v0.9.0

What's New

• The runhcs containerd shim now supports launching Host Process containers.
• LCOW layers can now be encrypted via dmverity.
• Process dumps can now be generated for WCOW and LCOW via an OCI annotation.
• LCOW container execs now run as whatever user the container was launched as, unless the spec was overridden with a different user.
• Shared memory is now configurable via an OCI annotation.
• WCOW supports extensible virtual disks as data disks.
• LCOW supports hugepage mounts if the kernel used is built with this support.

See the Changelog for the full list of changes!

Bug Fixes

• Fix duplicate "failed" in HCS error strings.
• Get rid of redundant logs in HCN version range checks.
• HNS v1 policy schemas now have correct omitEmpty fields.

See the Changelog for the full list of changes!

Changelog

• Enable scratch space encryption via annotation by @anmaxvl in #1095
• Enforce security policy at unmount by @SeanTAllen in #1162
• Make policy environment variable rules consts by @SeanTAllen in #1164
• Remove unused variable by @SeanTAllen in #1165
• Update naming in internal security policy tool by @SeanTAllen in #1166
• Rename variable in SecurityPolicyEnforcer by @SeanTAllen in #1168
• Rename EnforceStartContainerPolicy by @SeanTAllen in #1169
• fix vmAccess param usage in AddSCSI by @anmaxvl in #1167
• Change internal data structure in SecurityPolicyEnforcer by @SeanTAllen in #1171
• Update kernel driver annotation for accuracy by @katiewasnothere in #1172
• Rework how working directories function for job containers by @dcantah in #1137
• Add WCOW sandbox mount support by @dcantah in #1087
• Add support for passing in a virtual function index to assign pci device by @katiewasnothere in #1163
• Set PATHEXT for job containers to handle binaries with no extension by @dcantah in #1174
• Add process dump functionality for WCOW/LCOW by @dcantah in #1062
• Update json format for security policy by @SeanTAllen in #1173
• Rework LCOW username setup/exec behavior by @dcantah in #1178
• Refactor pod config generation in tests by @anmaxvl in #1180
• tests: Fix tests that used old pullRequiredLCOWImages func name by @anmaxvl in #1183
• Remove unused definitions in winapi by @dcantah in #1181
• Also run tests on Windows Server 2022 GitHub Runner by @TBBle in #1176
• tests: Fix ExecUser LCOW tests using old function signature by @anmaxvl in #1184
• Add unit tests for computeagent by @katiewasnothere in #1182
• Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 in /test by @dependabot in #1185
• Bump github.com/containerd/containerd from 1.5.4 to 1.5.7 by @dependabot in #1186
• Add compute agent store for ncproxy reconnect by @katiewasnothere in #1097
• Update names of ncproxy proxy resources with test name included by @katiewasnothere in #1189
• Merge Microsoft/opengcs and Microsoft/hcsshim by @dcantah in #973
• Run late clone tests on 20H2+ builds only. by @ambarve in #1028
• Fix bug with VSMB & SCSI mounts on the same host path by @ambarve in #1021
• Support for storage space data disks by @ambarve in #998
• Add option to set no direct map by default on wcow VSMB devices by @katiewasnothere in #1030
• Read max 1MB data from panic.log by @ambarve in #1029
• Change Makefile file type from crlf to lf by @katiewasnothere in #1031
• support pod and container updates by @katiewasnothere in #931
• Add new flags to integration tests to specify virtstack by @dcantah in #1019
• Change VSMBNoDirectMap_WCOW_Hypervisor test to fix CI break by @dcantah in #1033
• fix break in cpu groups test on machines with build < 20124 by @katiewasnothere in #1036
• lf line endingify stray opengcs files by @dcantah in #1032
• Remotevm UVM implementation by @dcantah in #1023
• VHD with dm-verity by @SeanTAllen in #985
• Add tests for LCOW shared scratch space work by @dcantah in #955
• shim: Clean up delete invocation behavior by @kevpar in #1041
• Remove internal GCS connection functionality by @dcantah in #1038
• Add instructions to build containerd-shim and gcs binaries by @dcantah in #1034
• Add DnsSettings to ncproxy CreateEndpointRequest by @dcantah in #1026
• use requested stdio in call to exec in shim host by @katiewasnothere in #1044
• Added Support for NestedIpSet type in SetPolicy and a new Network Policy called NetworkACL policy by @netal in #1045
• Add DNSDomain to hns endpoint object by @dcantah in #1047
• add logic to stack lcow layers on a single VPMEM device by @anmaxvl in #930
• Read vhd verity footer by @anmaxvl in #1008
• fix wrong error logged when dm-verity footer read fails by @anmaxvl in #1054
• Get rid of redundant logs in HCN version range checks by @dcantah in #1053
• Add containerd-shim plumbing for job containers by @dcantah in #962
• Fix functional tests build and revendor by @katiewasnothere in #1063
• Remove ERROR_PROC_NOT_FOUND from error checks by @kevpar in #1064
• export annotations for use in test suite by @katiewasnothere in #1061
• Support specifying a specific logrus log level for shim log output by @dcantah in #1058
• Support registering and unregistering ncproxy as a Windows service by @dcantah in #1046
• Bump containerd to 1.5.2 by @aledbf in #1068
• Add missing 'functional' tag to test source by @TBBle in #1069
• Add support to dump stacks for ncproxy when requested by @katiewasnothere in #1070
• Fix lost span attribute for NameToGuid by @TBBle in #1071
• Remove leftover generated HCS2 schema file by @TBBle in #1074
• Add volume mount support for job containers by @dcantah in #1057
• Gate CRI update container tests behind feature flag by @dcantah in #1079
• Updating HNS v1 policy schemas with correct omitEmpty fields by @elweb9858 in #1078
• Fix relative paths (with dot) not working for job containers by @dcantah in #1081
• Add support for reading in device extension files for container create hcs document by @katiewasnothere in #1060
• Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 in /test by @dependabot in #1082
• Bump github.com/containerd/containerd from 1.5.2 to 1.5.4 by @dependabot in #1083
• Bump github.com/opencontainers/runc from 1.0.0-rc93 to 1.0.0-rc95 by @dependabot in #1084
• tests: increase opengcs tests verbosity by @anmaxvl in #1088
• make container's shared memory configurable via annotation by @anmaxvl in #1052
• Support for extensible virtual disks as data disks by @ambarve in #1039
• Minor bug fixes by @ambarve in #1093
• Add support to encrypt SCSI scratch disks with dm-crypt by @AntonioND in #1090
• Add basis for allowing the creation of configuration enforcement in gcs by @SeanTAllen in #1094
• Add retry around wclayer operations for process isolated containers by @dcantah in #1091
• Fix build break in functional tests by @katiewasnothere in #1098
• Fix incorrect casing in error message by @SeanTAllen in #1103
• chore: Cleanup guest pmem package by @anmaxvl in #1096
• Skip setting security policy when it's empty by @anmaxvl in #1099
• Fix incorrect variable casing by @SeanTAllen in #1106
• Fix variable naming by @SeanTAllen in #1105
• tests: fix VPMem layer packing tests by @anmaxvl in #1109
• Support for Kernel Boot Options - LCOW by @ninzavivek in #1108
• Add network stats to the enable getting stats directly by @jsturtevant in #1102
• Add sleep before layer operation retries by @dcantah in #1122
• Add GetCachedSupportedFeatures method to hcn package by @dcantah in #1123
• Check if stdio pipes are nil for job containers/fix windows.Close usage by @dcantah in #1115
• Add security policy enforcement of command line options when starting containers by @SeanTAllen in #1116
• Fix spelling error by @SeanTAllen in #1127
• Update ncproxy compute agent cache map by @katiewasnothere in #1126
• Make ncproxy a urfave/cli app by @dcantah in #1121
• Bugfix for UnicodeString constructor by @ambarve in #1138
• Fix duplicate "failed" in HCS errors by @thaJeztah in #1139
• Add extra info about DCO check to README by @dcantah in #1140
• Update test package go modules by @katiewasnothere in #1141
• Fixup logic for sandbox and container cleanup on failure by @katiewasnothere in #1142
• Add stylecheck linter to golangci-lint CI runs by @dcantah in #1125
• Enable dm-verity for multi-mapped LCOW layers by @anmaxvl in #1089
• add RecommendedVHDSizeGB constant by @praenubilus in #1145
• Add more messages when guest relays and init process finish by @anmaxvl in #1104
• Job container path touchups + rework tests by @dcantah in #1117
• Update test modules with hcsshim changes by @katiewasnothere in #1150
• Add ci step to validate that modules have been vendored in by @katiewasnothere in #1112
• Hugepage support for LCOW by @ninzavivek in #1118
• Update test modules with up to date hcsshim code by @katiewasnothere in #1151
• Add security policy enforcement of environment variables by @SeanTAllen in #1146
• Add note about test directory go mod vendor steps to README by @dcantah in #1156
• Update script to verify go modules to match hashes of all files by @katiewasnothere in #1157
• Add unit tests to ncproxy by @katiewasnothere in #1143
• Switch JSON policy schema from using arrays to maps by @SeanTAllen in #1154
• Add new internal cmd package request struct to remove shimdiag package import by @katiewasnothere in #1153
• Add additional information to the error message when validating modules by @katiewasnothere in #1159
• Update securitypolicy tool to support multiple registries by @SeanTAllen in #1161
• Add security policy enforcement for SCSI devices by @SeanTAllen in #1158

Full changelog: v0.8.22...v0.9.0