patch the internal/shim package to work with Windows shims

This commit adds the changes to ensure that upstream pkg/shim works with Windows shims.

Signed-off-by: Harsh Rawat <harshrawat@microsoft.com>

Author: rawahars

internal/shim/publisher.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 /*
    Copyright The containerd Authors.
 
@@ -18,6 +20,7 @@ package shim
 
 import (
 	"context"
+	"errors"
 	"sync"
 	"time"
 
@@ -157,7 +160,7 @@ func (l *RemoteEventsPublisher) forwardRequest(ctx context.Context, req *v1.Forw
 		}
 	}
 
-	if err != ttrpc.ErrClosed {
+	if !errors.Is(err, ttrpc.ErrClosed) {
 		return err
 	}
 

internal/shim/shim.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 /*
    Copyright The containerd Authors.
 
@@ -263,7 +265,9 @@ func run(ctx context.Context, manager Manager, config Config) error {
 		if debugFlag {
 			logger.Logger.SetLevel(log.DebugLevel)
 		}
-		go reap(ctx, logger, signals)
+		go func() {
+			_ = reap(ctx, logger, signals)
+		}()
 		ss, err := manager.Stop(ctx, id)
 		if err != nil {
 			return err
@@ -453,13 +457,25 @@ func serve(ctx context.Context, server *ttrpc.Server, signals chan os.Signal, sh
 	if err != nil {
 		return err
 	}
+
+	serrs := make(chan error, 1)
+	defer close(serrs)
 	go func() {
 		defer l.Close()
 		if err := server.Serve(ctx, l); err != nil && !errors.Is(err, net.ErrClosed) {
 			log.G(ctx).WithError(err).Fatal("containerd-shim: ttrpc server failure")
+			serrs <- err
+			return
 		}
+		serrs <- nil
 	}()
 
+	// Notify the parent process that the shim is ready.
+	// On Windows this signals a named event; on Unix this is a no-op.
+	if err = notifyReady(ctx, serrs); err != nil {
+		return err
+	}
+
 	if debugFlag && pprof != nil {
 		if err := setupPprof(ctx, pprof); err != nil {
 			log.G(ctx).WithError(err).Warn("Could not setup pprof")

internal/shim/shim_test.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 /*
    Copyright The containerd Authors.
 

internal/shim/shim_windows.go

@@ -1,3 +1,5 @@
+//go:build windows
+
 /*
    Copyright The containerd Authors.
 
@@ -18,41 +20,234 @@ package shim
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"net"
 	"os"
+	"os/signal"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
 
-	"github.com/containerd/errdefs"
+	winio "github.com/Microsoft/go-winio"
+	"github.com/containerd/containerd/v2/pkg/namespaces"
 	"github.com/containerd/log"
 	"github.com/containerd/ttrpc"
+	"golang.org/x/sys/windows"
 )
 
-func setupSignals(config Config) (chan os.Signal, error) {
-	return nil, errdefs.ErrNotImplemented
+// notifyReady signals the parent process that the shim server is ready.
+// On Windows, this closes stdout and sets a named event that the parent
+// process is waiting on to know the shim has started successfully.
+func notifyReady(_ context.Context, serrs chan error) error {
+	select {
+	case err := <-serrs:
+		return err
+	case <-time.After(2 * time.Millisecond):
+		// This is our best indication that we have not errored on creation
+		// and are successfully serving the API.
+		os.Stdout.Close()
+		eventName, _ := windows.UTF16PtrFromString(fmt.Sprintf("%s-%s", namespaceFlag, id))
+		// Open the existing event and set it to wake up the parent process which is waiting for the shim to be ready.
+		handle, err := windows.OpenEvent(windows.EVENT_MODIFY_STATE, false, eventName)
+		if err == nil {
+			_ = windows.SetEvent(handle)    // Wake up the parent
+			_ = windows.CloseHandle(handle) // Clean up
+		}
+	}
+	return nil
+}
+
+// setupSignals creates a signal channel for Windows.
+// On Windows, we don't register any signals here because:
+// 1. Child process reaping (SIGCHLD) is not needed - the OS handles it.
+// 2. Exit signals (SIGINT/SIGTERM) are handled by handleExitSignals separately.
+// We return an empty channel that reap() can use, but it won't receive signals.
+func setupSignals(_ Config) (chan os.Signal, error) {
+	signals := make(chan os.Signal, 32)
+	return signals, nil
 }
 
+// newServer creates a new ttrpc server for Windows.
+// Unlike Unix, Windows doesn't have user-based socket authentication,
+// so we create a basic ttrpc server without the handshaker.
 func newServer(opts ...ttrpc.ServerOpt) (*ttrpc.Server, error) {
-	return nil, errdefs.ErrNotImplemented
+	return ttrpc.NewServer(opts...)
 }
 
+// subreaper is not applicable on Windows as the OS automatically
+// handles orphaned processes differently than Unix systems.
 func subreaper() error {
-	return errdefs.ErrNotImplemented
+	// This is a no-op on Windows - the OS handles orphaned processes
+	return nil
 }
 
-func setupDumpStacks(dump chan<- os.Signal) {
+// setupDumpStacks is currently not implemented for Windows.
+// Windows doesn't have SIGUSR1, so stack dumping would need to use
+// a different mechanism (e.g., a named event or debug console).
+func setupDumpStacks(_ chan<- os.Signal) {
+	// No-op on Windows - SIGUSR1 doesn't exist
+	// Future: could implement using Windows events or console signals
 }
 
-func serveListener(path string, fd uintptr) (net.Listener, error) {
-	return nil, errdefs.ErrNotImplemented
+// serveListener creates a named pipe listener for Windows.
+// If path is provided, it creates a new named pipe at that location.
+// If path is empty and fd is provided, it attempts to inherit the listener (not commonly used on Windows).
+func serveListener(path string, _ uintptr) (net.Listener, error) {
+	if path == "" {
+		// On Windows, inheriting file descriptors is more complex and rarely used
+		// with named pipes. We'll return an error if no path is provided.
+		return nil, fmt.Errorf("named pipe path is required on Windows")
+	}
+
+	// Ensure the path is in the correct Windows named pipe format
+	// Expected format: \\.\pipe\<name>
+	if !strings.HasPrefix(path, `\\.\pipe`) {
+		return nil, fmt.Errorf("socket is required to be pipe address")
+	}
+
+	l, err := winio.ListenPipe(path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create named pipe listener at %s: %w", path, err)
+	}
+
+	log.L.WithField("pipe", path).Debug("serving api on named pipe")
+	return l, nil
 }
 
+// reap handles signals on Windows. Unlike Unix, Windows doesn't send SIGCHLD
+// when child processes exit, so we only need to handle shutdown signals.
 func reap(ctx context.Context, logger *log.Entry, signals chan os.Signal) error {
-	return errdefs.ErrNotImplemented
+	logger.Debug("starting signal loop")
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case s := <-signals:
+			logger.WithField("signal", s).Debug("received signal in reap loop")
+			// On Windows, we just log the signal
+			// Exit signals are handled in handleExitSignals
+		}
+	}
 }
 
+// handleExitSignals listens for shutdown signals (SIGINT, SIGTERM) and
+// triggers the provided cancel function for graceful shutdown.
 func handleExitSignals(ctx context.Context, logger *log.Entry, cancel context.CancelFunc) {
+	ch := make(chan os.Signal, 32)
+	// On Windows, os.Kill cannot be caught. We handle os.Interrupt (Ctrl+C) and SIGTERM.
+	signal.Notify(ch, os.Interrupt, syscall.SIGTERM)
+
+	for {
+		select {
+		case s := <-ch:
+			logger.WithField("signal", s).Debug("caught exit signal")
+			cancel()
+			return
+		case <-ctx.Done():
+			return
+		}
+	}
 }
 
-func openLog(ctx context.Context, _ string) (io.Writer, error) {
-	return nil, errdefs.ErrNotImplemented
+// openLog creates a named pipe for shim logging on Windows.
+// The containerd daemon connects to this pipe as a client to read log output.
+// The pipe format is: \\.\pipe\containerd-shim-{namespace}-{id}-log
+func openLog(ctx context.Context, id string) (io.Writer, error) {
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return nil, err
+	}
+	pipePath := fmt.Sprintf("\\\\.\\pipe\\containerd-shim-%s-%s-log", ns, id)
+	l, err := winio.ListenPipe(pipePath, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create shim log pipe: %w", err)
+	}
+
+	rlw := &reconnectingLogWriter{
+		l: l,
+	}
+
+	// Accept connections from containerd in the background.
+	// Supports reconnection if containerd restarts.
+	go rlw.acceptConnections()
+
+	return rlw, nil
+}
+
+// reconnectingLogWriter is a writer that accepts log connections from containerd.
+// It supports reconnection - if containerd restarts, a new connection is accepted
+// and the old one is closed. Logs generated during reconnection may be lost.
+type reconnectingLogWriter struct {
+	l    net.Listener // The named pipe listener waiting for connections
+	mu   sync.Mutex   // Protects the current connection
+	conn net.Conn     // The current active connection (may be nil)
+}
+
+// acceptConnections listens for log connections in the background.
+func (rlw *reconnectingLogWriter) acceptConnections() {
+	for {
+		newConn, err := rlw.l.Accept()
+		if err != nil {
+			// Listener was closed, stop accepting
+			return
+		}
+
+		rlw.mu.Lock()
+		// Close the old connection if one exists
+		if rlw.conn != nil {
+			rlw.conn.Close()
+		}
+		rlw.conn = newConn
+		rlw.mu.Unlock()
+	}
+}
+
+// Write implements io.Writer. It writes to the current connection if one exists.
+// If no connection is established yet, writes are silently dropped to avoid
+// blocking the shim.
+func (rlw *reconnectingLogWriter) Write(p []byte) (n int, err error) {
+	rlw.mu.Lock()
+	conn := rlw.conn
+	rlw.mu.Unlock()
+
+	if conn == nil {
+		// No connection yet, drop the log.
+		return len(p), nil
+	}
+
+	n, err = conn.Write(p)
+	if err != nil {
+		// Connection may have been closed, clear it so next write
+		// doesn't try to use a broken connection
+		rlw.mu.Lock()
+		if rlw.conn == conn {
+			rlw.conn.Close()
+			rlw.conn = nil
+		}
+		rlw.mu.Unlock()
+		// Return success anyway to avoid log write errors propagating
+		return len(p), nil
+	}
+	return n, nil
+}
+
+// Close implements io.Closer. It closes both the listener and any active connection.
+func (rlw *reconnectingLogWriter) Close() error {
+	rlw.mu.Lock()
+	defer rlw.mu.Unlock()
+
+	var err error
+	if rlw.l != nil {
+		err = rlw.l.Close()
+	}
+	if rlw.conn != nil {
+		if cerr := rlw.conn.Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+		rlw.conn = nil
+	}
+	return err
 }