Comparing changes

base repository: microsoft/hcsshim
base: v0.13.0-rc.3
...
head repository: microsoft/hcsshim
compare: v0.13.0
  • 19 commits
  • 127 files changed
  • 7 contributors

Commits on Jan 13, 2025

  1. Enabled Windows UVM tests to run on 1ES Github Runner Pool

    Co-authored-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
    Signed-off-by: Jie Chen <jiechen3@microsoft.com>
    jiechen0826 and helsaawy committed Jan 13, 2025
    c38d436

Commits on Jan 14, 2025

  1. Merge pull request #2338 from microsoft/jiechen3/github_runner

    Enable Windows UVM functional tests
    jiechen0826 authored Jan 14, 2025
    bac751f

Commits on Jan 15, 2025

  1. Add support for HCN v2 endpoint and add unit tests (#2343)

    * Add support for HCN v2 endpoint and add unit tests
    * switch to HCN v2 endpoint API instead of HNS v1 endpoint API
    * Support parsing routes in GCS when we setup the network interfaces
    * [breaking] update gcs bridge LCOW network adapter type with new fields that better
    align with v2 endpoint
    * Add unit tests for new GCS side changes
    * Add legacy policy based routing for lcow and an annotation to toggle use
    
    Signed-off-by: Kathryn Baldauf <kabaldau@microsoft.com>
    
    ---------
    
    Signed-off-by: Kathryn Baldauf <kabaldau@microsoft.com>
    Kathryn Baldauf authored Jan 15, 2025
    8d81359

Commits on Jan 28, 2025

  1. Skip HVSock_* flaky tests until they are fixed

    Signed-off-by: Jie Chen <jiechen3@microsoft.com>
    jiechen0826 committed Jan 28, 2025
    367ccd5
  2. Merge pull request #2365 from jiechen0826/skip_hvsock_functional_tests

    Skip HVSock_* flaky tests until they are fixed
    jiechen0826 authored Jan 28, 2025
    24ef284

Commits on Jan 29, 2025

  1. Fix duplicate artifact name in github CI

    Signed-off-by: Jie Chen <jiechen3@microsoft.com>
    jiechen0826 committed Jan 29, 2025
    9e50c9b

Commits on Jan 30, 2025

  1. Fix TestLCOW_IPv6_Assignment functional test (#2359)

    * Previously we were just using the IPAM routes configured earlier in the test,
    * but this causes an error since the IPAM route will append the scope identifier
    * at the end of IPv6 routes' NextHop.
    
    Signed-off-by: Kathryn Baldauf <kabaldau@microsoft.com>
    Kathryn Baldauf authored Jan 30, 2025
    56e7aa8

Commits on Jan 31, 2025

  1. Enabled Linux UVM tests to run on 1ES github runner pool

    Skipped uvm plan9 test until azurelinux rootfs is fixed
    
    Signed-off-by: Jie Chen <jiechen3@microsoft.com>
    jiechen0826 committed Jan 31, 2025
    e5c83a1

Commits on Feb 11, 2025

  1. Revert "Enabled Linux UVM tests to run on 1ES github runner pool"

    This reverts commit e5c83a1.
    
    The OIDC authentication is failing for PRs from external contributors because the id-token write permission is not granted to forked repos. Disabling the Linux UVM tests for now until it is fixed.
    
    Signed-off-by: Jie Chen <jiechen3@microsoft.com>
    jiechen0826 committed Feb 11, 2025
    b9fc67d

Commits on Feb 13, 2025

  1. github-actions: update lint action (#2379)

    * github-actions: update lint action
    
    seems like something broke with newer golang versions.
    
    Update golangci-lint version and set `only-new-issues` to `true`.
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    
    * lint: fix lint errors
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    
    ---------
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    anmaxvl authored Feb 13, 2025
    a3c0edf

Commits on Feb 28, 2025

  1. fa9d402

Commits on Mar 3, 2025

  1. HvSocket support for containers (#2353)

    * HvSocket support for containers
    
    Applications connecting from the host into the container should use
    container-specific VMID. This ID will need to be the same as the
    container's VMID inside the guest, which is calculated by HCS/GCS
    like it's done in this PR by `HCSIDToGUID`.
    
    To allow the container ID to work with HvSocket on the host, we
    need to set up an AddressInfo mapping to tell HvSocket to redirect
    the call into the UVM, which is done in this PR by default for
    all WCOW containers.
    
    Add internal `hvsocketaddr.exe` tool that clients can use to generate
    VM ID for container.
    
    Add a generic function for creating HvSocket address info mapping.
    
    export a function that creates a mapping for containers only.
    
    ---------
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    Co-authored-by: Kevin Parsons <kevpar@microsoft.com>
    anmaxvl and kevpar authored Mar 3, 2025
    62ddb12

Commits on Mar 17, 2025

  1. feature: cross-container named pipes (#2358)

    * feature: cross-container named pipes
    
    Add new "uvm://" mount prefix to support cross-container
    pipes for Xenon WCOW containers. For now, it's a WCOW-only
    feature, while the Linux work is being prototyped.
    
    Additionally, extend the logic of `GetContainerPipeMapping` to
    also handle cross-container pipes within the UVM. The syntax
    is similar to sandbox mounts:
    
    ```
    {
      "host_path": "uvm://\\\\.\\pipe\\uvmPipe",
      "container_path": "\\\\.\\pipe\\containerPipe"
    }
    ```
    
    Containers sharing the pipe need to have the same "host_path".
    
    refactor how named pipes are parsed and added for WCOW.
    
    `setupMounts` will now try to parse mount source as a named pipe
    for both process isolated and hyper-v isolated containers.
    The mapped pipes will be tracked under `namedPipeMounts` and
    later added to HCS container doc.
    
    go mod tidy in test directory
    ---------
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    anmaxvl authored Mar 17, 2025
    d7e3842

Commits on Apr 4, 2025

  1. tooling: allow pause container to be run in privileged mode

    Signed-off-by: Maksim An <maksiman@microsoft.com>
    anmaxvl committed Apr 4, 2025
    e5f8fd8

Commits on Apr 9, 2025

  1. Merge pull request #2406 from anmaxvl/privileged-pause

    tooling: allow pause container to be run in privileged mode
    anmaxvl authored Apr 9, 2025
    b4e0744

Commits on Apr 10, 2025

  1. Allow different types of boot configurations for WCOW UVM

    Currently WCOW UVM only supports booting with VmbFS and legacy layers. However, we are
    adding support for booting the UVM with BlockCIM layers. This commit updates the
    WCOWBootFiles struct to support different boot configurations.
    
    Signed-off-by: Amit Barve <ambarve@microsoft.com>
    ambarve committed Apr 10, 2025
    5def1d7
  2. Add support for running confidential WCOW UVMs

    Initial changes to allow creating confidential WCOW UVMs. uvmboot tool is also updated for
    easier command line testing of confidential UVMs.
    
    Signed-off-by: Amit Barve <ambarve@microsoft.com>
    ambarve committed Apr 10, 2025
    a00144a

Commits on Apr 21, 2025

  1. Deps/crypto vulnFix golang.org/x/crypto vulnerability (#2416)

    * Fix `golang.org/x/crypto` & `/net` vulnerabilities
    
    Update `golang.org/x/crypto` and `golang.org/x/net` to fix reported
    vulnerabilities.
    (This update requires `go1.23`, so updated that in `go.mod`).
    
    Also update other `golang.org/x/` modules.
    
    PRs:
     - 2418
     - 2417
     - 2415
     - 2414
     - 2411
     - 2409
     - 2408
     - 2396
     - 2395
    
    NOTE: **This commit only has updates to `go.mod`.**
    
    Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
    
    * `go.sum` and vendor updates
    
    Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
    
    ---------
    
    Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
    helsaawy authored Apr 21, 2025
    a5c5b4c
  2. rego policy enforcer should use the same user parsing logic as GCS (#2405)
    
    This PR fixes a discrepancy between user info handling between
    GCS and rego policy enforcer. For example, GCS doesn't require the
    user/group to exist in container's /etc/passwd and /etc/group
    and has a fallback to UID and GID 0, when the user is absent.
    Rego enforcer's `GetUserInfo`, however, always tries to
    lookup user/group in /etc/passwd and /etc/group and returns
    an error when the UID doesn't exist. This behavior is inconsistent
    with non confidential LCOW workloads and fixed in this PR.
    
    To avoid circular imports, the spec.go and spec_devices.go under
    `internal/guest/runtime/hcsv2` have been moved under
    `internal/guest/spec` and the dependent code updated accordingly.
    As a result a bunch of methods are now exported, but still under
    `internal`, so this shouldn't cause problems.
    
    User parsing has been updated and split into `ParseUserStr`, which
    returns UID and GID for a given `username` string and `SetUserStr`,
    which just sets the UID and GID for the OCI process.
    
    Rego enforcer's `GetUserInfo` now prioritizes the result of
    `ParseUserStr` and falls back to the previous behavior of UID/GID
    lookup in container's filesystem.
    
    Signed-off-by: Maksim An <maksiman@microsoft.com>
    anmaxvl authored Apr 21, 2025
    7084bd2