@@ -16,8 +16,8 @@ import (

 	networktypes "github.com/docker/docker/api/types/network"

 	"github.com/docker/docker/daemon/config"

 	"github.com/docker/docker/daemon/container"

+	"github.com/docker/docker/daemon/internal/libcontainerd/local"

 	"github.com/docker/docker/daemon/network"

-	"github.com/docker/docker/libcontainerd/local"

 	"github.com/docker/docker/libcontainerd/remote"

 	"github.com/docker/docker/libnetwork"

 	nwconfig "github.com/docker/docker/libnetwork/config"

new file mode 100644

@@ -0,0 +1,1225 @@

+package local

+

+// This package contains the legacy in-proc calls in HCS using the v1 schema

+// for Windows runtime purposes.

+

+import (

+	"context"

+	"fmt"

+	"io"

+	"os"

+	"path/filepath"

+	"regexp"

+	"runtime"

+	"strings"

+	"sync"

+	"syscall"

+	"time"

+

+	"github.com/Microsoft/hcsshim"

+	containerd "github.com/containerd/containerd/v2/client"

+	"github.com/containerd/containerd/v2/pkg/cio"

+	cerrdefs "github.com/containerd/errdefs"

+	"github.com/containerd/log"

+	"github.com/docker/docker/errdefs"

+	"github.com/docker/docker/libcontainerd/queue"

+	libcontainerdtypes "github.com/docker/docker/libcontainerd/types"

+	"github.com/docker/docker/pkg/system"

+	"github.com/opencontainers/runtime-spec/specs-go"

+	"github.com/pkg/errors"

+	"golang.org/x/sys/windows"

+	"google.golang.org/protobuf/types/known/timestamppb"

+)

+

+type process struct {

+	// mu guards the mutable fields of this struct.

+	//

+	// Always lock mu before ctr's mutex to prevent deadlocks.

+	mu         sync.Mutex

+	id         string                 // Invariants: immutable

+	ctr        *container             // Invariants: immutable, ctr != nil

+	hcsProcess hcsshim.Process        // Is set to nil on process exit

+	exited     *containerd.ExitStatus // Valid iff waitCh is closed

+	waitCh     chan struct{}

+}

+

+type task struct {

+	process

+}

+

+type container struct {

+	mu sync.Mutex

+

+	// The ociSpec is required, as client.Create() needs a spec, but can

+	// be called from the RestartManager context which does not otherwise

+	// have access to the Spec

+	//

+	// A container value with ociSpec == nil represents a container which

+	// has been loaded with (*client).LoadContainer, and is ineligible to

+	// be Start()ed.

+	ociSpec *specs.Spec

+

+	hcsContainer hcsshim.Container // Is set to nil on container delete

+	isPaused     bool

+

+	client           *client

+	id               string

+	terminateInvoked bool

+

+	// task is a reference to the current task for the container. As a

+	// corollary, when task == nil the container has no current task: the

+	// container was never Start()ed or the task was Delete()d.

+	task *task

+}

+

+// defaultOwner is a tag passed to HCS to allow it to differentiate between

+// container creator management stacks. We hard code "docker" in the case

+// of docker.

+const defaultOwner = "docker"

+

+type client struct {

+	backend libcontainerdtypes.Backend

+	logger  *log.Entry

+	eventQ  queue.Queue

+}

+

+// NewClient creates a new local executor for windows

+func NewClient(ctx context.Context, b libcontainerdtypes.Backend) (libcontainerdtypes.Client, error) {

+	return &client{

+		backend: b,

+		logger:  log.G(ctx).WithField("module", "libcontainerd"),

+	}, nil

+}

+

+func (c *client) Version(ctx context.Context) (containerd.Version, error) {

+	return containerd.Version{}, errors.New("not implemented on Windows")

+}

+

+// NewContainer is the entrypoint to create a container from a spec.

+// Table below shows the fields required for HCS JSON calling parameters,

+// where if not populated, is omitted.

+// +-----------------+--------------------------------------------+---------------------------------------------------+

+// |                 | Isolation=Process                          | Isolation=Hyper-V                                 |

+// +-----------------+--------------------------------------------+---------------------------------------------------+

+// | VolumePath      | \\?\\Volume{GUIDa}                         |                                                   |

+// | LayerFolderPath | %root%\windowsfilter\containerID           |                                                   |

+// | Layers[]        | ID=GUIDb;Path=%root%\windowsfilter\layerID | ID=GUIDb;Path=%root%\windowsfilter\layerID        |

+// | HvRuntime       |                                            | ImagePath=%root%\BaseLayerID\UtilityVM            |

+// +-----------------+--------------------------------------------+---------------------------------------------------+

+//

+// Isolation=Process example:

+//

+//	{

+//		"SystemType": "Container",

+//		"Name": "5e0055c814a6005b8e57ac59f9a522066e0af12b48b3c26a9416e23907698776",

+//		"Owner": "docker",

+//		"VolumePath": "\\\\\\\\?\\\\Volume{66d1ef4c-7a00-11e6-8948-00155ddbef9d}",

+//		"IgnoreFlushesDuringBoot": true,

+//		"LayerFolderPath": "C:\\\\control\\\\windowsfilter\\\\5e0055c814a6005b8e57ac59f9a522066e0af12b48b3c26a9416e23907698776",

+//		"Layers": [{

+//			"ID": "18955d65-d45a-557b-bf1c-49d6dfefc526",

+//			"Path": "C:\\\\control\\\\windowsfilter\\\\65bf96e5760a09edf1790cb229e2dfb2dbd0fcdc0bf7451bae099106bfbfea0c"

+//		}],

+//		"HostName": "5e0055c814a6",

+//		"MappedDirectories": [],

+//		"HvPartition": false,

+//		"EndpointList": ["eef2649d-bb17-4d53-9937-295a8efe6f2c"],

+//	}

+//

+// Isolation=Hyper-V example:

+//

+//	{

+//		"SystemType": "Container",

+//		"Name": "475c2c58933b72687a88a441e7e0ca4bd72d76413c5f9d5031fee83b98f6045d",

+//		"Owner": "docker",

+//		"IgnoreFlushesDuringBoot": true,

+//		"Layers": [{

+//			"ID": "18955d65-d45a-557b-bf1c-49d6dfefc526",

+//			"Path": "C:\\\\control\\\\windowsfilter\\\\65bf96e5760a09edf1790cb229e2dfb2dbd0fcdc0bf7451bae099106bfbfea0c"

+//		}],

+//		"HostName": "475c2c58933b",

+//		"MappedDirectories": [],

+//		"HvPartition": true,

+//		"EndpointList": ["e1bb1e61-d56f-405e-b75d-fd520cefa0cb"],

+//		"DNSSearchList": "a.com,b.com,c.com",

+//		"HvRuntime": {

+//			"ImagePath": "C:\\\\control\\\\windowsfilter\\\\65bf96e5760a09edf1790cb229e2dfb2dbd0fcdc0bf7451bae099106bfbfea0c\\\\UtilityVM"

+//		},

+//	}

+func (c *client) NewContainer(_ context.Context, id string, spec *specs.Spec, _ string, _ interface{}, _ ...containerd.NewContainerOpts) (libcontainerdtypes.Container, error) {

+	if spec.Linux != nil {

+		return nil, errors.New("linux containers are not supported on this platform")

+	}

+	ctr, err := c.createWindows(id, spec)

+	if err != nil {

+		return nil, err

+	}

+

+	c.eventQ.Append(id, func() {

+		c.logger.WithFields(log.Fields{

+			"container": id,

+			"event":     libcontainerdtypes.EventCreate,

+		}).Info("sending event")

+

+		err := c.backend.ProcessEvent(id, libcontainerdtypes.EventCreate, libcontainerdtypes.EventInfo{

+			ContainerID: id,

+		})

+		if err != nil {

+			c.logger.WithFields(log.Fields{

+				"container": id,

+				"event":     libcontainerdtypes.EventCreate,

+				"error":     err,

+			}).Error("failed to process event")

+		}

+	})

+	return ctr, nil

+}

+

+func (c *client) createWindows(id string, spec *specs.Spec) (*container, error) {

+	logger := c.logger.WithField("container", id)

+	configuration := &hcsshim.ContainerConfig{

+		SystemType:              "Container",

+		Name:                    id,

+		Owner:                   defaultOwner,

+		IgnoreFlushesDuringBoot: spec.Windows.IgnoreFlushesDuringBoot,

+		HostName:                spec.Hostname,

+		HvPartition:             false,

+	}

+

+	c.extractResourcesFromSpec(spec, configuration)

+

+	if spec.Windows.Resources != nil {

+		if spec.Windows.Resources.Storage != nil {

+			if spec.Windows.Resources.Storage.Bps != nil {

+				configuration.StorageBandwidthMaximum = *spec.Windows.Resources.Storage.Bps

+			}

+			if spec.Windows.Resources.Storage.Iops != nil {

+				configuration.StorageIOPSMaximum = *spec.Windows.Resources.Storage.Iops

+			}

+		}

+	}

+

+	if spec.Windows.HyperV != nil {

+		configuration.HvPartition = true

+	}

+

+	if spec.Windows.Network != nil {

+		configuration.EndpointList = spec.Windows.Network.EndpointList

+		configuration.AllowUnqualifiedDNSQuery = spec.Windows.Network.AllowUnqualifiedDNSQuery

+		if spec.Windows.Network.DNSSearchList != nil {

+			configuration.DNSSearchList = strings.Join(spec.Windows.Network.DNSSearchList, ",")

+		}

+		configuration.NetworkSharedContainerName = spec.Windows.Network.NetworkSharedContainerName

+	}

+

+	if cs, ok := spec.Windows.CredentialSpec.(string); ok {

+		configuration.Credentials = cs

+	}

+

+	// We must have least two layers in the spec, the bottom one being a

+	// base image, the top one being the RW layer.

+	if spec.Windows.LayerFolders == nil || len(spec.Windows.LayerFolders) < 2 {

+		return nil, fmt.Errorf("OCI spec is invalid - at least two LayerFolders must be supplied to the runtime")

+	}

+

+	// Strip off the top-most layer as that's passed in separately to HCS

+	configuration.LayerFolderPath = spec.Windows.LayerFolders[len(spec.Windows.LayerFolders)-1]

+	layerFolders := spec.Windows.LayerFolders[:len(spec.Windows.LayerFolders)-1]

+

+	if configuration.HvPartition {

+		// We don't currently support setting the utility VM image explicitly.

+		// TODO circa RS5, this may be re-locatable.

+		if spec.Windows.HyperV.UtilityVMPath != "" {

+			return nil, errors.New("runtime does not support an explicit utility VM path for Hyper-V containers")

+		}

+

+		// Find the upper-most utility VM image.

+		var uvmImagePath string

+		for _, path := range layerFolders {

+			fullPath := filepath.Join(path, "UtilityVM")

+			_, err := os.Stat(fullPath)

+			if err == nil {

+				uvmImagePath = fullPath

+				break

+			}

+			if !os.IsNotExist(err) {

+				return nil, err

+			}

+		}

+		if uvmImagePath == "" {

+			return nil, errors.New("utility VM image could not be found")

+		}

+		configuration.HvRuntime = &hcsshim.HvRuntime{ImagePath: uvmImagePath}

+

+		if spec.Root.Path != "" {

+			return nil, errors.New("OCI spec is invalid - Root.Path must be omitted for a Hyper-V container")

+		}

+	} else {

+		const volumeGUIDRegex = `^\\\\\?\\(Volume)\{{0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}\}\\$`

+		if _, err := regexp.MatchString(volumeGUIDRegex, spec.Root.Path); err != nil {

+			return nil, fmt.Errorf(`OCI spec is invalid - Root.Path '%s' must be a volume GUID path in the format '\\?\Volume{GUID}\'`, spec.Root.Path)

+		}

+		// HCS API requires the trailing backslash to be removed

+		configuration.VolumePath = spec.Root.Path[:len(spec.Root.Path)-1]

+	}

+

+	if spec.Root.Readonly {

+		return nil, errors.New(`OCI spec is invalid - Root.Readonly must not be set on Windows`)

+	}

+

+	for _, layerPath := range layerFolders {

+		_, filename := filepath.Split(layerPath)

+		g, err := hcsshim.NameToGuid(filename)

+		if err != nil {

+			return nil, err

+		}

+		configuration.Layers = append(configuration.Layers, hcsshim.Layer{

+			ID:   g.ToString(),

+			Path: layerPath,

+		})

+	}

+

+	// Add the mounts (volumes, bind mounts etc) to the structure

+	var mds []hcsshim.MappedDir

+	var mps []hcsshim.MappedPipe

+	for _, mount := range spec.Mounts {

+		const pipePrefix = `\\.\pipe\`

+		if mount.Type != "" {

+			return nil, fmt.Errorf("OCI spec is invalid - Mount.Type '%s' must not be set", mount.Type)

+		}

+		if strings.HasPrefix(mount.Destination, pipePrefix) {

+			mp := hcsshim.MappedPipe{

+				HostPath:          mount.Source,

+				ContainerPipeName: mount.Destination[len(pipePrefix):],

+			}

+			mps = append(mps, mp)

+		} else {

+			md := hcsshim.MappedDir{

+				HostPath:      mount.Source,

+				ContainerPath: mount.Destination,

+				ReadOnly:      false,

+			}

+			for _, o := range mount.Options {

+				if strings.ToLower(o) == "ro" {

+					md.ReadOnly = true

+				}

+			}

+			mds = append(mds, md)

+		}

+	}

+	configuration.MappedDirectories = mds

+	configuration.MappedPipes = mps

+

+	if len(spec.Windows.Devices) > 0 {

+		// Add any device assignments

+		if configuration.HvPartition {

+			return nil, errors.New("device assignment is not supported for HyperV containers")

+		}

+		for _, d := range spec.Windows.Devices {

+			// Per https://github.com/microsoft/hcsshim/blob/v0.9.2/internal/uvm/virtual_device.go#L17-L18,

+			// these represent an Interface Class GUID.

+			if d.IDType != "class" && d.IDType != "vpci-class-guid" {

+				return nil, errors.Errorf("device assignment of type '%s' is not supported", d.IDType)

+			}

+			configuration.AssignedDevices = append(configuration.AssignedDevices, hcsshim.AssignedDevice{InterfaceClassGUID: d.ID})

+		}

+	}

+

+	hcsContainer, err := hcsshim.CreateContainer(id, configuration)

+	if err != nil {

+		return nil, err

+	}

+

+	// Construct a container object for calling start on it.

+	ctr := &container{

+		client:       c,

+		id:           id,

+		ociSpec:      spec,

+		hcsContainer: hcsContainer,

+	}

+

+	logger.Debug("starting container")

+	if err := ctr.hcsContainer.Start(); err != nil {

+		logger.WithError(err).Error("failed to start container")

+		ctr.mu.Lock()

+		if err := ctr.terminateContainer(); err != nil {

+			logger.WithError(err).Error("failed to cleanup after a failed Start")

+		} else {

+			logger.Debug("cleaned up after failed Start by calling Terminate")

+		}

+		ctr.mu.Unlock()

+		return nil, err

+	}

+

+	logger.Debug("createWindows() completed successfully")

+	return ctr, nil

+}

+

+func (c *client) extractResourcesFromSpec(spec *specs.Spec, configuration *hcsshim.ContainerConfig) {

+	if spec.Windows.Resources == nil {

+		return

+	}

+	if spec.Windows.Resources.CPU != nil {

+		if spec.Windows.Resources.CPU.Count != nil {

+			// This check is being done here rather than in adaptContainerSettings

+			// because we don't want to update the HostConfig in case this container

+			// is moved to a host with more CPUs than this one.

+			cpuCount := *spec.Windows.Resources.CPU.Count

+			hostCPUCount := uint64(runtime.NumCPU())

+			if cpuCount > hostCPUCount {

+				c.logger.Warnf("Changing requested CPUCount of %d to current number of processors, %d", cpuCount, hostCPUCount)

+				cpuCount = hostCPUCount

+			}

+			configuration.ProcessorCount = uint32(cpuCount)

+		}

+		if spec.Windows.Resources.CPU.Shares != nil {

+			configuration.ProcessorWeight = uint64(*spec.Windows.Resources.CPU.Shares)

+		}

+		if spec.Windows.Resources.CPU.Maximum != nil {

+			configuration.ProcessorMaximum = int64(*spec.Windows.Resources.CPU.Maximum)

+		}

+	}

+	if spec.Windows.Resources.Memory != nil {

+		if spec.Windows.Resources.Memory.Limit != nil {

+			configuration.MemoryMaximumInMB = int64(*spec.Windows.Resources.Memory.Limit) / 1024 / 1024

+		}

+	}

+}

+

+func (ctr *container) NewTask(_ context.Context, _ string, withStdin bool, attachStdio libcontainerdtypes.StdioCallback) (_ libcontainerdtypes.Task, retErr error) {

+	ctr.mu.Lock()

+	defer ctr.mu.Unlock()

+

+	switch {

+	case ctr.ociSpec == nil:

+		return nil, errors.WithStack(errdefs.NotImplemented(errors.New("a restored container cannot be started")))

+	case ctr.task != nil:

+		return nil, errors.WithStack(errdefs.NotModified(cerrdefs.ErrAlreadyExists))

+	}

+

+	logger := ctr.client.logger.WithField("container", ctr.id)

+

+	// Note we always tell HCS to create stdout as it's required

+	// regardless of '-i' or '-t' options, so that docker can always grab

+	// the output through logs. We also tell HCS to always create stdin,

+	// even if it's not used - it will be closed shortly. Stderr is only

+	// created if it we're not -t.

+	var (

+		emulateConsole   bool

+		createStdErrPipe bool

+	)

+	if ctr.ociSpec.Process != nil {

+		emulateConsole = ctr.ociSpec.Process.Terminal

+		createStdErrPipe = !ctr.ociSpec.Process.Terminal

+	}

+

+	createProcessParms := &hcsshim.ProcessConfig{

+		EmulateConsole:   emulateConsole,

+		WorkingDirectory: ctr.ociSpec.Process.Cwd,

+		CreateStdInPipe:  true,

+		CreateStdOutPipe: true,

+		CreateStdErrPipe: createStdErrPipe,

+	}

+

+	if ctr.ociSpec.Process != nil && ctr.ociSpec.Process.ConsoleSize != nil {

+		createProcessParms.ConsoleSize[0] = uint(ctr.ociSpec.Process.ConsoleSize.Height)

+		createProcessParms.ConsoleSize[1] = uint(ctr.ociSpec.Process.ConsoleSize.Width)

+	}

+

+	// Configure the environment for the process

+	createProcessParms.Environment = setupEnvironmentVariables(ctr.ociSpec.Process.Env)

+

+	// Configure the CommandLine/CommandArgs

+	setCommandLineAndArgs(ctr.ociSpec.Process, createProcessParms)

+	logger.Debugf("start commandLine: %s", createProcessParms.CommandLine)

+

+	createProcessParms.User = ctr.ociSpec.Process.User.Username

+

+	// Start the command running in the container.

+	newProcess, err := ctr.hcsContainer.CreateProcess(createProcessParms)

+	if err != nil {

+		logger.WithError(err).Error("CreateProcess() failed")

+		return nil, err

+	}

+

+	defer func() {

+		if retErr != nil {

+			if err := newProcess.Kill(); err != nil {

+				logger.WithError(err).Error("failed to kill process")

+			}

+			go func() {

+				if err := newProcess.Wait(); err != nil {

+					logger.WithError(err).Error("failed to wait for process")

+				}

+				if err := newProcess.Close(); err != nil {

+					logger.WithError(err).Error("failed to clean process resources")

+				}

+			}()

+		}

+	}()

+

+	pid := newProcess.Pid()

+	logger.WithField("pid", pid).Debug("init process started")

+

+	dio, err := newIOFromProcess(newProcess, ctr.ociSpec.Process.Terminal)

+	if err != nil {

+		logger.WithError(err).Error("failed to get stdio pipes")

+		return nil, err

+	}

+	_, err = attachStdio(dio)

+	if err != nil {

+		logger.WithError(err).Error("failed to attach stdio")

+		return nil, err

+	}

+

+	t := &task{process{

+		id:         ctr.id,

+		ctr:        ctr,

+		hcsProcess: newProcess,

+		waitCh:     make(chan struct{}),

+	}}

+

+	// All fallible operations have succeeded so it is now safe to set the

+	// container's current task.

+	ctr.task = t

+

+	// Spin up a goroutine to notify the backend and clean up resources when

+	// the task exits. Defer until after the start event is sent so that the

+	// exit event is not sent out-of-order.

+	defer func() { go t.reap() }()

+

+	// Generate the associated event

+	ctr.client.eventQ.Append(ctr.id, func() {

+		ei := libcontainerdtypes.EventInfo{

+			ContainerID: ctr.id,

+			ProcessID:   t.id,

+			Pid:         uint32(pid),

+		}

+		ctr.client.logger.WithFields(log.Fields{

+			"container":  ctr.id,

+			"event":      libcontainerdtypes.EventStart,

+			"event-info": ei,

+		}).Info("sending event")

+		err := ctr.client.backend.ProcessEvent(ei.ContainerID, libcontainerdtypes.EventStart, ei)

+		if err != nil {

+			ctr.client.logger.WithError(err).WithFields(log.Fields{

+				"container":  ei.ContainerID,

+				"event":      libcontainerdtypes.EventStart,

+				"event-info": ei,

+			}).Error("failed to process event")

+		}

+	})

+	logger.Debug("start() completed")

+	return t, nil

+}

+

+func (*task) Start(context.Context) error {

+	// No-op on Windows.

+	return nil

+}

+

+func (ctr *container) Task(context.Context) (libcontainerdtypes.Task, error) {

+	ctr.mu.Lock()

+	defer ctr.mu.Unlock()

+	if ctr.task == nil {

+		return nil, errdefs.NotFound(cerrdefs.ErrNotFound)

+	}

+	return ctr.task, nil

+}

+

+// setCommandLineAndArgs configures the HCS ProcessConfig based on an OCI process spec

+func setCommandLineAndArgs(process *specs.Process, createProcessParms *hcsshim.ProcessConfig) {

+	if process.CommandLine != "" {

+		createProcessParms.CommandLine = process.CommandLine

+	} else {

+		createProcessParms.CommandLine = system.EscapeArgs(process.Args)

+	}

+}

+

+func newIOFromProcess(newProcess hcsshim.Process, terminal bool) (*cio.DirectIO, error) {

+	stdin, stdout, stderr, err := newProcess.Stdio()

+	if err != nil {

+		return nil, err

+	}

+

+	dio := cio.NewDirectIO(createStdInCloser(stdin, newProcess), nil, nil, terminal)

+

+	// Convert io.ReadClosers to io.Readers

+	if stdout != nil {

+		dio.Stdout = io.NopCloser(&autoClosingReader{ReadCloser: stdout})

+	}

+	if stderr != nil {

+		dio.Stderr = io.NopCloser(&autoClosingReader{ReadCloser: stderr})

+	}

+	return dio, nil

+}

+

+// Exec launches a process in a running container.

+//

+// The processID argument is entirely informational. As there is no mechanism

+// (exposed through the libcontainerd interfaces) to enumerate or reference an

+// exec'd process by ID, uniqueness is not currently enforced.

+func (t *task) Exec(ctx context.Context, processID string, spec *specs.Process, withStdin bool, attachStdio libcontainerdtypes.StdioCallback) (_ libcontainerdtypes.Process, retErr error) {

+	hcsContainer, err := t.getHCSContainer()

+	if err != nil {

+		return nil, err

+	}

+	logger := t.ctr.client.logger.WithFields(log.Fields{

+		"container": t.ctr.id,

+		"exec":      processID,

+	})

+

+	// Note we always tell HCS to

+	// create stdout as it's required regardless of '-i' or '-t' options, so that

+	// docker can always grab the output through logs. We also tell HCS to always

+	// create stdin, even if it's not used - it will be closed shortly. Stderr

+	// is only created if it we're not -t.

+	createProcessParms := &hcsshim.ProcessConfig{

+		CreateStdInPipe:  true,

+		CreateStdOutPipe: true,

+		CreateStdErrPipe: !spec.Terminal,

+	}

+	if spec.Terminal {

+		createProcessParms.EmulateConsole = true

+		if spec.ConsoleSize != nil {

+			createProcessParms.ConsoleSize[0] = uint(spec.ConsoleSize.Height)

+			createProcessParms.ConsoleSize[1] = uint(spec.ConsoleSize.Width)

+		}

+	}

+

+	// Take working directory from the process to add if it is defined,

+	// otherwise take from the first process.

+	if spec.Cwd != "" {

+		createProcessParms.WorkingDirectory = spec.Cwd

+	} else {

+		createProcessParms.WorkingDirectory = t.ctr.ociSpec.Process.Cwd

+	}

+

+	// Configure the environment for the process

+	createProcessParms.Environment = setupEnvironmentVariables(spec.Env)

+

+	// Configure the CommandLine/CommandArgs

+	setCommandLineAndArgs(spec, createProcessParms)

+	logger.Debugf("exec commandLine: %s", createProcessParms.CommandLine)

+

+	createProcessParms.User = spec.User.Username

+

+	// Start the command running in the container.

+	newProcess, err := hcsContainer.CreateProcess(createProcessParms)

+	if err != nil {

+		logger.WithError(err).Errorf("exec's CreateProcess() failed")

+		return nil, err

+	}

+	defer func() {

+		if retErr != nil {

+			if err := newProcess.Kill(); err != nil {

+				logger.WithError(err).Error("failed to kill process")

+			}

+			go func() {

+				if err := newProcess.Wait(); err != nil {

+					logger.WithError(err).Error("failed to wait for process")

+				}

+				if err := newProcess.Close(); err != nil {

+					logger.WithError(err).Error("failed to clean process resources")

+				}

+			}()

+		}

+	}()

+

+	dio, err := newIOFromProcess(newProcess, spec.Terminal)

+	if err != nil {

+		logger.WithError(err).Error("failed to get stdio pipes")

+		return nil, err

+	}

+	// Tell the engine to attach streams back to the client

+	_, err = attachStdio(dio)

+	if err != nil {

+		return nil, err

+	}

+

+	p := &process{

+		id:         processID,

+		ctr:        t.ctr,

+		hcsProcess: newProcess,

+		waitCh:     make(chan struct{}),

+	}

+

+	// Spin up a goroutine to notify the backend and clean up resources when

+	// the process exits. Defer until after the start event is sent so that

+	// the exit event is not sent out-of-order.

+	defer func() { go p.reap() }()

+

+	pid := newProcess.Pid()

+	t.ctr.client.eventQ.Append(t.ctr.id, func() {

+		ei := libcontainerdtypes.EventInfo{

+			ContainerID: t.ctr.id,

+			ProcessID:   p.id,

+			Pid:         uint32(pid),

+		}

+		t.ctr.client.logger.WithFields(log.Fields{

+			"container":  t.ctr.id,

+			"event":      libcontainerdtypes.EventExecAdded,

+			"event-info": ei,

+		}).Info("sending event")

+		err := t.ctr.client.backend.ProcessEvent(t.ctr.id, libcontainerdtypes.EventExecAdded, ei)

+		if err != nil {

+			t.ctr.client.logger.WithError(err).WithFields(log.Fields{

+				"container":  t.ctr.id,

+				"event":      libcontainerdtypes.EventExecAdded,

+				"event-info": ei,

+			}).Error("failed to process event")

+		}

+		err = t.ctr.client.backend.ProcessEvent(t.ctr.id, libcontainerdtypes.EventExecStarted, ei)

+		if err != nil {

+			t.ctr.client.logger.WithError(err).WithFields(log.Fields{

+				"container":  t.ctr.id,

+				"event":      libcontainerdtypes.EventExecStarted,

+				"event-info": ei,

+			}).Error("failed to process event")

+		}

+	})

+

+	return p, nil

+}

+

+func (p *process) Pid() uint32 {

+	p.mu.Lock()

+	hcsProcess := p.hcsProcess

+	p.mu.Unlock()

+	if hcsProcess == nil {

+		return 0

+	}

+	return uint32(hcsProcess.Pid())

+}

+

+func (p *process) Kill(_ context.Context, signal syscall.Signal) error {

+	p.mu.Lock()

+	hcsProcess := p.hcsProcess

+	p.mu.Unlock()

+	if hcsProcess == nil {

+		return errors.WithStack(errdefs.NotFound(errors.New("process not found")))

+	}

+	return hcsProcess.Kill()

+}

+

+// Kill handles `docker stop` on Windows. While Linux has support for

+// the full range of signals, signals aren't really implemented on Windows.

+// We fake supporting regular stop and -9 to force kill.

+func (t *task) Kill(_ context.Context, signal syscall.Signal) error {

+	hcsContainer, err := t.getHCSContainer()

+	if err != nil {

+		return err

+	}

+

+	logger := t.ctr.client.logger.WithFields(log.Fields{

+		"container": t.ctr.id,

+		"process":   t.id,

+		"pid":       t.Pid(),

+		"signal":    signal,

+	})

+	logger.Debug("Signal()")

+

+	var op string

+	if signal == syscall.SIGKILL {

+		// Terminate the compute system

+		t.ctr.mu.Lock()

+		t.ctr.terminateInvoked = true

+		t.ctr.mu.Unlock()

+		op, err = "terminate", hcsContainer.Terminate()

+	} else {

+		// Shut down the container

+		op, err = "shutdown", hcsContainer.Shutdown()

+	}

+	if err != nil {

+		if !hcsshim.IsPending(err) && !hcsshim.IsAlreadyStopped(err) {

+			// ignore errors

+			logger.WithError(err).Errorf("failed to %s hccshim container", op)

+		}

+	}

+

+	return nil

+}

+

+// Resize handles a CLI event to resize an interactive docker run or docker

+// exec window.

+func (p *process) Resize(_ context.Context, width, height uint32) error {

+	p.mu.Lock()

+	hcsProcess := p.hcsProcess

+	p.mu.Unlock()

+	if hcsProcess == nil {

+		return errors.WithStack(errdefs.NotFound(errors.New("process not found")))

+	}

+

+	p.ctr.client.logger.WithFields(log.Fields{

+		"container": p.ctr.id,

+		"process":   p.id,

+		"height":    height,

+		"width":     width,

+		"pid":       hcsProcess.Pid(),

+	}).Debug("resizing")

+	return hcsProcess.ResizeConsole(uint16(width), uint16(height))

+}

+

+func (p *process) CloseStdin(context.Context) error {

+	p.mu.Lock()

+	hcsProcess := p.hcsProcess

+	p.mu.Unlock()

+	if hcsProcess == nil {

+		return errors.WithStack(errdefs.NotFound(errors.New("process not found")))

+	}

+

+	return hcsProcess.CloseStdin()

+}

+

+// Pause handles pause requests for containers

+func (t *task) Pause(_ context.Context) error {

+	if t.ctr.ociSpec.Windows.HyperV == nil {

+		return errdefs.NotImplemented(errors.WithStack(errors.New("not implemented for containers using process isolation")))

+	}

+

+	t.ctr.mu.Lock()

+	defer t.ctr.mu.Unlock()

+

+	if err := t.assertIsCurrentTask(); err != nil {

+		return err

+	}

+	if t.ctr.hcsContainer == nil {

+		return errdefs.NotFound(errors.WithStack(fmt.Errorf("container %q not found", t.ctr.id)))

+	}

+	if err := t.ctr.hcsContainer.Pause(); err != nil {

+		return err

+	}

+

+	t.ctr.isPaused = true

+

+	t.ctr.client.eventQ.Append(t.ctr.id, func() {

+		err := t.ctr.client.backend.ProcessEvent(t.ctr.id, libcontainerdtypes.EventPaused, libcontainerdtypes.EventInfo{

+			ContainerID: t.ctr.id,

+			ProcessID:   t.id,

+		})

+		t.ctr.client.logger.WithFields(log.Fields{

+			"container": t.ctr.id,

+			"event":     libcontainerdtypes.EventPaused,

+		}).Info("sending event")

+		if err != nil {

+			t.ctr.client.logger.WithError(err).WithFields(log.Fields{

+				"container": t.ctr.id,

+				"event":     libcontainerdtypes.EventPaused,

+			}).Error("failed to process event")

+		}

+	})

+

+	return nil

+}

+

+// Resume handles resume requests for containers

+func (t *task) Resume(ctx context.Context) error {

+	if t.ctr.ociSpec.Windows.HyperV == nil {

+		return errors.New("cannot resume Windows Server Containers")

+	}

+

+	t.ctr.mu.Lock()

+	defer t.ctr.mu.Unlock()

+

+	if err := t.assertIsCurrentTask(); err != nil {

+		return err

+	}

+	if t.ctr.hcsContainer == nil {

+		return errdefs.NotFound(errors.WithStack(fmt.Errorf("container %q not found", t.ctr.id)))

+	}

+	if err := t.ctr.hcsContainer.Resume(); err != nil {

+		return err

+	}

+

+	t.ctr.isPaused = false

+

+	t.ctr.client.eventQ.Append(t.ctr.id, func() {

+		err := t.ctr.client.backend.ProcessEvent(t.ctr.id, libcontainerdtypes.EventResumed, libcontainerdtypes.EventInfo{

+			ContainerID: t.ctr.id,

+			ProcessID:   t.id,

+		})

+		t.ctr.client.logger.WithFields(log.Fields{

+			"container": t.ctr.id,

+			"event":     libcontainerdtypes.EventResumed,

+		}).Info("sending event")

+		if err != nil {

+			t.ctr.client.logger.WithError(err).WithFields(log.Fields{

+				"container": t.ctr.id,

+				"event":     libcontainerdtypes.EventResumed,

+			}).Error("failed to process event")

+		}

+	})

+

+	return nil

+}

+

+// Stats handles stats requests for containers

+func (t *task) Stats(_ context.Context) (*libcontainerdtypes.Stats, error) {

+	hc, err := t.getHCSContainer()

+	if err != nil {

+		return nil, err

+	}

+

+	readAt := time.Now()

+	s, err := hc.Statistics()

+	if err != nil {

+		return nil, err