@@ -11,6 +11,7 @@ import (

 	"github.com/containerd/containerd/snapshots"

 	"github.com/docker/docker/daemon/graphdriver"

 	"github.com/docker/docker/layer"

+	"github.com/docker/docker/pkg/idtools"

 	"github.com/moby/buildkit/identity"

 	"github.com/moby/buildkit/snapshot"

 	digest "github.com/opencontainers/go-digest"

@@ -73,6 +74,10 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {

 	return s, nil

 }

+func (s *snapshotter) IdentityMapping() *idtools.IdentityMapping {

+	return nil

+}

+

 func (s *snapshotter) Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) error {

 	origParent := parent

 	if parent != "" {

@@ -469,3 +474,7 @@ func (m *mountable) Release() error {

 	m.mounts = nil

 	return m.release()

 }

+

+func (m *mountable) IdentityMapping() *idtools.IdentityMapping {

+	return nil

+}

@@ -25,7 +25,6 @@ import (

 	"github.com/moby/buildkit/control"

 	"github.com/moby/buildkit/identity"

 	"github.com/moby/buildkit/session"

-	"github.com/moby/buildkit/solver/llbsolver"

 	"github.com/moby/buildkit/util/entitlements"

 	"github.com/moby/buildkit/util/resolver"

 	"github.com/moby/buildkit/util/tracing"

@@ -64,10 +63,6 @@ var cacheFields = map[string]bool{

 	"immutable": false,

 }

-func init() {

-	llbsolver.AllowNetworkHostUnstable = true

-}

-

 // Opt is option struct required for creating the builder

 type Opt struct {

 	SessionManager      *session.Manager

@@ -30,6 +30,7 @@ import (

 	"github.com/moby/buildkit/snapshot/blobmapping"

 	"github.com/moby/buildkit/solver/bboltcachestorage"

 	"github.com/moby/buildkit/util/binfmt_misc"

+	"github.com/moby/buildkit/util/entitlements"

 	"github.com/moby/buildkit/worker"

 	specs "github.com/opencontainers/image-spec/specs-go/v1"

 	"github.com/pkg/errors"

@@ -189,6 +190,10 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {

 		ResolveCacheExporterFuncs: map[string]remotecache.ResolveCacheExporterFunc{

 			"inline": inlineremotecache.ResolveCacheExporterFunc(),

 		},

+		Entitlements: []string{

+			string(entitlements.EntitlementNetworkHost),

+			// string(entitlements.EntitlementSecurityInsecure),

+		},

 	})

 }

@@ -25,6 +25,7 @@ import (

 	"github.com/moby/buildkit/executor"

 	"github.com/moby/buildkit/exporter"

 	localexporter "github.com/moby/buildkit/exporter/local"

+	tarexporter "github.com/moby/buildkit/exporter/tar"

 	"github.com/moby/buildkit/frontend"

 	gw "github.com/moby/buildkit/frontend/gateway/client"

 	"github.com/moby/buildkit/session"

@@ -213,6 +214,10 @@ func (w *Worker) Exporter(name string, sm *session.Manager) (exporter.Exporter,

 		return localexporter.New(localexporter.Opt{

 			SessionManager: sm,

 		})

+	case client.ExporterTar:

+		return tarexporter.New(tarexporter.Opt{

+			SessionManager: sm,

+		})

 	default:

 		return nil, errors.Errorf("exporter %q could not be found", name)

 	}

@@ -27,8 +27,8 @@ github.com/imdario/mergo v0.3.6

 golang.org/x/sync 1d60e4601c6fd243af51cc01ddf169918a5407ca

 # buildkit

-github.com/moby/buildkit e9aca5bef87e19173b99d8668db0338dcaaa5f33

-github.com/tonistiigi/fsutil 1bdbf124ad494a771e99e0cdcd16326375f8b2c9

+github.com/moby/buildkit b3028967ae6259c9a31c1a1deeccd30fe3469cce

+github.com/tonistiigi/fsutil 3bbb99cdbd76619ab717299830c60f6f2a533a6b

 github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746

 github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7

 github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716

@@ -120,7 +120,7 @@ github.com/googleapis/gax-go v2.0.0

 google.golang.org/genproto 694d95ba50e67b2e363f3483057db5d4910c18f9

 # containerd

-github.com/containerd/containerd a15b6e2097c48b632dbdc63254bad4c62b69e709

+github.com/containerd/containerd ceba56893a76f22cf0126c46d835c80fb3833408

 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c

 github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d

 github.com/containerd/cgroups 4994991857f9b0ae8dc439551e8bebdbb4bf66c1

@@ -20,8 +20,8 @@ import (

 	"context"

 	"fmt"

 	"io"

+	"net/url"

 	"os"

-	"path/filepath"

 	"sync"

 	"github.com/containerd/containerd/defaults"

@@ -222,46 +222,76 @@ type DirectIO struct {

 	cio

 }

-var _ IO = &DirectIO{}

+var (

+	_ IO = &DirectIO{}

+	_ IO = &logURI{}

+)

+

+// LogURI provides the raw logging URI

+func LogURI(uri *url.URL) Creator {

+	return func(_ string) (IO, error) {

+		return &logURI{

+			config: Config{

+				Stdout: uri.String(),

+				Stderr: uri.String(),

+			},

+		}, nil

+	}

+}

+

+// BinaryIO forwards container STDOUT|STDERR directly to a logging binary

+func BinaryIO(binary string, args map[string]string) Creator {

+	return func(_ string) (IO, error) {

+		uri := &url.URL{

+			Scheme: "binary",

+			Host:   binary,

+		}

+		for k, v := range args {

+			uri.Query().Set(k, v)

+		}

+		return &logURI{

+			config: Config{

+				Stdout: uri.String(),

+				Stderr: uri.String(),

+			},

+		}, nil

+	}

+}

 // LogFile creates a file on disk that logs the task's STDOUT,STDERR.

 // If the log file already exists, the logs will be appended to the file.

 func LogFile(path string) Creator {

 	return func(_ string) (IO, error) {

-		if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {

-			return nil, err

-		}

-		f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)

-		if err != nil {

-			return nil, err

+		uri := &url.URL{

+			Scheme: "file",

+			Host:   path,

 		}

-		f.Close()

-		return &logIO{

+		return &logURI{

 			config: Config{

-				Stdout: path,

-				Stderr: path,

+				Stdout: uri.String(),

+				Stderr: uri.String(),

 			},

 		}, nil

 	}

 }

-type logIO struct {

+type logURI struct {

 	config Config

 }

-func (l *logIO) Config() Config {

+func (l *logURI) Config() Config {

 	return l.config

 }

-func (l *logIO) Cancel() {

+func (l *logURI) Cancel() {

 }

-func (l *logIO) Wait() {

+func (l *logURI) Wait() {

 }

-func (l *logIO) Close() error {

+func (l *logURI) Close() error {

 	return nil

 }

@@ -300,6 +300,10 @@ type RemoteContext struct {

 	// MaxConcurrentDownloads is the max concurrent content downloads for each pull.

 	MaxConcurrentDownloads int

+

+	// AppendDistributionSourceLabel allows fetcher to add distribute source

+	// label for each blob content, which doesn't work for legacy schema1.

+	AppendDistributionSourceLabel bool

 }

 func defaultRemoteContext() *RemoteContext {

@@ -194,3 +194,12 @@ func WithMaxConcurrentDownloads(max int) RemoteOpt {

 		return nil

 	}

 }

+

+// WithAppendDistributionSourceLabel allows fetcher to add distribute source

+// label for each blob content, which doesn't work for legacy schema1.

+func WithAppendDistributionSourceLabel() RemoteOpt {

+	return func(_ *Client, c *RemoteContext) error {

+		c.AppendDistributionSourceLabel = true

+		return nil

+	}

+}

@@ -29,7 +29,8 @@ import (

 	specs "github.com/opencontainers/runtime-spec/specs-go"

 )

-const nvidiaCLI = "nvidia-container-cli"

+// NvidiaCLI is the path to the Nvidia helper binary

+const NvidiaCLI = "nvidia-container-cli"

 // Capability specifies capabilities for the gpu inside the container

 // Detailed explanation of options can be found:

@@ -51,13 +52,16 @@ const (

 	Display Capability = "display"

 )

-var allCaps = []Capability{

-	Compute,

-	Compat32,

-	Graphics,

-	Utility,

-	Video,

-	Display,

+// AllCaps returns the complete list of supported Nvidia capabilties.

+func AllCaps() []Capability {

+	return []Capability{

+		Compute,

+		Compat32,

+		Graphics,

+		Utility,

+		Video,

+		Display,

+	}

 }

 // WithGPUs adds NVIDIA gpu support to a container

@@ -76,7 +80,7 @@ func WithGPUs(opts ...Opts) oci.SpecOpts {

 			}

 			c.OCIHookPath = path

 		}

-		nvidiaPath, err := exec.LookPath(nvidiaCLI)

+		nvidiaPath, err := exec.LookPath(NvidiaCLI)

 		if err != nil {

 			return err

 		}

@@ -166,7 +170,7 @@ func WithAllDevices(c *config) error {

 // WithAllCapabilities adds all capabilities to the container for the gpus

 func WithAllCapabilities(c *config) error {

-	c.Capabilities = allCaps

+	c.Capabilities = AllCaps()

 	return nil

 }

@@ -161,6 +161,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 				"ioctl",

 				"io_destroy",

 				"io_getevents",

+				"io_pgetevents",

 				"ioprio_get",

 				"ioprio_set",

 				"io_setup",

@@ -319,6 +320,7 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {

 				"stat64",

 				"statfs",

 				"statfs64",

+				"statx",

 				"symlink",

 				"symlinkat",

 				"sync",

@@ -25,14 +25,16 @@ import (

 	"github.com/containerd/containerd/errdefs"

 	"github.com/containerd/containerd/images"

 	"github.com/containerd/containerd/images/archive"

+	"github.com/containerd/containerd/platforms"

 	digest "github.com/opencontainers/go-digest"

 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 )

 type importOpts struct {

-	indexName string

-	imageRefT func(string) string

-	dgstRefT  func(digest.Digest) string

+	indexName    string

+	imageRefT    func(string) string

+	dgstRefT     func(digest.Digest) string

+	allPlatforms bool

 }

 // ImportOpt allows the caller to specify import specific options

@@ -64,6 +66,14 @@ func WithIndexName(name string) ImportOpt {

 	}

 }

+// WithAllPlatforms is used to import content for all platforms.

+func WithAllPlatforms(allPlatforms bool) ImportOpt {

+	return func(c *importOpts) error {

+		c.allPlatforms = allPlatforms

+		return nil

+	}

+}

+

 // Import imports an image from a Tar stream using reader.

 // Caller needs to specify importer. Future version may use oci.v1 as the default.

 // Note that unreferrenced blobs may be imported to the content store as well.

@@ -98,6 +108,10 @@ func (c *Client) Import(ctx context.Context, reader io.Reader, opts ...ImportOpt

 			Target: index,

 		})

 	}

+	var platformMatcher = platforms.All

+	if !iopts.allPlatforms {

+		platformMatcher = platforms.Default()

+	}

 	var handler images.HandlerFunc = func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {

 		// Only save images at top level

@@ -141,6 +155,7 @@ func (c *Client) Import(ctx context.Context, reader io.Reader, opts ...ImportOpt

 		return idx.Manifests, nil

 	}

+	handler = images.FilterPlatforms(handler, platformMatcher)

 	handler = images.SetChildrenLabels(cs, handler)

 	if err := images.Walk(ctx, handler, index); err != nil {

 		return nil, err

@@ -33,7 +33,7 @@ import (

 	"github.com/containerd/containerd/namespaces"

 	"github.com/containerd/containerd/platforms"

 	"github.com/containerd/continuity/fs"

-	"github.com/opencontainers/image-spec/specs-go/v1"

+	v1 "github.com/opencontainers/image-spec/specs-go/v1"

 	"github.com/opencontainers/runc/libcontainer/user"

 	specs "github.com/opencontainers/runtime-spec/specs-go"

 	"github.com/pkg/errors"

@@ -741,9 +741,11 @@ func WithCapabilities(caps []string) SpecOpts {

 }

 // WithAllCapabilities sets all linux capabilities for the process

-var WithAllCapabilities = WithCapabilities(getAllCapabilities())

+var WithAllCapabilities = WithCapabilities(GetAllCapabilities())

-func getAllCapabilities() []string {

+// GetAllCapabilities returns all caps up to CAP_LAST_CAP

+// or CAP_BLOCK_SUSPEND on RHEL6

+func GetAllCapabilities() []string {

 	last := capability.CAP_LAST_CAP

 	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap

 	if last == capability.Cap(63) {

@@ -759,6 +761,61 @@ func getAllCapabilities() []string {

 	return caps

 }

+func capsContain(caps []string, s string) bool {

+	for _, c := range caps {

+		if c == s {

+			return true

+		}

+	}

+	return false

+}

+

+func removeCap(caps *[]string, s string) {

+	for i, c := range *caps {

+		if c == s {

+			*caps = append((*caps)[:i], (*caps)[i+1:]...)

+		}

+	}

+}

+

+// WithAddedCapabilities adds the provided capabilities

+func WithAddedCapabilities(caps []string) SpecOpts {

+	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {

+		setCapabilities(s)

+		for _, c := range caps {

+			for _, cl := range []*[]string{

+				&s.Process.Capabilities.Bounding,

+				&s.Process.Capabilities.Effective,

+				&s.Process.Capabilities.Permitted,

+				&s.Process.Capabilities.Inheritable,

+			} {

+				if !capsContain(*cl, c) {

+					*cl = append(*cl, c)

+				}

+			}

+		}

+		return nil

+	}

+}

+

+// WithDroppedCapabilities removes the provided capabilities

+func WithDroppedCapabilities(caps []string) SpecOpts {

+	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {

+		setCapabilities(s)

+		for _, c := range caps {

+			for _, cl := range []*[]string{

+				&s.Process.Capabilities.Bounding,

+				&s.Process.Capabilities.Effective,

+				&s.Process.Capabilities.Permitted,

+				&s.Process.Capabilities.Inheritable,

+			} {

+				removeCap(cl, c)

+			}

+		}

+		return nil

+	}

+}

+

 // WithAmbientCapabilities set the Linux ambient capabilities for the process

 // Ambient capabilities should only be set for non-root users or the caller should

 // understand how these capabilities are used and set

@@ -112,8 +112,9 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim

 		childrenHandler := images.ChildrenHandler(store)

 		// Set any children labels for that content

 		childrenHandler = images.SetChildrenLabels(store, childrenHandler)

-		// Filter children by platforms

-		childrenHandler = images.FilterPlatforms(childrenHandler, rCtx.PlatformMatcher)

+		// Filter manifests by platforms but allow to handle manifest

+		// and configuration for not-target platforms

+		childrenHandler = remotes.FilterManifestByPlatformHandler(childrenHandler, rCtx.PlatformMatcher)

 		// Sort and limit manifests if a finite number is needed

 		if limit > 0 {

 			childrenHandler = images.LimitManifests(childrenHandler, rCtx.PlatformMatcher, limit)

@@ -130,11 +131,23 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim

 			},

 		)

-		handler = images.Handlers(append(rCtx.BaseHandlers,

+		handlers := append(rCtx.BaseHandlers,

 			remotes.FetchHandler(store, fetcher),

 			convertibleHandler,

 			childrenHandler,

-		)...)

+		)

+

+		// append distribution source label to blob data

+		if rCtx.AppendDistributionSourceLabel {

+			appendDistSrcLabelHandler, err := docker.AppendDistributionSourceLabel(store, ref)

+			if err != nil {

+				return images.Image{}, err

+			}

+

+			handlers = append(handlers, appendDistSrcLabelHandler)

+		}

+

+		handler = images.Handlers(handlers...)

 		converterFunc = func(ctx context.Context, desc ocispec.Descriptor) (ocispec.Descriptor, error) {

 			return docker.ConvertManifest(ctx, store, desc)

@@ -148,6 +161,7 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim

 	if rCtx.MaxConcurrentDownloads > 0 {

 		limiter = semaphore.NewWeighted(int64(rCtx.MaxConcurrentDownloads))

 	}

+

 	if err := images.Dispatch(ctx, handler, limiter, desc); err != nil {

 		return images.Image{}, err

 	}

new file mode 100644

@@ -0,0 +1,112 @@

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+package docker

+

+import (

+	"context"

+	"fmt"

+	"net/url"

+	"strings"

+

+	"github.com/containerd/containerd/content"

+	"github.com/containerd/containerd/images"

+	"github.com/containerd/containerd/labels"

+	"github.com/containerd/containerd/log"

+	"github.com/containerd/containerd/reference"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

+)

+

+var (

+	// labelDistributionSource describes the source blob comes from.

+	labelDistributionSource = "containerd.io/distribution.source"

+)

+

+// AppendDistributionSourceLabel updates the label of blob with distribution source.

+func AppendDistributionSourceLabel(manager content.Manager, ref string) (images.HandlerFunc, error) {

+	refspec, err := reference.Parse(ref)

+	if err != nil {

+		return nil, err

+	}

+

+	u, err := url.Parse("dummy://" + refspec.Locator)

+	if err != nil {

+		return nil, err

+	}

+

+	source, repo := u.Hostname(), strings.TrimPrefix(u.Path, "/")

+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {

+		info, err := manager.Info(ctx, desc.Digest)

+		if err != nil {

+			return nil, err

+		}

+

+		key := distributionSourceLabelKey(source)

+

+		originLabel := ""

+		if info.Labels != nil {

+			originLabel = info.Labels[key]

+		}

+		value := appendDistributionSourceLabel(originLabel, repo)

+

+		// The repo name has been limited under 256 and the distribution

+		// label might hit the limitation of label size, when blob data

+		// is used as the very, very common layer.

+		if err := labels.Validate(key, value); err != nil {

+			log.G(ctx).Warnf("skip to append distribution label: %s", err)

+			return nil, nil

+		}

+

+		info = content.Info{

+			Digest: desc.Digest,

+			Labels: map[string]string{

+				key: value,

+			},

+		}

+		_, err = manager.Update(ctx, info, fmt.Sprintf("labels.%s", key))

+		return nil, err

+	}, nil

+}

+

+func appendDistributionSourceLabel(originLabel, repo string) string {

+	repos := []string{}

+	if originLabel != "" {

+		repos = strings.Split(originLabel, ",")

+	}

+	repos = append(repos, repo)

+

+	// use emtpy string to present duplicate items

+	for i := 1; i < len(repos); i++ {

+		tmp, j := repos[i], i-1

+		for ; j >= 0 && repos[j] >= tmp; j-- {

+			if repos[j] == tmp {

+				tmp = ""

+			}

+			repos[j+1] = repos[j]

+		}

+		repos[j+1] = tmp

+	}

+

+	i := 0

+	for ; i < len(repos) && repos[i] == ""; i++ {

+	}

+

+	return strings.Join(repos[i:], ",")

+}

+

+func distributionSourceLabelKey(source string) string {

+	return fmt.Sprintf("%s.%s", labelDistributionSource, source)

+}

@@ -206,3 +206,38 @@ func PushContent(ctx context.Context, pusher Pusher, desc ocispec.Descriptor, pr

 	return nil

 }

+

+// FilterManifestByPlatformHandler allows Handler to handle non-target

+// platform's manifest and configuration data.

+func FilterManifestByPlatformHandler(f images.HandlerFunc, m platforms.Matcher) images.HandlerFunc {

+	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {

+		children, err := f(ctx, desc)

+		if err != nil {

+			return nil, err

+		}

+

+		// no platform information

+		if desc.Platform == nil || m == nil {

+			return children, nil

+		}

+

+		var descs []ocispec.Descriptor

+		switch desc.MediaType {

+		case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:

+			if m.Match(*desc.Platform) {

+				descs = children

+			} else {

+				for _, child := range children {

+					if child.MediaType == images.MediaTypeDockerSchema2Config ||

+						child.MediaType == ocispec.MediaTypeImageConfig {

+

+						descs = append(descs, child)

+					}

+				}

+			}

+		default:

+			descs = children

+		}

+		return descs, nil

+	}

+}

@@ -72,7 +72,7 @@ type Process interface {

 // platform implementations

 type Platform interface {

 	CopyConsole(ctx context.Context, console console.Console, stdin, stdout, stderr string,

-		wg, cwg *sync.WaitGroup) (console.Console, error)

+		wg *sync.WaitGroup) (console.Console, error)

 	ShutdownConsole(ctx context.Context, console console.Console) error

 	Close() error

 }

@@ -20,6 +20,7 @@ package linux

 import (

 	"context"

+	"crypto/sha256"

 	"fmt"

 	"io/ioutil"

 	"os"

@@ -103,7 +104,7 @@ func ShimLocal(c *Config, exchange *exchange.Exchange) ShimOpt {

 // ShimConnect is a ShimOpt for connecting to an existing remote shim

 func ShimConnect(c *Config, onClose func()) ShimOpt {

 	return func(b *bundle, ns string, ropts *runctypes.RuncOptions) (shim.Config, client.Opt) {

-		return b.shimConfig(ns, c, ropts), client.WithConnect(b.shimAddress(ns), onClose)

+		return b.shimConfig(ns, c, ropts), client.WithConnect(b.decideShimAddress(ns), onClose)

 	}

 }

@@ -127,10 +128,32 @@ func (b *bundle) Delete() error {

 	return errors.Wrapf(err, "Failed to remove both bundle and workdir locations: %v", err2)

 }

-func (b *bundle) shimAddress(namespace string) string {

+func (b *bundle) legacyShimAddress(namespace string) string {

 	return filepath.Join(string(filepath.Separator), "containerd-shim", namespace, b.id, "shim.sock")

 }

+func (b *bundle) shimAddress(namespace string) string {

+	d := sha256.Sum256([]byte(filepath.Join(namespace, b.id)))

+	return filepath.Join(string(filepath.Separator), "containerd-shim", fmt.Sprintf("%x.sock", d))

+}

+

+func (b *bundle) loadAddress() (string, error) {

+	addressPath := filepath.Join(b.path, "address")

+	data, err := ioutil.ReadFile(addressPath)

+	if err != nil {

+		return "", err

+	}

+	return string(data), nil

+}

+

+func (b *bundle) decideShimAddress(namespace string) string {

+	address, err := b.loadAddress()

+	if err != nil {

+		return b.legacyShimAddress(namespace)

+	}

+	return address

+}

+

 func (b *bundle) shimConfig(namespace string, c *Config, runcOptions *runctypes.RuncOptions) shim.Config {

 	var (

 		criuPath      string

@@ -46,7 +46,7 @@ type execProcess struct {

 	mu      sync.Mutex

 	id      string

 	console console.Console

-	io      runc.IO

+	io      *processIO

 	status  int

 	exited  time.Time

 	pid     *safePid

@@ -172,29 +172,30 @@ func (e *execProcess) start(ctx context.Context) (err error) {

 	// access e.pid until it is updated.

 	e.pid.Lock()

 	defer e.pid.Unlock()

+

 	var (

 		socket  *runc.Socket

-		pidfile = filepath.Join(e.path, fmt.Sprintf("%s.pid", e.id))

+		pio     *processIO

+		pidFile = newExecPidFile(e.path, e.id)

 	)

 	if e.stdio.Terminal {

 		if socket, err = runc.NewTempConsoleSocket(); err != nil {

 			return errors.Wrap(err, "failed to create runc console socket")

 		}

 		defer socket.Close()

-	} else if e.stdio.IsNull() {

-		if e.io, err = runc.NewNullIO(); err != nil {

-			return errors.Wrap(err, "creating new NULL IO")

-		}

 	} else {

-		if e.io, err = runc.NewPipeIO(e.parent.IoUID, e.parent.IoGID, withConditionalIO(e.stdio)); err != nil {

-			return errors.Wrap(err, "failed to create runc io pipes")

+		if pio, err = createIO(ctx, e.id, e.parent.IoUID, e.parent.IoGID, e.stdio); err != nil {

+			return errors.Wrap(err, "failed to create init process I/O")

 		}

+		e.io = pio

 	}

 	opts := &runc.ExecOpts{

-		PidFile: pidfile,

-		IO:      e.io,

+		PidFile: pidFile.Path(),

 		Detach:  true,

 	}

+	if pio != nil {

+		opts.IO = pio.IO()

+	}

 	if socket != nil {

 		opts.ConsoleSocket = socket

 	}

@@ -203,14 +204,10 @@ func (e *execProcess) start(ctx context.Context) (err error) {

 		return e.parent.runtimeError(err, "OCI runtime exec failed")

 	}

 	if e.stdio.Stdin != "" {

-		sc, err := fifo.OpenFifo(context.Background(), e.stdio.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

-		if err != nil {

-			return errors.Wrapf(err, "failed to open stdin fifo %s", e.stdio.Stdin)

+		if err := e.openStdin(e.stdio.Stdin); err != nil {

+			return err

 		}

-		e.closers = append(e.closers, sc)

-		e.stdin = sc

 	}

-	var copyWaitGroup sync.WaitGroup

 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)

 	defer cancel()

 	if socket != nil {

@@ -218,16 +215,15 @@ func (e *execProcess) start(ctx context.Context) (err error) {

 		if err != nil {

 			return errors.Wrap(err, "failed to retrieve console master")

 		}

-		if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg, &copyWaitGroup); err != nil {

+		if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {

 			return errors.Wrap(err, "failed to start console copy")

 		}

-	} else if !e.stdio.IsNull() {

-		if err := copyPipes(ctx, e.io, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg, &copyWaitGroup); err != nil {

+	} else {

+		if err := pio.Copy(ctx, &e.wg); err != nil {

 			return errors.Wrap(err, "failed to start io pipe copy")

 		}

 	}

-	copyWaitGroup.Wait()

-	pid, err := runc.ReadPidFile(opts.PidFile)

+	pid, err := pidFile.Read()

 	if err != nil {

 		return errors.Wrap(err, "failed to retrieve OCI runtime exec pid")

 	}

@@ -235,6 +231,16 @@ func (e *execProcess) start(ctx context.Context) (err error) {

 	return nil

 }

+func (e *execProcess) openStdin(path string) error {

+	sc, err := fifo.OpenFifo(context.Background(), path, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

+	if err != nil {

+		return errors.Wrapf(err, "failed to open stdin fifo %s", path)

+	}

+	e.stdin = sc

+	e.closers = append(e.closers, sc)

+	return nil

+}

+

 func (e *execProcess) Status(ctx context.Context) (string, error) {

 	s, err := e.parent.Status(ctx)

 	if err != nil {

@@ -41,9 +41,6 @@ import (

 	"github.com/pkg/errors"

 )

-// InitPidFile name of the file that contains the init pid

-const InitPidFile = "init.pid"

-

 // Init represents an initial process for a container

 type Init struct {

 	wg        sync.WaitGroup

@@ -63,7 +60,7 @@ type Init struct {

 	Bundle       string

 	console      console.Console

 	Platform     proc.Platform

-	io           runc.IO

+	io           *processIO

 	runtime      *runc.Runc

 	status       int

 	exited       time.Time

@@ -111,49 +108,33 @@ func New(id string, runtime *runc.Runc, stdio proc.Stdio) *Init {

 // Create the process with the provided config

 func (p *Init) Create(ctx context.Context, r *CreateConfig) error {

 	var (

-		err    error

-		socket *runc.Socket

+		err     error

+		socket  *runc.Socket

+		pio     *processIO

+		pidFile = newPidFile(p.Bundle)

 	)

 	if r.Terminal {

 		if socket, err = runc.NewTempConsoleSocket(); err != nil {

 			return errors.Wrap(err, "failed to create OCI runtime console socket")

 		}

 		defer socket.Close()

-	} else if hasNoIO(r) {

-		if p.io, err = runc.NewNullIO(); err != nil {

-			return errors.Wrap(err, "creating new NULL IO")

-		}