@@ -122,8 +122,8 @@ github.com/googleapis/gax-go                        317e0006254c44a0ac427cc52a0e

 google.golang.org/genproto                          3f1135a288c9a07e340ae8ba4cc6c7065a3160e8

 # containerd

-github.com/containerd/containerd                    c80284d4b5291a351bb471bcdabb5c1d95e7a583 # master / v1.4.0-dev

-github.com/containerd/fifo                          ff969a566b00877c63489baf6e8c35d60af6142c

+github.com/containerd/containerd                    779ef60231a555f7eb9ba82b052d59b69ca2ef10 # master / v1.4.0-beta.1-150-g779ef602

+github.com/containerd/fifo                          f15a3290365b9d2627d189e619ab4008e0069caf

 github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165

 github.com/containerd/cgroups                       318312a373405e5e91134d8063d04d59768a1bff

 github.com/containerd/console                       8375c3424e4d7b114e8a90a4a40c8e1b40d1d4e6 # v1.0.0

@@ -154,7 +154,7 @@ Taking a container object and turning it into a runnable process on a system is

 ```go

 // create a new task

-task, err := redis.NewTask(context, cio.Stdio)

+task, err := redis.NewTask(context, cio.NewCreator(cio.WithStdio))

 defer task.Delete(context)

 // the task is now running and has a pid that can be use to setup networking

@@ -184,7 +184,7 @@ checkpoint, err := client.Pull(context, "myregistry/checkpoints/redis:master")

 redis, err = client.NewContainer(context, "redis-master", containerd.WithNewSnapshot("redis-rootfs", checkpoint))

 defer container.Delete(context)

-task, err = redis.NewTask(context, cio.Stdio, containerd.WithTaskCheckpoint(checkpoint))

+task, err = redis.NewTask(context, cio.NewCreator(cio.WithStdio), containerd.WithTaskCheckpoint(checkpoint))

 defer task.Delete(context)

 err := task.Start(context)

@@ -245,19 +245,11 @@ func LogURI(uri *url.URL) Creator {

 // BinaryIO forwards container STDOUT|STDERR directly to a logging binary

 func BinaryIO(binary string, args map[string]string) Creator {

 	return func(_ string) (IO, error) {

-		binary = filepath.Clean(binary)

-		if !strings.HasPrefix(binary, "/") {

-			return nil, errors.New("absolute path needed")

-		}

-		uri := &url.URL{

-			Scheme: "binary",

-			Path:   binary,

-		}

-		q := uri.Query()

-		for k, v := range args {

-			q.Set(k, v)

+		uri, err := LogURIGenerator("binary", binary, args)

+		if err != nil {

+			return nil, err

 		}

-		uri.RawQuery = q.Encode()

+

 		res := uri.String()

 		return &logURI{

 			config: Config{

@@ -272,14 +264,11 @@ func BinaryIO(binary string, args map[string]string) Creator {

 // If the log file already exists, the logs will be appended to the file.

 func LogFile(path string) Creator {

 	return func(_ string) (IO, error) {

-		path = filepath.Clean(path)

-		if !strings.HasPrefix(path, "/") {

-			return nil, errors.New("absolute path needed")

-		}

-		uri := &url.URL{

-			Scheme: "file",

-			Path:   path,

+		uri, err := LogURIGenerator("file", path, nil)

+		if err != nil {

+			return nil, err

 		}

+

 		res := uri.String()

 		return &logURI{

 			config: Config{

@@ -290,6 +279,30 @@ func LogFile(path string) Creator {

 	}

 }

+// LogURIGenerator is the helper to generate log uri with specific scheme.

+func LogURIGenerator(scheme string, path string, args map[string]string) (*url.URL, error) {

+	path = filepath.Clean(path)

+	if !strings.HasPrefix(path, "/") {

+		return nil, errors.New("absolute path needed")

+	}

+

+	uri := &url.URL{

+		Scheme: scheme,

+		Path:   path,

+	}

+

+	if len(args) == 0 {

+		return uri, nil

+	}

+

+	q := uri.Query()

+	for k, v := range args {

+		q.Set(k, v)

+	}

+	uri.RawQuery = q.Encode()

+	return uri, nil

+}

+

 type logURI struct {

 	config Config

 }

@@ -132,7 +132,7 @@ func openFifos(ctx context.Context, fifos *FIFOSet) (pipes, error) {

 			}

 		}()

 	}

-	if fifos.Stderr != "" {

+	if !fifos.Terminal && fifos.Stderr != "" {

 		if f.Stderr, err = fifo.OpenFifo(ctx, fifos.Stderr, syscall.O_RDONLY|syscall.O_CREAT|syscall.O_NONBLOCK, 0700); err != nil {

 			return f, errors.Wrapf(err, "failed to open stderr fifo")

 		}

@@ -351,6 +351,10 @@ type RemoteContext struct {

 	// AllMetadata downloads all manifests and known-configuration files

 	AllMetadata bool

+

+	// ChildLabelMap sets the labels used to reference child objects in the content

+	// store. By default, all GC reference labels will be set for all fetched content.

+	ChildLabelMap func(ocispec.Descriptor) []string

 }

 func defaultRemoteContext() *RemoteContext {

@@ -23,6 +23,7 @@ import (

 	"github.com/containerd/containerd/platforms"

 	"github.com/containerd/containerd/remotes"

 	"github.com/containerd/containerd/snapshots"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 	"google.golang.org/grpc"

 )

@@ -175,6 +176,18 @@ func WithPullLabels(labels map[string]string) RemoteOpt {

 	}

 }

+// WithChildLabelMap sets the map function used to define the labels set

+// on referenced child content in the content store. This can be used

+// to overwrite the default GC labels or filter which labels get set

+// for content.

+// The default is `images.ChildGCLabels`.

+func WithChildLabelMap(fn func(ocispec.Descriptor) []string) RemoteOpt {

+	return func(_ *Client, c *RemoteContext) error {

+		c.ChildLabelMap = fn

+		return nil

+	}

+}

+

 // WithSchema1Conversion is used to convert Docker registry schema 1

 // manifests to oci manifests on pull. Without this option schema 1

 // manifests will return a not supported error.

@@ -290,6 +290,7 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N

 		client: c.client,

 		io:     i,

 		id:     c.id,

+		c:      c,

 	}

 	if info.Checkpoint != nil {

 		request.Checkpoint = info.Checkpoint

@@ -407,6 +408,7 @@ func (c *container) loadTask(ctx context.Context, ioAttach cio.Attach) (Task, er

 		io:     i,

 		id:     response.Process.ID,

 		pid:    response.Process.Pid,

+		c:      c,

 	}

 	return t, nil

 }

@@ -47,7 +47,7 @@ func arches() []specs.Arch {

 	}

 }

-// DefaultProfile defines the whitelist for the default seccomp profile.

+// DefaultProfile defines the allowed syscalls for the default seccomp profile.

 func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 	syscalls := []specs.LinuxSyscall{

 		{

@@ -64,6 +64,8 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 				"chmod",

 				"chown",

 				"chown32",

+				"clock_adjtime",

+				"clock_adjtime64",

 				"clock_getres",

 				"clock_getres_time64",

 				"clock_gettime",

@@ -253,6 +255,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 				"renameat2",

 				"restart_syscall",

 				"rmdir",

+				"rseq",

 				"rt_sigaction",

 				"rt_sigpending",

 				"rt_sigprocmask",

@@ -513,7 +516,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 					"delete_module",

 					"init_module",

 					"finit_module",

-					"query_module",

 				},

 				Action: specs.ActAllow,

 				Args:   []specs.LinuxSeccompArg{},

@@ -20,7 +20,7 @@ package seccomp

 import specs "github.com/opencontainers/runtime-spec/specs-go"

-// DefaultProfile defines the whitelist for the default seccomp profile.

+// DefaultProfile defines the allowed syscalls for the default seccomp profile.

 func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 	return &specs.LinuxSeccomp{}

 }

@@ -203,24 +203,26 @@ func (i *image) Usage(ctx context.Context, opts ...UsageOpt) (int64, error) {

 				desc.Size = info.Size

 			}

-			for k, v := range info.Labels {

-				const prefix = "containerd.io/gc.ref.snapshot."

-				if !strings.HasPrefix(k, prefix) {

-					continue

-				}

+			if config.snapshots {

+				for k, v := range info.Labels {

+					const prefix = "containerd.io/gc.ref.snapshot."

+					if !strings.HasPrefix(k, prefix) {

+						continue

+					}

-				sn := i.client.SnapshotService(k[len(prefix):])

-				if sn == nil {

-					continue

-				}

+					sn := i.client.SnapshotService(k[len(prefix):])

+					if sn == nil {

+						continue

+					}

-				u, err := sn.Usage(ctx, v)

-				if err != nil {

-					if !errdefs.IsNotFound(err) && !errdefs.IsInvalidArgument(err) {

-						return nil, err

+					u, err := sn.Usage(ctx, v)

+					if err != nil {

+						if !errdefs.IsNotFound(err) && !errdefs.IsInvalidArgument(err) {

+							return nil, err

+						}

+					} else {

+						usage += u.Size

 					}

-				} else {

-					usage += u.Size

 				}

 			}

 		}

@@ -170,6 +170,19 @@ func ChildrenHandler(provider content.Provider) HandlerFunc {

 // the children returned by the handler and passes through the children.

 // Must follow a handler that returns the children to be labeled.

 func SetChildrenLabels(manager content.Manager, f HandlerFunc) HandlerFunc {

+	return SetChildrenMappedLabels(manager, f, nil)

+}

+

+// SetChildrenMappedLabels is a handler wrapper which sets labels for the content on

+// the children returned by the handler and passes through the children.

+// Must follow a handler that returns the children to be labeled.

+// The label map allows the caller to control the labels per child descriptor.

+// For returned labels, the index of the child will be appended to the end

+// except for the first index when the returned label does not end with '.'.

+func SetChildrenMappedLabels(manager content.Manager, f HandlerFunc, labelMap func(ocispec.Descriptor) []string) HandlerFunc {

+	if labelMap == nil {

+		labelMap = ChildGCLabels

+	}

 	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {

 		children, err := f(ctx, desc)

 		if err != nil {

@@ -177,14 +190,26 @@ func SetChildrenLabels(manager content.Manager, f HandlerFunc) HandlerFunc {

 		}

 		if len(children) > 0 {

-			info := content.Info{

-				Digest: desc.Digest,

-				Labels: map[string]string{},

-			}

-			fields := []string{}

-			for i, ch := range children {

-				info.Labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i)] = ch.Digest.String()

-				fields = append(fields, fmt.Sprintf("labels.containerd.io/gc.ref.content.%d", i))

+			var (

+				info = content.Info{

+					Digest: desc.Digest,

+					Labels: map[string]string{},

+				}

+				fields = []string{}

+				keys   = map[string]uint{}

+			)

+			for _, ch := range children {

+				labelKeys := labelMap(ch)

+				for _, key := range labelKeys {

+					idx := keys[key]

+					keys[key] = idx + 1

+					if idx > 0 || key[len(key)-1] == '.' {

+						key = fmt.Sprintf("%s%d", key, idx)

+					}

+

+					info.Labels[key] = ch.Digest.String()

+					fields = append(fields, "labels."+key)

+				}

 			}

 			_, err := manager.Update(ctx, info, fields...)

@@ -362,7 +362,7 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr

 			// childless data types.

 			return nil, nil

 		}

-		log.G(ctx).Warnf("encountered unknown type %v; children may not be fetched", desc.MediaType)

+		log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType)

 	}

 	return descs, nil

@@ -23,6 +23,7 @@ import (

 	"github.com/containerd/containerd/errdefs"

 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

+	"github.com/pkg/errors"

 )

 // mediatype definitions for image components handled in containerd.

@@ -81,7 +82,7 @@ func DiffCompression(ctx context.Context, mediaType string) (string, error) {

 		}

 		return "", nil

 	default:

-		return "", errdefs.ErrNotImplemented

+		return "", errors.Wrapf(errdefs.ErrNotImplemented, "unrecognised mediatype %s", mediaType)

 	}

 }

@@ -124,3 +125,31 @@ func IsKnownConfig(mt string) bool {

 	}

 	return false

 }

+

+// ChildGCLabels returns the label for a given descriptor to reference it

+func ChildGCLabels(desc ocispec.Descriptor) []string {

+	mt := desc.MediaType

+	if IsKnownConfig(mt) {

+		return []string{"containerd.io/gc.ref.content.config"}

+	}

+

+	switch mt {

+	case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:

+		return []string{"containerd.io/gc.ref.content.m."}

+	}

+

+	if IsLayerType(mt) {

+		return []string{"containerd.io/gc.ref.content.l."}

+	}

+

+	return []string{"containerd.io/gc.ref.content."}

+}

+

+// ChildGCLabelsFilterLayers returns the labels for a given descriptor to

+// reference it, skipping layer media types

+func ChildGCLabelsFilterLayers(desc ocispec.Descriptor) []string {

+	if IsLayerType(desc.MediaType) {

+		return nil

+	}

+	return ChildGCLabels(desc)

+}

@@ -363,10 +363,34 @@ func (m *Mount) mountWithHelper(helperBinary, typePrefix, target string) error {

 		args = append(args, "-o", o)

 	}

 	args = append(args, "-t", strings.TrimPrefix(m.Type, typePrefix))

-	cmd := exec.Command(helperBinary, args...)

-	out, err := cmd.CombinedOutput()

+

+	infoBeforeMount, err := Lookup(target)

 	if err != nil {

-		return errors.Wrapf(err, "mount helper [%s %v] failed: %q", helperBinary, args, string(out))

+		return err

 	}

-	return nil

+

+	// cmd.CombinedOutput() may intermittently return ECHILD because of our signal handling in shim.

+	// See #4387 and wait(2).

+	const retriesOnECHILD = 10

+	for i := 0; i < retriesOnECHILD; i++ {

+		cmd := exec.Command(helperBinary, args...)

+		out, err := cmd.CombinedOutput()

+		if err == nil {

+			return nil

+		}

+		if !errors.Is(err, unix.ECHILD) {

+			return errors.Wrapf(err, "mount helper [%s %v] failed: %q", helperBinary, args, string(out))

+		}

+		// We got ECHILD, we are not sure whether the mount was successful.

+		// If the mount ID has changed, we are sure we got some new mount, but still not sure it is fully completed.

+		// So we attempt to unmount the new mount before retrying.

+		infoAfterMount, err := Lookup(target)

+		if err != nil {

+			return err

+		}

+		if infoAfterMount.ID != infoBeforeMount.ID {

+			_ = unmount(target, 0)

+		}

+	}

+	return errors.Errorf("mount helper [%s %v] failed with ECHILD (retired %d times)", helperBinary, args, retriesOnECHILD)

 }

@@ -81,11 +81,11 @@ func parseInfoFile(r io.Reader) ([]Info, error) {

 		p.Major, _ = strconv.Atoi(mm[0])

 		p.Minor, _ = strconv.Atoi(mm[1])

-		p.Root, err = strconv.Unquote(`"` + fields[3] + `"`)

+		p.Root, err = strconv.Unquote(`"` + strings.Replace(fields[3], `"`, `\"`, -1) + `"`)

 		if err != nil {

 			return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote root field", fields[3])

 		}

-		p.Mountpoint, err = strconv.Unquote(`"` + fields[4] + `"`)

+		p.Mountpoint, err = strconv.Unquote(`"` + strings.Replace(fields[4], `"`, `\"`, -1) + `"`)

 		if err != nil {

 			return nil, errors.Wrapf(err, "parsing '%s' failed: unable to unquote mount point field", fields[4])

 		}

@@ -118,3 +118,10 @@ func deviceFromPath(path, permissions string) (*specs.LinuxDevice, error) {

 		GID:      &stat.Gid,

 	}, nil

 }

+

+// WithCPUCFS sets the container's Completely fair scheduling (CFS) quota and period

+func WithCPUCFS(quota int64, period uint64) SpecOpts {

+	return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error {

+		return nil

+	}

+}

@@ -52,7 +52,7 @@ func WithWindowsIgnoreFlushesDuringBoot() SpecOpts {

 	}

 }

-// WithWindowNetworksAllowUnqualifiedDNSQuery sets `Windows.IgnoreFlushesDuringBoot`.

+// WithWindowNetworksAllowUnqualifiedDNSQuery sets `Windows.Network.AllowUnqualifiedDNSQuery`.

 func WithWindowNetworksAllowUnqualifiedDNSQuery() SpecOpts {

 	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {

 		if s.Windows == nil {

@@ -27,7 +27,6 @@ import (

 	"path/filepath"

 	"strings"

 	"sync"

-	"syscall"

 	"time"

 	"github.com/containerd/console"

@@ -39,6 +38,7 @@ import (

 	google_protobuf "github.com/gogo/protobuf/types"

 	specs "github.com/opencontainers/runtime-spec/specs-go"

 	"github.com/pkg/errors"

+	"golang.org/x/sys/unix"

 )

 // Init represents an initial process for a container

@@ -87,7 +87,7 @@ func NewRunc(root, path, namespace, runtime, criu string, systemd bool) *runc.Ru

 		Command:       runtime,

 		Log:           filepath.Join(path, "log.json"),

 		LogFormat:     runc.JSON,

-		PdeathSignal:  syscall.SIGKILL,

+		PdeathSignal:  unix.SIGKILL,

 		Root:          filepath.Join(root, namespace),

 		Criu:          criu,

 		SystemdCgroup: systemd,

@@ -176,7 +176,7 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {

 }

 func (p *Init) openStdin(path string) error {

-	sc, err := fifo.OpenFifo(context.Background(), path, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

+	sc, err := fifo.OpenFifo(context.Background(), path, unix.O_WRONLY|unix.O_NONBLOCK, 0)

 	if err != nil {

 		return errors.Wrapf(err, "failed to open stdin fifo %s", path)

 	}

@@ -361,7 +361,7 @@ func (p *Init) KillAll(ctx context.Context) error {

 	p.mu.Lock()

 	defer p.mu.Unlock()

-	err := p.runtime.Kill(ctx, p.id, int(syscall.SIGKILL), &runc.KillOpts{

+	err := p.runtime.Kill(ctx, p.id, int(unix.SIGKILL), &runc.KillOpts{

 		All: true,

 	})

 	return p.runtimeError(err, "OCI runtime killall failed")

@@ -381,7 +381,7 @@ func (b *binaryIO) cancel() error {

 		return result.ErrorOrNil()

 	}

-	done := make(chan error)

+	done := make(chan error, 1)

 	go func() {

 		done <- b.cmd.Wait()

 	}()

@@ -137,6 +137,8 @@ func checkKillError(err error) error {

 		strings.Contains(strings.ToLower(err.Error()), "no such process") ||

 		err == unix.ESRCH {

 		return errors.Wrapf(errdefs.ErrNotFound, "process already finished")

+	} else if strings.Contains(err.Error(), "does not exist") {

+		return errors.Wrapf(errdefs.ErrNotFound, "no such container")

 	}

 	return errors.Wrapf(err, "unknown error after kill")

 }

@@ -74,8 +74,8 @@ func getCPUInfo(pattern string) (info string, err error) {

 }

 func getCPUVariant() string {

-	if runtime.GOOS == "windows" {

-		// Windows only supports v7 for ARM32 and v8 for ARM64 and so we can use

+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {

+		// Windows/Darwin only supports v7 for ARM32 and v8 for ARM64 and so we can use

 		// runtime.GOARCH to determine the variants

 		var variant string

 		switch runtime.GOARCH {

@@ -159,7 +159,7 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim

 		// Get all the children for a descriptor

 		childrenHandler := images.ChildrenHandler(store)

 		// Set any children labels for that content

-		childrenHandler = images.SetChildrenLabels(store, childrenHandler)

+		childrenHandler = images.SetChildrenMappedLabels(store, childrenHandler, rCtx.ChildLabelMap)

 		if rCtx.AllMetadata {

 			// Filter manifests by platforms but allow to handle manifest

 			// and configuration for not-target platforms

@@ -235,7 +235,7 @@ func (p dockerPusher) Push(ctx context.Context, desc ocispec.Descriptor) (conten

 	go func() {

 		defer close(respC)

-		resp, err = req.do(ctx)

+		resp, err := req.do(ctx)

 		if err != nil {

 			pr.CloseWithError(err)

 			return

@@ -70,6 +70,7 @@ type RegistryHost struct {

 	Scheme       string

 	Path         string

 	Capabilities HostCapabilities

+	Header       http.Header

 }

 // RegistryHosts fetches the registry hosts for a given namespace,

@@ -450,6 +450,9 @@ func (r *dockerBase) request(host RegistryHost, method string, ps ...string) *re

 	for key, value := range r.header {

 		header[key] = append(header[key], value...)

 	}

+	for key, value := range host.Header {

+		header[key] = append(header[key], value...)

+	}

 	parts := append([]string{"/", host.Path, r.namespace}, ps...)

 	p := path.Join(parts...)

 	// Join strips trailing slash, re-add ending "/" if included

@@ -324,21 +324,31 @@ func (c *Client) signalShim(ctx context.Context, sig syscall.Signal) error {

 	select {

 	case <-ctx.Done():

 		return ctx.Err()

-	case <-c.waitForExit(pid):

+	case <-c.waitForExit(ctx, pid):

 		return nil

 	}

 }

-func (c *Client) waitForExit(pid int) <-chan struct{} {

-	c.exitOnce.Do(func() {

+func (c *Client) waitForExit(ctx context.Context, pid int) <-chan struct{} {

+	go c.exitOnce.Do(func() {

+		defer close(c.exitCh)

+

+		ticker := time.NewTicker(10 * time.Millisecond)

+		defer ticker.Stop()

+

 		for {

 			// use kill(pid, 0) here because the shim could have been reparented

 			// and we are no longer able to waitpid(pid, ...) on the shim

 			if err := unix.Kill(pid, 0); err == unix.ESRCH {

-				close(c.exitCh)

 				return

 			}

-			time.Sleep(10 * time.Millisecond)

+

+			select {

+			case <-ticker.C:

+			case <-ctx.Done():

+				log.G(ctx).WithField("pid", pid).Warn("timed out while waiting for shim to exit")

+				return

+			}

 		}

 	})

 	return c.exitCh

new file mode 100644

@@ -0,0 +1,35 @@

+// +build !windows

+

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+package containerd

+

+import (

+	"fmt"

+

+	"github.com/containerd/containerd/snapshots"

+)

+

+// WithRemapperLabels creates the labels used by any supporting snapshotter

+// to shift the filesystem ownership (user namespace mapping) automatically; currently

+// supported by the fuse-overlayfs snapshotter

+func WithRemapperLabels(ctrUID, hostUID, ctrGID, hostGID, length uint32) snapshots.Opt {

+	return snapshots.WithLabels(map[string]string{

+		"containerd.io/snapshot/uidmapping": fmt.Sprintf("%d:%d:%d", ctrUID, hostUID, length),

+		"containerd.io/snapshot/gidmapping": fmt.Sprintf("%d:%d:%d", ctrGID, hostGID, length),

+	})

+}

@@ -35,6 +35,7 @@ import (

 	"github.com/containerd/containerd/errdefs"

 	"github.com/containerd/containerd/images"

 	"github.com/containerd/containerd/mount"

+	"github.com/containerd/containerd/oci"

 	"github.com/containerd/containerd/plugin"

 	"github.com/containerd/containerd/rootfs"

 	"github.com/containerd/containerd/runtime/linux/runctypes"

@@ -175,18 +176,26 @@ type Task interface {

 	// For the built in Linux runtime, github.com/containerd/cgroups.Metrics

 	// are returned in protobuf format

 	Metrics(context.Context) (*types.Metric, error)

+	// Spec returns the current OCI specification for the task

+	Spec(context.Context) (*oci.Spec, error)

 }

 var _ = (Task)(&task{})

 type task struct {

 	client *Client

+	c      Container

 	io  cio.IO

 	id  string

 	pid uint32

 }

+// Spec returns the current OCI specification for the task

+func (t *task) Spec(ctx context.Context) (*oci.Spec, error) {

+	return t.c.Spec(ctx)

+}

+

 // ID of the task

 func (t *task) ID() string {

 	return t.id

@@ -178,13 +178,13 @@ EachLayer:

 				fetchC[i] = make(chan struct{})

 			}

-			go func() {

+			go func(i int) {

 				err := u.fetch(ctx, h, layers[i:], fetchC)

 				if err != nil {

 					fetchErr <- err

 				}

 				close(fetchErr)

-			}()

+			}(i)

 		}

 		select {

@@ -1,102 +1,102 @@

-github.com/beorn7/perks                             37c8de3658fcb183f997c4e13e8337516ab753e6 # v1.0.1

-github.com/BurntSushi/toml                          3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005 # v0.3.1

-github.com/cespare/xxhash/v2                        d7df74196a9e781ede915320c11c378c1b2f3a1f # v2.1.1

+github.com/beorn7/perks                             v1.0.1

+github.com/BurntSushi/toml                          v0.3.1

+github.com/cespare/xxhash/v2                        v2.1.1

 github.com/containerd/btrfs                         153935315f4ab9be5bf03650a1341454b05efa5d

-github.com/containerd/cgroups                       b4448137398923af7f4918b8b2ad8249172ca7a6

-github.com/containerd/console                       8375c3424e4d7b114e8a90a4a40c8e1b40d1d4e6 # v1.0.0

-github.com/containerd/continuity                    0ec596719c75bfd42908850990acea594b7593ac

-github.com/containerd/fifo                          bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13

-github.com/containerd/go-runc                       a5c2862aed5e6358b305b0e16bfce58e0549b1cd

-github.com/containerd/ttrpc                         72bb1b21c5b0a4a107f59dd85f6ab58e564b68d6 # v1.0.1

-github.com/containerd/typeurl                       cd3ce7159eae562a4f60ceff37dada11a939d247 # v1.0.1

-github.com/coreos/go-systemd/v22                    2d78030078ef61b3cae27f42ad6d0e46db51b339 # v22.0.0

-github.com/cpuguy83/go-md2man                       7762f7e404f8416dfa1d9bb6a8c192aa9acb4d19 # v1.0.10

+github.com/containerd/cgroups                       318312a373405e5e91134d8063d04d59768a1bff

+github.com/containerd/console                       v1.0.0

+github.com/containerd/continuity                    efbc4488d8fe1bdc16bde3b2d2990d9b3a899165

+github.com/containerd/fifo                          f15a3290365b9d2627d189e619ab4008e0069caf

+github.com/containerd/go-runc                       7016d3ce2328dd2cb1192b2076ebd565c4e8df0c

+github.com/containerd/ttrpc                         v1.0.1

+github.com/containerd/typeurl                       v1.0.1

+github.com/coreos/go-systemd/v22                    v22.1.0

+github.com/cpuguy83/go-md2man/v2                    v2.0.0

 github.com/docker/go-events                         e31b211e4f1cd09aa76fe4ac244571fab96ae47f

-github.com/docker/go-metrics                        b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1

-github.com/docker/go-units                          519db1ee28dcc9fd2474ae59fca29a810482bfb1 # v0.4.0

-github.com/godbus/dbus/v5                           37bf87eef99d69c4f1d3528bd66e3a87dc201472 # v5.0.3

-github.com/gogo/googleapis                          01e0f9cca9b92166042241267ee2a5cdf5cff46c # v1.3.2

-github.com/gogo/protobuf                            5628607bb4c51c3157aacc3a50f0ab707582b805 # v1.3.1

-github.com/golang/protobuf                          d23c5127dc24889085f8ccea5c9d560a57a879d8 # v1.3.3

-github.com/google/go-cmp                            3af367b6b30c263d47e8895973edcca9a49cf029 # v0.2.0

-github.com/google/uuid                              0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1

-github.com/grpc-ecosystem/go-grpc-prometheus        c225b8c3b01faf2899099b768856a9e916e5087b # v1.2.0

-github.com/hashicorp/errwrap                        8a6fb523712970c966eefc6b39ed2c5e74880354 # v1.0.0

-github.com/hashicorp/go-multierror                  886a7fbe3eb1c874d46f623bfa70af45f425b3d1 # v1.0.0

-github.com/hashicorp/golang-lru                     7f827b33c0f158ec5dfbba01bb0b14a4541fd81d # v0.5.3

-github.com/imdario/mergo                            7c29201646fa3de8506f701213473dd407f19646 # v0.3.7

-github.com/konsorten/go-windows-terminal-sequences  edb144dfd453055e1e49a3d8b410a660b5a87613 # v1.0.3

-github.com/matttproud/golang_protobuf_extensions    c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1

-github.com/Microsoft/go-winio                       6c72808b55902eae4c5943626030429ff20f3b63 # v0.4.14

-github.com/Microsoft/hcsshim                        5bc557dd210ff2caf615e6e22d398123de77fc11 # v0.8.9

-github.com/opencontainers/go-digest                 c9281466c8b2f606084ac71339773efd177436e7

-github.com/opencontainers/image-spec                d60099175f88c47cd379c4738d158884749ed235 # v1.0.1

-github.com/opencontainers/runc                      dc9208a3303feef5b3839f4323d9beb36df0a9dd # v1.0.0-rc10

-github.com/opencontainers/runtime-spec              c4ee7d12c742ffe806cd9350b6af3b4b19faed6f # v1.0.2

-github.com/pkg/errors                               614d223910a179a466c1767a985424175c39b465 # v0.9.1

-github.com/prometheus/client_golang                 c42bebe5a5cddfc6b28cd639103369d8a75dfa89 # v1.3.0

-github.com/prometheus/client_model                  d1d2010b5beead3fa1c5f271a5cf626e40b3ad6e # v0.1.0

-github.com/prometheus/common                        287d3e634a1e550c9e463dd7e5a75a422c614505 # v0.7.0

-github.com/prometheus/procfs                        6d489fc7f1d9cd890a250f3ea3431b1744b9623f # v0.0.8

-github.com/russross/blackfriday                     05f3235734ad95d0016f6a23902f06461fcf567a # v1.5.2

-github.com/sirupsen/logrus                          60c74ad9be0d874af0ab0daef6ab07c5c5911f0d # v1.6.0

+github.com/docker/go-metrics                        v0.0.1

+github.com/docker/go-units                          v0.4.0

+github.com/godbus/dbus/v5                           v5.0.3

+github.com/gogo/googleapis                          v1.3.2

+github.com/gogo/protobuf                            v1.3.1

+github.com/golang/protobuf                          v1.3.5

+github.com/google/go-cmp                            v0.2.0

+github.com/google/uuid                              v1.1.1

+github.com/grpc-ecosystem/go-grpc-prometheus        v1.2.0

+github.com/hashicorp/errwrap                        v1.0.0

+github.com/hashicorp/go-multierror                  v1.0.0

+github.com/hashicorp/golang-lru                     v0.5.3

+github.com/imdario/mergo                            v0.3.7

+github.com/konsorten/go-windows-terminal-sequences  v1.0.3

+github.com/matttproud/golang_protobuf_extensions    v1.0.1

+github.com/Microsoft/go-winio                       v0.4.14

+github.com/Microsoft/hcsshim                        v0.8.9

+github.com/opencontainers/go-digest                 v1.0.0

+github.com/opencontainers/image-spec                v1.0.1

+github.com/opencontainers/runc                      67169a9d43456ff0d5ae12b967acb8e366e2f181 # v1.0.0-rc91-48-g67169a9d

+github.com/opencontainers/runtime-spec              237cc4f519e2e8f9b235bacccfa8ef5a84df2875 # v1.0.3-0.20200520003142-237cc4f519e2

+github.com/pkg/errors                               v0.9.1

+github.com/prometheus/client_golang                 v1.6.0

+github.com/prometheus/client_model                  v0.2.0

+github.com/prometheus/common                        v0.9.1

+github.com/prometheus/procfs                        v0.0.11

+github.com/russross/blackfriday/v2                  v2.0.1

+github.com/shurcooL/sanitized_anchor_name           v1.0.0

+github.com/sirupsen/logrus                          v1.6.0

 github.com/syndtr/gocapability                      d98352740cb2c55f81556b63d4a1ec64c5a319c2

-github.com/urfave/cli                               bfe2e925cfb6d44b40ad3a779165ea7e8aff9212 # v1.22.0

-go.etcd.io/bbolt                                    a0458a2b35708eef59eb5f620ceb3cd1c01a824d # v1.3.3

-go.opencensus.io                                    9c377598961b706d1542bd2d84d538b5094d596e # v0.22.0

+github.com/urfave/cli                               v1.22.1 # NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092

+go.etcd.io/bbolt                                    v1.3.5

+go.opencensus.io                                    v0.22.0

 golang.org/x/net                                    f3200d17e092c607f615320ecaad13d87ad9a2b3

 golang.org/x/sync                                   42b317875d0fa942474b76e1b46a6060d720ae6e

-golang.org/x/sys                                    5c8b2ff67527cb88b770f693cebf3799036d8bc0

-golang.org/x/text                                   19e51611da83d6be54ddafce4a4af510cb3e9ea4

+golang.org/x/sys                                    9dae0f8f577553e0f21298e18926efc9644c281d

+golang.org/x/text                                   v0.3.3

 google.golang.org/genproto                          e50cd9704f63023d62cd06a1994b98227fc4d21a

-google.golang.org/grpc                              f495f5b15ae7ccda3b38c53a1bfcde4c1a58a2bc # v1.27.1

-gotest.tools/v3                                     bb0d8a963040ea5048dcef1a14d8f8b58a33d4b3 # v3.0.2

+google.golang.org/grpc                              v1.27.1

+gotest.tools/v3                                     v3.0.2

 # cgroups dependencies

-github.com/cilium/ebpf                              4032b1d8aae306b7bb94a2a11002932caf88c644

+github.com/cilium/ebpf                              1c8d4c9ef7759622653a1d319284a44652333b28

 # cri dependencies

-github.com/containerd/cri                           65830369b6b2b4edc454bf5cebbd9b76c1c1ac66 # master

-github.com/davecgh/go-spew                          8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1

-github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580

+github.com/containerd/cri                           8448b92d237e877bed1e4aa7a0baf0dee234dbcb # master

+github.com/davecgh/go-spew                          v1.1.1

 github.com/docker/docker                            4634ce647cf2ce2c6031129ccd109e557244986f

 github.com/docker/spdystream                        449fdfce4d962303d702fec724ef0ad181c92528

-github.com/emicklei/go-restful                      b993709ae1a4f6dd19cfa475232614441b11c9d5 # v2.9.5

-github.com/google/gofuzz                            db92cf7ae75e4a7a28abc005addab2b394362888 # v1.1.0

-github.com/json-iterator/go                         03217c3e97663914aec3faafde50d081f197a0a2 # v1.1.8

-github.com/modern-go/concurrent                     bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3

-github.com/modern-go/reflect2                       4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1

-github.com/opencontainers/selinux                   0d49ba2a6aae052c614dfe5de62a158711a6c461 # 1.5.1

-github.com/seccomp/libseccomp-golang                689e3c1541a84461afc49c1c87352a6cedf72e9c # v0.9.1

-github.com/stretchr/testify                         221dbe5ed46703ee255b1da0dec05086f5035f62 # v1.4.0

-github.com/tchap/go-patricia                        666120de432aea38ab06bd5c818f04f4129882c9 # v2.2.6

+github.com/emicklei/go-restful                      v2.9.5

+github.com/go-logr/logr                             v0.2.0

+github.com/google/gofuzz                            v1.1.0

+github.com/json-iterator/go                         v1.1.9

+github.com/modern-go/concurrent                     1.0.3

+github.com/modern-go/reflect2                       v1.0.1

+github.com/opencontainers/selinux                   v1.6.0

+github.com/seccomp/libseccomp-golang                v0.9.1

+github.com/tchap/go-patricia                        v2.2.6

+github.com/willf/bitset                             d5bec3311243426a3c6d1b7a795f24b17c686dbb # 1.1.10+ used by selinux pkg

 golang.org/x/crypto                                 bac4c82f69751a6dd76e702d54b3ceb88adab236

-golang.org/x/oauth2                                 0f29369cfe4552d0e4bcddc57cc75f4d7e672a33

-golang.org/x/time                                   9d24e82272b4f38b78bc8cff74fa936d31ccd8ef

-gopkg.in/inf.v0                                     d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1

-gopkg.in/yaml.v2                                    53403b58ad1b561927d19068c655246f2db79d48 # v2.2.8

-k8s.io/api                                          d2dce8e1788e4be2be3a62b6439b3eaa087df0df # v0.18.0

-k8s.io/apimachinery                                 105e0c6d63f10531ed07f3b5a2195771a0fa444b # v0.18.0

-k8s.io/apiserver                                    5c8e895629a454efd75a453d1dea5b8142db0013 # v0.18.0

-k8s.io/client-go                                    0b19784585bd0a0ee5509855829ead81feaa2bdc # v0.18.0

-k8s.io/cri-api                                      3d1680d8d202aa12c5dc5689170c3c03a488d35b # v0.18.0

-k8s.io/klog                                         2ca9ad30301bf30a8a6e0fa2110db6b8df699a91 # v1.0.0

-k8s.io/kubernetes                                   9e991415386e4cf155a24b1da15becaa390438d8 # v1.18.0

-k8s.io/utils                                        a9aa75ae1b89e1b992c33383f48e942d97e52dae

-sigs.k8s.io/structured-merge-diff/v3                877aee05330847a873a1a8998b40e12a1e0fde25 # v3.0.0

-sigs.k8s.io/yaml                                    9fc95527decd95bb9d28cc2eab08179b2d0f6971 # v1.2.0

+golang.org/x/oauth2                                 858c2ad4c8b6c5d10852cb89079f6ca1c7309787

+golang.org/x/time                                   555d28b269f0569763d25dbe1a237ae74c6bcc82

+gopkg.in/inf.v0                                     v0.9.1

+gopkg.in/yaml.v2                                    v2.2.8

+k8s.io/api                                          v0.19.0-beta.2

+k8s.io/apimachinery                                 v0.19.0-beta.2

+k8s.io/apiserver                                    v0.19.0-beta.2

+k8s.io/client-go                                    v0.19.0-beta.2

+k8s.io/cri-api                                      v0.19.0-beta.2

+k8s.io/klog/v2                                      v2.2.0

+k8s.io/utils                                        2df71ebbae66f39338aed4cd0bb82d2212ee33cc

+sigs.k8s.io/structured-merge-diff/v3                v3.0.0

+sigs.k8s.io/yaml                                    v1.2.0

 # cni dependencies

-github.com/containerd/go-cni                        0d360c50b10b350b6bb23863fd4dfb1c232b01c9

-github.com/containernetworking/cni                  4cfb7b568922a3c79a23e438dc52fe537fc9687e # v0.7.1

-github.com/containernetworking/plugins              9f96827c7cabb03f21d86326000c00f61e181f6a # v0.7.6

-github.com/fsnotify/fsnotify                        4bf2d1fec78374803a39307bfb8d340688f4f28e # v1.4.8

+github.com/containerd/go-cni                        v1.0.0

+github.com/containernetworking/cni                  v0.7.1

+github.com/containernetworking/plugins              v0.7.6

+github.com/fsnotify/fsnotify                        v1.4.9