@@ -4,7 +4,7 @@

 # containerd is also pinned in vendor.conf. When updating the binary

 # version you may also need to update the vendor version to pick up bug

 # fixes or new APIs.

-CONTAINERD_COMMIT=9754871865f7fe2f4e74d43e2fc7ccd237edcbce # v1.2.2

+CONTAINERD_COMMIT=7f5f1176dd9fb3cc8d3ce5de91759ed3dc969fa2 # v1.2.3

 install_containerd() {

 	echo "Install containerd version $CONTAINERD_COMMIT"

@@ -78,7 +78,7 @@ google.golang.org/grpc v1.12.0

 # the containerd project first, and update both after that is merged.

 # This commit does not need to match RUNC_COMMIT as it is used for helper

 # packages but should be newer or equal.

-github.com/opencontainers/runc 96ec2177ae841256168fcf76954f7177af9446eb

+github.com/opencontainers/runc 12f6a991201fdb8f82579582d5e00e28fba06d0a

 github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db

 github.com/opencontainers/image-spec v1.0.1

 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

@@ -117,12 +117,12 @@ github.com/googleapis/gax-go v2.0.0

 google.golang.org/genproto 694d95ba50e67b2e363f3483057db5d4910c18f9

 # containerd

-github.com/containerd/containerd 9754871865f7fe2f4e74d43e2fc7ccd237edcbce # v1.2.2

+github.com/containerd/containerd 7f5f1176dd9fb3cc8d3ce5de91759ed3dc969fa2 # v1.2.3

 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c

 github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d

 github.com/containerd/cgroups 5e610833b72089b37d0e615de9a92dfc043757c2

 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23

-github.com/containerd/cri 0d5cabd006cb5319dc965046067b8432d9fa5ef8 # release/1.2 branch

+github.com/containerd/cri c3cf754321fc38c6af5dfd2552fdde0ad192b31d # release/1.2 branch

 github.com/containerd/go-runc 5a6d9f37cfa36b15efba46dc7ea349fa9b7143c3

 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40

 github.com/containerd/ttrpc 2a805f71863501300ae1976d29f0454ae003e85a

@@ -100,7 +100,7 @@ const (

 	// readdir calls to this directory do not follow to lower layers.

 	whiteoutOpaqueDir = whiteoutMetaPrefix + ".opq"

-	paxSchilyXattr = "SCHILY.xattrs."

+	paxSchilyXattr = "SCHILY.xattr."

 )

 // Apply applies a tar stream of an OCI style diff tar.

@@ -295,7 +295,7 @@ func applyNaive(ctx context.Context, root string, tr *tar.Reader, options ApplyO

 			linkBasename := filepath.Base(hdr.Linkname)

 			srcHdr = aufsHardlinks[linkBasename]

 			if srcHdr == nil {

-				return 0, fmt.Errorf("Invalid aufs hardlink")

+				return 0, fmt.Errorf("invalid aufs hardlink")

 			}

 			p, err := fs.RootPath(aufsTempdir, linkBasename)

 			if err != nil {

@@ -74,7 +74,7 @@ func tarName(p string) (string, error) {

 	// in file names, it is mostly safe to replace however we must

 	// check just in case

 	if strings.Contains(p, "/") {

-		return "", fmt.Errorf("Windows path contains forward slash: %s", p)

+		return "", fmt.Errorf("windows path contains forward slash: %s", p)

 	}

 	return strings.Replace(p, string(os.PathSeparator), "/", -1), nil

@@ -130,11 +130,7 @@ func skipFile(hdr *tar.Header) bool {

 	// specific or Linux-specific, this warning should be changed to an error

 	// to cater for the situation where someone does manage to upload a Linux

 	// image but have it tagged as Windows inadvertently.

-	if strings.Contains(hdr.Name, ":") {

-		return true

-	}

-

-	return false

+	return strings.Contains(hdr.Name, ":")

 }

 // handleTarTypeBlockCharFifo is an OS-specific helper function used by

@@ -401,12 +401,22 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim

 	}

 	var (

-		schema1Converter *schema1.Converter

-		handler          images.Handler

+		handler images.Handler

+

+		isConvertible bool

+		converterFunc func(context.Context, ocispec.Descriptor) (ocispec.Descriptor, error)

 	)

+

 	if desc.MediaType == images.MediaTypeDockerSchema1Manifest && rCtx.ConvertSchema1 {

-		schema1Converter = schema1.NewConverter(store, fetcher)

+		schema1Converter := schema1.NewConverter(store, fetcher)

+

 		handler = images.Handlers(append(rCtx.BaseHandlers, schema1Converter)...)

+

+		isConvertible = true

+

+		converterFunc = func(ctx context.Context, _ ocispec.Descriptor) (ocispec.Descriptor, error) {

+			return schema1Converter.Convert(ctx)

+		}

 	} else {

 		// Get all the children for a descriptor

 		childrenHandler := images.ChildrenHandler(store)

@@ -419,18 +429,34 @@ func (c *Client) fetch(ctx context.Context, rCtx *RemoteContext, ref string, lim

 			childrenHandler = images.LimitManifests(childrenHandler, rCtx.PlatformMatcher, limit)

 		}

+		// set isConvertible to true if there is application/octet-stream media type

+		convertibleHandler := images.HandlerFunc(

+			func(_ context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {

+				if desc.MediaType == docker.LegacyConfigMediaType {

+					isConvertible = true

+				}

+

+				return []ocispec.Descriptor{}, nil

+			},

+		)

+

 		handler = images.Handlers(append(rCtx.BaseHandlers,

 			remotes.FetchHandler(store, fetcher),

+			convertibleHandler,

 			childrenHandler,

 		)...)

+

+		converterFunc = func(ctx context.Context, desc ocispec.Descriptor) (ocispec.Descriptor, error) {

+			return docker.ConvertManifest(ctx, store, desc)

+		}

 	}

 	if err := images.Dispatch(ctx, handler, desc); err != nil {

 		return images.Image{}, err

 	}

-	if schema1Converter != nil {

-		desc, err = schema1Converter.Convert(ctx)

-		if err != nil {

+

+	if isConvertible {

+		if desc, err = converterFunc(ctx, desc); err != nil {

 			return images.Image{}, err

 		}

 	}

@@ -47,7 +47,5 @@ func unlock(ref string) {

 	locksMu.Lock()

 	defer locksMu.Unlock()

-	if _, ok := locks[ref]; ok {

-		delete(locks, ref)

-	}

+	delete(locks, ref)

 }

@@ -37,10 +37,10 @@ func WithProfile(profile string) oci.SpecOpts {

 		s.Linux.Seccomp = &specs.LinuxSeccomp{}

 		f, err := ioutil.ReadFile(profile)

 		if err != nil {

-			return fmt.Errorf("Cannot load seccomp profile %q: %v", profile, err)

+			return fmt.Errorf("cannot load seccomp profile %q: %v", profile, err)

 		}

 		if err := json.Unmarshal(f, s.Linux.Seccomp); err != nil {

-			return fmt.Errorf("Decoding seccomp profile failed %q: %v", profile, err)

+			return fmt.Errorf("decoding seccomp profile failed %q: %v", profile, err)

 		}

 		return nil

 	}

@@ -185,7 +185,6 @@ func (s *scanner) scanQuoted(quote rune) {

 			ch = s.next()

 		}

 	}

-	return

 }

 func (s *scanner) scanEscape(quote rune) rune {

@@ -99,8 +99,7 @@ func (c *Client) Import(ctx context.Context, reader io.Reader, opts ...ImportOpt

 		})

 	}

-	var handler images.HandlerFunc

-	handler = func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {

+	var handler images.HandlerFunc = func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {

 		// Only save images at top level

 		if desc.Digest != index.Digest {

 			return images.Children(ctx, cs, desc)

@@ -762,7 +762,7 @@ func (cs *contentStore) garbageCollect(ctx context.Context) (d time.Duration, er

 	t1 := time.Now()

 	defer func() {

 		if err == nil {

-			d = time.Now().Sub(t1)

+			d = time.Since(t1)

 		}

 		cs.l.Unlock()

 	}()

@@ -154,7 +154,7 @@ func (m *DB) Init(ctx context.Context) error {

 				if err := m.migrate(tx); err != nil {

 					return errors.Wrapf(err, "failed to migrate to %s.%d", m.schema, m.version)

 				}

-				log.G(ctx).WithField("d", time.Now().Sub(t0)).Debugf("finished database migration to %s.%d", m.schema, m.version)

+				log.G(ctx).WithField("d", time.Since(t0)).Debugf("finished database migration to %s.%d", m.schema, m.version)

 			}

 		}

@@ -306,7 +306,7 @@ func (m *DB) GarbageCollect(ctx context.Context) (gc.Stats, error) {

 				m.cleanupSnapshotter(snapshotterName)

 				sl.Lock()

-				stats.SnapshotD[snapshotterName] = time.Now().Sub(st1)

+				stats.SnapshotD[snapshotterName] = time.Since(st1)

 				sl.Unlock()

 				wg.Done()

@@ -321,7 +321,7 @@ func (m *DB) GarbageCollect(ctx context.Context) (gc.Stats, error) {

 		go func() {

 			ct1 := time.Now()

 			m.cleanupContent()

-			stats.ContentD = time.Now().Sub(ct1)

+			stats.ContentD = time.Since(ct1)

 			wg.Done()

 		}()

 		m.dirtyCS = false

@@ -329,7 +329,7 @@ func (m *DB) GarbageCollect(ctx context.Context) (gc.Stats, error) {

 	m.dirtyL.Unlock()

-	stats.MetaD = time.Now().Sub(t1)

+	stats.MetaD = time.Since(t1)

 	m.wlock.Unlock()

 	wg.Wait()

@@ -296,10 +296,6 @@ func references(ctx context.Context, tx *bolt.Tx, node gc.Node, fn func(gc.Node)

 		bkt := getBucket(tx, bucketKeyVersion, []byte(node.Namespace), bucketKeyObjectSnapshots, []byte(ss), []byte(name))

 		if bkt == nil {

-			getBucket(tx, bucketKeyVersion, []byte(node.Namespace), bucketKeyObjectSnapshots).ForEach(func(k, v []byte) error {

-				return nil

-			})

-

 			// Node may be created from dead edge

 			return nil

 		}

@@ -628,7 +628,7 @@ func (s *snapshotter) garbageCollect(ctx context.Context) (d time.Duration, err

 			}

 		}

 		if err == nil {

-			d = time.Now().Sub(t1)

+			d = time.Since(t1)

 		}

 	}()

@@ -68,7 +68,7 @@ func parseInfoFile(r io.Reader) ([]Info, error) {

 		numFields := len(fields)

 		if numFields < 10 {

 			// should be at least 10 fields

-			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields (%d)", text, numFields)

+			return nil, fmt.Errorf("parsing '%s' failed: not enough fields (%d)", text, numFields)

 		}

 		p := Info{}

 		// ignore any numbers parsing errors, as there should not be any

@@ -76,7 +76,7 @@ func parseInfoFile(r io.Reader) ([]Info, error) {

 		p.Parent, _ = strconv.Atoi(fields[1])

 		mm := strings.Split(fields[2], ":")

 		if len(mm) != 2 {

-			return nil, fmt.Errorf("Parsing '%s' failed: unexpected minor:major pair %s", text, mm)

+			return nil, fmt.Errorf("parsing '%s' failed: unexpected minor:major pair %s", text, mm)

 		}

 		p.Major, _ = strconv.Atoi(mm[0])

 		p.Minor, _ = strconv.Atoi(mm[1])

@@ -101,11 +101,11 @@ func parseInfoFile(r io.Reader) ([]Info, error) {

 			}

 		}

 		if i == numFields {

-			return nil, fmt.Errorf("Parsing '%s' failed: missing separator ('-')", text)

+			return nil, fmt.Errorf("parsing '%s' failed: missing separator ('-')", text)

 		}

 		// There should be 3 fields after the separator...

 		if i+4 > numFields {

-			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields after a separator", text)

+			return nil, fmt.Errorf("parsing '%s' failed: not enough fields after a separator", text)

 		}

 		// ... but in Linux <= 3.9 mounting a cifs with spaces in a share name

 		// (like "//serv/My Documents") _may_ end up having a space in the last field

@@ -42,10 +42,7 @@ var (

 // IsSkipPlugin returns true if the error is skipping the plugin

 func IsSkipPlugin(err error) bool {

-	if errors.Cause(err) == ErrSkipPlugin {

-		return true

-	}

-	return false

+	return errors.Cause(err) == ErrSkipPlugin

 }

 // Type is the type of the plugin

@@ -111,9 +111,11 @@ func (p *process) Start(ctx context.Context) error {

 		ExecID:      p.id,

 	})

 	if err != nil {

-		p.io.Cancel()

-		p.io.Wait()

-		p.io.Close()

+		if p.io != nil {

+			p.io.Cancel()

+			p.io.Wait()

+			p.io.Close()

+		}

 		return errdefs.FromGRPC(err)

 	}

 	p.pid = r.Pid

@@ -79,8 +79,8 @@ func init() {

 		var t octetType

 		isCtl := c <= 31 || c == 127

 		isChar := 0 <= c && c <= 127

-		isSeparator := strings.IndexRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) >= 0

-		if strings.IndexRune(" \t\r\n", rune(c)) >= 0 {

+		isSeparator := strings.ContainsRune(" \t\"(),/:;<=>?@[]\\{}", rune(c))

+		if strings.ContainsRune(" \t\r\n", rune(c)) {

 			t |= isSpace

 		}

 		if isChar && !isCtl && !isSeparator {

new file mode 100644

@@ -0,0 +1,88 @@

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+package docker

+

+import (

+	"bytes"

+	"context"

+	"encoding/json"

+	"fmt"

+

+	"github.com/containerd/containerd/content"

+	"github.com/containerd/containerd/images"

+	"github.com/containerd/containerd/log"

+	"github.com/containerd/containerd/remotes"

+	digest "github.com/opencontainers/go-digest"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

+	"github.com/pkg/errors"

+)

+

+// LegacyConfigMediaType should be replaced by OCI image spec.

+//

+// More detail: docker/distribution#1622

+const LegacyConfigMediaType = "application/octet-stream"

+

+// ConvertManifest changes application/octet-stream to schema2 config media type if need.

+//

+// NOTE:

+// 1. original manifest will be deleted by next gc round.

+// 2. don't cover manifest list.

+func ConvertManifest(ctx context.Context, store content.Store, desc ocispec.Descriptor) (ocispec.Descriptor, error) {

+	if !(desc.MediaType == images.MediaTypeDockerSchema2Manifest ||

+		desc.MediaType == ocispec.MediaTypeImageManifest) {

+

+		log.G(ctx).Warnf("do nothing for media type: %s", desc.MediaType)

+		return desc, nil

+	}

+

+	// read manifest data

+	mb, err := content.ReadBlob(ctx, store, desc)

+	if err != nil {

+		return ocispec.Descriptor{}, errors.Wrap(err, "failed to read index data")

+	}

+

+	var manifest ocispec.Manifest

+	if err := json.Unmarshal(mb, &manifest); err != nil {

+		return ocispec.Descriptor{}, errors.Wrap(err, "failed to unmarshal data into manifest")

+	}

+

+	// check config media type

+	if manifest.Config.MediaType != LegacyConfigMediaType {

+		return desc, nil

+	}

+

+	manifest.Config.MediaType = images.MediaTypeDockerSchema2Config

+	data, err := json.MarshalIndent(manifest, "", "   ")

+	if err != nil {

+		return ocispec.Descriptor{}, errors.Wrap(err, "failed to marshal manifest")

+	}

+

+	// update manifest with gc labels

+	desc.Digest = digest.Canonical.FromBytes(data)

+	desc.Size = int64(len(data))

+

+	labels := map[string]string{}

+	for i, c := range append([]ocispec.Descriptor{manifest.Config}, manifest.Layers...) {

+		labels[fmt.Sprintf("containerd.io/gc.ref.content.%d", i)] = c.Digest.String()

+	}

+

+	ref := remotes.MakeRefKey(ctx, desc)

+	if err := content.WriteBlob(ctx, store, ref, bytes.NewReader(data), desc, content.WithLabels(labels)); err != nil {

+		return ocispec.Descriptor{}, errors.Wrap(err, "failed to update content")

+	}

+	return desc, nil

+}

@@ -69,4 +69,8 @@ type PlatformRuntime interface {

 	// Tasks returns all the current tasks for the runtime.

 	// Any container runs at most one task at a time.

 	Tasks(context.Context, bool) ([]Task, error)

+	// Add adds a task into runtime.

+	Add(context.Context, Task) error

+	// Delete remove a task.

+	Delete(context.Context, string)

 }

@@ -69,7 +69,3 @@ func (s *deletedState) SetExited(status int) {

 func (s *deletedState) Exec(ctx context.Context, path string, r *ExecConfig) (proc.Process, error) {

 	return nil, errors.Errorf("cannot exec in a deleted state")

 }

-

-func (s *deletedState) Pid() int {

-	return -1

-}

@@ -49,7 +49,7 @@ type execProcess struct {

 	io      runc.IO

 	status  int

 	exited  time.Time

-	pid     int

+	pid     *safePid

 	closers []io.Closer

 	stdin   io.Closer

 	stdio   proc.Stdio

@@ -69,11 +69,7 @@ func (e *execProcess) ID() string {

 }

 func (e *execProcess) Pid() int {

-	return e.execState.Pid()

-}

-

-func (e *execProcess) pidv() int {

-	return e.pid

+	return e.pid.get()

 }

 func (e *execProcess) ExitStatus() int {

@@ -145,7 +141,7 @@ func (e *execProcess) Kill(ctx context.Context, sig uint32, _ bool) error {

 }

 func (e *execProcess) kill(ctx context.Context, sig uint32, _ bool) error {

-	pid := e.pid

+	pid := e.pid.get()

 	if pid != 0 {

 		if err := unix.Kill(pid, syscall.Signal(sig)); err != nil {

 			return errors.Wrapf(checkKillError(err), "exec kill error")

@@ -170,6 +166,12 @@ func (e *execProcess) Start(ctx context.Context) error {

 }

 func (e *execProcess) start(ctx context.Context) (err error) {

+	// The reaper may receive exit signal right after

+	// the container is started, before the e.pid is updated.

+	// In that case, we want to block the signal handler to

+	// access e.pid until it is updated.

+	e.pid.Lock()

+	defer e.pid.Unlock()

 	var (

 		socket  *runc.Socket

 		pidfile = filepath.Join(e.path, fmt.Sprintf("%s.pid", e.id))

@@ -201,7 +203,7 @@ func (e *execProcess) start(ctx context.Context) (err error) {

 		return e.parent.runtimeError(err, "OCI runtime exec failed")

 	}

 	if e.stdio.Stdin != "" {

-		sc, err := fifo.OpenFifo(ctx, e.stdio.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

+		sc, err := fifo.OpenFifo(context.Background(), e.stdio.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

 		if err != nil {

 			return errors.Wrapf(err, "failed to open stdin fifo %s", e.stdio.Stdin)

 		}

@@ -210,29 +212,26 @@ func (e *execProcess) start(ctx context.Context) (err error) {

 	}

 	var copyWaitGroup sync.WaitGroup

 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)

+	defer cancel()

 	if socket != nil {

 		console, err := socket.ReceiveMaster()

 		if err != nil {

-			cancel()

 			return errors.Wrap(err, "failed to retrieve console master")

 		}

 		if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg, &copyWaitGroup); err != nil {

-			cancel()

 			return errors.Wrap(err, "failed to start console copy")

 		}

 	} else if !e.stdio.IsNull() {

 		if err := copyPipes(ctx, e.io, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg, &copyWaitGroup); err != nil {

-			cancel()

 			return errors.Wrap(err, "failed to start io pipe copy")

 		}

 	}

 	copyWaitGroup.Wait()

 	pid, err := runc.ReadPidFile(opts.PidFile)

 	if err != nil {

-		cancel()

 		return errors.Wrap(err, "failed to retrieve OCI runtime exec pid")

 	}

-	e.pid = pid

+	e.pid.pid = pid

 	return nil

 }

@@ -250,11 +249,11 @@ func (e *execProcess) Status(ctx context.Context) (string, error) {

 	e.mu.Lock()

 	defer e.mu.Unlock()

 	// if we don't have a pid then the exec process has just been created

-	if e.pid == 0 {

+	if e.pid.get() == 0 {

 		return "created", nil

 	}

 	// if we have a pid and it can be signaled, the process is running

-	if err := unix.Kill(e.pid, 0); err == nil {

+	if err := unix.Kill(e.pid.get(), 0); err == nil {

 		return "running", nil

 	}

 	// else if we have a pid but it can nolonger be signaled, it has stopped

@@ -31,7 +31,6 @@ type execState interface {

 	Delete(context.Context) error

 	Kill(context.Context, uint32, bool) error

 	SetExited(int)

-	Pid() int

 }

 type execCreatedState struct {

@@ -83,12 +82,6 @@ func (s *execCreatedState) SetExited(status int) {

 	}

 }

-func (s *execCreatedState) Pid() int {

-	s.p.mu.Lock()

-	defer s.p.mu.Unlock()

-	return s.p.pidv()

-}

-

 type execRunningState struct {

 	p *execProcess

 }

@@ -127,12 +120,6 @@ func (s *execRunningState) SetExited(status int) {

 	}

 }

-func (s *execRunningState) Pid() int {

-	s.p.mu.Lock()

-	defer s.p.mu.Unlock()

-	return s.p.pidv()

-}

-

 type execStoppedState struct {

 	p *execProcess

 }

@@ -170,7 +157,3 @@ func (s *execStoppedState) Kill(ctx context.Context, sig uint32, all bool) error

 func (s *execStoppedState) SetExited(status int) {

 	// no op

 }

-

-func (s *execStoppedState) Pid() int {

-	return s.p.pidv()

-}

@@ -160,7 +160,7 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {

 		return p.runtimeError(err, "OCI runtime create failed")

 	}

 	if r.Stdin != "" {

-		sc, err := fifo.OpenFifo(ctx, r.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

+		sc, err := fifo.OpenFifo(context.Background(), r.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

 		if err != nil {

 			return errors.Wrapf(err, "failed to open stdin fifo %s", r.Stdin)

 		}

@@ -169,21 +169,19 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {

 	}

 	var copyWaitGroup sync.WaitGroup

 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)

+	defer cancel()

 	if socket != nil {

 		console, err := socket.ReceiveMaster()

 		if err != nil {

-			cancel()

 			return errors.Wrap(err, "failed to retrieve console master")

 		}

 		console, err = p.Platform.CopyConsole(ctx, console, r.Stdin, r.Stdout, r.Stderr, &p.wg, &copyWaitGroup)

 		if err != nil {

-			cancel()

 			return errors.Wrap(err, "failed to start console copy")

 		}

 		p.console = console

 	} else if !hasNoIO(r) {

 		if err := copyPipes(ctx, p.io, r.Stdin, r.Stdout, r.Stderr, &p.wg, &copyWaitGroup); err != nil {

-			cancel()

 			return errors.Wrap(err, "failed to start io pipe copy")

 		}

 	}

@@ -191,7 +189,6 @@ func (p *Init) Create(ctx context.Context, r *CreateConfig) error {

 	copyWaitGroup.Wait()

 	pid, err := runc.ReadPidFile(pidFile)

 	if err != nil {

-		cancel()

 		return errors.Wrap(err, "failed to retrieve OCI runtime container pid")

 	}

 	p.pid = pid

@@ -409,6 +406,7 @@ func (p *Init) exec(ctx context.Context, path string, r *ExecConfig) (proc.Proce

 			Terminal: r.Terminal,

 		},

 		waitBlock: make(chan struct{}),

+		pid:       &safePid{},

 	}

 	e.execState = &execCreatedState{p: e}

 	return e, nil

@@ -172,7 +172,7 @@ func (s *createdCheckpointState) Start(ctx context.Context) error {

 		return p.runtimeError(err, "OCI runtime restore failed")

 	}

 	if sio.Stdin != "" {

-		sc, err := fifo.OpenFifo(ctx, sio.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

+		sc, err := fifo.OpenFifo(context.Background(), sio.Stdin, syscall.O_WRONLY|syscall.O_NONBLOCK, 0)

 		if err != nil {

 			return errors.Wrapf(err, "failed to open stdin fifo %s", sio.Stdin)

 		}

@@ -111,7 +111,7 @@ func copyPipes(ctx context.Context, rio runc.IO, stdin, stdout, stderr string, w

 	if stdin == "" {

 		return nil

 	}

-	f, err := fifo.OpenFifo(ctx, stdin, syscall.O_RDONLY|syscall.O_NONBLOCK, 0)

+	f, err := fifo.OpenFifo(context.Background(), stdin, syscall.O_RDONLY|syscall.O_NONBLOCK, 0)

 	if err != nil {

 		return fmt.Errorf("containerd-shim: opening %s failed: %s", stdin, err)

 	}

@@ -23,6 +23,7 @@ import (

 	"io"

 	"os"

 	"strings"

+	"sync"

 	"time"

 	"github.com/containerd/containerd/errdefs"

@@ -31,6 +32,18 @@ import (

 	"golang.org/x/sys/unix"

 )

+// safePid is a thread safe wrapper for pid.

+type safePid struct {

+	sync.Mutex

+	pid int

+}

+

+func (s *safePid) get() int {

+	s.Lock()

+	defer s.Unlock()

+	return s.pid

+}

+

 // TODO(mlaventure): move to runc package?

 func getLastRuntimeError(r *runc.Runc) (string, error) {

 	if r.Log == "" {

@@ -303,6 +303,16 @@ func (r *Runtime) Get(ctx context.Context, id string) (runtime.Task, error) {

 	return r.tasks.Get(ctx, id)

 }

+// Add a runtime task

+func (r *Runtime) Add(ctx context.Context, task runtime.Task) error {

+	return r.tasks.Add(ctx, task)

+}

+

+// Delete a runtime task

+func (r *Runtime) Delete(ctx context.Context, id string) {

+	r.tasks.Delete(ctx, id)

+}

+

 func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {

 	dir, err := ioutil.ReadDir(filepath.Join(r.state, ns))

 	if err != nil {

@@ -185,8 +185,10 @@ func (t *task) Start(ctx context.Context) error {

 		ContainerID: t.id,

 	})

 	if err != nil {

-		t.io.Cancel()

-		t.io.Close()

+		if t.io != nil {

+			t.io.Cancel()

+			t.io.Close()

+		}

 		return errdefs.FromGRPC(err)

 	}

 	t.pid = r.Pid

@@ -20,7 +20,7 @@ github.com/gogo/protobuf v1.0.0

 github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef

 github.com/golang/protobuf v1.1.0

 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 # v1.0.1-45-geba862d

-github.com/opencontainers/runc 96ec2177ae841256168fcf76954f7177af9446eb

+github.com/opencontainers/runc 12f6a991201fdb8f82579582d5e00e28fba06d0a

 github.com/sirupsen/logrus v1.0.0

 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c

 golang.org/x/net b3756b4b77d7b13260a0a2ec658753cf48922eac

@@ -43,7 +43,7 @@ github.com/google/go-cmp v0.1.0

 go.etcd.io/bbolt v1.3.1-etcd.8

 # cri dependencies

-github.com/containerd/cri 0d5cabd006cb5319dc965046067b8432d9fa5ef8 # release/1.2 branch

+github.com/containerd/cri c3cf754321fc38c6af5dfd2552fdde0ad192b31d # release/1.2 branch

 github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90

 github.com/blang/semver v3.1.0

 github.com/containernetworking/cni v0.6.0

@@ -22,7 +22,7 @@ import "strings"

 // Comparison is case insensitive.

 func InStringSlice(ss []string, str string) bool {

 	for _, s := range ss {

-		if strings.ToLower(s) == strings.ToLower(str) {

+		if strings.EqualFold(s, str) {

 			return true

 		}

 	}

@@ -34,7 +34,7 @@ func InStringSlice(ss []string, str string) bool {

 func SubtractStringSlice(ss []string, str string) []string {

 	var res []string

 	for _, s := range ss {

-		if strings.ToLower(s) == strings.ToLower(str) {

+		if strings.EqualFold(s, str) {

 			continue

 		}

 		res = append(res, s)

@@ -3,7 +3,7 @@ github.com/blang/semver v3.1.0

 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895

 github.com/containerd/cgroups 5e610833b72089b37d0e615de9a92dfc043757c2

 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23

-github.com/containerd/containerd 4b284fa3ab61832b022ba428055f793a75ffc251

+github.com/containerd/containerd 0137339c8c1d55de5545ffdd723199dfba27cb24

 github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4

 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c

 github.com/containerd/go-cni 40bcf8ec8acd7372be1d77031d585d5d8e561c90

@@ -39,7 +39,7 @@ github.com/modern-go/concurrent 1.0.3

 github.com/modern-go/reflect2 1.0.1

 github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7

 github.com/opencontainers/image-spec v1.0.1

-github.com/opencontainers/runc v1.0.0-rc6

+github.com/opencontainers/runc 12f6a991201fdb8f82579582d5e00e28fba06d0a

 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353

 github.com/opencontainers/runtime-tools v0.6.0

 github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a

@@ -463,7 +463,7 @@ func WriteCgroupProc(dir string, pid int) error {

 		return fmt.Errorf("no such directory for %s", CgroupProcesses)

 	}

-	// Dont attach any pid to the cgroup if -1 is specified as a pid

+	// Don't attach any pid to the cgroup if -1 is specified as a pid

 	if pid != -1 {

 		if err := ioutil.WriteFile(filepath.Join(dir, CgroupProcesses), []byte(strconv.Itoa(pid)), 0700); err != nil {

 			return fmt.Errorf("failed to write %v to %v: %v", pid, CgroupProcesses, err)