifo                          0724c46b320cf96bb172a0550c19a4b1fca4dacb

 github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165

 github.com/containerd/cgroups                       0b889c03f102012f1d93a97ddd3ef71cd6f4f510

@@ -1,6 +1,6 @@

 ![containerd banner](https://raw.githubusercontent.com/cncf/artwork/master/projects/containerd/horizontal/color/containerd-horizontal-color.png)

-[![GoDoc](https://godoc.org/github.com/containerd/containerd?status.svg)](https://godoc.org/github.com/containerd/containerd)

+[![PkgGoDev](https://pkg.go.dev/badge/github.com/containerd/containerd)](https://pkg.go.dev/github.com/containerd/containerd)

 [![Build Status](https://github.com/containerd/containerd/workflows/CI/badge.svg)](https://github.com/containerd/containerd/actions?query=workflow%3ACI)

 [![Windows Build Status](https://ci.appveyor.com/api/projects/status/github/containerd/containerd?branch=master&svg=true)](https://ci.appveyor.com/project/mlaventure/containerd-3g73f?branch=master)

 [![Nightlies](https://github.com/containerd/containerd/workflows/Nightly/badge.svg)](https://github.com/containerd/containerd/actions?query=workflow%3ANightly)

@@ -260,6 +260,26 @@ func BinaryIO(binary string, args map[string]string) Creator {

 	}

 }

+// TerminalBinaryIO forwards container STDOUT|STDERR directly to a logging binary

+// It also sets the terminal option to true

+func TerminalBinaryIO(binary string, args map[string]string) Creator {

+	return func(_ string) (IO, error) {

+		uri, err := LogURIGenerator("binary", binary, args)

+		if err != nil {

+			return nil, err

+		}

+

+		res := uri.String()

+		return &logURI{

+			config: Config{

+				Stdout:   res,

+				Stderr:   res,

+				Terminal: true,

+			},

+		}, nil

+	}

+}

+

 // LogFile creates a file on disk that logs the task's STDOUT,STDERR.

 // If the log file already exists, the logs will be appended to the file.

 func LogFile(path string) Creator {

@@ -87,21 +87,21 @@ func WithRestoreRuntime(ctx context.Context, id string, client *Client, checkpoi

 				return err

 			}

 		}

-		var options *ptypes.Any

+		var options ptypes.Any

 		if m != nil {

 			store := client.ContentStore()

 			data, err := content.ReadBlob(ctx, store, *m)

 			if err != nil {

 				return errors.Wrap(err, "unable to read checkpoint runtime")

 			}

-			if err := proto.Unmarshal(data, options); err != nil {

+			if err := proto.Unmarshal(data, &options); err != nil {

 				return err

 			}

 		}

 		c.Runtime = containers.RuntimeInfo{

 			Name:    name,

-			Options: options,

+			Options: &options,

 		}

 		return nil

 	}

@@ -229,9 +229,47 @@ func seekReader(r io.Reader, offset, size int64) (io.Reader, error) {

 	return r, nil

 }

+// copyWithBuffer is very similar to  io.CopyBuffer https://golang.org/pkg/io/#CopyBuffer

+// but instead of using Read to read from the src, we use ReadAtLeast to make sure we have

+// a full buffer before we do a write operation to dst to reduce overheads associated

+// with the write operations of small buffers.

 func copyWithBuffer(dst io.Writer, src io.Reader) (written int64, err error) {

-	buf := bufPool.Get().(*[]byte)

-	written, err = io.CopyBuffer(dst, src, *buf)

-	bufPool.Put(buf)

+	// If the reader has a WriteTo method, use it to do the copy.

+	// Avoids an allocation and a copy.

+	if wt, ok := src.(io.WriterTo); ok {

+		return wt.WriteTo(dst)

+	}

+	// Similarly, if the writer has a ReadFrom method, use it to do the copy.

+	if rt, ok := dst.(io.ReaderFrom); ok {

+		return rt.ReadFrom(src)

+	}

+	bufRef := bufPool.Get().(*[]byte)

+	defer bufPool.Put(bufRef)

+	buf := *bufRef

+	for {

+		nr, er := io.ReadAtLeast(src, buf, len(buf))

+		if nr > 0 {

+			nw, ew := dst.Write(buf[0:nr])

+			if nw > 0 {

+				written += int64(nw)

+			}

+			if ew != nil {

+				err = ew

+				break

+			}

+			if nr != nw {

+				err = io.ErrShortWrite

+				break

+			}

+		}

+		if er != nil {

+			// If an EOF happens after reading fewer than the requested bytes,

+			// ReadAtLeast returns ErrUnexpectedEOF.

+			if er != io.EOF && er != io.ErrUnexpectedEOF {

+				err = er

+			}

+			break

+		}

+	}

 	return

 }

@@ -1,4 +1,4 @@

-// +build linux solaris darwin freebsd

+// +build linux solaris darwin freebsd netbsd

 /*

    Copyright The containerd Authors.

@@ -40,7 +40,13 @@ func (ra *remoteReaderAt) ReadAt(p []byte, off int64) (n int, err error) {

 		Offset: off,

 		Size_:  int64(len(p)),

 	}

-	rc, err := ra.client.Read(ra.ctx, rr)

+	// we need a child context with cancel, or the eventually called

+	// grpc.NewStream will leak the goroutine until the whole thing is cleared.

+	// See comment at https://godoc.org/google.golang.org/grpc#ClientConn.NewStream

+	childCtx, cancel := context.WithCancel(ra.ctx)

+	// we MUST cancel the child context; see comment above

+	defer cancel()

+	rc, err := ra.client.Read(childCtx, rr)

 	if err != nil {

 		return 0, err

 	}

@@ -232,6 +232,8 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 				"openat",

 				"openat2",

 				"pause",

+				"pidfd_open",

+				"pidfd_send_signal",

 				"pipe",

 				"pipe2",

 				"poll",

@@ -571,6 +573,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 			s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{

 				Names: []string{

 					"kcmp",

+					"pidfd_getfd",

 					"process_vm_readv",

 					"process_vm_writev",

 					"ptrace",

@@ -106,26 +106,37 @@ func Unmount(target string, flags int) error {

 	return nil

 }

-func isFUSE(dir string) (bool, error) {

-	// fuseSuperMagic is defined in statfs(2)

-	const fuseSuperMagic = 0x65735546

+// fuseSuperMagic is defined in statfs(2)

+const fuseSuperMagic = 0x65735546

+

+func isFUSE(dir string) bool {

 	var st unix.Statfs_t

 	if err := unix.Statfs(dir, &st); err != nil {

-		return false, err

+		return false

 	}

-	return st.Type == fuseSuperMagic, nil

+	return st.Type == fuseSuperMagic

+}

+

+// unmountFUSE attempts to unmount using fusermount/fusermount3 helper binary.

+//

+// For FUSE mounts, using these helper binaries is preferred, see:

+// https://github.com/containerd/containerd/pull/3765#discussion_r342083514

+func unmountFUSE(target string) error {

+	var err error

+	for _, helperBinary := range []string{"fusermount3", "fusermount"} {

+		cmd := exec.Command(helperBinary, "-u", target)

+		err = cmd.Run()

+		if err == nil {

+			return nil

+		}

+	}

+	return err

 }

 func unmount(target string, flags int) error {

-	// For FUSE mounts, attempting to execute fusermount helper binary is preferred

-	// https://github.com/containerd/containerd/pull/3765#discussion_r342083514

-	if ok, err := isFUSE(target); err == nil && ok {

-		for _, helperBinary := range []string{"fusermount3", "fusermount"} {

-			cmd := exec.Command(helperBinary, "-u", target)

-			if err := cmd.Run(); err == nil {

-				return nil

-			}

-			// ignore error and try unix.Unmount

+	if isFUSE(target) {

+		if err := unmountFUSE(target); err == nil {

+			return nil

 		}

 	}

 	for i := 0; i < 50; i++ {

@@ -221,7 +221,7 @@ func (e *execProcess) start(ctx context.Context) (err error) {

 		if err != nil {

 			return errors.Wrap(err, "failed to retrieve console master")

 		}

-		if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {

+		if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.id, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {

 			return errors.Wrap(err, "failed to start console copy")

 		}

 	} else {

@@ -157,7 +157,7 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {

 		if err != nil {

 			return errors.Wrap(err, "failed to retrieve console master")

 		}

-		console, err = p.Platform.CopyConsole(ctx, console, r.Stdin, r.Stdout, r.Stderr, &p.wg)

+		console, err = p.Platform.CopyConsole(ctx, console, p.id, r.Stdin, r.Stdout, r.Stderr, &p.wg)

 		if err != nil {

 			return errors.Wrap(err, "failed to start console copy")

 		}

@@ -172,7 +172,7 @@ func (s *createdCheckpointState) Start(ctx context.Context) error {

 		if err != nil {

 			return errors.Wrap(err, "failed to retrieve console master")

 		}

-		console, err = p.Platform.CopyConsole(ctx, console, sio.Stdin, sio.Stdout, sio.Stderr, &p.wg)

+		console, err = p.Platform.CopyConsole(ctx, console, p.id, sio.Stdin, sio.Stdout, sio.Stderr, &p.wg)

 		if err != nil {

 			return errors.Wrap(err, "failed to start console copy")

 		}

@@ -26,7 +26,7 @@ import (

 // Platform handles platform-specific behavior that may differs across

 // platform implementations

 type Platform interface {

-	CopyConsole(ctx context.Context, console console.Console, stdin, stdout, stderr string,

+	CopyConsole(ctx context.Context, console console.Console, id, stdin, stdout, stderr string,

 		wg *sync.WaitGroup) (console.Console, error)

 	ShutdownConsole(ctx context.Context, console console.Console) error

 	Close() error

@@ -96,6 +96,15 @@ func getCPUVariant() string {

 		return ""

 	}

+	// handle edge case for Raspberry Pi ARMv6 devices (which due to a kernel quirk, report "CPU architecture: 7")

+	// https://www.raspberrypi.org/forums/viewtopic.php?t=12614

+	if runtime.GOARCH == "arm" && variant == "7" {

+		model, err := getCPUInfo("model name")

+		if err == nil && strings.HasPrefix(strings.ToLower(model), "armv6-compatible") {

+			variant = "6"

+		}

+	}

+

 	switch strings.ToLower(variant) {

 	case "8", "aarch64":

 		// special case: if running a 32-bit userspace on aarch64, the variant should be "v7"

@@ -106,10 +106,8 @@ func FetchTokenWithOAuth(ctx context.Context, client *http.Client, headers http.

 		return nil, err

 	}

 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")

-	if headers != nil {

-		for k, v := range headers {

-			req.Header[k] = append(req.Header[k], v...)

-		}

+	for k, v := range headers {

+		req.Header[k] = append(req.Header[k], v...)

 	}

 	resp, err := ctxhttp.Do(ctx, client, req)

@@ -152,10 +150,8 @@ func FetchToken(ctx context.Context, client *http.Client, headers http.Header, t

 		return nil, err

 	}

-	if headers != nil {

-		for k, v := range headers {

-			req.Header[k] = append(req.Header[k], v...)

-		}

+	for k, v := range headers {

+		req.Header[k] = append(req.Header[k], v...)

 	}

 	reqParams := req.URL.Query()

@@ -45,7 +45,7 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R

 		return nil, errors.Wrap(errdefs.ErrNotFound, "no pull hosts")

 	}

-	ctx, err := contextWithRepositoryScope(ctx, r.refspec, false)

+	ctx, err := ContextWithRepositoryScope(ctx, r.refspec, false)

 	if err != nil {

 		return nil, err

 	}

@@ -121,7 +121,7 @@ func (hrs *httpReadSeeker) reader() (io.Reader, error) {

 		rc, err := hrs.open(hrs.offset)

 		if err != nil {

-			return nil, errors.Wrapf(err, "httpReaderSeeker: failed open")

+			return nil, errors.Wrapf(err, "httpReadSeeker: failed open")

 		}

 		if hrs.rc != nil {

@@ -45,7 +45,7 @@ type dockerPusher struct {

 }

 func (p dockerPusher) Push(ctx context.Context, desc ocispec.Descriptor) (content.Writer, error) {

-	ctx, err := contextWithRepositoryScope(ctx, p.refspec, true)

+	ctx, err := ContextWithRepositoryScope(ctx, p.refspec, true)

 	if err != nil {

 		return nil, err

 	}

@@ -130,7 +130,7 @@ func (p dockerPusher) Push(ctx context.Context, desc ocispec.Descriptor) (conten

 		var resp *http.Response

 		if fromRepo := selectRepositoryMountCandidate(p.refspec, desc.Annotations); fromRepo != "" {

 			preq := requestWithMountFrom(req, desc.Digest.String(), fromRepo)

-			pctx := contextWithAppendPullRepositoryScope(ctx, fromRepo)

+			pctx := ContextWithAppendPullRepositoryScope(ctx, fromRepo)

 			// NOTE: the fromRepo might be private repo and

 			// auth service still can grant token without error.

@@ -222,7 +222,7 @@ func (p dockerPusher) Push(ctx context.Context, desc ocispec.Descriptor) (conten

 	// TODO: Support chunked upload

 	pr, pw := io.Pipe()

-	respC := make(chan *http.Response, 1)

+	respC := make(chan response, 1)

 	body := ioutil.NopCloser(pr)

 	req.body = func() (io.ReadCloser, error) {

@@ -240,6 +240,7 @@ func (p dockerPusher) Push(ctx context.Context, desc ocispec.Descriptor) (conten

 		defer close(respC)

 		resp, err := req.do(ctx)

 		if err != nil {

+			respC <- response{err: err}

 			pr.CloseWithError(err)

 			return

 		}

@@ -251,7 +252,7 @@ func (p dockerPusher) Push(ctx context.Context, desc ocispec.Descriptor) (conten

 			log.G(ctx).WithField("resp", resp).WithField("body", string(err.(remoteserrors.ErrUnexpectedStatus).Body)).Debug("unexpected response")

 			pr.CloseWithError(err)

 		}

-		respC <- resp

+		respC <- response{Response: resp}

 	}()

 	return &pushWriter{

@@ -284,12 +285,17 @@ func getManifestPath(object string, dgst digest.Digest) []string {

 	return []string{"manifests", object}

 }

+type response struct {

+	*http.Response

+	err error

+}

+

 type pushWriter struct {

 	base *dockerBase

 	ref  string

 	pipe       *io.PipeWriter

-	responseC  <-chan *http.Response

+	responseC  <-chan response

 	isManifest bool

 	expected digest.Digest

@@ -339,8 +345,8 @@ func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Di

 	// TODO: timeout waiting for response

 	resp := <-pw.responseC

-	if resp == nil {

-		return errors.New("no response")

+	if resp.err != nil {

+		return resp.err

 	}

 	// 201 is specified return status, some registries return

@@ -263,7 +263,7 @@ func (r *dockerResolver) Resolve(ctx context.Context, ref string) (string, ocisp

 		return "", ocispec.Descriptor{}, errors.Wrap(errdefs.ErrNotFound, "no resolve hosts")

 	}

-	ctx, err = contextWithRepositoryScope(ctx, refspec, false)

+	ctx, err = ContextWithRepositoryScope(ctx, refspec, false)

 	if err != nil {

 		return "", ocispec.Descriptor{}, err

 	}

@@ -26,10 +26,10 @@ import (

 	"github.com/containerd/containerd/reference"

 )

-// repositoryScope returns a repository scope string such as "repository:foo/bar:pull"

+// RepositoryScope returns a repository scope string such as "repository:foo/bar:pull"

 // for "host/foo/bar:baz".

 // When push is true, both pull and push are added to the scope.

-func repositoryScope(refspec reference.Spec, push bool) (string, error) {

+func RepositoryScope(refspec reference.Spec, push bool) (string, error) {

 	u, err := url.Parse("dummy://" + refspec.Locator)

 	if err != nil {

 		return "", err

@@ -45,9 +45,9 @@ func repositoryScope(refspec reference.Spec, push bool) (string, error) {

 // value: []string (e.g. {"registry:foo/bar:pull"})

 type tokenScopesKey struct{}

-// contextWithRepositoryScope returns a context with tokenScopesKey{} and the repository scope value.

-func contextWithRepositoryScope(ctx context.Context, refspec reference.Spec, push bool) (context.Context, error) {

-	s, err := repositoryScope(refspec, push)

+// ContextWithRepositoryScope returns a context with tokenScopesKey{} and the repository scope value.

+func ContextWithRepositoryScope(ctx context.Context, refspec reference.Spec, push bool) (context.Context, error) {

+	s, err := RepositoryScope(refspec, push)

 	if err != nil {

 		return nil, err

 	}

@@ -66,9 +66,9 @@ func WithScope(ctx context.Context, scope string) context.Context {

 	return context.WithValue(ctx, tokenScopesKey{}, scopes)

 }

-// contextWithAppendPullRepositoryScope is used to append repository pull

+// ContextWithAppendPullRepositoryScope is used to append repository pull

 // scope into existing scopes indexed by the tokenScopesKey{}.

-func contextWithAppendPullRepositoryScope(ctx context.Context, repo string) context.Context {

+func ContextWithAppendPullRepositoryScope(ctx context.Context, repo string) context.Context {

 	return WithScope(ctx, fmt.Sprintf("repository:%s:pull", repo))

 }

@@ -22,6 +22,7 @@ import (

 	"context"

 	"fmt"

 	"io"

+	"io/ioutil"

 	"net"

 	"os"

 	"os/exec"

@@ -67,22 +68,24 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa

 		}

 		defer f.Close()

-		var stdoutLog io.ReadWriteCloser

-		var stderrLog io.ReadWriteCloser

-		if debug {

-			stdoutLog, err = v1.OpenShimStdoutLog(ctx, config.WorkDir)

-			if err != nil {

-				return nil, nil, errors.Wrapf(err, "failed to create stdout log")

-			}

-

-			stderrLog, err = v1.OpenShimStderrLog(ctx, config.WorkDir)

-			if err != nil {

-				return nil, nil, errors.Wrapf(err, "failed to create stderr log")

-			}

+		stdoutCopy := ioutil.Discard

+		stderrCopy := ioutil.Discard

+		stdoutLog, err := v1.OpenShimStdoutLog(ctx, config.WorkDir)

+		if err != nil {

+			return nil, nil, errors.Wrapf(err, "failed to create stdout log")

+		}

-			go io.Copy(os.Stdout, stdoutLog)

-			go io.Copy(os.Stderr, stderrLog)

+		stderrLog, err := v1.OpenShimStderrLog(ctx, config.WorkDir)

+		if err != nil {

+			return nil, nil, errors.Wrapf(err, "failed to create stderr log")

 		}

+		if debug {

+			stdoutCopy = os.Stdout

+			stderrCopy = os.Stderr

+		}

+

+		go io.Copy(stdoutCopy, stdoutLog)

+		go io.Copy(stderrCopy, stderrLog)

 		cmd, err := newCommand(binary, daemonAddress, debug, config, f, stdoutLog, stderrLog)

 		if err != nil {

@@ -19,10 +19,14 @@ package shim

 import (

 	"context"

 	"io"

+	"net/url"

+	"os"

 	"sync"

 	"syscall"

 	"github.com/containerd/console"

+	"github.com/containerd/containerd/namespaces"

+	"github.com/containerd/containerd/runtime"

 	"github.com/containerd/fifo"

 	"github.com/pkg/errors"

 )

@@ -31,7 +35,7 @@ type linuxPlatform struct {

 	epoller *console.Epoller

 }

-func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console, stdin, stdout, stderr string, wg *sync.WaitGroup) (console.Console, error) {

+func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console, id, stdin, stdout, stderr string, wg *sync.WaitGroup) (cons console.Console, retErr error) {

 	if p.epoller == nil {

 		return nil, errors.New("uninitialized epoller")

 	}

@@ -59,26 +63,98 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console

 		}()

 	}

-	outw, err := fifo.OpenFifo(ctx, stdout, syscall.O_WRONLY, 0)

+	uri, err := url.Parse(stdout)

 	if err != nil {

-		return nil, err

+		return nil, errors.Wrap(err, "unable to parse stdout uri")

 	}

-	outr, err := fifo.OpenFifo(ctx, stdout, syscall.O_RDONLY, 0)

-	if err != nil {

-		return nil, err

+

+	switch uri.Scheme {

+	case "binary":

+		ns, err := namespaces.NamespaceRequired(ctx)

+		if err != nil {

+			return nil, err

+		}

+

+		cmd := runtime.NewBinaryCmd(uri, id, ns)

+

+		// In case of unexpected errors during logging binary start, close open pipes

+		var filesToClose []*os.File

+

+		defer func() {

+			if retErr != nil {

+				runtime.CloseFiles(filesToClose...)

+			}

+		}()

+

+		// Create pipe to be used by logging binary for Stdout

+		outR, outW, err := os.Pipe()

+		if err != nil {

+			return nil, errors.Wrap(err, "failed to create stdout pipes")

+		}

+		filesToClose = append(filesToClose, outR)

+

+		// Stderr is created for logging binary but unused when terminal is true

+		serrR, _, err := os.Pipe()

+		if err != nil {

+			return nil, errors.Wrap(err, "failed to create stderr pipes")

+		}

+		filesToClose = append(filesToClose, serrR)

+

+		r, w, err := os.Pipe()

+		if err != nil {

+			return nil, err

+		}

+		filesToClose = append(filesToClose, r)

+

+		cmd.ExtraFiles = append(cmd.ExtraFiles, outR, serrR, w)

+

+		wg.Add(1)

+		cwg.Add(1)

+		go func() {

+			cwg.Done()

+			io.Copy(outW, epollConsole)

+			outW.Close()

+			wg.Done()

+		}()

+

+		if err := cmd.Start(); err != nil {

+			return nil, errors.Wrap(err, "failed to start logging binary process")

+		}

+

+		// Close our side of the pipe after start

+		if err := w.Close(); err != nil {

+			return nil, errors.Wrap(err, "failed to close write pipe after start")

+		}

+

+		// Wait for the logging binary to be ready

+		b := make([]byte, 1)

+		if _, err := r.Read(b); err != nil && err != io.EOF {

+			return nil, errors.Wrap(err, "failed to read from logging binary")

+		}

+		cwg.Wait()

+

+	default:

+		outw, err := fifo.OpenFifo(ctx, stdout, syscall.O_WRONLY, 0)

+		if err != nil {

+			return nil, err

+		}

+		outr, err := fifo.OpenFifo(ctx, stdout, syscall.O_RDONLY, 0)

+		if err != nil {

+			return nil, err

+		}

+		wg.Add(1)

+		cwg.Add(1)

+		go func() {

+			cwg.Done()

+			p := bufPool.Get().(*[]byte)

+			defer bufPool.Put(p)

+			io.CopyBuffer(outw, epollConsole, *p)

+			outw.Close()

+			outr.Close()

+			wg.Done()

+		}()

+		cwg.Wait()

 	}

-	wg.Add(1)

-	cwg.Add(1)

-	go func() {

-		cwg.Done()

-		p := bufPool.Get().(*[]byte)

-		defer bufPool.Put(p)

-		io.CopyBuffer(outw, epollConsole, *p)

-		outw.Close()

-		outr.Close()

-		wg.Done()

-	}()

-	cwg.Wait()

 	return epollConsole, nil

 }

@@ -21,17 +21,22 @@ package shim

 import (

 	"context"

 	"io"

+	"net/url"

+	"os"

 	"sync"

 	"syscall"

 	"github.com/containerd/console"

+	"github.com/containerd/containerd/namespaces"

+	"github.com/containerd/containerd/runtime"

 	"github.com/containerd/fifo"

+	"github.com/pkg/errors"

 )

 type unixPlatform struct {

 }

-func (p *unixPlatform) CopyConsole(ctx context.Context, console console.Console, stdin, stdout, stderr string, wg *sync.WaitGroup) (console.Console, error) {

+func (p *unixPlatform) CopyConsole(ctx context.Context, console console.Console, id, stdin, stdout, stderr string, wg *sync.WaitGroup) (cons console.Console, retErr error) {

 	var cwg sync.WaitGroup

 	if stdin != "" {

 		in, err := fifo.OpenFifo(ctx, stdin, syscall.O_RDONLY, 0)

@@ -47,28 +52,98 @@ func (p *unixPlatform) CopyConsole(ctx context.Context, console console.Console,

 			io.CopyBuffer(console, in, *p)

 		}()

 	}

-	outw, err := fifo.OpenFifo(ctx, stdout, syscall.O_WRONLY, 0)

+	uri, err := url.Parse(stdout)

 	if err != nil {

-		return nil, err

+		return nil, errors.Wrap(err, "unable to parse stdout uri")

 	}

-	outr, err := fifo.OpenFifo(ctx, stdout, syscall.O_RDONLY, 0)

-	if err != nil {

-		return nil, err

+

+	switch uri.Scheme {

+	case "binary":

+		ns, err := namespaces.NamespaceRequired(ctx)

+		if err != nil {

+			return nil, err

+		}

+

+		cmd := runtime.NewBinaryCmd(uri, id, ns)

+

+		// In case of unexpected errors during logging binary start, close open pipes

+		var filesToClose []*os.File

+

+		defer func() {

+			if retErr != nil {

+				runtime.CloseFiles(filesToClose...)

+			}

+		}()

+

+		// Create pipe to be used by logging binary for Stdout

+		outR, outW, err := os.Pipe()

+		if err != nil {

+			return nil, errors.Wrap(err, "failed to create stdout pipes")

+		}

+		filesToClose = append(filesToClose, outR)

+

+		// Stderr is created for logging binary but unused when terminal is true

+		serrR, _, err := os.Pipe()

+		if err != nil {

+			return nil, errors.Wrap(err, "failed to create stderr pipes")

+		}

+		filesToClose = append(filesToClose, serrR)

+

+		r, w, err := os.Pipe()

+		if err != nil {

+			return nil, err

+		}

+		filesToClose = append(filesToClose, r)

+

+		cmd.ExtraFiles = append(cmd.ExtraFiles, outR, serrR, w)

+

+		wg.Add(1)

+		cwg.Add(1)

+		go func() {

+			cwg.Done()

+			io.Copy(outW, console)

+			outW.Close()

+			wg.Done()

+		}()

+

+		if err := cmd.Start(); err != nil {

+			return nil, errors.Wrap(err, "failed to start logging binary process")

+		}

+

+		// Close our side of the pipe after start

+		if err := w.Close(); err != nil {

+			return nil, errors.Wrap(err, "failed to close write pipe after start")

+		}

+

+		// Wait for the logging binary to be ready

+		b := make([]byte, 1)

+		if _, err := r.Read(b); err != nil && err != io.EOF {

+			return nil, errors.Wrap(err, "failed to read from logging binary")

+		}

+		cwg.Wait()

+

+	default:

+		outw, err := fifo.OpenFifo(ctx, stdout, syscall.O_WRONLY, 0)

+		if err != nil {

+			return nil, err

+		}

+		outr, err := fifo.OpenFifo(ctx, stdout, syscall.O_RDONLY, 0)

+		if err != nil {

+			return nil, err

+		}

+		wg.Add(1)

+		cwg.Add(1)

+		go func() {

+			cwg.Done()

+			p := bufPool.Get().(*[]byte)

+			defer bufPool.Put(p)

+			io.CopyBuffer(outw, console, *p)

+			outw.Close()

+			outr.Close()

+			wg.Done()

+		}()

+		cwg.Wait()

 	}

-	wg.Add(1)

-	cwg.Add(1)

-	go func() {

-		cwg.Done()

-		p := bufPool.Get().(*[]byte)

-		defer bufPool.Put(p)

-

-		io.CopyBuffer(outw, console, *p)

-		console.Close()

-		outr.Close()

-		outw.Close()

-		wg.Done()

-	}()

-	cwg.Wait()

 	return console, nil

 }

@@ -1,4 +1,4 @@

-// +build darwin freebsd

+// +build darwin freebsd netbsd

 /*

    Copyright The containerd Authors.

@@ -1,14 +1,14 @@

 github.com/beorn7/perks                             v1.0.1

 github.com/BurntSushi/toml                          v0.3.1

 github.com/cespare/xxhash/v2                        v2.1.1

-github.com/containerd/btrfs                         153935315f4ab9be5bf03650a1341454b05efa5d

-github.com/containerd/cgroups                       318312a373405e5e91134d8063d04d59768a1bff

-github.com/containerd/console                       v1.0.0

+github.com/containerd/btrfs                         404b9149801e455c8076f615b06dc0abee0a977a

+github.com/containerd/cgroups                       0b889c03f102012f1d93a97ddd3ef71cd6f4f510

+github.com/containerd/console                       v1.0.1

 github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165

-github.com/containerd/fifo                          f15a3290365b9d2627d189e619ab4008e0069caf

+github.com/containerd/fifo                          0724c46b320cf96bb172a0550c19a4b1fca4dacb

 github.com/containerd/go-runc                       7016d3ce2328dd2cb1192b2076ebd565c4e8df0c

-github.com/containerd/nri                           0afc7f031eaf9c7d9c1a381b7ab5462e89c998fc

-github.com/containerd/ttrpc                         v1.0.1

+github.com/containerd/nri                           eb1350a75164f76de48e3605389e7a3fbc85d06e

+github.com/containerd/ttrpc                         v1.0.2

 github.com/containerd/typeurl                       v1.0.1

 github.com/coreos/go-systemd/v22                    v22.1.0

 github.com/cpuguy83/go-md2man/v2                    v2.0.0

@@ -26,10 +26,10 @@ github.com/hashicorp/errwrap                        v1.0.0

 github.com/hashicorp/go-multierror                  v1.0.0

 github.com/hashicorp/golang-lru                     v0.5.3

 github.com/imdario/mergo                            v0.3.7

-github.com/konsorten/go-windows-terminal-sequences  v1.0.3

 github.com/matttproud/golang_protobuf_extensions    v1.0.1

 github.com/Microsoft/go-winio                       v0.4.14

-github.com/Microsoft/hcsshim                        v0.8.9

+github.com/Microsoft/hcsshim                        v0.8.10

+github.com/moby/sys                                 symlink/v0.1.0

 github.com/opencontainers/go-digest                 v1.0.0

 github.com/opencontainers/image-spec                v1.0.1

 github.com/opencontainers/runc                      v1.0.0-rc92

@@ -41,14 +41,14 @@ github.com/prometheus/common                        v0.9.1

 github.com/prometheus/procfs                        v0.0.11

 github.com/russross/blackfriday/v2                  v2.0.1

 github.com/shurcooL/sanitized_anchor_name           v1.0.0

-github.com/sirupsen/logrus                          v1.6.0

+github.com/sirupsen/logrus                          v1.7.0

 github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2

 github.com/urfave/cli                               v1.22.1 # NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092

 go.etcd.io/bbolt                                    v1.3.5

 go.opencensus.io                                    v0.22.0

 golang.org/x/net                                    ab34263943818b32f575efc978a3d24e80b04bd7

 golang.org/x/sync                                   42b317875d0fa942474b76e1b46a6060d720ae6e

-golang.org/x/sys                                    ed371f2e16b4b305ee99df548828de367527b76b

+golang.org/x/sys                                    0aaa2718063a42560507fce2cc04508608ca23b3

 golang.org/x/text                                   v0.3.3

 google.golang.org/genproto                          e50cd9704f63023d62cd06a1994b98227fc4d21a

 google.golang.org/grpc                              v1.27.1

@@ -58,9 +58,7 @@ gotest.tools/v3                                     v3.0.2

 github.com/cilium/ebpf                              1c8d4c9ef7759622653a1d319284a44652333b28

 # cri dependencies

-github.com/containerd/cri                           35e623e6bf7512e8c82b8ac6052cb1d720189f28 # master

 github.com/davecgh/go-spew                          v1.1.1

-github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f

 github.com/docker/spdystream                        449fdfce4d962303d702fec724ef0ad181c92528

 github.com/emicklei/go-restful                      v2.9.5

 github.com/go-logr/logr                             v0.2.0

@@ -69,21 +67,24 @@ github.com/json-iterator/go                         v1.1.10

 github.com/modern-go/concurrent                     1.0.3

 github.com/modern-go/reflect2                       v1.0.1

 github.com/opencontainers/selinux                   v1.6.0

+github.com/pmezard/go-difflib                       v1.0.0

+github.com/stretchr/testify                         v1.4.0

 github.com/tchap/go-patricia                        v2.2.6

-github.com/willf/bitset                             d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg

+github.com/willf/bitset                             v1.1.11

 golang.org/x/crypto                                 75b288015ac94e66e3d6715fb68a9b41bf046ec2

 golang.org/x/oauth2                                 858c2ad4c8b6c5d10852cb89079f6ca1c7309787

 golang.org/x/time                                   555d28b269f0569763d25dbe1a237ae74c6bcc82

 gopkg.in/inf.v0                                     v0.9.1

 gopkg.in/yaml.v2                                    v2.2.8

-k8s.io/api                                          v0.19.0-rc.4

-k8s.io/apimachinery                                 v0.19.0-rc.4

-k8s.io/apiserver                                    v0.19.0-rc.4

-k8s.io/client-go                                    v0.19.0-rc.4

-k8s.io/cri-api                                      v0.19.0-rc.4

+k8s.io/api                                          v0.19.4

+k8s.io/apimachinery                                 v0.19.4

+k8s.io/apiserver                                    v0.19.4

+k8s.io/client-go                                    v0.19.4

+k8s.io/component-base                               v0.19.4

+k8s.io/cri-api                                      v0.19.4

 k8s.io/klog/v2                                      v2.2.0

-k8s.io/utils                                        2df71ebbae66f39338aed4cd0bb82d2212ee33cc

-sigs.k8s.io/structured-merge-diff/v3                v3.0.0

+k8s.io/utils                                        d5654de09c73da55eb19ae4ab4f734f7a61747a6

+sigs.k8s.io/structured-merge-diff/v4                v4.0.1