Merge pull request #2524 from marma-dev/main

marma-dev · web-flow · commit 993f565a9c0e · 2025-11-25T10:48:31.000+05:30
Adding support for WCOW UVM log forward service
diff --git a/go.mod b/go.mod
@@ -39,6 +39,7 @@ require (
 	go.etcd.io/bbolt v1.4.0
 	go.opencensus.io v0.24.0
 	go.uber.org/mock v0.6.0
+	golang.org/x/net v0.43.0
 	golang.org/x/sync v0.16.0
 	golang.org/x/sys v0.35.0
 	google.golang.org/grpc v1.75.0
@@ -113,7 +114,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/tools v0.36.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
diff --git a/internal/gcs/bridge.go b/internal/gcs/bridge.go
@@ -332,7 +332,7 @@ func (brdg *bridge) recvLoop() error {
 			}
 
 		case prot.MsgTypeNotify:
-			if typ != prot.NotifyContainer|prot.MsgTypeNotify {
+			if typ != prot.NotifyContainer|prot.ComputeSystem|prot.MsgTypeNotify {
 				return fmt.Errorf("bridge received unknown unknown notification message %s", typ)
 			}
 			var ntf prot.ContainerNotification
diff --git a/internal/gcs/bridge_test.go b/internal/gcs/bridge_test.go
@@ -179,7 +179,7 @@ func notifyThroughBridge(t *testing.T, typ prot.MsgType, msg interface{}, fn not
 func TestBridgeNotify(t *testing.T) {
 	ntf := &prot.ContainerNotification{Operation: "testing"}
 	recvd := false
-	err := notifyThroughBridge(t, prot.MsgTypeNotify|prot.NotifyContainer, ntf, func(nntf *prot.ContainerNotification) error {
+	err := notifyThroughBridge(t, prot.MsgTypeNotify|prot.ComputeSystem|prot.NotifyContainer, ntf, func(nntf *prot.ContainerNotification) error {
 		if !reflect.DeepEqual(ntf, nntf) {
 			t.Errorf("%+v != %+v", ntf, nntf)
 		}
@@ -197,7 +197,7 @@ func TestBridgeNotify(t *testing.T) {
 func TestBridgeNotifyFailure(t *testing.T) {
 	ntf := &prot.ContainerNotification{Operation: "testing"}
 	errMsg := "notify should have failed"
-	err := notifyThroughBridge(t, prot.MsgTypeNotify|prot.NotifyContainer, ntf, func(nntf *prot.ContainerNotification) error {
+	err := notifyThroughBridge(t, prot.MsgTypeNotify|prot.ComputeSystem|prot.NotifyContainer, ntf, func(nntf *prot.ContainerNotification) error {
 		return errors.New(errMsg)
 	})
 	if err == nil || !strings.Contains(err.Error(), errMsg) {
diff --git a/internal/gcs/guestcaps.go b/internal/gcs/guestcaps.go
@@ -100,3 +100,7 @@ func (w *WCOWGuestDefinedCapabilities) IsDumpStacksSupported() bool {
 func (w *WCOWGuestDefinedCapabilities) IsDeleteContainerStateSupported() bool {
 	return w.DeleteContainerStateSupported
 }
+
+func (w *WCOWGuestDefinedCapabilities) IsLogForwardingSupported() bool {
+	return w.LogForwardingSupported
+}
diff --git a/internal/gcs/guestconnection.go b/internal/gcs/guestconnection.go
@@ -184,6 +184,20 @@ func (gc *GuestConnection) Modify(ctx context.Context, settings interface{}) (er
 	return gc.brdg.RPC(ctx, prot.RPCModifySettings, &req, &resp, false)
 }
 
+func (gc *GuestConnection) ModifyServiceSettings(ctx context.Context, serviceType prot.ServiceModifyPropertyType, settings interface{}) (err error) {
+	ctx, span := oc.StartSpan(ctx, "gcs::GuestConnection::ModifyServiceSettings", oc.WithClientSpanKind)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+
+	req := prot.ServiceModificationRequest{
+		RequestBase:  makeRequest(ctx, nullContainerID),
+		PropertyType: string(serviceType),
+		Settings:     settings,
+	}
+	var resp prot.ResponseBase
+	return gc.brdg.RPC(ctx, prot.RPCModifyServiceSettings, &req, &resp, false)
+}
+
 func (gc *GuestConnection) DumpStacks(ctx context.Context) (response string, err error) {
 	ctx, span := oc.StartSpan(ctx, "gcs::GuestConnection::DumpStacks", oc.WithClientSpanKind)
 	defer span.End()
diff --git a/internal/gcs/guestconnection_test.go b/internal/gcs/guestconnection_test.go
@@ -131,7 +131,7 @@ func simpleGcsLoop(t *testing.T, rw io.ReadWriter) error {
 				return err
 			}
 			time.Sleep(50 * time.Millisecond)
-			err = sendJSON(t, rw, prot.MsgType(prot.MsgTypeNotify|prot.NotifyContainer), 0, &prot.ContainerNotification{
+			err = sendJSON(t, rw, prot.MsgType(prot.MsgTypeNotify|prot.ComputeSystem|prot.NotifyContainer), 0, &prot.ContainerNotification{
 				RequestBase: prot.RequestBase{
 					ContainerID: req.ContainerID,
 				},
diff --git a/internal/gcs/prot/protocol.go b/internal/gcs/prot/protocol.go
@@ -71,6 +71,15 @@ var WindowsGcsHvHostID = guid.GUID{
 	Data4: [8]uint8{0x93, 0xfe, 0x42, 0x96, 0x9a, 0xe6, 0xd8, 0xd1},
 }
 
+// WindowsLoggingHvsockServiceID is the hvsock service ID that the Windows log forward service
+// will connect to. 172dad59-976d-45f2-8b6c-6d1b13f2ac4d
+var WindowsLoggingHvsockServiceID = guid.GUID{
+	Data1: 0x172dad59,
+	Data2: 0x976d,
+	Data3: 0x45f2,
+	Data4: [8]uint8{0x8b, 0x6c, 0x6d, 0x1b, 0x13, 0xf2, 0xac, 0x4d},
+}
+
 type AnyInString struct {
 	Value interface{}
 }
@@ -83,10 +92,17 @@ func (a *AnyInString) UnmarshalText(b []byte) error {
 	return json.Unmarshal(b, &a.Value)
 }
 
+const (
+	// Message_Category for the GCS protocol.
+	ComputeSystem  = 0x00100000
+	ComputeService = 0x00200000
+)
+
 type RPCProc uint32
 
 const (
-	RPCCreate RPCProc = (iota+1)<<8 | 1
+	// Compute System RPCs
+	RPCCreate RPCProc = ComputeSystem | (iota+1)<<8 | 1
 	RPCStart
 	RPCShutdownGraceful
 	RPCShutdownForced
@@ -103,6 +119,17 @@ const (
 	RPCLifecycleNotification
 )
 
+const (
+	// Compute Service RPCs
+	RPCModifyServiceSettings RPCProc = ComputeService | (iota+1)<<8 | 1
+)
+
+type ServiceModifyPropertyType string
+
+const (
+	LogForwardService = ServiceModifyPropertyType("LogForwardService")
+)
+
 func (rpc RPCProc) String() string {
 	switch rpc {
 	case RPCCreate:
@@ -135,6 +162,8 @@ func (rpc RPCProc) String() string {
 		return "UpdateContainer"
 	case RPCLifecycleNotification:
 		return "LifecycleNotification"
+	case RPCModifyServiceSettings:
+		return "ModifyServiceSettings"
 	default:
 		return "0x" + strconv.FormatUint(uint64(rpc), 16)
 	}
@@ -143,10 +172,10 @@ func (rpc RPCProc) String() string {
 type MsgType uint32
 
 const (
-	MsgTypeRequest  MsgType = 0x10100000
-	MsgTypeResponse MsgType = 0x20100000
-	MsgTypeNotify   MsgType = 0x30100000
-	MsgTypeMask     MsgType = 0xfff00000
+	MsgTypeRequest  MsgType = 0x10000000
+	MsgTypeResponse MsgType = 0x20000000
+	MsgTypeNotify   MsgType = 0x30000000
+	MsgTypeMask     MsgType = 0xf0000000
 
 	NotifyContainer = 1<<8 | 1
 )
@@ -160,7 +189,7 @@ func (typ MsgType) String() string {
 		s = "Response("
 	case MsgTypeNotify:
 		s = "Notify("
-		switch typ - MsgTypeNotify {
+		switch typ - (ComputeSystem | MsgTypeNotify) {
 		case NotifyContainer:
 			s += "Container"
 		default:
@@ -267,6 +296,12 @@ type ContainerNotification struct {
 	ResultInfo AnyInString `json:",omitempty"`
 }
 
+type ServiceModificationRequest struct {
+	RequestBase
+	PropertyType string      // ServiceModifyPropertyType
+	Settings     interface{} `json:",omitempty"`
+}
+
 type ContainerExecuteProcess struct {
 	RequestBase
 	Settings ExecuteProcessSettings
@@ -345,13 +380,14 @@ type ContainerModifySettings struct {
 }
 
 type GcsCapabilities struct {
-	SendHostCreateMessage      bool
-	SendHostStartMessage       bool
-	HvSocketConfigOnStartup    bool
-	SendLifecycleNotifications bool
-	SupportedSchemaVersions    []hcsschema.Version
-	RuntimeOsType              string
-	GuestDefinedCapabilities   json.RawMessage
+	SendHostCreateMessage          bool
+	SendHostStartMessage           bool
+	HvSocketConfigOnStartup        bool
+	SendLifecycleNotifications     bool
+	ModifyServiceSettingsSupported bool
+	SupportedSchemaVersions        []hcsschema.Version
+	RuntimeOsType                  string
+	GuestDefinedCapabilities       json.RawMessage
 }
 
 type ContainerCreateResponse struct {
diff --git a/internal/hcs/schema1/schema1.go b/internal/hcs/schema1/schema1.go
@@ -221,6 +221,7 @@ type GuestDefinedCapabilities struct {
 	DumpStacksSupported           bool `json:",omitempty"`
 	DeleteContainerStateSupported bool `json:",omitempty"`
 	UpdateContainerSupported      bool `json:",omitempty"`
+	LogForwardingSupported        bool `json:",omitempty"`
 }
 
 // GuestConnectionInfo is the structure of an iterm return by a GuestConnection call on a utility VM
diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go
@@ -418,7 +418,12 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		if err := handleWCOWSecurityPolicy(ctx, s.Annotations, wopts); err != nil {
 			return nil, err
 		}
-
+		// If security policy is enable, wopts.ForwardLogs default value should be false
+		if wopts.SecurityPolicyEnabled {
+			wopts.ForwardLogs = false
+		}
+		wopts.LogSources = ParseAnnotationsString(s.Annotations, annotations.LogSources, wopts.LogSources)
+		wopts.ForwardLogs = ParseAnnotationsBool(ctx, s.Annotations, annotations.ForwardLogs, wopts.ForwardLogs)
 		return wopts, nil
 	}
 	return nil, errors.New("cannot create UVM opts spec is not LCOW or WCOW")
diff --git a/internal/oci/uvm_test.go b/internal/oci/uvm_test.go
@@ -117,6 +117,10 @@ func Test_SpecToUVMCreateOptions_Default_WCOW(t *testing.T) {
 	wopts := (opts).(*uvm.OptionsWCOW)
 	dopts := uvm.NewDefaultOptionsWCOW(t.Name(), "")
 
+	// output handler equality is always false, so set to nil
+	wopts.OutputHandlerCreator = nil
+	dopts.OutputHandlerCreator = nil
+
 	if !cmp.Equal(*wopts, *dopts) {
 		t.Fatalf("should not have updated create options from default when no annotation are provided:\n%s", cmp.Diff(wopts, dopts))
 	}
diff --git a/internal/protocol/guestrequest/types.go b/internal/protocol/guestrequest/types.go
@@ -74,3 +74,17 @@ const (
 	STDErrHandle STDIOHandle = "StdErr"
 	AllHandles   STDIOHandle = "All"
 )
+
+type LogForwardServiceRPCRequest struct {
+	RPCType  RPCType `json:"RPCType,omitempty"` // "LogForwardService"
+	Settings string  `json:"Settings,omitempty"`
+}
+
+type RPCType string
+
+const (
+	// LogForwardServiceRPC is the RPC type for the log forward service.
+	RPCModifyServiceSettings RPCType = "ModifyServiceSettings"
+	RPCStartLogForwarding    RPCType = "StartLogForwarding"
+	RPCStopLogForwarding     RPCType = "StopLogForwarding"
+)
diff --git a/internal/uvm/create_wcow.go b/internal/uvm/create_wcow.go
@@ -73,6 +73,10 @@ type OptionsWCOW struct {
 
 	// AdditionalRegistryKeys are Registry keys and their values to additionally add to the uVM.
 	AdditionalRegistryKeys []hcsschema.RegistryValue
+
+	OutputHandlerCreator OutputHandlerCreator // Creates an [OutputHandler] that controls how output received over HVSocket from the UVM is handled. Defaults to parsing output as ETW Log events
+	LogSources           string               // ETW providers to be set for the logging service
+	ForwardLogs          bool                 // Whether to forward logs to the host or not
 }
 
 func defaultConfidentialWCOWOSBootFilesPath() string {
@@ -107,6 +111,9 @@ func NewDefaultOptionsWCOW(id, owner string) *OptionsWCOW {
 		Options:                 newDefaultOptions(id, owner),
 		AdditionalRegistryKeys:  []hcsschema.RegistryValue{},
 		ConfidentialWCOWOptions: &ConfidentialWCOWOptions{},
+		OutputHandlerCreator:    parseLogrus,
+		ForwardLogs:             true, // Default to true for WCOW, and set to false for CWCOW in internal/oci/uvm.go SpecToUVMCreateOpts
+		LogSources:              "",
 	}
 }
 
@@ -277,6 +284,14 @@ func prepareCommonConfigDoc(ctx context.Context, uvm *UtilityVM, opts *OptionsWC
 	}
 
 	maps.Copy(doc.VirtualMachine.Devices.HvSocket.HvSocketConfig.ServiceTable, opts.AdditionalHyperVConfig)
+	if opts.ForwardLogs {
+		key := prot.WindowsLoggingHvsockServiceID.String()
+		doc.VirtualMachine.Devices.HvSocket.HvSocketConfig.ServiceTable[key] = hcsschema.HvSocketServiceConfig{
+			AllowWildcardBinds:        true,
+			BindSecurityDescriptor:    "D:P(A;;FA;;;SY)(A;;FA;;;BA)",
+			ConnectSecurityDescriptor: "D:P(A;;FA;;;SY)(A;;FA;;;BA)",
+		}
+	}
 
 	// Handle StorageQoS if set
 	if opts.StorageQoSBandwidthMaximum > 0 || opts.StorageQoSIopsMaximum > 0 {
@@ -529,6 +544,8 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 		noWritableFileShares:    opts.NoWritableFileShares,
 		createOpts:              opts,
 		blockCIMMounts:          make(map[string]*UVMMountedBlockCIMs),
+		logSources:              opts.LogSources,
+		forwardLogs:             opts.ForwardLogs,
 	}
 
 	defer func() {
@@ -568,6 +585,17 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 		return nil, fmt.Errorf("error while creating the compute system: %w", err)
 	}
 
+	if opts.ForwardLogs {
+		// Create a socket that the executed program can send to. This is usually
+		// used by Log Forward Service to send log data.
+		uvm.outputHandler = opts.OutputHandlerCreator(opts.Options)
+		uvm.outputProcessingDone = make(chan struct{})
+		uvm.outputListener, err = winio.ListenHvsock(&winio.HvsockAddr{
+			VMID:      uvm.RuntimeID(),
+			ServiceID: prot.WindowsLoggingHvsockServiceID,
+		})
+	}
+
 	gcsServiceID := prot.WindowsGcsHvsockServiceID
 	if opts.SecurityPolicyEnabled {
 		gcsServiceID = prot.WindowsSidecarGcsHvsockServiceID
diff --git a/internal/uvm/log_wcow.go b/internal/uvm/log_wcow.go
@@ -0,0 +1,75 @@
+//go:build windows
+
+package uvm
+
+import (
+	"context"
+
+	"github.com/Microsoft/hcsshim/internal/gcs"
+	"github.com/Microsoft/hcsshim/internal/gcs/prot"
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
+)
+
+func (uvm *UtilityVM) StartLogForwarding(ctx context.Context) error {
+	// Implementation for starting the log forwarding service
+	if uvm.OS() != "windows" || uvm.gc == nil {
+		return errNotSupported
+	}
+
+	wcaps := gcs.GetWCOWCapabilities(uvm.gc.Capabilities())
+	if wcaps != nil && wcaps.IsLogForwardingSupported() {
+		req := guestrequest.LogForwardServiceRPCRequest{
+			RPCType:  guestrequest.RPCStartLogForwarding,
+			Settings: "",
+		}
+		err := uvm.gc.ModifyServiceSettings(ctx, prot.LogForwardService, req)
+		if err != nil {
+			return err
+		}
+	} else {
+		log.G(ctx).WithField("os", uvm.operatingSystem).Error("Log forwarding not supported for this OS")
+	}
+	return nil
+}
+
+func (uvm *UtilityVM) StopLogForwarding(ctx context.Context) error {
+	// Implementation for stopping the log forwarding service
+	if uvm.OS() != "windows" || uvm.gc == nil {
+		return errNotSupported
+	}
+
+	wcaps := gcs.GetWCOWCapabilities(uvm.gc.Capabilities())
+	if wcaps != nil && wcaps.IsLogForwardingSupported() {
+		req := guestrequest.LogForwardServiceRPCRequest{
+			RPCType:  guestrequest.RPCStopLogForwarding,
+			Settings: "",
+		}
+		err := uvm.gc.ModifyServiceSettings(ctx, prot.LogForwardService, req)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (uvm *UtilityVM) SetLogSources(ctx context.Context) error {
+	// Implementation for setting the log sources
+	if uvm.OS() != "windows" || uvm.gc == nil {
+		return errNotSupported
+	}
+
+	wcaps := gcs.GetWCOWCapabilities(uvm.gc.Capabilities())
+	if wcaps != nil && wcaps.IsLogForwardingSupported() {
+		// Make a call to the GCS to set the ETW providers
+		req := guestrequest.LogForwardServiceRPCRequest{
+			RPCType:  guestrequest.RPCModifyServiceSettings,
+			Settings: uvm.logSources,
+		}
+		err := uvm.gc.ModifyServiceSettings(ctx, prot.LogForwardService, req)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/internal/uvm/start.go b/internal/uvm/start.go
diff --git a/internal/uvm/types.go b/internal/uvm/types.go
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
diff --git a/vendor/golang.org/x/net/netutil/listen.go b/vendor/golang.org/x/net/netutil/listen.go
diff --git a/vendor/modules.txt b/vendor/modules.txt

Original file line number	Diff line number	Diff line change
`@@ -332,7 +332,7 @@ func (brdg *bridge) recvLoop() error {`
`332`	`332`	`}`
`333`	`333`
`334`	`334`	`case prot.MsgTypeNotify:`
`335`		`- if typ != prot.NotifyContainer\|prot.MsgTypeNotify {`
	`335`	`+ if typ != prot.NotifyContainer\|prot.ComputeSystem\|prot.MsgTypeNotify {`
`336`	`336`	`return fmt.Errorf("bridge received unknown unknown notification message %s", typ)`
`337`	`337`	`}`
`338`	`338`	`var ntf prot.ContainerNotification`
Original file line number	Diff line number	Diff line change
`@@ -100,3 +100,7 @@ func (w *WCOWGuestDefinedCapabilities) IsDumpStacksSupported() bool {`
`100`	`100`	`func (w *WCOWGuestDefinedCapabilities) IsDeleteContainerStateSupported() bool {`
`101`	`101`	`return w.DeleteContainerStateSupported`
`102`	`102`	`}`
	`103`	`+`
	`104`	`+func (w *WCOWGuestDefinedCapabilities) IsLogForwardingSupported() bool {`
	`105`	`+ return w.LogForwardingSupported`
	`106`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ func simpleGcsLoop(t *testing.T, rw io.ReadWriter) error {`
`131`	`131`	`return err`
`132`	`132`	`}`
`133`	`133`	`time.Sleep(50 * time.Millisecond)`
`134`		`- err = sendJSON(t, rw, prot.MsgType(prot.MsgTypeNotify\|prot.NotifyContainer), 0, &prot.ContainerNotification{`
	`134`	`+ err = sendJSON(t, rw, prot.MsgType(prot.MsgTypeNotify\|prot.ComputeSystem\|prot.NotifyContainer), 0, &prot.ContainerNotification{`
`135`	`135`	`RequestBase: prot.RequestBase{`
`136`	`136`	`ContainerID: req.ContainerID,`
`137`	`137`	`},`
Original file line number	Diff line number	Diff line change
`@@ -221,6 +221,7 @@ type GuestDefinedCapabilities struct {`
`221`	`221`	DumpStacksSupported bool `json:",omitempty"`
`222`	`222`	DeleteContainerStateSupported bool `json:",omitempty"`
`223`	`223`	UpdateContainerSupported bool `json:",omitempty"`
	`224`	+ LogForwardingSupported bool `json:",omitempty"`
`224`	`225`	`}`
`225`	`226`
`226`	`227`	`// GuestConnectionInfo is the structure of an iterm return by a GuestConnection call on a utility VM`
Original file line number	Diff line number	Diff line change
`@@ -418,7 +418,12 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (`
`418`	`418`	`if err := handleWCOWSecurityPolicy(ctx, s.Annotations, wopts); err != nil {`
`419`	`419`	`return nil, err`
`420`	`420`	`}`
`421`		`-`
	`421`	`+ // If security policy is enable, wopts.ForwardLogs default value should be false`
	`422`	`+ if wopts.SecurityPolicyEnabled {`
	`423`	`+ wopts.ForwardLogs = false`
	`424`	`+ }`
	`425`	`+ wopts.LogSources = ParseAnnotationsString(s.Annotations, annotations.LogSources, wopts.LogSources)`
	`426`	`+ wopts.ForwardLogs = ParseAnnotationsBool(ctx, s.Annotations, annotations.ForwardLogs, wopts.ForwardLogs)`
`422`	`427`	`return wopts, nil`
`423`	`428`	`}`
`424`	`429`	`return nil, errors.New("cannot create UVM opts spec is not LCOW or WCOW")`