Update ROADMAP.md

Update README.md
2025-06-18 20:16:36 +00:00 · 2021-11-14 08:58:52 +00:00 · 2021-11-14 08:56:56 +00:00 · 2021-11-14 08:55:53 +00:00 · 2021-11-03 19:48:39 +00:00 · 2021-11-01 13:00:26 +00:00
1718 changed files with 218121 additions and 268588 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,2 @@
+vendor/** linguist-generated=true
+Gopkg.lock linguist-generated=true
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -8,10 +8,19 @@
 <!--- If describing a bug, tell us what happens instead of the expected behavior -->
 <!--- If suggesting a change/improvement, explain the difference from current behavior -->

-## Possible Solution
+## Are you a GitHub Sponsor (Yes/No?)
+
+Check at: https://github.com/sponsors/openfaas
+- [ ] Yes
+- [ ] No
+
+## List all Possible Solutions
 <!--- Not obligatory, but suggest a fix/reason for the bug, -->
 <!--- or ideas how to implement the addition or change -->

+## List the one solution that you would recommend
+<!--- If you were to be on the hook for this change. -->
+
 ## Steps to Reproduce (for bugs)
 <!--- Provide a link to a live example, or an unambiguous set of steps to -->
 <!--- reproduce this bug. Include code to reproduce, if relevant -->
@ -38,4 +47,6 @@ containerd -version
 uname -a

 cat /etc/os-release
+
+faasd version
 ```
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -0,0 +1,36 @@
+name: build
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    env:
+      GO111MODULE: off
+    strategy:
+      matrix:
+        go-version: [1.16.x]
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@master
+        with:
+          fetch-depth: 1
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: test
+        run: make test
+      - name: dist
+        run: make dist
+      - name: prepare-test
+        run: make prepare-test
+      - name: test e2e
+        run: make test-e2e
+
+
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -0,0 +1,30 @@
+name: publish
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  publish:
+    strategy:
+      matrix:
+        go-version: [ 1.16.x ]
+        os: [ ubuntu-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@master
+        with:
+          fetch-depth: 1
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Make publish
+        run: make publish
+      - name: Upload release binaries
+        uses: alexellis/upload-assets@0.2.2
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          asset_paths: '["./bin/faasd*"]'
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@ basic-auth-user
 basic-auth-password
 /bin
 /secrets
+.vscode
--- a/.travis.yml
+++ b/.travis.yml
@ -1,30 +0,0 @@
-sudo: required
-language: go
-
-go:
- '1.13'
-
-addons:
-  apt:
-    packages:
-      - runc
-
-script:
- make dist
- make prepare-test
- make test-e2e
-
-deploy:
-  provider: releases
-  api_key:
-    secure: bccOSB+Mbk5ZJHyJfX82Xg/3/7mxiAYHx7P5m5KS1ncDuRpJBFjDV8Nx2PWYg341b5SMlCwsS3IJ9NkoGvRSKK+3YqeNfTeMabVNdKC2oL1i+4pdxGlbl57QXkzT4smqE8AykZEo4Ujk42rEr3e0gSHT2rXkV+Xt0xnoRVXn2tSRUDwsmwANnaBj6KpH2SjJ/lsfTifxrRB65uwcePaSjkqwR6htFraQtpONC9xYDdek6EoVQmoft/ONZJqi7HR+OcA1yhSt93XU6Vaf3678uLlPX9c/DxgIU9UnXRaOd0UUEiTHaMMWDe/bJSrKmgL7qY05WwbGMsXO/RdswwO1+zwrasrwf86SjdGX/P9AwobTW3eTEiBqw2J77UVbvLzDDoyJ5KrkbHRfPX8aIPO4OG9eHy/e7C3XVx4qv9bJBXQ3qD9YJtei9jmm8F/MCdPWuVYC0hEvHtuhP/xMm4esNUjFM5JUfDucvAuLL34NBYHBDP2XNuV4DkgQQPakfnlvYBd7OqyXCU6pzyWSasXpD1Rz8mD/x8aTUl2Ya4bnXQ8qAa5cnxfPqN2ADRlTw1qS7hl6LsXzNQ6r1mbuh/uFi67ybElIjBTfuMEeJOyYHkkLUHIBpooKrPyr0luAbf0By2D2N/eQQnM/RpixHNfZG/mvXx8ZCrs+wxgvG1Rm7rM=
-  file:
-    - ./bin/faasd
-    - ./bin/faasd-armhf
-    - ./bin/faasd-arm64
-  skip_cleanup: true
-  on:
-    tags: true
-
-env: GO111MODULE=off
-
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -1,607 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  digest = "1:d5e752c67b445baa5b6cb6f8aa706775c2aa8e41aca95a0c651520ff2c80361a"
-  name = "github.com/Microsoft/go-winio"
-  packages = [
-    ".",
-    "pkg/guid",
-  ]
-  pruneopts = "UT"
-  revision = "6c72808b55902eae4c5943626030429ff20f3b63"
-  version = "v0.4.14"
-
-[[projects]]
-  digest = "1:f06a14a8b60a7a9cdbf14ed52272faf4ff5de4ed7c784ff55b64995be98ac59f"
-  name = "github.com/Microsoft/hcsshim"
-  packages = [
-    ".",
-    "internal/cow",
-    "internal/hcs",
-    "internal/hcserror",
-    "internal/hns",
-    "internal/interop",
-    "internal/log",
-    "internal/logfields",
-    "internal/longpath",
-    "internal/mergemaps",
-    "internal/oc",
-    "internal/safefile",
-    "internal/schema1",
-    "internal/schema2",
-    "internal/timeout",
-    "internal/vmcompute",
-    "internal/wclayer",
-    "osversion",
-  ]
-  pruneopts = "UT"
-  revision = "9e921883ac929bbe515b39793ece99ce3a9d7706"
-
-[[projects]]
-  digest = "1:74860eb071d52337d67e9ffd6893b29affebd026505aa917ec23131576a91a77"
-  name = "github.com/alexellis/go-execute"
-  packages = ["pkg/v1"]
-  pruneopts = "UT"
-  revision = "961405ea754427780f2151adff607fa740d377f7"
-  version = "0.3.0"
-
-[[projects]]
-  digest = "1:6076d857867a70e87dd1994407deb142f27436f1293b13e75cc053192d14eb0c"
-  name = "github.com/alexellis/k3sup"
-  packages = ["pkg/env"]
-  pruneopts = "UT"
-  revision = "f9a4adddc732742a9ee7962609408fb0999f2d7b"
-  version = "0.7.1"
-
-[[projects]]
-  digest = "1:cf83a14c8042951b0dcd74758fc32258111ecc7838cbdf5007717172cab9ca9b"
-  name = "github.com/containerd/containerd"
-  packages = [
-    ".",
-    "api/services/containers/v1",
-    "api/services/content/v1",
-    "api/services/diff/v1",
-    "api/services/events/v1",
-    "api/services/images/v1",
-    "api/services/introspection/v1",
-    "api/services/leases/v1",
-    "api/services/namespaces/v1",
-    "api/services/snapshots/v1",
-    "api/services/tasks/v1",
-    "api/services/version/v1",
-    "api/types",
-    "api/types/task",
-    "archive",
-    "archive/compression",
-    "cio",
-    "containers",
-    "content",
-    "content/proxy",
-    "defaults",
-    "diff",
-    "errdefs",
-    "events",
-    "events/exchange",
-    "filters",
-    "identifiers",
-    "images",
-    "images/archive",
-    "labels",
-    "leases",
-    "leases/proxy",
-    "log",
-    "mount",
-    "namespaces",
-    "oci",
-    "pkg/dialer",
-    "platforms",
-    "plugin",
-    "reference",
-    "remotes",
-    "remotes/docker",
-    "remotes/docker/schema1",
-    "rootfs",
-    "runtime/linux/runctypes",
-    "runtime/v2/logging",
-    "runtime/v2/runc/options",
-    "snapshots",
-    "snapshots/proxy",
-    "sys",
-    "version",
-  ]
-  pruneopts = "UT"
-  revision = "ff48f57fc83a8c44cf4ad5d672424a98ba37ded6"
-  version = "v1.3.2"
-
-[[projects]]
-  digest = "1:e4414857969cfbe45c7dab0a012aad4855bf7167c25d672a182cb18676424a0c"
-  name = "github.com/containerd/continuity"
-  packages = [
-    "fs",
-    "pathdriver",
-    "syscallx",
-    "sysx",
-  ]
-  pruneopts = "UT"
-  revision = "f2a389ac0a02ce21c09edd7344677a601970f41c"
-
-[[projects]]
-  digest = "1:1b9a7426259b5333d575785e21e1bd0decf18208f5bfb6424d24a50d5ddf83d0"
-  name = "github.com/containerd/fifo"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13"
-
-[[projects]]
-  branch = "master"
-  digest = "1:2301a9a859e3b0946e2ddd6961ba6faf6857e6e68bc9293db758dbe3b17cc35e"
-  name = "github.com/containerd/go-cni"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "c154a49e2c754b83ebfb12ebf1362213b94d23e6"
-
-[[projects]]
-  digest = "1:6d66a41dbbc6819902f1589d0550bc01c18032c0a598a7cd656731e6df73861b"
-  name = "github.com/containerd/ttrpc"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "92c8520ef9f86600c650dd540266a007bf03670f"
-
-[[projects]]
-  digest = "1:7b4683388adabc709dbb082c13ba35967f072379c85b4acde997c1ca75af5981"
-  name = "github.com/containerd/typeurl"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "a93fcdb778cd272c6e9b3028b2f42d813e785d40"
-
-[[projects]]
-  digest = "1:1a07bbfee1d0534e8dda4773948e6dcd3a061ea7ab047ce04619476946226483"
-  name = "github.com/containernetworking/cni"
-  packages = [
-    "libcni",
-    "pkg/invoke",
-    "pkg/types",
-    "pkg/types/020",
-    "pkg/types/current",
-    "pkg/version",
-  ]
-  pruneopts = "UT"
-  revision = "4cfb7b568922a3c79a23e438dc52fe537fc9687e"
-  version = "v0.7.1"
-
-[[projects]]
-  digest = "1:bcf36df8d43860bfde913d008301aef27c6e9a303582118a837c4a34c0d18167"
-  name = "github.com/coreos/go-systemd"
-  packages = ["journal"]
-  pruneopts = "UT"
-  revision = "2d78030078ef61b3cae27f42ad6d0e46db51b339"
-  version = "v22.0.0"
-
-[[projects]]
-  digest = "1:92ebc9c068ab8e3fff03a58694ee33830964f6febd0130069aadce328802de14"
-  name = "github.com/docker/cli"
-  packages = [
-    "cli/config",
-    "cli/config/configfile",
-    "cli/config/credentials",
-    "cli/config/types",
-  ]
-  pruneopts = "UT"
-  revision = "99c5edceb48d64c1aa5d09b8c9c499d431d98bb9"
-  version = "v19.03.5"
-
-[[projects]]
-  digest = "1:e495f9f1fb2bae55daeb76e099292054fe1f734947274b3cfc403ccda595d55a"
-  name = "github.com/docker/distribution"
-  packages = [
-    "digestset",
-    "reference",
-    "registry/api/errcode",
-  ]
-  pruneopts = "UT"
-  revision = "0d3efadf0154c2b8a4e7b6621fff9809655cc580"
-
-[[projects]]
-  digest = "1:10f9c98f627e9697ec23b7973a683324f1d901dd9bace4a71405c0b2ec554303"
-  name = "github.com/docker/docker"
-  packages = [
-    "pkg/homedir",
-    "pkg/idtools",
-    "pkg/mount",
-    "pkg/system",
-  ]
-  pruneopts = "UT"
-  revision = "ea84732a77251e0d7af278e2b7df1d6a59fca46b"
-  version = "v19.03.5"
-
-[[projects]]
-  digest = "1:9f3f49b4e32d3da2dd6ed07cc568627b53cc80205c0dcf69f4091f027416cb60"
-  name = "github.com/docker/docker-credential-helpers"
-  packages = [
-    "client",
-    "credentials",
-  ]
-  pruneopts = "UT"
-  revision = "54f0238b6bf101fc3ad3b34114cb5520beb562f5"
-  version = "v0.6.3"
-
-[[projects]]
-  digest = "1:0938aba6e09d72d48db029d44dcfa304851f52e2d67cda920436794248e92793"
-  name = "github.com/docker/go-events"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "9461782956ad83b30282bf90e31fa6a70c255ba9"
-
-[[projects]]
-  digest = "1:e95ef557dc3120984bb66b385ae01b4bb8ff56bcde28e7b0d1beed0cccc4d69f"
-  name = "github.com/docker/go-units"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "519db1ee28dcc9fd2474ae59fca29a810482bfb1"
-  version = "v0.4.0"
-
-[[projects]]
-  digest = "1:fa6faf4a2977dc7643de38ae599a95424d82f8ffc184045510737010a82c4ecd"
-  name = "github.com/gogo/googleapis"
-  packages = ["google/rpc"]
-  pruneopts = "UT"
-  revision = "d31c731455cb061f42baff3bda55bad0118b126b"
-  version = "v1.2.0"
-
-[[projects]]
-  digest = "1:4107f4e81e8fd2e80386b4ed56b05e3a1fe26ecc7275fe80bb9c3a80a7344ff4"
-  name = "github.com/gogo/protobuf"
-  packages = [
-    "proto",
-    "sortkeys",
-    "types",
-  ]
-  pruneopts = "UT"
-  revision = "ba06b47c162d49f2af050fb4c75bcbc86a159d5c"
-  version = "v1.2.1"
-
-[[projects]]
-  branch = "master"
-  digest = "1:b7cb6054d3dff43b38ad2e92492f220f57ae6087ee797dca298139776749ace8"
-  name = "github.com/golang/groupcache"
-  packages = ["lru"]
-  pruneopts = "UT"
-  revision = "611e8accdfc92c4187d399e95ce826046d4c8d73"
-
-[[projects]]
-  digest = "1:f5ce1529abc1204444ec73779f44f94e2fa8fcdb7aca3c355b0c95947e4005c6"
-  name = "github.com/golang/protobuf"
-  packages = [
-    "proto",
-    "ptypes",
-    "ptypes/any",
-    "ptypes/duration",
-    "ptypes/timestamp",
-  ]
-  pruneopts = "UT"
-  revision = "6c65a5562fc06764971b7c5d05c76c75e84bdbf7"
-  version = "v1.3.2"
-
-[[projects]]
-  digest = "1:cbec35fe4d5a4fba369a656a8cd65e244ea2c743007d8f6c1ccb132acf9d1296"
-  name = "github.com/gorilla/mux"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "00bdffe0f3c77e27d2cf6f5c70232a2d3e4d9c15"
-  version = "v1.7.3"
-
-[[projects]]
-  digest = "1:870d441fe217b8e689d7949fef6e43efbc787e50f200cb1e70dbca9204a1d6be"
-  name = "github.com/inconshreveable/mousetrap"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75"
-  version = "v1.0"
-
-[[projects]]
-  digest = "1:31e761d97c76151dde79e9d28964a812c46efc5baee4085b86f68f0c654450de"
-  name = "github.com/konsorten/go-windows-terminal-sequences"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "f55edac94c9bbba5d6182a4be46d86a2c9b5b50e"
-  version = "v1.0.2"
-
-[[projects]]
-  digest = "1:906eb1ca3c8455e447b99a45237b2b9615b665608fd07ad12cce847dd9a1ec43"
-  name = "github.com/morikuni/aec"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "39771216ff4c63d11f5e604076f9c45e8be1067b"
-  version = "v1.0.0"
-
-[[projects]]
-  digest = "1:bc62c2c038cc8ae51b68f6d52570501a763bb71e78736a9f65d60762429864a9"
-  name = "github.com/opencontainers/go-digest"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "c9281466c8b2f606084ac71339773efd177436e7"
-
-[[projects]]
-  digest = "1:70711188c19c53147099d106169d6a81941ed5c2658651432de564a7d60fd288"
-  name = "github.com/opencontainers/image-spec"
-  packages = [
-    "identity",
-    "specs-go",
-    "specs-go/v1",
-  ]
-  pruneopts = "UT"
-  revision = "d60099175f88c47cd379c4738d158884749ed235"
-  version = "v1.0.1"
-
-[[projects]]
-  digest = "1:18d6ebfbabffccba7318a4e26028b0d41f23ff359df3dc07a53b37a9f3a4a994"
-  name = "github.com/opencontainers/runc"
-  packages = [
-    "libcontainer/system",
-    "libcontainer/user",
-  ]
-  pruneopts = "UT"
-  revision = "d736ef14f0288d6993a1845745d6756cfc9ddd5a"
-  version = "v1.0.0-rc9"
-
-[[projects]]
-  digest = "1:7a58202c5cdf3d2c1eb0621fe369315561cea7f036ad10f0f0479ac36bcc95eb"
-  name = "github.com/opencontainers/runtime-spec"
-  packages = ["specs-go"]
-  pruneopts = "UT"
-  revision = "29686dbc5559d93fb1ef402eeda3e35c38d75af4"
-
-[[projects]]
-  digest = "1:cdf3df431e70077f94e14a99305808e3d13e96262b4686154970f448f7248842"
-  name = "github.com/openfaas/faas"
-  packages = ["gateway/requests"]
-  pruneopts = "UT"
-  revision = "80b6976c106370a7081b2f8e9099a6ea9638e1f3"
-  version = "0.18.10"
-
-[[projects]]
-  digest = "1:6f21508bd38feec0d440ca862f5adcb4c955713f3eb4e075b9af731e6ef258ba"
-  name = "github.com/openfaas/faas-provider"
-  packages = [
-    ".",
-    "auth",
-    "httputil",
-    "proxy",
-    "types",
-  ]
-  pruneopts = "UT"
-  revision = "8f7c35975e1b2bf8286c2f90ee51633eec427491"
-  version = "0.14.0"
-
-[[projects]]
-  digest = "1:cf31692c14422fa27c83a05292eb5cbe0fb2775972e8f1f8446a71549bd8980b"
-  name = "github.com/pkg/errors"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "ba968bfe8b2f7e042a574c888954fccecfa385b4"
-  version = "v0.8.1"
-
-[[projects]]
-  digest = "1:044c51736e2688a3e4f28f72537f8a7b3f9c188fab4477d5334d92dfe2c07ed5"
-  name = "github.com/sethvargo/go-password"
-  packages = ["password"]
-  pruneopts = "UT"
-  revision = "07c3d521e892540e71469bb0312866130714c038"
-  version = "v0.1.3"
-
-[[projects]]
-  digest = "1:fd61cf4ae1953d55df708acb6b91492d538f49c305b364a014049914495db426"
-  name = "github.com/sirupsen/logrus"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f"
-  version = "v1.4.1"
-
-[[projects]]
-  digest = "1:e096613fb7cf34743d49af87d197663cfccd61876e2219853005a57baedfa562"
-  name = "github.com/spf13/cobra"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "f2b07da1e2c38d5f12845a4f607e2e1018cbb1f5"
-  version = "v0.0.5"
-
-[[projects]]
-  digest = "1:524b71991fc7d9246cc7dc2d9e0886ccb97648091c63e30eef619e6862c955dd"
-  name = "github.com/spf13/pflag"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "2e9d26c8c37aae03e3f9d4e90b7116f5accb7cab"
-  version = "v1.0.5"
-
-[[projects]]
-  branch = "master"
-  digest = "1:e14e467ed00ab98665623c5060fa17e3d7079be560ffc33cabafd05d35894f05"
-  name = "github.com/syndtr/gocapability"
-  packages = ["capability"]
-  pruneopts = "UT"
-  revision = "d98352740cb2c55f81556b63d4a1ec64c5a319c2"
-
-[[projects]]
-  digest = "1:1314b5ef1c0b25257ea02e454291bf042478a48407cfe3ffea7e20323bbf5fdf"
-  name = "github.com/vishvananda/netlink"
-  packages = [
-    ".",
-    "nl",
-  ]
-  pruneopts = "UT"
-  revision = "f049be6f391489d3f374498fe0c8df8449258372"
-  version = "v1.1.0"
-
-[[projects]]
-  branch = "master"
-  digest = "1:975cb0c04431bf92e60b636a15897c4a3faba9f7dc04da505646630ac91d29d3"
-  name = "github.com/vishvananda/netns"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "0a2b9b5464df8343199164a0321edf3313202f7e"
-
-[[projects]]
-  digest = "1:aed53a5fa03c1270457e331cf8b7e210e3088a2278fec552c5c5d29c1664e161"
-  name = "go.opencensus.io"
-  packages = [
-    ".",
-    "internal",
-    "trace",
-    "trace/internal",
-    "trace/tracestate",
-  ]
-  pruneopts = "UT"
-  revision = "aad2c527c5defcf89b5afab7f37274304195a6b2"
-  version = "v0.22.2"
-
-[[projects]]
-  branch = "master"
-  digest = "1:676f320d34ccfa88bfa6d04bdf388ed7062af175355c805ef57ccda1a3f13432"
-  name = "golang.org/x/net"
-  packages = [
-    "context",
-    "context/ctxhttp",
-    "http/httpguts",
-    "http2",
-    "http2/hpack",
-    "idna",
-    "internal/timeseries",
-    "trace",
-  ]
-  pruneopts = "UT"
-  revision = "c0dbc17a35534bf2e581d7a942408dc936316da4"
-
-[[projects]]
-  digest = "1:d6b0cfc5ae30841c4b116ac589629f56f8add0955a39f11d8c0d06ca67f5b3d5"
-  name = "golang.org/x/sync"
-  packages = [
-    "errgroup",
-    "semaphore",
-  ]
-  pruneopts = "UT"
-  revision = "42b317875d0fa942474b76e1b46a6060d720ae6e"
-
-[[projects]]
-  branch = "master"
-  digest = "1:a76bac71eb452a046b47f82336ba792d8de988688a912f3fd0e8ec8e57fe1bb4"
-  name = "golang.org/x/sys"
-  packages = [
-    "unix",
-    "windows",
-  ]
-  pruneopts = "UT"
-  revision = "af0d71d358abe0ba3594483a5d519f429dbae3e9"
-
-[[projects]]
-  digest = "1:8d8faad6b12a3a4c819a3f9618cb6ee1fa1cfc33253abeeea8b55336721e3405"
-  name = "golang.org/x/text"
-  packages = [
-    "collate",
-    "collate/build",
-    "internal/colltab",
-    "internal/gen",
-    "internal/language",
-    "internal/language/compact",
-    "internal/tag",
-    "internal/triegen",
-    "internal/ucd",
-    "language",
-    "secure/bidirule",
-    "transform",
-    "unicode/bidi",
-    "unicode/cldr",
-    "unicode/norm",
-    "unicode/rangetable",
-  ]
-  pruneopts = "UT"
-  revision = "342b2e1fbaa52c93f31447ad2c6abc048c63e475"
-  version = "v0.3.2"
-
-[[projects]]
-  branch = "master"
-  digest = "1:583a0c80f5e3a9343d33aea4aead1e1afcc0043db66fdf961ddd1fe8cd3a4faf"
-  name = "google.golang.org/genproto"
-  packages = ["googleapis/rpc/status"]
-  pruneopts = "UT"
-  revision = "b31c10ee225f87dbb9f5f878ead9d64f34f5cbbb"
-
-[[projects]]
-  digest = "1:48eafc052e46b4ebbc7882553873cf6198203e528627cefc94dcaf8553addd19"
-  name = "google.golang.org/grpc"
-  packages = [
-    ".",
-    "balancer",
-    "balancer/base",
-    "balancer/roundrobin",
-    "binarylog/grpc_binarylog_v1",
-    "codes",
-    "connectivity",
-    "credentials",
-    "credentials/internal",
-    "encoding",
-    "encoding/proto",
-    "grpclog",
-    "health/grpc_health_v1",
-    "internal",
-    "internal/backoff",
-    "internal/balancerload",
-    "internal/binarylog",
-    "internal/channelz",
-    "internal/envconfig",
-    "internal/grpcrand",
-    "internal/grpcsync",
-    "internal/syscall",
-    "internal/transport",
-    "keepalive",
-    "metadata",
-    "naming",
-    "peer",
-    "resolver",
-    "resolver/dns",
-    "resolver/passthrough",
-    "serviceconfig",
-    "stats",
-    "status",
-    "tap",
-  ]
-  pruneopts = "UT"
-  revision = "6eaf6f47437a6b4e2153a190160ef39a92c7eceb"
-  version = "v1.23.0"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  input-imports = [
-    "github.com/alexellis/go-execute/pkg/v1",
-    "github.com/alexellis/k3sup/pkg/env",
-    "github.com/containerd/containerd",
-    "github.com/containerd/containerd/cio",
-    "github.com/containerd/containerd/containers",
-    "github.com/containerd/containerd/errdefs",
-    "github.com/containerd/containerd/namespaces",
-    "github.com/containerd/containerd/oci",
-    "github.com/containerd/containerd/remotes",
-    "github.com/containerd/containerd/remotes/docker",
-    "github.com/containerd/containerd/runtime/v2/logging",
-    "github.com/containerd/go-cni",
-    "github.com/coreos/go-systemd/journal",
-    "github.com/docker/cli/cli/config",
-    "github.com/docker/cli/cli/config/configfile",
-    "github.com/docker/distribution/reference",
-    "github.com/gorilla/mux",
-    "github.com/morikuni/aec",
-    "github.com/opencontainers/runtime-spec/specs-go",
-    "github.com/openfaas/faas-provider",
-    "github.com/openfaas/faas-provider/proxy",
-    "github.com/openfaas/faas-provider/types",
-    "github.com/openfaas/faas/gateway/requests",
-    "github.com/pkg/errors",
-    "github.com/sethvargo/go-password/password",
-    "github.com/spf13/cobra",
-    "github.com/vishvananda/netlink",
-    "github.com/vishvananda/netns",
-    "golang.org/x/sys/unix",
-  ]
-  solver-name = "gps-cdcl"
-  solver-version = 1
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -1,47 +0,0 @@
-[prune]
-  go-tests = true
-  unused-packages = true
-
-[[constraint]]
-  name = "github.com/containerd/containerd"
-  version = "1.3.2"
-
-[[constraint]]
-  name = "github.com/morikuni/aec"
-  version = "1.0.0"
-
-[[constraint]]
-  name = "github.com/spf13/cobra"
-  version = "0.0.5"
-
-[[constraint]]
-  name = "github.com/alexellis/k3sup"
-  version = "0.7.1"
-
-[[constraint]]
-  name = "github.com/alexellis/go-execute"
-  version = "0.3.0"
-
-[[constraint]]
-  name = "github.com/gorilla/mux"
-  version = "1.7.3"
-
-[[constraint]]
-  name = "github.com/openfaas/faas"
-  version = "0.18.7"
-
-[[constraint]]
-  name = "github.com/sethvargo/go-password"
-  version = "0.1.3"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/containerd/go-cni"
-
-[[constraint]]
-  name = "github.com/openfaas/faas-provider"
-  version = "0.14.0"
-
-[[constraint]]
-  name = "github.com/docker/cli"
-  version = "19.3.5"
--- a/4
+++ b/4
@ -1,6 +1,8 @@
 MIT License

-Copyright (c) 2019 Alex Ellis
+Copyright (c) 2020 Alex Ellis
+Copyright (c) 2020 OpenFaaS Ltd
+Copyright (c) 2020 OpenFaas Author(s)

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/43
+++ b/43
@ -1,45 +1,59 @@
 Version := $(shell git describe --tags --dirty)
 GitCommit := $(shell git rev-parse HEAD)
 LDFLAGS := "-s -w -X main.Version=$(Version) -X main.GitCommit=$(GitCommit)"
-CONTAINERD_VER := 1.3.2
-CNI_VERSION := v0.8.5
+CONTAINERD_VER := 1.3.4
+CNI_VERSION := v0.8.6
 ARCH := amd64

+export GO111MODULE=on
+
 .PHONY: all
-all: local
+all: test dist hashgen
+
+.PHONY: publish
+publish: dist hashgen

 local:
-	CGO_ENABLED=0 GOOS=linux go build -o bin/faasd
+	CGO_ENABLED=0 GOOS=linux go build -mod=vendor -o bin/faasd
+
+.PHONY: test
+test:
+	CGO_ENABLED=0 GOOS=linux go test -mod=vendor -ldflags $(LDFLAGS) ./...

 .PHONY: dist
 dist:
-	CGO_ENABLED=0 GOOS=linux go build -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd-armhf
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd-arm64
+	CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -mod=vendor -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd-armhf
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -mod=vendor -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd-arm64
+
+.PHONY: hashgen
+hashgen:
+	for f in bin/faasd*; do shasum -a 256 $$f > $$f.sha256; done

 .PHONY: prepare-test
 prepare-test:
 	curl -sLSf https://github.com/containerd/containerd/releases/download/v$(CONTAINERD_VER)/containerd-$(CONTAINERD_VER).linux-amd64.tar.gz > /tmp/containerd.tar.gz && sudo tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
-	curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.3.2/containerd.service | sudo tee /etc/systemd/system/containerd.service
+	curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.5.4/containerd.service | sudo tee /etc/systemd/system/containerd.service
 	sudo systemctl daemon-reload && sudo systemctl start containerd
 	sudo /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
 	sudo mkdir -p /opt/cni/bin
 	curl -sSL https://github.com/containernetworking/plugins/releases/download/$(CNI_VERSION)/cni-plugins-linux-$(ARCH)-$(CNI_VERSION).tgz | sudo tar -xz -C /opt/cni/bin
-	sudo cp $(GOPATH)/src/github.com/openfaas/faasd/bin/faasd /usr/local/bin/
-	cd $(GOPATH)/src/github.com/openfaas/faasd/ && sudo /usr/local/bin/faasd install
+	sudo cp bin/faasd /usr/local/bin/
+	sudo /usr/local/bin/faasd install
 	sudo systemctl status -l containerd --no-pager
 	sudo journalctl -u faasd-provider --no-pager
 	sudo systemctl status -l faasd-provider --no-pager
 	sudo systemctl status -l faasd --no-pager
 	curl -sSLf https://cli.openfaas.com | sudo sh
-	sleep 120 && sudo journalctl -u faasd --no-pager
+	echo "Sleeping for 2m" && sleep 120 && sudo journalctl -u faasd --no-pager

 .PHONY: test-e2e
 test-e2e:
 	sudo cat /var/lib/faasd/secrets/basic-auth-password | /usr/local/bin/faas-cli login --password-stdin
-	/usr/local/bin/faas-cli store deploy figlet --env write_timeout=1s --env read_timeout=1s
+	/usr/local/bin/faas-cli store deploy figlet --env write_timeout=1s --env read_timeout=1s --label testing=true
 	sleep 5
 	/usr/local/bin/faas-cli list -v
+	/usr/local/bin/faas-cli describe figlet | grep testing
 	uname | /usr/local/bin/faas-cli invoke figlet
 	uname | /usr/local/bin/faas-cli invoke figlet --async
 	sleep 10
@ -47,3 +61,8 @@ test-e2e:
 	/usr/local/bin/faas-cli remove figlet
 	sleep 3
 	/usr/local/bin/faas-cli list
+	sleep 3
+	journalctl -t openfaas-fn:figlet --no-pager
+
+# Removed due to timing issue in CI on GitHub Actions
+#	/usr/local/bin/faas-cli logs figlet --since 15m --follow=false | grep Forking
--- a/README.md
+++ b/README.md
@ -1,23 +1,57 @@
-# faasd - serverless with containerd and CNI  🐳
+# faasd - a lightweight & portable faas engine

-[![Build Status](https://travis-ci.com/openfaas/faasd.svg?branch=master)](https://travis-ci.com/openfaas/faasd)
+[![Sponsor this](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/openfaas)](https://github.com/sponsors/openfaas)
+[![Build Status](https://github.com/openfaas/faasd/workflows/build/badge.svg?branch=master)](https://github.com/openfaas/faasd/actions)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![OpenFaaS](https://img.shields.io/badge/openfaas-serverless-blue.svg)](https://www.openfaas.com)
+![Downloads](https://img.shields.io/github/downloads/openfaas/faasd/total)

-faasd is the same OpenFaaS experience and ecosystem, but without Kubernetes. Functions and microservices can be deployed anywhere with reduced overheads whilst retaining the portability of containers and cloud-native tooling.
+faasd is [OpenFaaS](https://github.com/openfaas/) reimagined, but without the cost and complexity of Kubernetes. It runs on a single host with very modest requirements, making it fast and easy to manage. Under the hood it uses [containerd](https://containerd.io/) and [Container Networking Interface (CNI)](https://github.com/containernetworking/cni) along with the same core OpenFaaS components from the main project.

-## About faasd
+![faasd logo](docs/media/social.png)

-* is a single Golang binary
-* can be set-up and left alone to run your applications
-* is multi-arch, so works on Intel `x86_64` and ARM out the box
+## Use-cases and tutorials
+
+faasd is just another way to run OpenFaaS, so many things you read in the docs or in blog posts will work the same way.
+
+Videos and overviews:
+
+* [Exploring of serverless use-cases from commercial and personal users (YouTube)](https://www.youtube.com/watch?v=mzuXVuccaqI)
+* [Meet faasd. Look Ma’ No Kubernetes! (YouTube)](https://www.youtube.com/watch?v=ZnZJXI377ak)
+
+Use-cases and tutorials:
+
+* [Serverless Node.js that you can run anywhere](https://www.openfaas.com/blog/serverless-nodejs/)
+* [Simple Serverless with Golang Functions and Microservices](https://www.openfaas.com/blog/golang-serverless/)
+* [Build a Flask microservice with OpenFaaS](https://www.openfaas.com/blog/openfaas-flask/)
+* [Get started with Java 11 and Vert.x on Kubernetes with OpenFaaS](https://www.openfaas.com/blog/get-started-with-java-openjdk11/)
+* [Deploy to faasd via GitHub Actions](https://www.openfaas.com/blog/openfaas-functions-with-github-actions/)
+* [Scrape and automate websites with Puppeteer](https://www.openfaas.com/blog/puppeteer-scraping/)
+
+Additional resources:
+
+* The official handbook - [Serverless For Everyone Else](https://gumroad.com/l/serverless-for-everyone-else)
+* For reference: [OpenFaaS docs](https://docs.openfaas.com)
+* For use-cases and tutorials: [OpenFaaS blog](https://openfaas.com/blog/)
+* For self-paced learning: [OpenFaaS workshop](https://github.com/openfaas/workshop/)
+
+### About faasd
+
+* faasd is a static Golang binary
 * uses the same core components and ecosystem of OpenFaaS
+* uses containerd for its runtime and CNI for networking
+* is multi-arch, so works on Intel `x86_64` and ARM out the box
+* can run almost any other stateful container through its `docker-compose.yaml` file

-![demo](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=small)
+Most importantly, it's easy to manage so you can set it up and leave it alone to run your functions.

-> Demo of faasd running in KVM
+[![demo](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=medium)](https://www.youtube.com/watch?v=WX1tZoSXy8E)

-## What does faasd deploy?
+> Demo of faasd running asynchronous functions
+
+Watch the video: [faasd walk-through with cloud-init and Multipass](https://www.youtube.com/watch?v=WX1tZoSXy8E)
+
+### What does faasd deploy?

 * faasd - itself, and its [faas-provider](https://github.com/openfaas/faas-provider) for containerd - CRUD for functions and services, implements the OpenFaaS REST API
 * [Prometheus](https://github.com/prometheus/prometheus) - for monitoring of services, metrics, scaling and dashboards
@ -25,7 +59,7 @@ faasd is the same OpenFaaS experience and ecosystem, but without Kubernetes. Fun
 * [OpenFaaS queue-worker for NATS](https://github.com/openfaas/nats-queue-worker) - run your invocations in the background without adding any code. See also: [asynchronous invocations](https://docs.openfaas.com/reference/triggers/#async-nats-streaming)
 * [NATS](https://nats.io) for asynchronous processing and queues

-You'll also need:
+faasd relies on industry-standard tools for running containers:

 * [CNI](https://github.com/containernetworking/plugins)
 * [containerd](https://github.com/containerd/containerd)
@ -33,70 +67,84 @@ You'll also need:

 You can use the standard [faas-cli](https://github.com/openfaas/faas-cli) along with pre-packaged functions from *the Function Store*, or build your own using any OpenFaaS template.

-## Tutorials
+### When should you use faasd over OpenFaaS on Kubernetes?

-### Get started on DigitalOcean, or any other IaaS
+* To deploy microservices and functions that you can update and monitor remotely
+* When you don't have the bandwidth to learn or manage Kubernetes
+* To deploy embedded apps in IoT and edge use-cases
+* To distribute applications to a customer or client
+* You have a cost sensitive project - run faasd on a 1GB VM for 5-10 USD / mo or on your Raspberry Pi
+* When you just need a few functions or microservices, without the cost of a cluster

-If your IaaS supports `user_data` aka "cloud-init", then this guide is for you. If not, then checkout the approach and feel free to run each step manually.
+faasd does not create the same maintenance burden you'll find with maintaining, upgrading, and securing a Kubernetes cluster. You can deploy it and walk away, in the worst case, just deploy a new VM and deploy your functions again.

-* [Build a Serverless appliance with faasd](https://blog.alexellis.io/deploy-serverless-faasd-with-cloud-init/)
+## Learning faasd

-### Run locally on MacOS, Linux, or Windows with Multipass.run
+The faasd project is MIT licensed and open source, and you will find some documentation, blog posts and videos for free.

-* [Get up and running with your own faasd installation on your Mac/Ubuntu or Windows with cloud-config](https://gist.github.com/alexellis/6d297e678c9243d326c151028a3ad7b9)
+However, "Serverless For Everyone Else" is the official handbook and was written to contribute funds towards the upkeep and maintenance of the project.

-### Get started on armhf / Raspberry Pi
+### The official handbook and docs for faasd

-You can run this tutorial on your Raspberry Pi, or adapt the steps for a regular Linux VM/VPS host.
+<a href="https://gumroad.com/l/serverless-for-everyone-else">
+<img src="https://www.alexellis.io/serverless.png" width="40%"></a>

-* [faasd - lightweight Serverless for your Raspberry Pi](https://blog.alexellis.io/faasd-for-lightweight-serverless/)
+You'll learn how to deploy code in any language, lift and shift Dockerfiles, run requests in queues, write background jobs and to integrate with databases. faasd packages the same code as OpenFaaS, so you get built-in metrics for your HTTP endpoints, a user-friendly CLI, pre-packaged functions and templates from the store and a UI.

-### Terraform for DigitalOcean
+Topics include:

-Automate everything within < 60 seconds and get a public URL and IP address back. Customise as required, or adapt to your preferred cloud such as AWS EC2.
+* Should you deploy to a VPS or Raspberry Pi?
+* Deploying your server with bash, cloud-init or terraform
+* Using a private container registry
+* Finding functions in the store
+* Building your first function with Node.js
+* Using environment variables for configuration
+* Using secrets from functions, and enabling authentication tokens
+* Customising templates
+* Monitoring your functions with Grafana and Prometheus
+* Scheduling invocations and background jobs
+* Tuning timeouts, parallelism, running tasks in the background
+* Adding TLS to faasd and custom domains for functions
+* Self-hosting on your Raspberry Pi
+* Adding a database for storage with InfluxDB and Postgresql
+* Troubleshooting and logs
+* CI/CD with GitHub Actions and multi-arch
+* Taking things further, community and case-studies

-* [Provision faasd 0.7.5 on DigitalOcean with Terraform 0.12.0](https://gist.github.com/alexellis/fd618bd2f957eb08c44d086ef2fc3906)
+View sample pages, reviews and testimonials on Gumroad:

-### A note on private repos / registries
+["Serverless For Everyone Else"](https://gumroad.com/l/serverless-for-everyone-else)

-To use private image repos, `~/.docker/config.json` needs to be copied to `/var/lib/faasd/.docker/config.json`.
+### Deploy faasd

-If you'd like to set up your own private registry, [see this tutorial](https://blog.alexellis.io/get-a-tls-enabled-docker-registry-in-5-minutes/).
+The easiest way to deploy faasd is with cloud-init, we give several examples below, and post IaaS platforms will accept "user-data" pasted into their UI, or via their API.

-Beware that running `docker login` on MacOS and Windows may create an empty file with your credentials stored in the system helper.
+For trying it out on MacOS or Windows, we recommend using [multipass](https://multipass.run) to run faasd in a VM.

-Alternatively, use you can use the `registry-login` command from the OpenFaaS Cloud bootstrap tool (ofc-bootstrap):
+If you don't use cloud-init, or have already created your Linux server you can use the installation script as per below:

 ```bash
-curl -sLSf https://raw.githubusercontent.com/openfaas-incubator/ofc-bootstrap/master/get.sh | sudo sh
+git clone https://github.com/openfaas/faasd --depth=1
+cd faasd

-ofc-bootstrap registry-login --username <your-registry-username> --password-stdin
-# (the enter your password and hit return)
-```
-The file will be created in `./credentials/`
-
-### Logs for functions
-
-You can view the logs of functions using `journalctl`:
-
-```bash
-journalctl -t openfaas-fn:FUNCTION_NAME
-
-
-faas-cli store deploy figlet
-journalctl -t openfaas-fn:figlet -f &
-echo logs | faas-cli invoke figlet
+./hack/install.sh
 ```

-### Manual / developer instructions
+> This approach also works for Raspberry Pi

-See [here for manual / developer instructions](docs/DEV.md)
+It's recommended that you do not install Docker on the same host as faasd, since 1) they may both use different versions of containerd and 2) docker's networking rules can disrupt faasd's networking. When using faasd - make your faasd server a faasd server, and build container image on your laptop or in a CI pipeline.

-## Getting help
+#### Deployment tutorials

-### Docs
+* [Use multipass on Windows, MacOS or Linux](/docs/MULTIPASS.md)
+* [Deploy to DigitalOcean with Terraform and TLS](https://www.openfaas.com/blog/faasd-tls-terraform/)
+* [Deploy to any IaaS with cloud-init](https://blog.alexellis.io/deploy-serverless-faasd-with-cloud-init/)
+* [Deploy faasd to your Raspberry Pi](https://blog.alexellis.io/faasd-for-lightweight-serverless/)

-The [OpenFaaS docs](https://docs.openfaas.com/) provide a wealth of information and are kept up to date with new features.
+Terraform scripts:
+
+* [Provision faasd on DigitalOcean with Terraform](docs/bootstrap/README.md)
+* [Provision faasd with TLS on DigitalOcean with Terraform](docs/bootstrap/digitalocean-terraform/README.md)

 ### Function and template store

@ -104,62 +152,21 @@ For community functions see `faas-cli store --help`

 For templates built by the community see: `faas-cli template store list`, you can also use the `dockerfile` template if you just want to migrate an existing service without the benefits of using a template.

-### Workshop
-
-[The OpenFaaS workshop](https://github.com/openfaas/workshop/) is a set of 12 self-paced labs and provides a great starting point
-
 ### Community support

-An active community of almost 3000 users awaits you on Slack. Over 250 of those users are also contributors and help maintain the code.
+Commercial users and solo business owners should become OpenFaaS GitHub Sponsors to receive regular email updates on changes, tutorials and new features.

+If you are learning faasd, or want to share your use-case, you can join the OpenFaaS Slack community.
+
+* [Become an OpenFaaS GitHub Sponsor](https://github.com/sponsors/openfaas/)
 * [Join Slack](https://slack.openfaas.io/)

-## Backlog
+### Backlog, features and known issues

-### Supported operations
+For completed features, WIP and upcoming roadmap see:

-* `faas login`
-* `faas up`
-* `faas list`
-* `faas describe` 
-* `faas deploy --update=true --replace=false`
-* `faas invoke --async`
-* `faas invoke`
-* `faas rm`
-* `faas store list/deploy/inspect`
-* `faas version`
-* `faas namespace`
-* `faas secret`
+See [ROADMAP.md](docs/ROADMAP.md)

-Scale from and to zero is also supported. On a Dell XPS with a small, pre-pulled image unpausing an existing task took 0.19s and starting a task for a killed function took 0.39s. There may be further optimizations to be gained.
-
-Other operations are pending development in the provider such as:
-
-* `faas logs` - to stream logs on-demand for a known function, for the time being you can find logs via `journalctl -u faasd-provider`
-* `faas auth` - supported for Basic Authentication, but OAuth2 & OIDC require a patch
-
-## Todo
-
-Pending:
-
-* [ ] Add support for using container images in third-party public registries
-* [ ] Add support for using container images in private third-party registries
-* [ ] Monitor and restart any of the core components at runtime if the container stops
-* [ ] Bundle/package/automate installation of containerd - [see bootstrap from k3s](https://github.com/rancher/k3s)
-* [ ] Provide ufw rules / example for blocking access to everything but a reverse proxy to the gateway container
-* [ ] Provide [simple Caddyfile example](https://blog.alexellis.io/https-inlets-local-endpoints/) in the README showing how to expose the faasd proxy on port 80/443 with TLS
-
-Done:
-
-* [x] Provide a cloud-config.txt file for automated deployments of `faasd`
-* [x] Inject / manage IPs between core components for service to service communication - i.e. so Prometheus can scrape the OpenFaaS gateway - done via `/etc/hosts` mount
-* [x] Add queue-worker and NATS
-* [x] Create faasd.service and faasd-provider.service
-* [x] Self-install / create systemd service via `faasd install`
-* [x] Restart containers upon restart of faasd
-* [x] Clear / remove containers and tasks with SIGTERM / SIGINT
-* [x] Determine armhf/arm64 containers to run for gateway
-* [x] Configure `basic_auth` to protect the OpenFaaS gateway and faasd-provider HTTP API
-* [x] Setup custom working directory for faasd `/var/lib/faasd/`
-* [x] Use CNI to create network namespaces and adapters
+Want to build a patch without setting up a complete development environment? See [docs/PATCHES.md](docs/PATCHES.md)

+Are you looking to hack on faasd? Follow the [developer instructions](docs/DEV.md) for a manual installation, or use the `hack/install.sh` script and pick up from there.
--- a/cloud-config.txt
+++ b/cloud-config.txt
@ -1,28 +1,30 @@
 #cloud-config
 ssh_authorized_keys:
+## Note: Replace with your own public key
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Q/aUYUr3P1XKVucnO9mlWxOjJm+K01lHJR90MkHC9zbfTqlp8P7C3J26zKAuzHXOeF+VFxETRr6YedQKW9zp5oP7sN+F2gr/pO7GV3VmOqHMV7uKfyUQfq7H1aVzLfCcI7FwN2Zekv3yB7kj35pbsMa1Za58aF6oHRctZU6UWgXXbRxP+B04DoVU7jTstQ4GMoOCaqYhgPHyjEAS3DW0kkPW6HzsvJHkxvVcVlZ/wNJa1Ie/yGpzOzWIN0Ol0t2QT/RSWOhfzO1A2P0XbPuZ04NmriBonO9zR7T1fMNmmtTuK7WazKjQT3inmYRAqU6pe8wfX8WIWNV7OowUjUsv alex@alexr.local

 package_update: true

 packages:
 - runc
+ - git

 runcmd:
- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.3.2/containerd-1.3.2.linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.3.2/containerd.service | tee /etc/systemd/system/containerd.service
+- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.5.4/containerd-1.5.4-linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
+- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.5.4/containerd.service | tee /etc/systemd/system/containerd.service
 - systemctl daemon-reload && systemctl start containerd
 - systemctl enable containerd
 - /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
 - mkdir -p /opt/cni/bin
 - curl -sSL https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz | tar -xz -C /opt/cni/bin
 - mkdir -p /go/src/github.com/openfaas/
- cd /go/src/github.com/openfaas/ && git clone https://github.com/openfaas/faasd
- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.7/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
+- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.13.0 https://github.com/openfaas/faasd
+- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.13.0/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
 - cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
 - systemctl status -l containerd --no-pager
 - journalctl -u faasd-provider --no-pager
 - systemctl status -l faasd-provider --no-pager
 - systemctl status -l faasd --no-pager
 - curl -sSLf https://cli.openfaas.com | sh
- sleep 5 && journalctl -u faasd --no-pager
+- sleep 60 && journalctl -u faasd --no-pager
 - cat /var/lib/faasd/secrets/basic-auth-password | /usr/local/bin/faas-cli login --password-stdin
--- a/cmd/install.go
+++ b/cmd/install.go
@ -38,6 +38,10 @@ func runInstall(_ *cobra.Command, _ []string) error {
 		return errors.Wrap(basicAuthErr, "cannot create basic-auth-* files")
 	}

+	if err := cp("docker-compose.yaml", faasdwd); err != nil {
+		return err
+	}
+
 	if err := cp("prometheus.yml", faasdwd); err != nil {
 		return err
 	}
@ -89,7 +93,10 @@ func runInstall(_ *cobra.Command, _ []string) error {
 		return err
 	}

-	fmt.Println(`Login with:
+	fmt.Println(`Check status with:
+  sudo journalctl -u faasd --lines 100 -f
+
+Login with:
  sudo cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s`)

 	return nil
@ -102,7 +109,16 @@ func binExists(folder, name string) error {
 	}
 	return nil
 }
+func ensureSecretsDir(folder string) error {
+	if _, err := os.Stat(folder); err != nil {
+		err = os.MkdirAll(folder, secretDirPermission)
+		if err != nil {
+			return err
+		}
+	}

+	return nil
+}
 func ensureWorkingDir(folder string) error {
 	if _, err := os.Stat(folder); err != nil {
 		err = os.MkdirAll(folder, workingDirectoryPermission)
--- a/cmd/provider.go
+++ b/cmd/provider.go
@ -1,8 +1,8 @@
 package cmd

 import (
-	"encoding/json"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"net/http"
@ -11,96 +11,166 @@ import (

 	"github.com/containerd/containerd"
 	bootstrap "github.com/openfaas/faas-provider"
+	"github.com/openfaas/faas-provider/logs"
 	"github.com/openfaas/faas-provider/proxy"
 	"github.com/openfaas/faas-provider/types"
+	faasd "github.com/openfaas/faasd/pkg"
 	"github.com/openfaas/faasd/pkg/cninetwork"
+	faasdlogs "github.com/openfaas/faasd/pkg/logs"
 	"github.com/openfaas/faasd/pkg/provider/config"
 	"github.com/openfaas/faasd/pkg/provider/handlers"
 	"github.com/spf13/cobra"
 )

-var providerCmd = &cobra.Command{
-	Use:   "provider",
-	Short: "Run the faasd-provider",
-	RunE:  runProvider,
+const secretDirPermission = 0755
+
+func makeProviderCmd() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "provider",
+		Short: "Run the faasd-provider",
+	}
+
+	command.Flags().String("pull-policy", "Always", `Set to "Always" to force a pull of images upon deployment, or "IfNotPresent" to try to use a cached image.`)
+
+	command.RunE = func(_ *cobra.Command, _ []string) error {
+
+		pullPolicy, flagErr := command.Flags().GetString("pull-policy")
+		if flagErr != nil {
+			return flagErr
+		}
+
+		alwaysPull := false
+		if pullPolicy == "Always" {
+			alwaysPull = true
+		}
+
+		config, providerConfig, err := config.ReadFromEnv(types.OsEnv{})
+		if err != nil {
+			return err
+		}
+
+		log.Printf("faasd-provider starting..\tService Timeout: %s\n", config.WriteTimeout.String())
+		printVersion()
+
+		wd, err := os.Getwd()
+		if err != nil {
+			return err
+		}
+
+		writeHostsErr := ioutil.WriteFile(path.Join(wd, "hosts"),
+			[]byte(`127.0.0.1	localhost`), workingDirectoryPermission)
+
+		if writeHostsErr != nil {
+			return fmt.Errorf("cannot write hosts file: %s", writeHostsErr)
+		}
+
+		writeResolvErr := ioutil.WriteFile(path.Join(wd, "resolv.conf"),
+			[]byte(`nameserver 8.8.8.8`), workingDirectoryPermission)
+
+		if writeResolvErr != nil {
+			return fmt.Errorf("cannot write resolv.conf file: %s", writeResolvErr)
+		}
+
+		cni, err := cninetwork.InitNetwork()
+		if err != nil {
+			return err
+		}
+
+		client, err := containerd.New(providerConfig.Sock)
+		if err != nil {
+			return err
+		}
+
+		defer client.Close()
+
+		invokeResolver := handlers.NewInvokeResolver(client)
+
+		baseUserSecretsPath := path.Join(wd, "secrets")
+		if err := moveSecretsToDefaultNamespaceSecrets(
+			baseUserSecretsPath,
+			faasd.DefaultFunctionNamespace); err != nil {
+			return err
+		}
+
+		bootstrapHandlers := types.FaaSHandlers{
+			FunctionProxy:        proxy.NewHandlerFunc(*config, invokeResolver),
+			DeleteHandler:        handlers.MakeDeleteHandler(client, cni),
+			DeployHandler:        handlers.MakeDeployHandler(client, cni, baseUserSecretsPath, alwaysPull),
+			FunctionReader:       handlers.MakeReadHandler(client),
+			ReplicaReader:        handlers.MakeReplicaReaderHandler(client),
+			ReplicaUpdater:       handlers.MakeReplicaUpdateHandler(client, cni),
+			UpdateHandler:        handlers.MakeUpdateHandler(client, cni, baseUserSecretsPath, alwaysPull),
+			HealthHandler:        func(w http.ResponseWriter, r *http.Request) {},
+			InfoHandler:          handlers.MakeInfoHandler(Version, GitCommit),
+			ListNamespaceHandler: handlers.MakeNamespacesLister(client),
+			SecretHandler:        handlers.MakeSecretHandler(client, baseUserSecretsPath),
+			LogHandler:           logs.NewLogHandlerFunc(faasdlogs.New(), config.ReadTimeout),
+		}
+
+		log.Printf("Listening on TCP port: %d\n", *config.TCPPort)
+		bootstrap.Serve(&bootstrapHandlers, config)
+		return nil
+	}
+
+	return command
 }

-func runProvider(_ *cobra.Command, _ []string) error {
+/*
+* Mutiple namespace support was added after release 0.13.0
+* Function will help users to migrate on multiple namespace support of faasd
+ */
+func moveSecretsToDefaultNamespaceSecrets(baseSecretPath string, defaultNamespace string) error {
+	newSecretPath := path.Join(baseSecretPath, defaultNamespace)

-	config, providerConfig, err := config.ReadFromEnv(types.OsEnv{})
+	err := ensureSecretsDir(newSecretPath)
 	if err != nil {
 		return err
 	}

-	log.Printf("faasd-provider starting..\tService Timeout: %s\n", config.WriteTimeout.String())
-
-	wd, err := os.Getwd()
+	files, err := ioutil.ReadDir(baseSecretPath)
 	if err != nil {
 		return err
 	}

-	writeHostsErr := ioutil.WriteFile(path.Join(wd, "hosts"),
-		[]byte(`127.0.0.1	localhost`), workingDirectoryPermission)
+	for _, f := range files {
+		if !f.IsDir() {

-	if writeHostsErr != nil {
-		return fmt.Errorf("cannot write hosts file: %s", writeHostsErr)
-	}
+			newPath := path.Join(newSecretPath, f.Name())

-	writeResolvErr := ioutil.WriteFile(path.Join(wd, "resolv.conf"),
-		[]byte(`nameserver 8.8.8.8`), workingDirectoryPermission)
+			// A non-nil error means the file wasn't found in the
+			// destination path
+			if _, err := os.Stat(newPath); err != nil {
+				oldPath := path.Join(baseSecretPath, f.Name())

-	if writeResolvErr != nil {
-		return fmt.Errorf("cannot write resolv.conf file: %s", writeResolvErr)
-	}
+				if err := copyFile(oldPath, newPath); err != nil {
+					return err
+				}

-	cni, err := cninetwork.InitNetwork()
-	if err != nil {
-		return err
-	}
-
-	client, err := containerd.New(providerConfig.Sock)
-	if err != nil {
-		return err
-	}
-
-	defer client.Close()
-
-	invokeResolver := handlers.NewInvokeResolver(client)
-
-	userSecretPath := path.Join(wd, "secrets")
-
-	bootstrapHandlers := types.FaaSHandlers{
-		FunctionProxy:        proxy.NewHandlerFunc(*config, invokeResolver),
-		DeleteHandler:        handlers.MakeDeleteHandler(client, cni),
-		DeployHandler:        handlers.MakeDeployHandler(client, cni, userSecretPath),
-		FunctionReader:       handlers.MakeReadHandler(client),
-		ReplicaReader:        handlers.MakeReplicaReaderHandler(client),
-		ReplicaUpdater:       handlers.MakeReplicaUpdateHandler(client, cni),
-		UpdateHandler:        handlers.MakeUpdateHandler(client, cni, userSecretPath),
-		HealthHandler:        func(w http.ResponseWriter, r *http.Request) {},
-		InfoHandler:          handlers.MakeInfoHandler(Version, GitCommit),
-		ListNamespaceHandler: listNamespaces(),
-		SecretHandler:        handlers.MakeSecretHandler(client, userSecretPath),
-		LogHandler: func(w http.ResponseWriter, r *http.Request) {
-			if r.Body != nil {
-				defer r.Body.Close()
+				log.Printf("[Migration] Copied %s to %s", oldPath, newPath)
 			}
-
-			w.WriteHeader(http.StatusNotImplemented)
-			w.Write([]byte(`Logs are not implemented for faasd`))
-		},
+		}
 	}

-	log.Printf("Listening on TCP port: %d\n", *config.TCPPort)
-	bootstrap.Serve(&bootstrapHandlers, config)
-
 	return nil
 }

-func listNamespaces() func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		list := []string{""}
-		out, _ := json.Marshal(list)
-		w.Write(out)
+func copyFile(src, dst string) error {
+	inputFile, err := os.Open(src)
+	if err != nil {
+		return fmt.Errorf("opening %s failed %w", src, err)
 	}
+	defer inputFile.Close()
+
+	outputFile, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_APPEND, secretDirPermission)
+	if err != nil {
+		return fmt.Errorf("opening %s failed %w", dst, err)
+	}
+	defer outputFile.Close()
+
+	// Changed from os.Rename due to issue in #201
+	if _, err := io.Copy(outputFile, inputFile); err != nil {
+		return fmt.Errorf("writing into %s failed %w", outputFile.Name(), err)
+	}
+
+	return nil
 }
--- a/cmd/root.go
+++ b/cmd/root.go
@ -14,7 +14,7 @@ func init() {
 	rootCommand.AddCommand(versionCmd)
 	rootCommand.AddCommand(upCmd)
 	rootCommand.AddCommand(installCmd)
-	rootCommand.AddCommand(providerCmd)
+	rootCommand.AddCommand(makeProviderCmd())
 	rootCommand.AddCommand(collectCmd)
 }

@ -46,7 +46,12 @@ var rootCommand = &cobra.Command{
 	Use:   "faasd",
 	Short: "Start faasd",
 	Long: `
-faasd - serverless without Kubernetes
+faasd - Serverless For Everyone Else
+
+Learn how to build, secure, and monitor functions with faasd with 
+the eBook:
+
+https://gumroad.com/l/serverless-for-everyone-else
 `,
 	RunE:         runRootCommand,
 	SilenceUsage: true,
@ -69,11 +74,11 @@ var versionCmd = &cobra.Command{
 func parseBaseCommand(_ *cobra.Command, _ []string) {
 	printLogo()

-	fmt.Printf(
-		`faasd
-Commit: %s
-Version: %s
-`, GitCommit, GetVersion())
+	printVersion()
+}
+
+func printVersion() {
+	fmt.Printf("faasd version: %s\tcommit: %s\n", GetVersion(), GitCommit)
 }

 func printLogo() {
--- a/cmd/up.go
+++ b/cmd/up.go
@ -7,54 +7,61 @@ import (
 	"os"
 	"os/signal"
 	"path"
-	"strings"
 	"sync"
 	"syscall"
 	"time"

 	"github.com/pkg/errors"
-
-	"github.com/openfaas/faasd/pkg"
-	"github.com/alexellis/k3sup/pkg/env"
 	"github.com/sethvargo/go-password/password"
 	"github.com/spf13/cobra"
+	flag "github.com/spf13/pflag"
+
+	"github.com/openfaas/faasd/pkg"
 )

+// upConfig are the CLI flags used by the `faasd up` command to deploy the faasd service
+type upConfig struct {
+	// composeFilePath is the path to the compose file specifying the faasd service configuration
+	// See https://compose-spec.io/ for more information about the spec,
+	//
+	// currently, this must be the name of a file in workingDir, which is set to the value of
+	// `faasdwd = /var/lib/faasd`
+	composeFilePath string
+
+	// working directory to assume the compose file is in, should be faasdwd.
+	// this is not configurable but may be in the future.
+	workingDir string
+}
+
+func init() {
+	configureUpFlags(upCmd.Flags())
+}
+
 var upCmd = &cobra.Command{
 	Use:   "up",
 	Short: "Start faasd",
 	RunE:  runUp,
 }

-const containerSecretMountDir = "/run/secrets"
+func runUp(cmd *cobra.Command, _ []string) error {

-func runUp(_ *cobra.Command, _ []string) error {
+	printVersion()

-	clientArch, clientOS := env.GetClientArch()
-
-	if clientOS != "Linux" {
-		return fmt.Errorf("You can only use faasd on Linux")
-	}
-	clientSuffix := ""
-	switch clientArch {
-	case "x86_64":
-		clientSuffix = ""
-		break
-	case "armhf":
-	case "armv7l":
-		clientSuffix = "-armhf"
-		break
-	case "arm64":
-	case "aarch64":
-		clientSuffix = "-arm64"
+	cfg, err := parseUpFlags(cmd)
+	if err != nil {
+		return err
 	}

-	if basicAuthErr := makeBasicAuthFiles(path.Join(path.Join(faasdwd, "secrets"))); basicAuthErr != nil {
+	services, err := loadServiceDefinition(cfg)
+	if err != nil {
+		return err
+	}
+
+	basicAuthErr := makeBasicAuthFiles(path.Join(cfg.workingDir, "secrets"))
+	if basicAuthErr != nil {
 		return errors.Wrap(basicAuthErr, "cannot create basic-auth-* files")
 	}

-	services := makeServiceDefinitions(clientSuffix)
-
 	start := time.Now()
 	supervisor, err := pkg.NewSupervisor("/run/containerd/containerd.sock")
 	if err != nil {
@ -64,20 +71,15 @@ func runUp(_ *cobra.Command, _ []string) error {
 	log.Printf("Supervisor created in: %s\n", time.Since(start).String())

 	start = time.Now()
-
-	err = supervisor.Start(services)
-
-	if err != nil {
+	if err := supervisor.Start(services); err != nil {
 		return err
 	}
-
 	defer supervisor.Close()

 	log.Printf("Supervisor init done in: %s\n", time.Since(start).String())

 	shutdownTimeout := time.Second * 1
 	timeout := time.Second * 60
-	proxyDoneCh := make(chan bool)

 	wg := sync.WaitGroup{}
 	wg.Add(1)
@ -94,39 +96,38 @@ func runUp(_ *cobra.Command, _ []string) error {
 			fmt.Println(err)
 		}

-		// Close proxy
-		proxyDoneCh <- true
+		// TODO: close proxies
 		time.AfterFunc(shutdownTimeout, func() {
 			wg.Done()
 		})
 	}()

-	gatewayURLChan := make(chan string, 1)
-	proxyPort := 8080
-	proxy := pkg.NewProxy(proxyPort, timeout)
-	go proxy.Start(gatewayURLChan, proxyDoneCh)
+	localResolver := pkg.NewLocalResolver(path.Join(cfg.workingDir, "hosts"))
+	go localResolver.Start()

-	go func() {
-		wd, _ := os.Getwd()
+	proxies := map[uint32]*pkg.Proxy{}
+	for _, svc := range services {
+		for _, port := range svc.Ports {

-		time.Sleep(3 * time.Second)
-
-		fileData, fileErr := ioutil.ReadFile(path.Join(wd, "hosts"))
-		if fileErr != nil {
-			log.Println(fileErr)
-			return
-		}
-		host := ""
-		lines := strings.Split(string(fileData), "\n")
-		for _, line := range lines {
-			if strings.Index(line, "gateway") > -1 {
-				host = line[:strings.Index(line, "\t")]
+			listenPort := port.Port
+			if _, ok := proxies[listenPort]; ok {
+				return fmt.Errorf("port %d already allocated", listenPort)
 			}
+
+			hostIP := "0.0.0.0"
+			if len(port.HostIP) > 0 {
+				hostIP = port.HostIP
+			}
+
+			upstream := fmt.Sprintf("%s:%d", svc.Name, port.TargetPort)
+			proxies[listenPort] = pkg.NewProxy(upstream, listenPort, hostIP, timeout, localResolver)
 		}
-		log.Printf("[up] Sending %s to proxy\n", host)
-		gatewayURLChan <- host + ":8080"
-		close(gatewayURLChan)
-	}()
+	}
+
+	// TODO: track proxies for later cancellation when receiving sigint/term
+	for _, v := range proxies {
+		go v.Start()
+	}

 	wg.Wait()
 	return nil
@ -134,7 +135,7 @@ func runUp(_ *cobra.Command, _ []string) error {

 func makeBasicAuthFiles(wd string) error {

-	pwdFile := wd + "/basic-auth-password"
+	pwdFile := path.Join(wd, "basic-auth-password")
 	authPassword, err := password.Generate(63, 10, 0, false, true)

 	if err != nil {
@ -146,7 +147,7 @@ func makeBasicAuthFiles(wd string) error {
 		return err
 	}

-	userFile := wd + "/basic-auth-user"
+	userFile := path.Join(wd, "basic-auth-user")
 	err = makeFile(userFile, "admin")
 	if err != nil {
 		return err
@ -155,6 +156,8 @@ func makeBasicAuthFiles(wd string) error {
 	return nil
 }

+// makeFile will create a file with the specified content if it does not exist yet.
+// if the file already exists, the method is a noop.
 func makeFile(filePath, fileContents string) error {
 	_, err := os.Stat(filePath)
 	if err == nil {
@ -168,105 +171,35 @@ func makeFile(filePath, fileContents string) error {
 	}
 }

-func makeServiceDefinitions(archSuffix string) []pkg.Service {
-	wd, _ := os.Getwd()
+// load the docker compose file and then parse it as supervisor Services
+// the logic for loading the compose file comes from the compose reference implementation
+// https://github.com/compose-spec/compose-ref/blob/master/compose-ref.go#L353
+func loadServiceDefinition(cfg upConfig) ([]pkg.Service, error) {

-	return []pkg.Service{
-		pkg.Service{
-			Name:  "basic-auth-plugin",
-			Image: "docker.io/openfaas/basic-auth-plugin:0.18.10" + archSuffix,
-			Env: []string{
-				"port=8080",
-				"secret_mount_path=" + containerSecretMountDir,
-				"user_filename=basic-auth-user",
-				"pass_filename=basic-auth-password",
-			},
-			Mounts: []pkg.Mount{
-				pkg.Mount{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-password"),
-				},
-				pkg.Mount{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-user"),
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-			Args: nil,
-		},
-		pkg.Service{
-			Name:  "nats",
-			Env:   []string{""},
-			Image: "docker.io/library/nats-streaming:0.11.2",
-			Caps:  []string{},
-			Args:  []string{"/nats-streaming-server", "-m", "8222", "--store=memory", "--cluster_id=faas-cluster"},
-		},
-		pkg.Service{
-			Name:  "prometheus",
-			Env:   []string{},
-			Image: "docker.io/prom/prometheus:v2.14.0",
-			Mounts: []pkg.Mount{
-				pkg.Mount{
-					Src:  path.Join(wd, "prometheus.yml"),
-					Dest: "/etc/prometheus/prometheus.yml",
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-		},
-		pkg.Service{
-			Name: "gateway",
-			Env: []string{
-				"basic_auth=true",
-				"functions_provider_url=http://faasd-provider:8081/",
-				"direct_functions=false",
-				"read_timeout=60s",
-				"write_timeout=60s",
-				"upstream_timeout=65s",
-				"faas_nats_address=nats",
-				"faas_nats_port=4222",
-				"auth_proxy_url=http://basic-auth-plugin:8080/validate",
-				"auth_proxy_pass_body=false",
-				"secret_mount_path=" + containerSecretMountDir,
-				"scale_from_zero=true",
-			},
-			Image: "docker.io/openfaas/gateway:0.18.8" + archSuffix,
-			Mounts: []pkg.Mount{
-				pkg.Mount{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-password"),
-				},
-				pkg.Mount{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-user"),
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-		},
-		pkg.Service{
-			Name: "queue-worker",
-			Env: []string{
-				"faas_nats_address=nats",
-				"faas_nats_port=4222",
-				"gateway_invoke=true",
-				"faas_gateway_address=gateway",
-				"ack_wait=5m5s",
-				"max_inflight=1",
-				"write_debug=false",
-				"basic_auth=true",
-				"secret_mount_path=" + containerSecretMountDir,
-			},
-			Image: "docker.io/openfaas/queue-worker:0.9.0",
-			Mounts: []pkg.Mount{
-				pkg.Mount{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-password"),
-				},
-				pkg.Mount{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-user"),
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-		},
+	serviceConfig, err := pkg.LoadComposeFile(cfg.workingDir, cfg.composeFilePath)
+	if err != nil {
+		return nil, err
 	}
+
+	return pkg.ParseCompose(serviceConfig)
+}
+
+// ConfigureUpFlags will define the flags for the `faasd up` command. The flag struct, configure, and
+// parse are split like this to simplify testability.
+func configureUpFlags(flags *flag.FlagSet) {
+	flags.StringP("file", "f", "docker-compose.yaml", "compose file specifying the faasd service configuration")
+}
+
+// ParseUpFlags will load the flag values into an upFlags object. Errors will be underlying
+// Get errors from the pflag library.
+func parseUpFlags(cmd *cobra.Command) (upConfig, error) {
+	parsed := upConfig{}
+	path, err := cmd.Flags().GetString("file")
+	if err != nil {
+		return parsed, errors.Wrap(err, "can not parse compose file path flag")
+	}
+
+	parsed.composeFilePath = path
+	parsed.workingDir = faasdwd
+	return parsed, err
 }
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -0,0 +1,99 @@
+version: "3.7"
+services:
+  basic-auth-plugin:
+    image: ghcr.io/openfaas/basic-auth:0.21.0
+    environment:
+      - port=8080
+      - secret_mount_path=/run/secrets
+      - user_filename=basic-auth-user
+      - pass_filename=basic-auth-password
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+
+  nats:
+    image: docker.io/library/nats-streaming:0.22.0
+    command:
+      - "/nats-streaming-server"
+      - "-m"
+      - "8222"
+      - "--store=memory"
+      - "--cluster_id=faas-cluster"
+    # ports:
+    #    - "127.0.0.1:8222:8222"
+
+  prometheus:
+    image: docker.io/prom/prometheus:v2.14.0
+    volumes:
+      - type: bind
+        source: ./prometheus.yml
+        target: /etc/prometheus/prometheus.yml
+    cap_add:
+      - CAP_NET_RAW
+    ports:
+       - "127.0.0.1:9090:9090"
+
+  gateway:
+    image: ghcr.io/openfaas/gateway:0.21.0
+    environment:
+      - basic_auth=true
+      - functions_provider_url=http://faasd-provider:8081/
+      - direct_functions=false
+      - read_timeout=60s
+      - write_timeout=60s
+      - upstream_timeout=65s
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - auth_proxy_url=http://basic-auth-plugin:8080/validate
+      - auth_proxy_pass_body=false
+      - secret_mount_path=/run/secrets
+      - scale_from_zero=true
+      - function_namespace=openfaas-fn
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - basic-auth-plugin
+      - nats
+      - prometheus
+    ports:
+       - "8080:8080"
+
+  queue-worker:
+    image: ghcr.io/openfaas/queue-worker:0.12.2
+    environment:
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - gateway_invoke=true
+      - faas_gateway_address=gateway
+      - ack_wait=5m5s
+      - max_inflight=1
+      - write_debug=false
+      - basic_auth=true
+      - secret_mount_path=/run/secrets
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - nats
--- a/docs/DEV.md
+++ b/docs/DEV.md
@ -1,9 +1,15 @@
-## Manual installation of faasd for development
+## Instructions for building and testing faasd locally

 > Note: if you're just wanting to try out faasd, then it's likely that you're on the wrong page. This is a detailed set of instructions for those wanting to contribute or customise faasd. Feel free to go back to the homepage and pick a tutorial instead.

+Do you want to help the community test a pull request?
+
+See these instructions instead: [Testing patches](/docs/PATCHES.md)
+
 ### Pre-reqs

+> It's recommended that you do not install Docker on the same host as faasd, since 1) they may both use different versions of containerd and 2) docker's networking rules can disrupt faasd's networking. When using faasd - make your faasd server a faasd server, and build container image on your laptop or in a CI pipeline.
+
 * Linux

    PC / Cloud - any Linux that containerd works on should be fair game, but faasd is tested with Ubuntu 18.04
@ -14,19 +20,76 @@

    For Windows users, install [Git Bash](https://git-scm.com/downloads) along with multipass or vagrant. You can also use WSL1 or WSL2 which provides a Linux environment.

-    You will also need [containerd v1.3.2](https://github.com/containerd/containerd) and the [CNI plugins v0.8.5](https://github.com/containernetworking/plugins)
+    You will also need [containerd v1.5.4](https://github.com/containerd/containerd) and the [CNI plugins v0.8.5](https://github.com/containernetworking/plugins)

    [faas-cli](https://github.com/openfaas/faas-cli) is optional, but recommended.

+If you're using multipass, then allocate sufficient resources:
+
+```bash
+multipass launch \
+  --mem 4G \
+  -c 2 \
+  -n faasd
+
+# Then access its shell
+multipass shell faasd
+```
+
+### Get runc
+
+```bash
+sudo apt update \
+  && sudo apt install -qy \
+    runc \
+    bridge-utils \
+    make
+```
+
+### Get faas-cli (optional)
+
+Having `faas-cli` on your dev machine is useful for testing and debug.
+
+```bash
+curl -sLS https://cli.openfaas.com | sudo sh
+```
+
+#### Install the CNI plugins:
+
+* For PC run `export ARCH=amd64`
+* For RPi/armhf run `export ARCH=arm`
+* For arm64 run `export ARCH=arm64`
+
+Then run:
+
+```bash
+export ARCH=amd64
+export CNI_VERSION=v0.8.5
+
+sudo mkdir -p /opt/cni/bin
+curl -sSL https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz | sudo tar -xz -C /opt/cni/bin
+
+# Make a config folder for CNI definitions
+sudo mkdir -p /etc/cni/net.d
+
+# Make an initial loopback configuration
+sudo sh -c 'cat >/etc/cni/net.d/99-loopback.conf <<-EOF
+{
+    "cniVersion": "0.3.1",
+    "type": "loopback"
+}
+EOF'
+```
+
 ### Get containerd

 You have three options - binaries for PC, binaries for armhf, or build from source.

 * Install containerd `x86_64` only

-```sh
-export VER=1.3.2
-curl -sLSf https://github.com/containerd/containerd/releases/download/v$VER/containerd-$VER.linux-amd64.tar.gz > /tmp/containerd.tar.gz \
+```bash
+export VER=1.5.4
+curl -sSL https://github.com/containerd/containerd/releases/download/v$VER/containerd-$VER-linux-amd64.tar.gz > /tmp/containerd.tar.gz \
  && sudo tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1

 containerd -version
@ -36,20 +99,20 @@ containerd -version

    Building `containerd` on armhf is extremely slow, so I've provided binaries for you.

-    ```sh
-    curl -sSL https://github.com/alexellis/containerd-armhf/releases/download/v1.3.2/containerd.tgz | sudo tar -xvz --strip-components=2 -C /usr/local/bin/
+    ```bash
+    curl -sSL https://github.com/alexellis/containerd-armhf/releases/download/v1.5.4/containerd.tgz | sudo tar -xvz --strip-components=2 -C /usr/local/bin/
    ```

 * Or clone / build / install [containerd](https://github.com/containerd/containerd) from source:

-    ```sh
+    ```bash
    export GOPATH=$HOME/go/
    mkdir -p $GOPATH/src/github.com/containerd
    cd $GOPATH/src/github.com/containerd
    git clone https://github.com/containerd/containerd
    cd containerd
    git fetch origin --tags
-    git checkout v1.3.2
+    git checkout v1.5.4

    make
    sudo make install
@ -59,8 +122,12 @@ containerd -version

 #### Ensure containerd is running

-```sh
-curl -sLS https://raw.githubusercontent.com/containerd/containerd/master/containerd.service > /tmp/containerd.service
+```bash
+curl -sLS https://raw.githubusercontent.com/containerd/containerd/v1.5.4/containerd.service > /tmp/containerd.service
+
+# Extend the timeouts for low-performance VMs
+echo "[Manager]" | tee -a /tmp/containerd.service
+echo "DefaultTimeoutStartSec=3m" | tee -a /tmp/containerd.service

 sudo cp /tmp/containerd.service /lib/systemd/system/
 sudo systemctl enable containerd
@ -69,9 +136,9 @@ sudo systemctl daemon-reload
 sudo systemctl restart containerd
 ```

-Or run ad-hoc:
+Or run ad-hoc. This step can be useful for exploring why containerd might fail to start.

-```sh
+```bash
 sudo containerd &
 ```

@ -79,13 +146,13 @@ sudo containerd &

 > This is required to allow containers in containerd to access the Internet via your computer's primary network interface.

-```sh
+```bash
 sudo /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
 ```

 Make the setting permanent:

-```sh
+```bash
 echo "net.ipv4.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
 ```

@ -93,7 +160,7 @@ echo "net.ipv4.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf

 #### Get build packages

-```sh
+```bash
 sudo apt update \
  && sudo apt install -qy \
    runc \
@ -105,11 +172,11 @@ You may find alternative package names for CentOS and other Linux distributions.

 #### Install Go 1.13 (x86_64)

-```sh
-curl -sSLf https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz > go.tgz
+```bash
+curl -SLf https://golang.org/dl/go1.16.linux-amd64.tar.gz > /tmp/go.tgz
 sudo rm -rf /usr/local/go/
 sudo mkdir -p /usr/local/go/
-sudo tar -xvf go.tgz -C /usr/local/go/ --strip-components=1
+sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1

 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/
@ -119,15 +186,15 @@ go version

 You should also add the following to `~/.bash_profile`:

-```sh
-export GOPATH=$HOME/go/
-export PATH=$PATH:/usr/local/go/bin/
+```bash
+echo "export GOPATH=\$HOME/go/" | tee -a $HOME/.bash_profile
+echo "export PATH=\$PATH:/usr/local/go/bin/" | tee -a $HOME/.bash_profile
 ```

 #### Or on Raspberry Pi (armhf)

-```sh
-curl -SLsf https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz > go.tgz
+```bash
+curl -SLsf https://golang.org/dl/go1.16.linux-armv6l.tar.gz > go.tgz
 sudo rm -rf /usr/local/go/
 sudo mkdir -p /usr/local/go/
 sudo tar -xvf go.tgz -C /usr/local/go/ --strip-components=1
@ -138,25 +205,9 @@ export PATH=$PATH:/usr/local/go/bin/
 go version
 ```

-#### Install the CNI plugins:
-
-* For PC run `export ARCH=amd64`
-* For RPi/armhf run `export ARCH=arm`
-* For arm64 run `export ARCH=arm64`
-
-Then run:
-
-```sh
-export ARCH=amd64
-export CNI_VERSION=v0.8.5
-
-sudo mkdir -p /opt/cni/bin
-curl -sSL https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz | sudo tar -xz -C /opt/cni/bin
-```
-
 #### Clone faasd and its systemd unit files

-```sh
+```bash
 mkdir -p $GOPATH/src/github.com/openfaas/
 cd $GOPATH/src/github.com/openfaas/
 git clone https://github.com/openfaas/faasd
@ -164,36 +215,39 @@ git clone https://github.com/openfaas/faasd

 #### Build `faasd` from source (optional)

-```sh
+```bash
 cd $GOPATH/src/github.com/openfaas/faasd
 cd faasd
 make local
+
+# Install the binary
+sudo cp bin/faasd /usr/local/bin
 ```

-#### Build and run `faasd` (binaries)
+#### Or, download and run `faasd` (binaries)

-```sh
+```bash
 # For x86_64
-sudo curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.4/faasd" \
-    -o "/usr/local/bin/faasd" \
-    && sudo chmod a+x "/usr/local/bin/faasd"
+export SUFFIX=""

 # armhf
-sudo curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.4/faasd-armhf" \
-    -o "/usr/local/bin/faasd" \
-    && sudo chmod a+x "/usr/local/bin/faasd"
+export SUFFIX="-armhf"

 # arm64
-sudo curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.4/faasd-arm64" \
-    -o "/usr/local/bin/faasd" \
-    && sudo chmod a+x "/usr/local/bin/faasd"
+export SUFFIX="-arm64"
+
+# Then download
+curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.13.0/faasd$SUFFIX" \
+    -o "/tmp/faasd" \
+    && chmod +x "/tmp/faasd" 
+sudo mv /tmp/faasd /usr/local/bin/
 ```

 #### Install `faasd`

-```sh
-# Install with systemd
-sudo cp bin/faasd /usr/local/bin
+This step installs faasd as a systemd unit file, creates files in `/var/lib/faasd`, and writes out networking configuration for the CNI bridge networking plugin.
+
+```bash
 sudo faasd install

 2020/02/17 17:38:06 Writing to: "/var/lib/faasd/secrets/basic-auth-password"
@ -206,13 +260,13 @@ You can now log in either from this machine or a remote machine using the OpenFa

 Check that faasd is ready:

-```
+```bash
 sudo journalctl -u faasd
 ```

 You should see output like:

-```
+```bash
 Feb 17 17:46:35 gold-survive faasd[4140]: 2020/02/17 17:46:35 Starting faasd proxy on 8080
 Feb 17 17:46:35 gold-survive faasd[4140]: Gateway: 10.62.0.5:8080
 Feb 17 17:46:35 gold-survive faasd[4140]: 2020/02/17 17:46:35 [proxy] Wait for done
@ -221,15 +275,63 @@ Feb 17 17:46:35 gold-survive faasd[4140]: 2020/02/17 17:46:35 [proxy] Begin list

 To get the CLI for the command above run:

-```sh
+```bash
 curl -sSLf https://cli.openfaas.com | sudo sh
 ```

+#### Make a change to `faasd`
+
+There are two components you can hack on:
+
+For function CRUD you will work on `faasd provider` which is started from `cmd/provider.go`
+
+For faasd itself, you will work on the code from `faasd up`, which is started from `cmd/up.go`
+
+Before working on either, stop the systemd services:
+
+```
+sudo systemctl stop faasd &    # up command
+sudo systemctl stop faasd-provider   # provider command
+```
+
+Here is a workflow you can use for each code change:
+
+Enter the directory of the source code, and build a new binary:
+
+```bash
+cd $GOPATH/src/github.com/openfaas/faasd
+go build
+```
+
+Copy that binary to `/usr/local/bin/`
+
+```bash
+cp faasd /usr/local/bin/
+```
+
+To run `faasd up`, run it from its working directory as root
+
+```bash
+sudo -i
+cd /var/lib/faasd
+
+faasd up
+```
+
+Now to run `faasd provider`, run it from its working directory:
+
+```bash
+sudo -i
+cd /var/lib/faasd-provider
+
+faasd provider
+```
+
 #### At run-time

 Look in `hosts` in the current working folder or in `/var/lib/faasd/` to get the IP for the gateway or Prometheus

-```sh
+```bash
 127.0.0.1      localhost
 10.62.0.1      faasd-provider

--- a/docs/MULTIPASS.md
+++ b/docs/MULTIPASS.md
@ -0,0 +1,141 @@
+# Tutorial - faasd with multipass
+
+## Get up and running with your own faasd installation on your Mac
+
+[multipass from Canonical](https://multipass.run) is like Docker Desktop, but for getting Ubuntu instead of a Docker daemon. It works on MacOS, Linux, and Windows with the same consistent UX. It's not fully open-source, and uses some proprietary add-ons / binaries, but is free to use.
+
+For Linux using Ubuntu, you can install the packages directly, or use `sudo snap install multipass --classic` and follow this tutorial. For Raspberry Pi, [see my tutorial here](https://blog.alexellis.io/faasd-for-lightweight-serverless/).
+
+John McCabe has also tested faasd on Windows with multipass, [see his tweet](https://twitter.com/mccabejohn/status/1221899154672308224).
+
+## Use-case:
+
+Try out [faasd](https://github.com/openfaas/faasd) in a single command using a cloud-config file to get a VM which has:
+
+* port 22 for administration and
+* port 8080 for the OpenFaaS REST API.
+
+![Example](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=medium)
+
+The above screenshot is [from my tweet](https://twitter.com/alexellisuk/status/1221408788395298819/), feel free to comment there.
+
+It took me about 2-3 minutes to run through everything after installing multipass.
+
+## Let's start the tutorial
+
+* Get [multipass.run](https://multipass.run)
+
+* Get my cloud-config.txt file
+
+```sh
+curl -sSLO https://raw.githubusercontent.com/openfaas/faasd/master/cloud-config.txt
+```
+
+* Update the SSH key to match your own, edit `cloud-config.txt`:
+
+Replace the 2nd line with the contents of `~/.ssh/id_rsa.pub`:
+
+```
+ssh_authorized_keys:
+  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Q/aUYUr3P1XKVucnO9mlWxOjJm+K01lHJR90MkHC9zbfTqlp8P7C3J26zKAuzHXOeF+VFxETRr6YedQKW9zp5oP7sN+F2gr/pO7GV3VmOqHMV7uKfyUQfq7H1aVzLfCcI7FwN2Zekv3yB7kj35pbsMa1Za58aF6oHRctZU6UWgXXbRxP+B04DoVU7jTstQ4GMoOCaqYhgPHyjEAS3DW0kkPW6HzsvJHkxvVcVlZ/wNJa1Ie/yGpzOzWIN0Ol0t2QT/RSWOhfzO1A2P0XbPuZ04NmriBonO9zR7T1fMNmmtTuK7WazKjQT3inmYRAqU6pe8wfX8WIWNV7OowUjUsv alex@alexr.local
+```
+
+* Boot the VM
+
+```sh
+multipass launch --cloud-init cloud-config.txt  --name faasd
+```
+
+* Get the VM's IP and connect with `ssh`
+
+```sh
+multipass info faasd
+Name:           faasd
+State:          Running
+IPv4:           192.168.64.14
+Release:        Ubuntu 18.04.3 LTS
+Image hash:     a720c34066dc (Ubuntu 18.04 LTS)
+Load:           0.79 0.19 0.06
+Disk usage:     1.1G out of 4.7G
+Memory usage:   145.6M out of 985.7M
+```
+
+Set the variable `IP`:
+
+```
+export IP="192.168.64.14"
+```
+
+You can also try to use `jq` to get the IP into a variable:
+
+```sh
+export IP=$(multipass info faasd --format json| jq -r '.info.faasd.ipv4[0]')
+```
+
+Connect to the IP listed:
+
+```sh
+ssh ubuntu@$IP
+```
+
+Log out once you know it works.
+
+* Let's capture the authentication password into a file for use with `faas-cli`
+
+```
+ssh ubuntu@$IP "sudo cat /var/lib/faasd/secrets/basic-auth-password" > basic-auth-password
+```
+
+## Try faasd (OpenFaaS)
+
+* Login from your laptop (the host)
+
+```
+export OPENFAAS_URL=http://$IP:8080
+cat basic-auth-password | faas-cli login -s
+```
+
+* Deploy a function and invoke it
+
+```
+faas-cli store deploy figlet --env write_timeout=1s
+echo "faasd" | faas-cli invoke figlet
+
+faas-cli describe figlet
+
+# Run async
+curl -i -d "faasd-async" $OPENFAAS_URL/async-function/figlet
+
+# Run async with a callback
+
+curl -i -d "faasd-async" -H "X-Callback-Url: http://some-request-bin.com/path" $OPENFAAS_URL/async-function/figlet
+```
+
+You can also checkout the other store functions: `faas-cli store list`
+
+* Try the UI
+
+Head over to the UI from your laptop and remember that your password is in the `basic-auth-password` file. The username is `admin`:
+
+```
+echo http://$IP:8080
+```
+
+* Stop/start the instance
+
+```sh
+multipass stop faasd
+```
+
+* Delete, if you want to:
+
+```
+multipass delete --purge faasd
+```
+
+You now have a faasd appliance on your Mac. You can also use this cloud-init file with public cloud like AWS or DigitalOcean.
+
+* If you want a public IP for your faasd VM, then just head over to [inlets.dev](https://inlets.dev/)
+* Try my more complete walk-through / tutorial with Raspberry Pi, or run the same steps on your multipass VM, including how to develop your own functions and services - https://blog.alexellis.io/faasd-for-lightweight-serverless/
+* You might also like [Building containers without Docker](https://blog.alexellis.io/building-containers-without-docker/)
+* Star/fork [faasd](https://github.com/openfaas/faasd) on GitHub
--- a/docs/PATCHES.md
+++ b/docs/PATCHES.md
@ -0,0 +1,88 @@
+## Instructions for testing a patch for faasd
+
+### Launch a virtual machine
+
+You can use any kind of Linux virtual machine, Ubuntu 20.04 is recommended.
+
+Launch a cloud VM or use [Multipass](https://multipass.run), which is free to use an can be run locally. A Raspberry Pi 3 or 4 could also be used, but will need you to run `make dist` to cross compile a valid binary.
+
+### Copy over your SSH key
+
+Your SSH key will be used, so that you can copy a new faasd binary over to the host.
+
+```bash
+multipass launch \
+  --mem 4G \
+  -c 2 \
+  -n faasd
+
+# Then access its shell
+multipass shell faasd
+
+# Edit .ssh/authorized_keys
+
+# Add .ssh/id_rsa.pub from your host and save the file
+```
+
+### Install faasd on the VM
+
+You start off with the upstream version of faasd on the host, then add the new version over the top later on.
+
+```bash
+cd /tmp/
+git clone https://github.com/openfaas/faasd --depth=1
+cd faasd/hack
+./install.sh
+
+# Run the login command given to you at the end of the script
+```
+
+Get the multipass IP address:
+
+```bash
+export IP=$(multipass info faasd --format json| jq -r '.info.faasd.ipv4[0]')
+```
+
+### Build a new faasd binary with the patch
+
+Check out faasd on your local computer
+
+```bash
+git clone https://github.com/openfaas/faasd
+cd faasd
+
+gh pr checkout #PR_NUMBER_HERE
+
+GOOS=linux go build
+
+# You can also run "make dist" which is slower, but includes
+# a version and binaries for other platforms such as the Raspberry Pi
+```
+
+### Copy it over to the VM
+
+Now build a new faasd binary and copy it to the VM:
+
+```bash
+scp faasd ubuntu@$IP:~/
+```
+
+Now deploy the new version on the VM:
+
+```bash
+killall -9 faasd-linux; killall -9 faasd-linux ; mv ./faasd-linux /usr/local/bin/faasd
+```
+
+### Check it worked and test that patch
+
+Now run a command with `faas-cli` such as:
+
+* `faas-cli list`
+* `faas-cli version`
+
+See the testing instructions on the PR and run through those steps.
+
+Post your results on GitHub to assist the creator of the pull request.
+
+You can see how to get the logs for various components using the [eBook Serverless For Everyone Else](https://gumroad.com/l/serverless-for-everyone-else), or by consulting the [DEV.md](/docs/DEV.md) guide.
+
--- a/docs/ROADMAP.md
+++ b/docs/ROADMAP.md
@ -0,0 +1,118 @@
+# faasd backlog and features
+
+## Supported operations
+
+* `faas login`
+* `faas up`
+* `faas list`
+* `faas describe`
+* `faas deploy --update=true --replace=false`
+* `faas invoke --async`
+* `faas invoke`
+* `faas rm`
+* `faas store list/deploy/inspect`
+* `faas version`
+* `faas namespace`
+* `faas secret`
+* `faas logs`
+* `faas auth` - supported for Basic Authentication and OpenFaaS PRO with OIDC and Single-sign On.
+
+Scale from and to zero is also supported. On a Dell XPS with a small, pre-pulled image unpausing an existing task took 0.19s and starting a task for a killed function took 0.39s. There may be further optimizations to be gained.
+
+## Constraints vs OpenFaaS on Kubernetes
+
+faasd suits certain use-cases as mentioned in the README file, for those who want a solution which can scale out horizontally with minimum effort, Kubernetes or K3s is a valid option.
+
+### One replica per function
+
+Functions only support one replica, so cannot scale horizontally, but can scale vertically.
+
+Workaround: deploy one uniquely named function per replica.
+
+### Scale from zero may give a non-200
+
+When scaling from zero there is no health check implemented, so the request may arrive before your HTTP server is ready to serve a request, and therefore give a non-200 code.
+
+Workaround: Do not scale to zero, or have your client retry HTTP calls.
+
+### No clustering is available
+
+No clustering is available in faasd, however you can still apply fault-tolerance and high availability techniques.
+
+Workaround: deploy multiple faasd instances and use a hardware or software load-balancer. Take regular VM/host snapshots or backups.
+
+### No rolling updates
+
+When running `faas-cli deploy`, your old function is removed before the new one is started. This may cause a small amount of downtime, depending on the timeouts and grace periods you set.
+
+Workaround: deploy uniquely named functions per version, and switch an Ingress or Reverse Proxy record to point at a new version once it is ready.
+
+## Known issues
+
+### Non 200 HTTP status from the gateway upon first use
+
+This issue appears to happen sporadically and only for some users.
+
+If you get a non 200 HTTP code from the gateway, or caddy after installing faasd, check the logs of faasd:
+
+```bash
+sudo journalctl -u faasd
+```
+
+If you see the following error:
+
+```
+unable to dial to 10.62.0.5:8080, error: dial tcp 10.62.0.5:8080: connect: no route to host
+```
+
+Restart the faasd service with:
+
+```bash
+sudo systemctl restart faasd
+```
+
+## Backlog
+
+Should have:
+
+* [ ] Offer a recommendation or implement a strategy for faasd replication/HA
+* [ ] Monitor and restart any of the core components at runtime if the container stops
+* [ ] Asynchronous function deletion instead of synchronous
+* [ ] Asynchronous function start-up instead of synchronous
+
+Nice to Have:
+
+* [ ] Terraform for AWS (in-progress)
+* [ ] Total memory limits - if a node has 1GB of RAM, don't allow more than 1000MB of RAM to be reserved via limits
+* [ ] Offer live rolling-updates, with zero downtime - requires moving to IDs vs. names for function containers
+* [ ] Multiple replicas per function
+
+### Completed
+
+* [x] Docs or examples on how to use the various event connectors (Yes in the eBook)
+* [x] Resolve core services from functions by populating/sharing `/etc/hosts` between `faasd` and `faasd-provider`
+* [x] Provide a cloud-init configuration for faasd bootstrap
+* [x] Configure core services from a docker-compose.yaml file
+* [x] Store and fetch logs from the journal
+* [x] Add support for using container images in third-party public registries
+* [x] Add support for using container images in private third-party registries
+* [x] Provide a cloud-config.txt file for automated deployments of `faasd`
+* [x] Inject / manage IPs between core components for service to service communication - i.e. so Prometheus can scrape the OpenFaaS gateway - done via `/etc/hosts` mount
+* [x] Add queue-worker and NATS
+* [x] Create faasd.service and faasd-provider.service
+* [x] Self-install / create systemd service via `faasd install`
+* [x] Restart containers upon restart of faasd
+* [x] Clear / remove containers and tasks with SIGTERM / SIGINT
+* [x] Determine armhf/arm64 containers to run for gateway
+* [x] Configure `basic_auth` to protect the OpenFaaS gateway and faasd-provider HTTP API
+* [x] Setup custom working directory for faasd `/var/lib/faasd/`
+* [x] Use CNI to create network namespaces and adapters
+* [x] Optionally expose core services from the docker-compose.yaml file, locally or to all adapters.
+* [x] ~~[containerd can't pull image from Github Docker Package Registry](https://github.com/containerd/containerd/issues/3291)~~ ghcr.io support
+* [x] Provide [simple Caddyfile example](https://blog.alexellis.io/https-inlets-local-endpoints/) in the README showing how to expose the faasd proxy on port 80/443 with TLS
+* [x] Annotation support
+* [x] Hard memory limits for functions
+* [x] Terraform for DigitalOcean
+* [x] [Store and retrieve annotations in function spec](https://github.com/openfaas/faasd/pull/86) - in progress
+* [x] An installer for faasd and dependencies - runc, containerd
+
--- a/docs/bootstrap/.gitignore
+++ b/docs/bootstrap/.gitignore
@ -0,0 +1,3 @@
+/.terraform/
+/terraform.tfstate
+/terraform.tfstate.backup
--- a/docs/bootstrap/.terraform.lock.hcl
+++ b/docs/bootstrap/.terraform.lock.hcl
@ -0,0 +1,66 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.11.0"
+  constraints = "2.11.0"
+  hashes = [
+    "h1:/qAnTOSP5KeZkF7wqLai34SKAs7aefulcUA3I8R7rRg=",
+    "h1:PbXtjUfvxwmkycJ0Y9Dyn66Arrpk5L8/P381SXMx2O0=",
+    "h1:lXLX9tmuxV7azTHd0xB0FAVrxyfBtotIz5LEJp8YUk0=",
+    "zh:2191adc79bdfdb3b733e0619e4f391ae91c1631c5dafda42dab561d943651fa4",
+    "zh:21a4f67e42dcdc10fbd7f8579247594844d09a469a3a54862d565913e4d6121d",
+    "zh:557d98325fafcf2db91ea6d92f65373a48c4e995a1a7aeb57009661fee675250",
+    "zh:68c0238cafc37433627e288fcd2c7e14f4f0afdd50b4f265d8d1f1addab6f19f",
+    "zh:7e6d69720734455eb1c69880f049650276089b7fa09085e130d224abaeec887a",
+    "zh:95bd93a696ec050c1cb5e724498fd12b1d69760d01e97c869be3252025691434",
+    "zh:b1b075049e33aa08c032f41a497351c9894f16287a4449032d8b805bc6dcb596",
+    "zh:ba91aa853372c828f808c09dbab2a5bc9493a7cf93210d1487f9637b2cac8ca4",
+    "zh:bc43d27dfe014266697c2ac259f4311300391aa6aa7c5d23e382fe296df938d5",
+    "zh:d3a04d2c76bfc1f46a117b1af7870a97353319ee8f924a37fe77861519f59525",
+    "zh:d3da997c05a653df6cabb912c6c05ceb6bf77219b699f04daf44fd795c81c6ed",
+    "zh:edd0659021b6634acf0f581d1be1985a81fcd1182e3ccb43de6eac6c43be9ab4",
+    "zh:f588ace57b6c35d509ecaa7136e6a8049d227b0674104a1f958359b84862d8e3",
+    "zh:f894ed195a3b9ebbfa1ba7c5d71be06df3a96d783ff064d22dd693ace34d638e",
+    "zh:fb6b0d4b111fafdcb3bb9a7dbab88e2110a6ce6324de64ecf62933ee8b651ccf",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "h1:EPIax4Ftp2SNdB9pUfoSjxoueDoLc/Ck3EUoeX0Dvsg=",
+    "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}
--- a/docs/bootstrap/README.md
+++ b/docs/bootstrap/README.md
@ -0,0 +1,27 @@
+# Bootstrap faasd on Digitalocean
+
+1) [Sign up to DigitalOcean](https://www.digitalocean.com/?refcode=2962aa9e56a1&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=CopyPaste)
+2) [Download Terraform](https://www.terraform.io)
+3) Clone this gist using the URL from the address bar
+4) Run `terraform init`
+5) Run `terraform apply -var="do_token=$(cat $HOME/digitalocean-access-token)"`
+6) View the output for the gateway URL
+
+```
+gateway_url = http://178.128.39.201:8080/
+```
+7) View the output for sensitive data via `terraform output` command
+
+```bash
+terraform output login_cmd
+login_cmd = faas-cli login -g http://178.128.39.201:8080/ -p rvIU49CEcFcHmqxj
+
+terraform output password
+password = rvIU49CEcFcHmqxj
+```
+
+Note that the user-data may take a couple of minutes to come up since it will be pulling in various components and preparing the machine.
+
+A single host with 1GB of RAM will be deployed for you, to remove at a later date simply use `terraform destroy`.
+
+If required, you can remove the VM via `terraform destroy -var="do_token=$(cat $HOME/digitalocean-access-token)"`
--- a/docs/bootstrap/cloud-config.tpl
+++ b/docs/bootstrap/cloud-config.tpl
@ -0,0 +1,27 @@
+#cloud-config
+package_update: true
+
+packages:
+ - runc
+ - git
+
+runcmd:
+- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.5.4/containerd-1.5.4-linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
+- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.5.4/containerd.service | tee /etc/systemd/system/containerd.service
+- systemctl daemon-reload && systemctl start containerd
+- /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
+- mkdir -p /opt/cni/bin
+- curl -sSL https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz | tar -xz -C /opt/cni/bin
+- mkdir -p /go/src/github.com/openfaas/
+- mkdir -p /var/lib/faasd/secrets/
+- echo ${gw_password} > /var/lib/faasd/secrets/basic-auth-password
+- echo admin > /var/lib/faasd/secrets/basic-auth-user
+- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.13.0 https://github.com/openfaas/faasd
+- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.13.0/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
+- cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
+- systemctl status -l containerd --no-pager
+- journalctl -u faasd-provider --no-pager
+- systemctl status -l faasd-provider --no-pager
+- systemctl status -l faasd --no-pager
+- curl -sSLf https://cli.openfaas.com | sh
+- sleep 5 && journalctl -u faasd --no-pager
--- a/docs/bootstrap/digitalocean-terraform/.gitignore
+++ b/docs/bootstrap/digitalocean-terraform/.gitignore
@ -0,0 +1,3 @@
+/.terraform/
+/terraform.tfstate
+/terraform.tfstate.backup
--- a/docs/bootstrap/digitalocean-terraform/.terraform.lock.hcl
+++ b/docs/bootstrap/digitalocean-terraform/.terraform.lock.hcl
@ -0,0 +1,66 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.11.0"
+  constraints = "2.11.0"
+  hashes = [
+    "h1:/qAnTOSP5KeZkF7wqLai34SKAs7aefulcUA3I8R7rRg=",
+    "h1:PbXtjUfvxwmkycJ0Y9Dyn66Arrpk5L8/P381SXMx2O0=",
+    "h1:lXLX9tmuxV7azTHd0xB0FAVrxyfBtotIz5LEJp8YUk0=",
+    "zh:2191adc79bdfdb3b733e0619e4f391ae91c1631c5dafda42dab561d943651fa4",
+    "zh:21a4f67e42dcdc10fbd7f8579247594844d09a469a3a54862d565913e4d6121d",
+    "zh:557d98325fafcf2db91ea6d92f65373a48c4e995a1a7aeb57009661fee675250",
+    "zh:68c0238cafc37433627e288fcd2c7e14f4f0afdd50b4f265d8d1f1addab6f19f",
+    "zh:7e6d69720734455eb1c69880f049650276089b7fa09085e130d224abaeec887a",
+    "zh:95bd93a696ec050c1cb5e724498fd12b1d69760d01e97c869be3252025691434",
+    "zh:b1b075049e33aa08c032f41a497351c9894f16287a4449032d8b805bc6dcb596",
+    "zh:ba91aa853372c828f808c09dbab2a5bc9493a7cf93210d1487f9637b2cac8ca4",
+    "zh:bc43d27dfe014266697c2ac259f4311300391aa6aa7c5d23e382fe296df938d5",
+    "zh:d3a04d2c76bfc1f46a117b1af7870a97353319ee8f924a37fe77861519f59525",
+    "zh:d3da997c05a653df6cabb912c6c05ceb6bf77219b699f04daf44fd795c81c6ed",
+    "zh:edd0659021b6634acf0f581d1be1985a81fcd1182e3ccb43de6eac6c43be9ab4",
+    "zh:f588ace57b6c35d509ecaa7136e6a8049d227b0674104a1f958359b84862d8e3",
+    "zh:f894ed195a3b9ebbfa1ba7c5d71be06df3a96d783ff064d22dd693ace34d638e",
+    "zh:fb6b0d4b111fafdcb3bb9a7dbab88e2110a6ce6324de64ecf62933ee8b651ccf",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "h1:EPIax4Ftp2SNdB9pUfoSjxoueDoLc/Ck3EUoeX0Dvsg=",
+    "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}
--- a/docs/bootstrap/digitalocean-terraform/README.md
+++ b/docs/bootstrap/digitalocean-terraform/README.md
@ -0,0 +1,48 @@
+# Bootstrap faasd with TLS support on Digitalocean
+
+1) [Sign up to DigitalOcean](https://www.digitalocean.com/?refcode=2962aa9e56a1&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=CopyPaste)
+2) [Download Terraform](https://www.terraform.io)
+3) Clone this gist using the URL from the address bar
+4) Run `terraform init`
+5) Configure terraform variables as needed by updating the `main.tfvars` file:
+
+   | Variable     | Description         | Default         |
+   | ------------ | ------------------- | --------------- |
+   | `do_token` | Digitalocean API token | None |
+   | `do_domain` | Public domain used for the faasd gateway | None |
+   | `do_subdomain` | Public subdomain used for the faasd gateway | `faasd` |
+   | `letsencrypt_email` | Email used by when ordering TLS certificate from Letsencrypt | `""` |
+   | `do_create_record` | When set to `true`, a new DNS record will be created. This works only if your domain (`do_domain`) is managed by Digitalocean | `false` |
+   | `do_region` | Digitalocean region for creating the droplet | `fra1` |
+   | `ssh_key_file` | Path to public SSH key file |`~/.ssh/id_rsa.pub` |
+
+> Environment variables can also be used to set terraform variables when running the `terraform apply` command using the format `TF_VAR_name`.
+
+6) Run `terraform apply`
+   1) Add `-var-file=main.tfvars` if you have set the variables in `main.tfvars`.
+   2) OR [use environment variables](https://www.terraform.io/docs/commands/environment-variables.html#tf_var_name) for setting the terraform variables when running the `apply` command
+
+7) View the output for the login command and gateway URL i.e.
+
+```
+droplet_ip = 178.128.39.201
+gateway_url = https://faasd.example.com/
+```
+
+8) View the output for sensitive data via `terraform output` command
+
+```bash
+terraform output login_cmd
+login_cmd = faas-cli login -g http://178.128.39.201:8080/ -p rvIU49CEcFcHmqxj
+
+terraform output password
+password = rvIU49CEcFcHmqxj
+```
+
+
+9) Use your browser to access the OpenFaaS interface
+
+Note that the user-data may take a couple of minutes to come up since it will be pulling in various components and preparing the machine. 
+Also take into consideration the DNS propagation time for the new DNS record.
+
+A single host with 1GB of RAM will be deployed for you, to remove at a later date simply use `terraform destroy`.
--- a/docs/bootstrap/digitalocean-terraform/cloud-config.tpl
+++ b/docs/bootstrap/digitalocean-terraform/cloud-config.tpl
@ -0,0 +1,54 @@
+#cloud-config
+groups:
+  - caddy
+
+users:
+  - name: caddy
+    gecos: Caddy web server
+    primary_group: caddy
+    groups: caddy
+    shell: /usr/sbin/nologin
+    homedir: /var/lib/caddy
+
+write_files:
+- content: |
+    {
+      email ${letsencrypt_email}
+    }
+
+    ${faasd_domain_name} {
+      reverse_proxy 127.0.0.1:8080
+    }
+
+  path: /etc/caddy/Caddyfile
+
+package_update: true
+
+packages:
+ - runc
+
+runcmd:
+- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.5.4/containerd-1.5.4-linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
+- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.5.4/containerd.service | tee /etc/systemd/system/containerd.service
+- systemctl daemon-reload && systemctl start containerd
+- /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
+- mkdir -p /opt/cni/bin
+- curl -sSL https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz | tar -xz -C /opt/cni/bin
+- mkdir -p /go/src/github.com/openfaas/
+- mkdir -p /var/lib/faasd/secrets/
+- echo ${gw_password} > /var/lib/faasd/secrets/basic-auth-password
+- echo admin > /var/lib/faasd/secrets/basic-auth-user
+- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.13.0 https://github.com/openfaas/faasd
+- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.13.0/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
+- cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
+- systemctl status -l containerd --no-pager
+- journalctl -u faasd-provider --no-pager
+- systemctl status -l faasd-provider --no-pager
+- systemctl status -l faasd --no-pager
+- curl -sSLf https://cli.openfaas.com | sh
+- sleep 5 && journalctl -u faasd --no-pager
+- wget https://github.com/caddyserver/caddy/releases/download/v2.1.1/caddy_2.1.1_linux_amd64.tar.gz -O /tmp/caddy.tar.gz && tar -zxvf /tmp/caddy.tar.gz -C /usr/bin/ caddy
+- wget https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service -O /etc/systemd/system/caddy.service
+- systemctl daemon-reload
+- systemctl enable caddy
+- systemctl start caddy
--- a/docs/bootstrap/digitalocean-terraform/main.tf
+++ b/docs/bootstrap/digitalocean-terraform/main.tf
@ -0,0 +1,97 @@
+terraform {
+  required_version = ">= 1.0.4"
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "2.11.0"
+    }
+  }
+}
+
+variable "do_token" {
+  description = "Digitalocean API token"
+}
+variable "do_domain" {
+  description = "Your public domain"
+}
+variable "do_subdomain" {
+  description = "Your public subdomain"
+  default     = "faasd"
+}
+variable "letsencrypt_email" {
+  description = "Email used to order a certificate from Letsencrypt"
+}
+variable "do_create_record" {
+  default     = false
+  description = "Whether to create a DNS record on Digitalocean"
+}
+variable "do_region" {
+  default     = "fra1"
+  description = "The Digitalocean region where the faasd droplet will be created."
+}
+variable "ssh_key_file" {
+  default     = "~/.ssh/id_rsa.pub"
+  description = "Path to the SSH public key file"
+}
+
+provider "digitalocean" {
+  token = var.do_token
+}
+
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "_-#"
+}
+
+data "template_file" "cloud_init" {
+  template = file("cloud-config.tpl")
+  vars = {
+    gw_password       = random_password.password.result,
+    faasd_domain_name = "${var.do_subdomain}.${var.do_domain}"
+    letsencrypt_email = var.letsencrypt_email
+  }
+}
+
+resource "digitalocean_ssh_key" "faasd_ssh_key" {
+  name       = "ssh-key"
+  public_key = file(var.ssh_key_file)
+}
+
+resource "digitalocean_droplet" "faasd" {
+  region    = var.do_region
+  image     = "ubuntu-18-04-x64"
+  name      = "faasd"
+  size      = "s-1vcpu-1gb"
+  user_data = data.template_file.cloud_init.rendered
+  ssh_keys = [
+    digitalocean_ssh_key.faasd_ssh_key.id
+  ]
+}
+
+resource "digitalocean_record" "faasd" {
+  domain = var.do_domain
+  type   = "A"
+  name   = var.do_subdomain
+  value  = digitalocean_droplet.faasd.ipv4_address
+  # Only creates record if do_create_record is true
+  count = var.do_create_record == true ? 1 : 0
+}
+
+output "droplet_ip" {
+  value = digitalocean_droplet.faasd.ipv4_address
+}
+
+output "gateway_url" {
+  value = "https://${var.do_subdomain}.${var.do_domain}/"
+}
+
+output "password" {
+  value     = random_password.password.result
+  sensitive = true
+}
+
+output "login_cmd" {
+  value     = "faas-cli login -g https://${var.do_subdomain}.${var.do_domain}/ -p ${random_password.password.result}"
+  sensitive = true
+}
--- a/docs/bootstrap/digitalocean-terraform/main.tfvars
+++ b/docs/bootstrap/digitalocean-terraform/main.tfvars
@ -0,0 +1,4 @@
+do_token          = ""
+do_domain         = ""
+do_subdomain      = ""
+letsencrypt_email = ""
--- a/docs/bootstrap/main.tf
+++ b/docs/bootstrap/main.tf
@ -0,0 +1,67 @@
+terraform {
+  required_version = ">= 1.0.4"
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "2.11.0"
+    }
+  }
+}
+
+variable "do_token" {}
+
+variable "ssh_key_file" {
+  default     = "~/.ssh/id_rsa.pub"
+  description = "Path to the SSH public key file"
+}
+
+provider "digitalocean" {
+  token = var.do_token
+}
+
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "_-#"
+}
+
+data "template_file" "cloud_init" {
+  template = file("cloud-config.tpl")
+  vars = {
+    gw_password = random_password.password.result
+  }
+}
+
+resource "digitalocean_ssh_key" "faasd_ssh_key" {
+  name       = "ssh-key"
+  public_key = file(var.ssh_key_file)
+}
+
+resource "digitalocean_droplet" "faasd" {
+
+  region = "lon1"
+  image  = "ubuntu-18-04-x64"
+  name   = "faasd"
+  # Plans: https://developers.digitalocean.com/documentation/changelog/api-v2/new-size-slugs-for-droplet-plan-changes/
+  #size   = "512mb"
+  size      = "s-1vcpu-1gb"
+  user_data = data.template_file.cloud_init.rendered
+  ssh_keys = [
+    digitalocean_ssh_key.faasd_ssh_key.id
+  ]
+}
+
+output "password" {
+  value     = random_password.password.result
+  sensitive = true
+}
+
+output "gateway_url" {
+  value = "http://${digitalocean_droplet.faasd.ipv4_address}:8080/"
+}
+
+output "login_cmd" {
+  value     = "faas-cli login -g http://${digitalocean_droplet.faasd.ipv4_address}:8080/ -p ${random_password.password.result}"
+  sensitive = true
+}
+
--- a/docs/media/logo.pdf
+++ b/docs/media/logo.pdf
--- a/docs/media/social.png
+++ b/docs/media/social.png
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,30 @@
+module github.com/openfaas/faasd
+
+go 1.16
+
+require (
+	github.com/alexellis/go-execute v0.5.0
+	github.com/alexellis/k3sup v0.0.0-20210726065733-9717ee3b75a0
+	github.com/compose-spec/compose-go v0.0.0-20200528042322-36d8ce368e05
+	github.com/containerd/containerd v1.5.4
+	github.com/containerd/go-cni v1.0.2
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
+	github.com/docker/cli v0.0.0-20191105005515-99c5edceb48d
+	github.com/docker/distribution v2.7.1+incompatible
+	github.com/docker/docker v17.12.0-ce-rc1.0.20191113042239-ea84732a7725+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.3 // indirect
+	github.com/gorilla/mux v1.8.0
+	github.com/morikuni/aec v1.0.0
+	github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
+	github.com/openfaas/faas-provider v0.18.6
+	github.com/openfaas/faas/gateway v0.0.0-20210726163109-539f0a2c946e
+	github.com/pkg/errors v0.9.1
+	github.com/sethvargo/go-password v0.2.0
+	github.com/spf13/cobra v1.2.1
+	github.com/spf13/pflag v1.0.5
+	github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852
+	github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
+	k8s.io/apimachinery v0.21.3
+)
--- a/go.sum
+++ b/go.sum
--- a/hack/build-containerd-arm64.sh
+++ b/hack/build-containerd-arm64.sh
@ -0,0 +1,37 @@
+#!/bin/bash
+
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm
+
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi
+
+export GOPATH=$HOME/go/
+export PATH=$PATH:/usr/local/go/bin/
+
+go version
+
+echo "Building containerd"
+
+mkdir -p $GOPATH/src/github.com/containerd
+cd $GOPATH/src/github.com/containerd
+git clone https://github.com/containerd/containerd
+
+cd containerd
+git fetch origin --tags
+git checkout v1.5.4
+
+make
+sudo make install
+
+sudo containerd --version
--- a/hack/build-containerd-armhf.sh
+++ b/hack/build-containerd-armhf.sh
@ -1,12 +1,20 @@
 #!/bin/bash

-export ARCH="armv6l"
-echo "Downloading Go"
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm

-curl -SLsf https://dl.google.com/go/go1.12.14.linux-$ARCH.tar.gz --output /tmp/go.tgz
-sudo rm -rf /usr/local/go/
-sudo mkdir -p /usr/local/go/
-sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi

 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/
@ -21,7 +29,7 @@ git clone https://github.com/containerd/containerd

 cd containerd
 git fetch origin --tags
-git checkout v1.3.2
+git checkout v1.5.4

 make
 sudo make install
--- a/hack/build-containerd.sh
+++ b/hack/build-containerd.sh
@ -1,12 +1,21 @@
 #!/bin/bash

-export ARCH="amd64"
-echo "Downloading Go"

-curl -SLsf https://dl.google.com/go/go1.12.14.linux-$ARCH.tar.gz --output /tmp/go.tgz
-sudo rm -rf /usr/local/go/
-sudo mkdir -p /usr/local/go/
-sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm
+
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi

 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/
@ -21,7 +30,7 @@ git clone https://github.com/containerd/containerd

 cd containerd
 git fetch origin --tags
-git checkout v1.3.2
+git checkout v1.5.4

 make
 sudo make install
--- a/hack/faasd-provider.service
+++ b/hack/faasd-provider.service
@ -5,6 +5,7 @@ Description=faasd-provider
 MemoryLimit=500M
 Environment="secret_mount_path={{.SecretMountPath}}"
 Environment="basic_auth=true"
+Environment="hosts_dir=/var/lib/faasd"
 ExecStart=/usr/local/bin/faasd provider
 Restart=on-failure
 RestartSec=10s
--- a/hack/install.sh
+++ b/hack/install.sh
@ -0,0 +1,206 @@
+#!/bin/bash
+
+# Copyright OpenFaaS Author(s) 2020
+
+#########################
+# Repo specific content #
+#########################
+
+export OWNER="openfaas"
+export REPO="faasd"
+
+version=""
+
+echo "Finding latest version from GitHub"
+version=$(curl -sI https://github.com/$OWNER/$REPO/releases/latest | grep -i "location:" | awk -F"/" '{ printf "%s", $NF }' | tr -d '\r')
+echo "$version"
+
+if [ ! $version ]; then
+  echo "Failed while attempting to get latest version"
+  exit 1
+fi
+
+SUDO=sudo
+if [ "$(id -u)" -eq 0 ]; then
+  SUDO=
+fi
+
+verify_system() {
+  if ! [ -d /run/systemd ]; then
+    fatal 'Can not find systemd to use as a process supervisor for faasd'
+  fi
+}
+
+has_yum() {
+  [ -n "$(command -v yum)" ]
+}
+
+has_apt_get() {
+  [ -n "$(command -v apt-get)" ]
+}
+
+has_pacman() {
+  [ -n "$(command -v pacman)" ]
+}
+
+install_required_packages() {
+  if $(has_apt_get); then
+    $SUDO apt-get update -y
+    $SUDO apt-get install -y curl runc bridge-utils
+  elif $(has_yum); then
+    $SUDO yum check-update -y
+    $SUDO yum install -y curl runc
+  elif $(has_pacman); then
+    $SUDO pacman -Syy
+    $SUDO pacman -Sy curl runc bridge-utils
+  else
+    fatal "Could not find apt-get, yum, or pacman. Cannot install dependencies on this OS."
+    exit 1
+  fi
+}
+
+install_cni_plugins() {
+  cni_version=v0.8.5
+  suffix=""
+  arch=$(uname -m)
+  case $arch in
+  x86_64 | amd64)
+    suffix=amd64
+    ;;
+  aarch64)
+    suffix=arm64
+    ;;
+  arm*)
+    suffix=arm
+    ;;
+  *)
+    fatal "Unsupported architecture $arch"
+    ;;
+  esac
+
+  $SUDO mkdir -p /opt/cni/bin
+  curl -sSL https://github.com/containernetworking/plugins/releases/download/${cni_version}/cni-plugins-linux-${suffix}-${cni_version}.tgz | $SUDO tar -xvz -C /opt/cni/bin
+}
+
+install_containerd() {
+  arch=$(uname -m)
+  case $arch in
+  x86_64 | amd64)
+    curl -sLSf https://github.com/containerd/containerd/releases/download/v1.5.4/containerd-1.5.4-linux-amd64.tar.gz | $SUDO tar -xvz --strip-components=1 -C /usr/local/bin/
+    ;;
+  armv7l)
+    curl -sSL https://github.com/alexellis/containerd-arm/releases/download/v1.5.4/containerd-1.5.4-linux-armhf.tar.gz | $SUDO tar -xvz --strip-components=1 -C /usr/local/bin/
+    ;;
+  aarch64)
+    curl -sSL https://github.com/alexellis/containerd-arm/releases/download/v1.5.4/containerd-1.5.4-linux-arm64.tar.gz | $SUDO tar -xvz --strip-components=1 -C /usr/local/bin/
+    ;;
+  *)
+    fatal "Unsupported architecture $arch"
+    ;;
+  esac
+
+  $SUDO systemctl unmask containerd || :
+  $SUDO curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.5.4/containerd.service --output /etc/systemd/system/containerd.service
+  $SUDO systemctl enable containerd
+  $SUDO systemctl start containerd
+
+  sleep 5
+}
+
+install_faasd() {
+  arch=$(uname -m)
+  case $arch in
+  x86_64 | amd64)
+    suffix=""
+    ;;
+  aarch64)
+    suffix=-arm64
+    ;;
+  armv7l)
+    suffix=-armhf
+    ;;
+  *)
+    echo "Unsupported architecture $arch"
+    exit 1
+    ;;
+  esac
+
+  $SUDO curl -fSLs "https://github.com/openfaas/faasd/releases/download/${version}/faasd${suffix}" --output "/usr/local/bin/faasd"
+  $SUDO chmod a+x "/usr/local/bin/faasd"
+
+  mkdir -p /tmp/faasd-${version}-installation/hack
+  cd /tmp/faasd-${version}-installation
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/docker-compose.yaml" --output "docker-compose.yaml"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/prometheus.yml" --output "prometheus.yml"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/resolv.conf" --output "resolv.conf"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/hack/faasd-provider.service" --output "hack/faasd-provider.service"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/hack/faasd.service" --output "hack/faasd.service"
+  $SUDO /usr/local/bin/faasd install
+}
+
+install_caddy() {
+  if [ ! -z "${FAASD_DOMAIN}" ]; then
+    arch=$(uname -m)
+    case $arch in
+    x86_64 | amd64)
+      suffix="amd64"
+      ;;
+    aarch64)
+      suffix=-arm64
+      ;;
+    armv7l)
+      suffix=-armv7
+      ;;
+    *)
+      echo "Unsupported architecture $arch"
+      exit 1
+      ;;
+    esac
+
+    curl -sSL "https://github.com/caddyserver/caddy/releases/download/v2.4.3/caddy_2.4.3_linux_${suffix}.tar.gz" | $SUDO tar -xvz -C /usr/bin/ caddy
+    $SUDO curl -fSLs https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service --output /etc/systemd/system/caddy.service
+
+    $SUDO mkdir -p /etc/caddy
+    $SUDO mkdir -p /var/lib/caddy
+    
+    if $(id caddy >/dev/null 2>&1); then
+      echo "User caddy already exists."
+    else
+      $SUDO useradd --system --home /var/lib/caddy --shell /bin/false caddy
+    fi
+
+    $SUDO tee /etc/caddy/Caddyfile >/dev/null <<EOF
+{
+  email "${LETSENCRYPT_EMAIL}"
+}
+
+${FAASD_DOMAIN} {
+  reverse_proxy 127.0.0.1:8080
+}
+EOF
+
+    $SUDO chown --recursive caddy:caddy /var/lib/caddy
+    $SUDO chown --recursive caddy:caddy /etc/caddy
+
+    $SUDO systemctl enable caddy
+    $SUDO systemctl start caddy
+  else
+    echo "Skipping caddy installation as FAASD_DOMAIN."
+  fi
+}
+
+install_faas_cli() {
+  curl -sLS https://cli.openfaas.com | $SUDO sh
+}
+
+verify_system
+install_required_packages
+
+$SUDO /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
+echo "net.ipv4.conf.all.forwarding=1" | $SUDO tee -a /etc/sysctl.conf
+
+install_cni_plugins
+install_containerd
+install_faas_cli
+install_faasd
+install_caddy
--- a/pkg/cninetwork/cni_network.go
+++ b/pkg/cninetwork/cni_network.go
@ -1,6 +1,7 @@
 package cninetwork

 import (
+	"bufio"
 	"context"
 	"fmt"
 	"io"
@ -10,6 +11,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strings"

 	"github.com/containerd/containerd"
 	gocni "github.com/containerd/go-cni"
@ -19,21 +21,31 @@ import (
 const (
 	// CNIBinDir describes the directory where the CNI binaries are stored
 	CNIBinDir = "/opt/cni/bin"
+
 	// CNIConfDir describes the directory where the CNI plugin's configuration is stored
 	CNIConfDir = "/etc/cni/net.d"
+
 	// NetNSPathFmt gives the path to the a process network namespace, given the pid
 	NetNSPathFmt = "/proc/%d/ns/net"
-	// CNIResultsDir is the directory CNI stores allocated IP for containers
-	CNIResultsDir = "/var/lib/cni/results"
+
+	// CNIDataDir is the directory CNI stores allocated IP for containers
+	CNIDataDir = "/var/run/cni"
+
 	// defaultCNIConfFilename is the vanity filename of default CNI configuration file
 	defaultCNIConfFilename = "10-openfaas.conflist"
+
 	// defaultNetworkName names the "docker-bridge"-like CNI plugin-chain installed when no other CNI configuration is present.
 	// This value appears in iptables comments created by CNI.
 	defaultNetworkName = "openfaas-cni-bridge"
+
 	// defaultBridgeName is the default bridge device name used in the defaultCNIConf
 	defaultBridgeName = "openfaas0"
+
 	// defaultSubnet is the default subnet used in the defaultCNIConf -- this value is set to not collide with common container networking subnets:
 	defaultSubnet = "10.62.0.0/16"
+
+	// defaultIfPrefix is the interface name to be created in the container
+	defaultIfPrefix = "eth"
 )

 // defaultCNIConf is a CNI configuration that enables network access to containers (docker-bridge style)
@ -50,6 +62,7 @@ var defaultCNIConf = fmt.Sprintf(`
        "ipam": {
            "type": "host-local",
            "subnet": "%s",
+            "dataDir": "%s",
            "routes": [
                { "dst": "0.0.0.0/0" }
            ]
@ -60,7 +73,7 @@ var defaultCNIConf = fmt.Sprintf(`
      }
    ]
 }
-`, defaultNetworkName, defaultBridgeName, defaultSubnet)
+`, defaultNetworkName, defaultBridgeName, defaultSubnet, CNIDataDir)

 // InitNetwork writes configlist file and initializes CNI network
 func InitNetwork() (gocni.CNI, error) {
@ -75,11 +88,14 @@ func InitNetwork() (gocni.CNI, error) {
 	netConfig := path.Join(CNIConfDir, defaultCNIConfFilename)
 	if err := ioutil.WriteFile(netConfig, []byte(defaultCNIConf), 644); err != nil {
 		return nil, fmt.Errorf("cannot write network config: %s", defaultCNIConfFilename)
-
 	}
+
 	// Initialize CNI library
-	cni, err := gocni.New(gocni.WithPluginConfDir(CNIConfDir),
-		gocni.WithPluginDir([]string{CNIBinDir}))
+	cni, err := gocni.New(
+		gocni.WithPluginConfDir(CNIConfDir),
+		gocni.WithPluginDir([]string{CNIBinDir}),
+		gocni.WithInterfacePrefix(defaultIfPrefix),
+	)

 	if err != nil {
 		return nil, fmt.Errorf("error initializing cni: %s", err)
@ -131,43 +147,61 @@ func DeleteCNINetwork(ctx context.Context, cni gocni.CNI, client *containerd.Cli
 	return errors.Wrapf(containerErr, "Unable to find container: %s, error: %s", name, containerErr)
 }

-// GetIPAddress returns the IP address of the created container
-func GetIPAddress(result *gocni.CNIResult, task containerd.Task) (net.IP, error) {
-	// Get the IP of the created interface
-	var ip net.IP
-	for ifName, config := range result.Interfaces {
-		if config.Sandbox == netNamespace(task) {
-			for _, ipConfig := range config.IPConfigs {
-				if ifName != "lo" && ipConfig.IP.To4() != nil {
-					ip = ipConfig.IP
-				}
-			}
+// GetIPAddress returns the IP address from container based on container name and PID
+func GetIPAddress(container string, PID uint32) (string, error) {
+	CNIDir := path.Join(CNIDataDir, defaultNetworkName)
+
+	files, err := ioutil.ReadDir(CNIDir)
+	if err != nil {
+		return "", fmt.Errorf("failed to read CNI dir for container %s: %v", container, err)
+	}
+
+	for _, file := range files {
+		// each fileName is an IP address
+		fileName := file.Name()
+
+		resultsFile := filepath.Join(CNIDir, fileName)
+		found, err := isCNIResultForPID(resultsFile, container, PID)
+		if err != nil {
+			return "", err
+		}
+
+		if found {
+			return fileName, nil
 		}
 	}
-	if ip == nil {
-		return nil, fmt.Errorf("unable to get IP address for: %s", task.ID())
-	}
-	return ip, nil
+
+	return "", fmt.Errorf("unable to get IP address for container: %s", container)
 }

-func GetIPfromPID(pid int) (*net.IP, error) {
-	// https://github.com/weaveworks/weave/blob/master/net/netdev.go
+// isCNIResultForPID confirms if the CNI result file contains the
+// process name, PID and interface name
+//
+// Example:
+//
+// /var/run/cni/openfaas-cni-bridge/10.62.0.2
+//
+// nats-621
+// eth1
+func isCNIResultForPID(fileName, container string, PID uint32) (bool, error) {
+	found := false

-	peerIDs, err := ConnectedToBridgeVethPeerIds(defaultBridgeName)
+	f, err := os.Open(fileName)
 	if err != nil {
-		return nil, fmt.Errorf("unable to find peers on: %s %s", defaultBridgeName, err)
+		return false, fmt.Errorf("failed to open CNI IP file for %s: %v", fileName, err)
+	}
+	defer f.Close()
+
+	reader := bufio.NewReader(f)
+	processLine, _ := reader.ReadString('\n')
+	if strings.Contains(processLine, fmt.Sprintf("%s-%d", container, PID)) {
+		ethNameLine, _ := reader.ReadString('\n')
+		if strings.Contains(ethNameLine, defaultIfPrefix) {
+			found = true
+		}
 	}

-	addrs, addrsErr := GetNetDevsByVethPeerIds(pid, peerIDs)
-	if addrsErr != nil {
-		return nil, fmt.Errorf("unable to find address for veth pair using: %v %s", peerIDs, addrsErr)
-	}
-
-	if len(addrs) > 0 && len(addrs[0].CIDRs) > 0 {
-		return &addrs[0].CIDRs[0].IP, nil
-	}
-
-	return nil, fmt.Errorf("no IP found for function")
+	return found, nil
 }

 // CNIGateway returns the gateway for default subnet
--- a/pkg/cninetwork/cni_network_test.go
+++ b/pkg/cninetwork/cni_network_test.go
@ -0,0 +1,63 @@
+package cninetwork
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func Test_isCNIResultForPID_Found(t *testing.T) {
+	body := `nats-621
+eth1`
+	fileName := `10.62.0.2`
+	container := "nats"
+	PID := uint32(621)
+	fullPath := filepath.Join(os.TempDir(), fileName)
+
+	err := ioutil.WriteFile(fullPath, []byte(body), 0700)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer func() {
+		os.Remove(fullPath)
+	}()
+
+	got, err := isCNIResultForPID(fullPath, container, PID)
+
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+
+	want := true
+	if got != want {
+		t.Fatalf("want %v, but got %v", want, got)
+	}
+}
+
+func Test_isCNIResultForPID_NoMatch(t *testing.T) {
+	body := `nats-621
+eth1`
+	fileName := `10.62.0.3`
+	container := "gateway"
+	PID := uint32(621)
+	fullPath := filepath.Join(os.TempDir(), fileName)
+
+	err := ioutil.WriteFile(fullPath, []byte(body), 0700)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer func() {
+		os.Remove(fullPath)
+	}()
+
+	got, err := isCNIResultForPID(fullPath, container, PID)
+
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	want := false
+	if got != want {
+		t.Fatalf("want %v, but got %v", want, got)
+	}
+}
--- a/pkg/cninetwork/weave.go
+++ b/pkg/cninetwork/weave.go
@ -1,131 +0,0 @@
-// Copyright Weaveworks
-// github.com/weaveworks/weave/net
-
-package cninetwork
-
-import (
-	"fmt"
-	"net"
-	"os"
-
-	"github.com/vishvananda/netlink"
-	"github.com/vishvananda/netns"
-)
-
-type Dev struct {
-	Name  string           `json:"Name,omitempty"`
-	MAC   net.HardwareAddr `json:"MAC,omitempty"`
-	CIDRs []*net.IPNet     `json:"CIDRs,omitempty"`
-}
-
-func linkToNetDev(link netlink.Link) (Dev, error) {
-	addrs, err := netlink.AddrList(link, netlink.FAMILY_V4)
-	if err != nil {
-		return Dev{}, err
-	}
-
-	netDev := Dev{Name: link.Attrs().Name, MAC: link.Attrs().HardwareAddr}
-	for _, addr := range addrs {
-		netDev.CIDRs = append(netDev.CIDRs, addr.IPNet)
-	}
-	return netDev, nil
-}
-
-// ConnectedToBridgeVethPeerIds returns peer indexes of veth links connected to
-// the given bridge. The peer index is used to query from a container netns
-// whether the container is connected to the bridge.
-func ConnectedToBridgeVethPeerIds(bridgeName string) ([]int, error) {
-	var ids []int
-
-	br, err := netlink.LinkByName(bridgeName)
-	if err != nil {
-		return nil, err
-	}
-	links, err := netlink.LinkList()
-	if err != nil {
-		return nil, err
-	}
-
-	for _, link := range links {
-		if _, isveth := link.(*netlink.Veth); isveth && link.Attrs().MasterIndex == br.Attrs().Index {
-			peerID := link.Attrs().ParentIndex
-			if peerID == 0 {
-				// perhaps running on an older kernel where ParentIndex doesn't work.
-				// as fall-back, assume the peers are consecutive
-				peerID = link.Attrs().Index - 1
-			}
-			ids = append(ids, peerID)
-		}
-	}
-
-	return ids, nil
-}
-
-// Lookup the weave interface of a container
-func GetWeaveNetDevs(processID int) ([]Dev, error) {
-	peerIDs, err := ConnectedToBridgeVethPeerIds("weave")
-	if err != nil {
-		return nil, err
-	}
-
-	return GetNetDevsByVethPeerIds(processID, peerIDs)
-}
-
-func GetNetDevsByVethPeerIds(processID int, peerIDs []int) ([]Dev, error) {
-	// Bail out if this container is running in the root namespace
-	netnsRoot, err := netns.GetFromPid(1)
-	if err != nil {
-		return nil, fmt.Errorf("unable to open root namespace: %s", err)
-	}
-	defer netnsRoot.Close()
-	netnsContainer, err := netns.GetFromPid(processID)
-	if err != nil {
-		// Unable to find a namespace for this process - just return nothing
-		if os.IsNotExist(err) {
-			return nil, nil
-		}
-		return nil, fmt.Errorf("unable to open process %d namespace: %s", processID, err)
-	}
-	defer netnsContainer.Close()
-	if netnsRoot.Equal(netnsContainer) {
-		return nil, nil
-	}
-
-	// convert list of peerIDs into a map for faster lookup
-	indexes := make(map[int]struct{})
-	for _, id := range peerIDs {
-		indexes[id] = struct{}{}
-	}
-
-	var netdevs []Dev
-	err = WithNetNS(netnsContainer, func() error {
-		links, err := netlink.LinkList()
-		if err != nil {
-			return err
-		}
-
-		for _, link := range links {
-			if _, found := indexes[link.Attrs().Index]; found {
-				netdev, err := linkToNetDev(link)
-				if err != nil {
-					return err
-				}
-				netdevs = append(netdevs, netdev)
-			}
-		}
-		return nil
-	})
-
-	return netdevs, err
-}
-
-// Get the weave bridge interface.
-// NB: Should be called from the root network namespace.
-func GetBridgeNetDev(bridgeName string) (Dev, error) {
-	link, err := netlink.LinkByName(bridgeName)
-	if err != nil {
-		return Dev{}, err
-	}
-
-	return linkToNetDev(link)
-}
--- a/pkg/constants.go
+++ b/pkg/constants.go
@ -0,0 +1,16 @@
+package pkg
+
+const (
+	// DefaultFunctionNamespace is the default containerd namespace functions are created
+	DefaultFunctionNamespace = "openfaas-fn"
+
+	// NamespaceLabel indicates that a namespace is managed by faasd
+	NamespaceLabel = "openfaas"
+
+	// FaasdNamespace is the containerd namespace services are created
+	FaasdNamespace = "openfaas"
+
+	faasServicesPullAlways = false
+
+	defaultSnapshotter = "overlayfs"
+)
--- a/pkg/depgraph/depgraph.go
+++ b/pkg/depgraph/depgraph.go
@ -0,0 +1,106 @@
+package depgraph
+
+import "log"
+
+// Node represents a node in a Graph with
+// 0 to many edges
+type Node struct {
+	Name  string
+	Edges []*Node
+}
+
+// Graph is a collection of nodes
+type Graph struct {
+	nodes []*Node
+}
+
+func NewDepgraph() *Graph {
+	return &Graph{
+		nodes: []*Node{},
+	}
+}
+
+// Nodes returns the nodes within the graph
+func (g *Graph) Nodes() []*Node {
+	return g.nodes
+}
+
+// Contains returns true if the target Node is found
+// in its list
+func (g *Graph) Contains(target *Node) bool {
+	for _, g := range g.nodes {
+		if g.Name == target.Name {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Add places a Node into the current Graph
+func (g *Graph) Add(target *Node) {
+	g.nodes = append(g.nodes, target)
+}
+
+// Remove deletes a target Node reference from the
+// list of nodes in the graph
+func (g *Graph) Remove(target *Node) {
+	var found *int
+	for i, n := range g.nodes {
+		if n == target {
+			found = &i
+			break
+		}
+	}
+
+	if found != nil {
+		g.nodes = append(g.nodes[:*found], g.nodes[*found+1:]...)
+	}
+}
+
+// Resolve retruns a list of node names in order of their dependencies.
+// A use case may be for determining the correct order to install
+// software packages, or to start services.
+// Based upon the algorithm described by Ferry Boender in the following article
+// https://www.electricmonk.nl/log/2008/08/07/dependency-resolving-algorithm/
+func (g *Graph) Resolve() []string {
+	resolved := &Graph{}
+	unresolved := &Graph{}
+	for _, node := range g.nodes {
+		resolve(node, resolved, unresolved)
+	}
+
+	order := []string{}
+
+	for _, node := range resolved.Nodes() {
+		order = append(order, node.Name)
+	}
+
+	return order
+}
+
+// resolve mutates the resolved graph for a given starting
+// node. The unresolved graph is used to detect a circular graph
+// error and will throw a panic. This can be caught with a resolve
+// in a go routine.
+func resolve(node *Node, resolved, unresolved *Graph) {
+	unresolved.Add(node)
+
+	for _, edge := range node.Edges {
+
+		if !resolved.Contains(edge) && unresolved.Contains(edge) {
+			log.Panicf("edge: %s may be a circular dependency", edge.Name)
+		}
+
+		resolve(edge, resolved, unresolved)
+	}
+
+	for _, r := range resolved.nodes {
+		if r.Name == node.Name {
+			return
+		}
+	}
+
+	resolved.Add(node)
+	unresolved.Remove(node)
+}
--- a/pkg/depgraph/depgraph_test.go
+++ b/pkg/depgraph/depgraph_test.go
@ -0,0 +1,41 @@
+package depgraph
+
+import "testing"
+
+func Test_RemoveMedial(t *testing.T) {
+	g := Graph{nodes: []*Node{}}
+	a := &Node{Name: "A"}
+	b := &Node{Name: "B"}
+	c := &Node{Name: "C"}
+
+	g.nodes = append(g.nodes, a)
+	g.nodes = append(g.nodes, b)
+	g.nodes = append(g.nodes, c)
+
+	g.Remove(b)
+
+	for _, n := range g.nodes {
+		if n.Name == b.Name {
+			t.Fatalf("Found deleted node: %s", n.Name)
+		}
+	}
+}
+
+func Test_RemoveFinal(t *testing.T) {
+	g := Graph{nodes: []*Node{}}
+	a := &Node{Name: "A"}
+	b := &Node{Name: "B"}
+	c := &Node{Name: "C"}
+
+	g.nodes = append(g.nodes, a)
+	g.nodes = append(g.nodes, b)
+	g.nodes = append(g.nodes, c)
+
+	g.Remove(c)
+
+	for _, n := range g.nodes {
+		if n.Name == c.Name {
+			t.Fatalf("Found deleted node: %s", c.Name)
+		}
+	}
+}
--- a/pkg/deployment_order.go
+++ b/pkg/deployment_order.go
@ -0,0 +1,41 @@
+package pkg
+
+import (
+	"log"
+
+	"github.com/openfaas/faasd/pkg/depgraph"
+)
+
+func buildDeploymentOrder(svcs []Service) []string {
+
+	graph := buildServiceGraph(svcs)
+
+	order := graph.Resolve()
+
+	log.Printf("Start-up order:\n")
+	for _, node := range order {
+		log.Printf("- %s\n", node)
+	}
+
+	return order
+}
+
+func buildServiceGraph(svcs []Service) *depgraph.Graph {
+	graph := depgraph.NewDepgraph()
+
+	nodeMap := map[string]*depgraph.Node{}
+	for _, s := range svcs {
+		n := &depgraph.Node{Name: s.Name}
+		nodeMap[s.Name] = n
+		graph.Add(n)
+
+	}
+
+	for _, s := range svcs {
+		for _, d := range s.DependsOn {
+			nodeMap[s.Name].Edges = append(nodeMap[s.Name].Edges, nodeMap[d])
+		}
+	}
+
+	return graph
+}
--- a/pkg/deployment_order_test.go
+++ b/pkg/deployment_order_test.go
@ -0,0 +1,224 @@
+package pkg
+
+import (
+	"log"
+	"testing"
+)
+
+func Test_buildDeploymentOrder_ARequiresB(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	got := order[0]
+	want := "B"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+}
+
+func Test_buildDeploymentOrder_ARequiresBAndC(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B", "C"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{},
+		},
+		{
+			Name:      "C",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	a := indexStr(order, "a")
+	b := indexStr(order, "b")
+	c := indexStr(order, "c")
+
+	if a > b {
+		t.Fatalf("a should be after dependencies")
+	}
+	if a > c {
+		t.Fatalf("a should be after dependencies")
+	}
+
+}
+
+func Test_buildDeploymentOrder_ARequiresBRequiresC(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{"C"},
+		},
+		{
+			Name:      "C",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	got := order[0]
+	want := "C"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+	got = order[1]
+	want = "B"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+	got = order[2]
+	want = "A"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+}
+
+func Test_buildDeploymentOrderCircularARequiresBRequiresA(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{"A"},
+		},
+	}
+
+	defer func() { recover() }()
+
+	buildDeploymentOrder(svcs)
+
+	t.Fatalf("did not panic as expected")
+}
+
+func Test_buildDeploymentOrderComposeFile(t *testing.T) {
+	// svcs := []Service{}
+	file, err := LoadComposeFileWithArch("../", "docker-compose.yaml", func() (string, string) {
+		return "x86_64", "Linux"
+	})
+
+	if err != nil {
+		t.Fatalf("unable to load compose file: %s", err)
+	}
+
+	svcs, err := ParseCompose(file)
+	if err != nil {
+		t.Fatalf("unable to parse compose file: %s", err)
+	}
+
+	for _, s := range svcs {
+		log.Printf("Service: %s\n", s.Name)
+		for _, d := range s.DependsOn {
+			log.Printf("Link: %s => %s\n", s.Name, d)
+		}
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	queueWorker := indexStr(order, "queue-worker")
+	nats := indexStr(order, "nats")
+	gateway := indexStr(order, "gateway")
+	prometheus := indexStr(order, "prometheus")
+
+	if prometheus > gateway {
+		t.Fatalf("Prometheus order was after gateway, and should be before")
+	}
+	if nats > gateway {
+		t.Fatalf("NATS order was after gateway, and should be before")
+	}
+	if nats > queueWorker {
+		t.Fatalf("NATS order was after queue-worker, and should be before")
+	}
+}
+
+func Test_buildDeploymentOrderOpenFaaS(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "queue-worker",
+			DependsOn: []string{"nats"},
+		},
+		{
+			Name:      "prometheus",
+			DependsOn: []string{},
+		},
+		{
+			Name:      "gateway",
+			DependsOn: []string{"prometheus", "nats", "basic-auth-plugin"},
+		},
+		{
+			Name:      "basic-auth-plugin",
+			DependsOn: []string{},
+		},
+		{
+			Name:      "nats",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	queueWorker := indexStr(order, "queue-worker")
+	nats := indexStr(order, "nats")
+	gateway := indexStr(order, "gateway")
+	prometheus := indexStr(order, "prometheus")
+
+	if prometheus > gateway {
+		t.Fatalf("Prometheus order was after gateway, and should be before")
+	}
+	if nats > gateway {
+		t.Fatalf("NATS order was after gateway, and should be before")
+	}
+	if nats > queueWorker {
+		t.Fatalf("NATS order was after queue-worker, and should be before")
+	}
+}
+
+func indexStr(st []string, t string) int {
+	for n, s := range st {
+		if s == t {
+			return n
+		}
+
+	}
+	return -1
+}
--- a/pkg/local_resolver.go
+++ b/pkg/local_resolver.go
@ -0,0 +1,104 @@
+package pkg
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+	"strings"
+	"sync"
+	"time"
+)
+
+// LocalResolver provides hostname to IP look-up for faasd core services
+type LocalResolver struct {
+	Path  string
+	Map   map[string]string
+	Mutex *sync.RWMutex
+}
+
+// NewLocalResolver creates a new resolver for reading from a hosts file
+func NewLocalResolver(path string) Resolver {
+	return &LocalResolver{
+		Path:  path,
+		Mutex: &sync.RWMutex{},
+		Map:   make(map[string]string),
+	}
+}
+
+// Start polling the disk for the hosts file in Path
+func (l *LocalResolver) Start() {
+	var lastStat os.FileInfo
+
+	for {
+		rebuild := false
+		if info, err := os.Stat(l.Path); err == nil {
+			if lastStat == nil {
+				rebuild = true
+			} else {
+				if !lastStat.ModTime().Equal(info.ModTime()) {
+					rebuild = true
+				}
+			}
+			lastStat = info
+		}
+
+		if rebuild {
+			log.Printf("Resolver rebuilding map")
+			l.rebuild()
+		}
+		time.Sleep(time.Second * 3)
+	}
+}
+
+func (l *LocalResolver) rebuild() {
+	l.Mutex.Lock()
+	defer l.Mutex.Unlock()
+
+	fileData, fileErr := ioutil.ReadFile(l.Path)
+	if fileErr != nil {
+		log.Printf("resolver rebuild error: %s", fileErr.Error())
+		return
+	}
+
+	lines := strings.Split(string(fileData), "\n")
+
+	for _, line := range lines {
+		index := strings.Index(line, "\t")
+
+		if len(line) > 0 && index > -1 {
+			ip := line[:index]
+			host := line[index+1:]
+			log.Printf("Resolver: %q=%q", host, ip)
+			l.Map[host] = ip
+		}
+	}
+}
+
+// Get resolves a hostname to an IP, or timesout after the duration has passed
+func (l *LocalResolver) Get(upstream string, got chan<- string, timeout time.Duration) {
+	start := time.Now()
+	for {
+		if val := l.get(upstream); len(val) > 0 {
+			got <- val
+			break
+		}
+
+		if time.Now().After(start.Add(timeout)) {
+			log.Printf("Timed out after %s getting host %q", timeout.String(), upstream)
+			break
+		}
+
+		time.Sleep(time.Millisecond * 250)
+	}
+}
+
+func (l *LocalResolver) get(upstream string) string {
+	l.Mutex.RLock()
+	defer l.Mutex.RUnlock()
+
+	if val, ok := l.Map[upstream]; ok {
+		return val
+	}
+
+	return ""
+}
--- a/pkg/logs/requestor.go
+++ b/pkg/logs/requestor.go
@ -0,0 +1,183 @@
+package logs
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"os/exec"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/openfaas/faas-provider/logs"
+
+	faasd "github.com/openfaas/faasd/pkg"
+)
+
+type requester struct{}
+
+// New returns a new journalctl log Requester
+func New() logs.Requester {
+	return &requester{}
+}
+
+// Query submits a log request to the actual logging system.
+func (r *requester) Query(ctx context.Context, req logs.Request) (<-chan logs.Message, error) {
+	_, err := exec.LookPath("journalctl")
+	if err != nil {
+		return nil, fmt.Errorf("can not find journalctl: %w", err)
+	}
+
+	cmd := buildCmd(ctx, req)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create journalctl pipe: %w", err)
+	}
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create journalctl err pipe: %w", err)
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create journalctl: %w", err)
+	}
+
+	// call start and get the stdout prior to streaming so that we can return a meaningful
+	// error for as long as possible. If the cmd starts correctly, we are highly likely to
+	// succeed anyway
+	msgs := make(chan logs.Message)
+	go streamLogs(ctx, cmd, stdout, msgs)
+	go logErrOut(stderr)
+
+	return msgs, nil
+}
+
+// buildCmd reeturns the equivalent of
+//
+// 	journalctl -t <namespace>:<name>  \
+// 		--output=json \
+// 		--since=<timestamp> \
+// 		<--follow> \
+func buildCmd(ctx context.Context, req logs.Request) *exec.Cmd {
+	// // set the cursor position based on req, default to 5m
+	since := time.Now().Add(-5 * time.Minute)
+	if req.Since != nil && req.Since.Before(time.Now()) {
+		since = *req.Since
+	}
+
+	namespace := req.Namespace
+	if namespace == "" {
+		namespace = faasd.DefaultFunctionNamespace
+	}
+
+	// find the description of the fields here
+	// https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
+	// the available fields can vary greatly, the selected fields were detemined by
+	// trial and error with journalctl in an ubuntu VM  (via multipass)
+	args := []string{
+		"--utc",
+		"--no-pager",
+		"--output=json",
+		"--identifier=" + namespace + ":" + req.Name,
+		fmt.Sprintf("--since=%s", since.UTC().Format("2006-01-02 15:04:05")),
+	}
+
+	if req.Follow {
+		args = append(args, "--follow")
+	}
+
+	if req.Tail > 0 {
+		args = append(args, fmt.Sprintf("--lines=%d", req.Tail))
+	}
+
+	return exec.CommandContext(ctx, "journalctl", args...)
+}
+
+// streamLogs copies log entries from the journalctl `cmd`/`out` to `msgs`
+// the loop is based on the Decoder example in the docs
+// https://golang.org/pkg/encoding/json/#Decoder.Decode
+func streamLogs(ctx context.Context, cmd *exec.Cmd, out io.ReadCloser, msgs chan logs.Message) {
+	log.Println("starting journal stream using ", cmd.String())
+
+	// will ensure `out` is closed and all related resources cleaned up
+	go func() {
+		err := cmd.Wait()
+		log.Println("wait result", err)
+	}()
+
+	defer func() {
+		log.Println("closing journal stream")
+		close(msgs)
+	}()
+
+	dec := json.NewDecoder(out)
+	for dec.More() {
+		if ctx.Err() != nil {
+			log.Println("log stream context cancelled")
+			return
+		}
+
+		// the journalctl outputs all the values as a string, so a struct with json
+		// tags wont help much
+		entry := map[string]string{}
+		err := dec.Decode(&entry)
+		if err != nil {
+			log.Printf("error decoding journalctl output: %s", err)
+			return
+		}
+
+		msg, err := parseEntry(entry)
+		if err != nil {
+			log.Printf("error parsing journalctl output: %s", err)
+			return
+		}
+
+		msgs <- msg
+	}
+}
+
+// parseEntry reads the deserialized json from journalctl into a log.Message
+//
+// The following fields are parsed from the journal
+// - MESSAGE
+// - _PID
+// - SYSLOG_IDENTIFIER
+// - __REALTIME_TIMESTAMP
+func parseEntry(entry map[string]string) (logs.Message, error) {
+	logMsg := logs.Message{
+		Text:     entry["MESSAGE"],
+		Instance: entry["_PID"],
+	}
+
+	identifier := entry["SYSLOG_IDENTIFIER"]
+	parts := strings.Split(identifier, ":")
+	if len(parts) != 2 {
+		return logMsg, fmt.Errorf("invalid SYSLOG_IDENTIFIER")
+	}
+	logMsg.Namespace = parts[0]
+	logMsg.Name = parts[1]
+
+	ts, ok := entry["__REALTIME_TIMESTAMP"]
+	if !ok {
+		return logMsg, fmt.Errorf("missing required field __REALTIME_TIMESTAMP")
+	}
+
+	ms, err := strconv.ParseInt(ts, 10, 64)
+	if err != nil {
+		return logMsg, fmt.Errorf("invalid timestamp: %w", err)
+	}
+	logMsg.Timestamp = time.Unix(0, ms*1000).UTC()
+
+	return logMsg, nil
+}
+
+func logErrOut(out io.ReadCloser) {
+	defer log.Println("stderr closed")
+	defer out.Close()
+
+	io.Copy(log.Writer(), out)
+}
--- a/pkg/logs/requestor_test.go
+++ b/pkg/logs/requestor_test.go
@ -0,0 +1,73 @@
+package logs
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/openfaas/faas-provider/logs"
+)
+
+func Test_parseEntry(t *testing.T) {
+	rawEntry := `{ "__CURSOR" : "s=71c4550142d14ace8e2959e3540cc15c;i=133c;b=44864010f0d94baba7b6bf8019f82a56;m=2945cd3;t=5a00d4eb59180;x=8ed47f7f9b3d798", "__REALTIME_TIMESTAMP" : "1583353899094400", "__MONOTONIC_TIMESTAMP" : "43277523", "_BOOT_ID" : "44864010f0d94baba7b6bf8019f82a56", "SYSLOG_IDENTIFIER" : "openfaas-fn:nodeinfo", "_PID" : "2254", "MESSAGE" : "2020/03/04 20:31:39 POST / - 200 OK - ContentLength: 83", "_SOURCE_REALTIME_TIMESTAMP" : "1583353899094372" }`
+	expectedEntry := logs.Message{
+		Name:      "nodeinfo",
+		Namespace: "openfaas-fn",
+		Text:      "2020/03/04 20:31:39 POST / - 200 OK - ContentLength: 83",
+		Timestamp: time.Unix(0, 1583353899094400*1000).UTC(),
+	}
+
+	value := map[string]string{}
+	json.Unmarshal([]byte(rawEntry), &value)
+
+	entry, err := parseEntry(value)
+	if err != nil {
+		t.Fatalf("unexpected error %s", err)
+	}
+
+	if entry.Name != expectedEntry.Name {
+		t.Fatalf("want Name: %q, got %q", expectedEntry.Name, entry.Name)
+	}
+
+	if entry.Namespace != expectedEntry.Namespace {
+		t.Fatalf("want Namespace: %q, got %q", expectedEntry.Namespace, entry.Namespace)
+	}
+
+	if entry.Timestamp != expectedEntry.Timestamp {
+		t.Fatalf("want Timestamp: %q, got %q", expectedEntry.Timestamp, entry.Timestamp)
+	}
+
+	if entry.Text != expectedEntry.Text {
+		t.Fatalf("want Text: %q, got %q", expectedEntry.Text, entry.Text)
+	}
+}
+
+func Test_buildCmd(t *testing.T) {
+	ctx := context.TODO()
+	now := time.Now()
+	req := logs.Request{
+		Name:      "loggyfunc",
+		Namespace: "spacetwo",
+		Follow:    true,
+		Since:     &now,
+		Tail:      5,
+	}
+
+	expectedArgs := fmt.Sprintf(
+		"--utc --no-pager --output=json --identifier=spacetwo:loggyfunc --since=%s --follow --lines=5",
+		now.UTC().Format("2006-01-02 15:04:05"),
+	)
+
+	cmd := buildCmd(ctx, req).String()
+	wantCmd := "journalctl"
+	if !strings.Contains(cmd, wantCmd) {
+		t.Fatalf("cmd want: %q, got: %q", wantCmd, cmd)
+	}
+
+	if !strings.HasSuffix(cmd, expectedArgs) {
+		t.Fatalf("arg want: %q\ngot: %q", expectedArgs, cmd)
+	}
+}
--- a/pkg/provider/handlers/delete.go
+++ b/pkg/provider/handlers/delete.go
@ -8,12 +8,13 @@ import (
 	"log"
 	"net/http"

-	cninetwork "github.com/openfaas/faasd/pkg/cninetwork"
-	"github.com/openfaas/faasd/pkg/service"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
 	gocni "github.com/containerd/go-cni"
 	"github.com/openfaas/faas/gateway/requests"
+
+	cninetwork "github.com/openfaas/faasd/pkg/cninetwork"
+	"github.com/openfaas/faasd/pkg/service"
 )

 func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.ResponseWriter, r *http.Request) {
@ -39,9 +40,23 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 			return
 		}

+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client, lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		name := req.FunctionName

-		function, err := GetFunction(client, name)
+		function, err := GetFunction(client, name, lookupNamespace)
 		if err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Delete] %s\n", msg)
@ -49,7 +64,7 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 			return
 		}

-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), lookupNamespace)

 		// TODO: this needs to still happen if the task is paused
 		if function.replicas != 0 {
--- a/pkg/provider/handlers/deploy.go
+++ b/pkg/provider/handlers/deploy.go
@ -9,9 +9,11 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"time"

 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
 	gocni "github.com/containerd/go-cni"
@ -21,10 +23,13 @@ import (
 	cninetwork "github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
 	"github.com/pkg/errors"
+	"k8s.io/apimachinery/pkg/api/resource"
 )

-func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath string) func(w http.ResponseWriter, r *http.Request) {
+const annotationLabelPrefix = "com.openfaas.annotations."

+// MakeDeployHandler returns a handler to deploy a function
+func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath string, alwaysPull bool) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {

 		if r.Body == nil {
@ -46,15 +51,32 @@ func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}

-		err = validateSecrets(secretMountPath, req.Secrets)
+		namespace := getRequestNamespace(req.Namespace)
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client, namespace)
+
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		namespaceSecretMountPath := getNamespaceSecretMountPath(secretMountPath, namespace)
+		err = validateSecrets(namespaceSecretMountPath, req.Secrets)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
 		}

 		name := req.Service
-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)

-		deployErr := deploy(ctx, req, client, cni, secretMountPath)
+		deployErr := deploy(ctx, req, client, cni, namespaceSecretMountPath, alwaysPull)
 		if deployErr != nil {
 			log.Printf("[Deploy] error deploying %s, error: %s\n", name, deployErr)
 			http.Error(w, deployErr.Error(), http.StatusBadRequest)
@ -63,11 +85,16 @@ func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 	}
 }

-func deploy(ctx context.Context, req types.FunctionDeployment, client *containerd.Client, cni gocni.CNI, secretMountPath string) error {
+// prepull is an optimization which means an image can be pulled before a deployment
+// request, since a deployment request first deletes the active function before
+// trying to deploy a new one.
+func prepull(ctx context.Context, req types.FunctionDeployment, client *containerd.Client, alwaysPull bool) (containerd.Image, error) {
+	start := time.Now()
 	r, err := reference.ParseNormalizedNamed(req.Image)
 	if err != nil {
-		return err
+		return nil, err
 	}
+
 	imgRef := reference.TagNameOnly(r).String()

 	snapshotter := ""
@ -75,16 +102,31 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container
 		snapshotter = val
 	}

-	image, err := service.PrepareImage(ctx, client, imgRef, snapshotter)
+	image, err := service.PrepareImage(ctx, client, imgRef, snapshotter, alwaysPull)
 	if err != nil {
-		return errors.Wrapf(err, "unable to pull image %s", imgRef)
+		return nil, errors.Wrapf(err, "unable to pull image %s", imgRef)
 	}

 	size, _ := image.Size(ctx)
-	log.Printf("Deploy %s size: %d\n", image.Name(), size)
+	log.Printf("Image for: %s size: %d, took: %fs\n", image.Name(), size, time.Since(start).Seconds())
+
+	return image, nil
+}
+
+func deploy(ctx context.Context, req types.FunctionDeployment, client *containerd.Client, cni gocni.CNI, secretMountPath string, alwaysPull bool) error {
+
+	snapshotter := ""
+	if val, ok := os.LookupEnv("snapshotter"); ok {
+		snapshotter = val
+	}
+
+	image, err := prepull(ctx, req, client, alwaysPull)
+	if err != nil {
+		return err
+	}

 	envs := prepareEnv(req.EnvProcess, req.EnvVars)
-	mounts := getMounts()
+	mounts := getOSMounts()

 	for _, secret := range req.Secrets {
 		mounts = append(mounts, specs.Mount{
@ -97,6 +139,23 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container

 	name := req.Service

+	labels, err := buildLabels(&req)
+	if err != nil {
+		return fmt.Errorf("unable to apply labels to container: %s, error: %w", name, err)
+	}
+
+	var memory *specs.LinuxMemory
+	if req.Limits != nil && len(req.Limits.Memory) > 0 {
+		memory = &specs.LinuxMemory{}
+
+		qty, err := resource.ParseQuantity(req.Limits.Memory)
+		if err != nil {
+			log.Printf("error parsing (%q) as quantity: %s", req.Limits.Memory, err.Error())
+		}
+		v := qty.Value()
+		memory.Limit = &v
+	}
+
 	container, err := client.NewContainer(
 		ctx,
 		name,
@ -104,45 +163,71 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container
 		containerd.WithSnapshotter(snapshotter),
 		containerd.WithNewSnapshot(name+"-snapshot", image),
 		containerd.WithNewSpec(oci.WithImageConfig(image),
+			oci.WithHostname(name),
 			oci.WithCapabilities([]string{"CAP_NET_RAW"}),
 			oci.WithMounts(mounts),
-			oci.WithEnv(envs)),
-		containerd.WithContainerLabels(*req.Labels),
+			oci.WithEnv(envs),
+			withMemory(memory)),
+		containerd.WithContainerLabels(labels),
 	)

 	if err != nil {
-		return fmt.Errorf("unable to create container: %s, error: %s", name, err)
+		return fmt.Errorf("unable to create container: %s, error: %w", name, err)
 	}

 	return createTask(ctx, client, container, cni)

 }

+func buildLabels(request *types.FunctionDeployment) (map[string]string, error) {
+	// Adapted from faas-swarm/handlers/deploy.go:buildLabels
+	labels := map[string]string{}
+
+	if request.Labels != nil {
+		for k, v := range *request.Labels {
+			labels[k] = v
+		}
+	}
+
+	if request.Annotations != nil {
+		for k, v := range *request.Annotations {
+			key := fmt.Sprintf("%s%s", annotationLabelPrefix, k)
+			if _, ok := labels[key]; !ok {
+				labels[key] = v
+			} else {
+				return nil, errors.New(fmt.Sprintf("Key %s cannot be used as a label due to a conflict with annotation prefix %s", k, annotationLabelPrefix))
+			}
+		}
+	}
+
+	return labels, nil
+}
+
 func createTask(ctx context.Context, client *containerd.Client, container containerd.Container, cni gocni.CNI) error {

 	name := container.ID()
-	// task, taskErr := container.NewTask(ctx, cio.NewCreator(cio.WithStdio))

 	task, taskErr := container.NewTask(ctx, cio.BinaryIO("/usr/local/bin/faasd", nil))

 	if taskErr != nil {
-		return fmt.Errorf("unable to start task: %s, error: %s", name, taskErr)
+		return fmt.Errorf("unable to start task: %s, error: %w", name, taskErr)
 	}

 	log.Printf("Container ID: %s\tTask ID %s:\tTask PID: %d\t\n", name, task.ID(), task.Pid())

 	labels := map[string]string{}
-	network, err := cninetwork.CreateCNINetwork(ctx, cni, task, labels)
+	_, err := cninetwork.CreateCNINetwork(ctx, cni, task, labels)

 	if err != nil {
 		return err
 	}

-	ip, err := cninetwork.GetIPAddress(network, task)
+	ip, err := cninetwork.GetIPAddress(name, task.Pid())
 	if err != nil {
 		return err
 	}
-	log.Printf("%s has IP: %s.\n", name, ip.String())
+
+	log.Printf("%s has IP: %s.\n", name, ip)

 	_, waitErr := task.Wait(ctx)
 	if waitErr != nil {
@ -177,20 +262,28 @@ func prepareEnv(envProcess string, reqEnvVars map[string]string) []string {
 	return envs
 }

-func getMounts() []specs.Mount {
-	wd, _ := os.Getwd()
+// getOSMounts provides a mount for os-specific files such
+// as the hosts file and resolv.conf
+func getOSMounts() []specs.Mount {
+	// Prior to hosts_dir env-var, this value was set to
+	// os.Getwd()
+	hostsDir := "/var/lib/faasd"
+	if v, ok := os.LookupEnv("hosts_dir"); ok && len(v) > 0 {
+		hostsDir = v
+	}
+
 	mounts := []specs.Mount{}
 	mounts = append(mounts, specs.Mount{
 		Destination: "/etc/resolv.conf",
 		Type:        "bind",
-		Source:      path.Join(wd, "resolv.conf"),
+		Source:      path.Join(hostsDir, "resolv.conf"),
 		Options:     []string{"rbind", "ro"},
 	})

 	mounts = append(mounts, specs.Mount{
 		Destination: "/etc/hosts",
 		Type:        "bind",
-		Source:      path.Join(wd, "hosts"),
+		Source:      path.Join(hostsDir, "hosts"),
 		Options:     []string{"rbind", "ro"},
 	})
 	return mounts
@ -204,3 +297,21 @@ func validateSecrets(secretMountPath string, secrets []string) error {
 	}
 	return nil
 }
+
+func withMemory(mem *specs.LinuxMemory) oci.SpecOpts {
+	return func(ctx context.Context, _ oci.Client, c *containers.Container, s *oci.Spec) error {
+		if mem != nil {
+			if s.Linux == nil {
+				s.Linux = &specs.Linux{}
+			}
+			if s.Linux.Resources == nil {
+				s.Linux.Resources = &specs.LinuxResources{}
+			}
+			if s.Linux.Resources.Memory == nil {
+				s.Linux.Resources.Memory = &specs.LinuxMemory{}
+			}
+			s.Linux.Resources.Memory.Limit = mem.Limit
+		}
+		return nil
+	}
+}
--- a/pkg/provider/handlers/deploy_test.go
+++ b/pkg/provider/handlers/deploy_test.go
@ -0,0 +1,77 @@
+package handlers
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/openfaas/faas-provider/types"
+)
+
+func Test_BuildLabels_WithAnnotations(t *testing.T) {
+	// Test each combination of nil/non-nil annotation + label
+	tables := []struct {
+		name       string
+		label      map[string]string
+		annotation map[string]string
+		result     map[string]string
+	}{
+		{"Empty label and annotations returns empty table map", nil, nil, map[string]string{}},
+		{
+			"Label with empty annotation returns valid map",
+			map[string]string{"L1": "V1"},
+			nil,
+			map[string]string{"L1": "V1"}},
+		{
+			"Annotation with empty label returns valid map",
+			nil,
+			map[string]string{"A1": "V2"},
+			map[string]string{fmt.Sprintf("%sA1", annotationLabelPrefix): "V2"}},
+		{
+			"Label and annotation provided returns valid combined map",
+			map[string]string{"L1": "V1"},
+			map[string]string{"A1": "V2"},
+			map[string]string{
+				"L1": "V1",
+				fmt.Sprintf("%sA1", annotationLabelPrefix): "V2",
+			},
+		},
+	}
+
+	for _, tc := range tables {
+
+		t.Run(tc.name, func(t *testing.T) {
+			request := &types.FunctionDeployment{
+				Labels:      &tc.label,
+				Annotations: &tc.annotation,
+			}
+
+			val, err := buildLabels(request)
+
+			if err != nil {
+				t.Fatalf("want: no error got: %v", err)
+			}
+
+			if !reflect.DeepEqual(val, tc.result) {
+				t.Errorf("Want: %s, got: %s", val, tc.result)
+			}
+		})
+	}
+}
+
+func Test_BuildLabels_WithAnnotationCollision(t *testing.T) {
+	request := &types.FunctionDeployment{
+		Labels: &map[string]string{
+			"function_name": "echo",
+			fmt.Sprintf("%scurrent-time", annotationLabelPrefix): "Wed 25 Jul 06:41:43 BST 2018",
+		},
+		Annotations: &map[string]string{"current-time": "Wed 25 Jul 06:41:43 BST 2018"},
+	}
+
+	val, err := buildLabels(request)
+
+	if err == nil {
+		t.Errorf("Expected an error, got %d values", len(val))
+	}
+
+}
--- a/pkg/provider/handlers/functions.go
+++ b/pkg/provider/handlers/functions.go
@ -2,90 +2,241 @@ package handlers

 import (
 	"context"
+	"errors"
 	"fmt"
 	"log"
+	"strings"
+	"time"
+
+	"github.com/opencontainers/runtime-spec/specs-go"

 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
+	"github.com/openfaas/faasd/pkg"
+	faasd "github.com/openfaas/faasd/pkg"
 	"github.com/openfaas/faasd/pkg/cninetwork"
 )

 type Function struct {
-	name      string
-	namespace string
-	image     string
-	pid       uint32
-	replicas  int
-	IP        string
-	labels    map[string]string
+	name        string
+	namespace   string
+	image       string
+	pid         uint32
+	replicas    int
+	IP          string
+	labels      map[string]string
+	annotations map[string]string
+	secrets     []string
+	envVars     map[string]string
+	envProcess  string
+	memoryLimit int64
+	createdAt   time.Time
 }

-const (
-	// FunctionNamespace is the containerd namespace functions are created
-	FunctionNamespace = "openfaas-fn"
-)
-
 // ListFunctions returns a map of all functions with running tasks on namespace
-func ListFunctions(client *containerd.Client) (map[string]Function, error) {
-	ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
-	functions := make(map[string]Function)
+func ListFunctions(client *containerd.Client, namespace string) (map[string]*Function, error) {

-	containers, _ := client.Containers(ctx)
-	for _, k := range containers {
-		name := k.ID()
-		functions[name], _ = GetFunction(client, name)
+	// Check if namespace exists, and it has the openfaas label
+	valid, err := validNamespace(client, namespace)
+	if err != nil {
+		return nil, err
 	}
+
+	if !valid {
+		return nil, errors.New("namespace not valid")
+	}
+
+	ctx := namespaces.WithNamespace(context.Background(), namespace)
+	functions := make(map[string]*Function)
+
+	containers, err := client.Containers(ctx)
+	if err != nil {
+		return functions, err
+	}
+
+	for _, c := range containers {
+		name := c.ID()
+		f, err := GetFunction(client, name, namespace)
+		if err != nil {
+			log.Printf("error getting function %s: ", name)
+			return functions, err
+		}
+		functions[name] = &f
+	}
+
 	return functions, nil
 }

 // GetFunction returns a function that matches name
-func GetFunction(client *containerd.Client, name string) (Function, error) {
-	ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+func GetFunction(client *containerd.Client, name string, namespace string) (Function, error) {
+	ctx := namespaces.WithNamespace(context.Background(), namespace)
+	fn := Function{}
+
 	c, err := client.LoadContainer(ctx, name)
+	if err != nil {
+		return Function{}, fmt.Errorf("unable to find function: %s, error %w", name, err)
+	}

+	image, err := c.Image(ctx)
+	if err != nil {
+		return fn, err
+	}
+
+	containerName := c.ID()
+	allLabels, labelErr := c.Labels(ctx)
+
+	if labelErr != nil {
+		log.Printf("cannot list container %s labels: %s", containerName, labelErr)
+	}
+
+	labels, annotations := buildLabelsAndAnnotations(allLabels)
+
+	spec, err := c.Spec(ctx)
+	if err != nil {
+		return Function{}, fmt.Errorf("unable to load function %s error: %w", name, err)
+	}
+
+	info, err := c.Info(ctx)
+	if err != nil {
+		return Function{}, fmt.Errorf("can't load info for: %s, error %w", name, err)
+	}
+
+	envVars, envProcess := readEnvFromProcessEnv(spec.Process.Env)
+	secrets := readSecretsFromMounts(spec.Mounts)
+
+	fn.name = containerName
+	fn.namespace = namespace
+	fn.image = image.Name()
+	fn.labels = labels
+	fn.annotations = annotations
+	fn.secrets = secrets
+	fn.envVars = envVars
+	fn.envProcess = envProcess
+	fn.createdAt = info.CreatedAt
+	fn.memoryLimit = readMemoryLimitFromSpec(spec)
+
+	replicas := 0
+	task, err := c.Task(ctx, nil)
 	if err == nil {
-
-		image, _ := c.Image(ctx)
-
-		containerName := c.ID()
-		labels, labelErr := c.Labels(ctx)
-		if labelErr != nil {
-			log.Printf("cannot list container %s labels: %s", containerName, labelErr.Error())
+		// Task for container exists
+		svc, err := task.Status(ctx)
+		if err != nil {
+			return Function{}, fmt.Errorf("unable to get task status for container: %s %w", name, err)
 		}

-		f := Function{
-			name:      containerName,
-			namespace: FunctionNamespace,
-			image:     image.Name(),
-			labels:    labels,
-		}
+		if svc.Status == "running" {
+			replicas = 1
+			fn.pid = task.Pid()

-		replicas := 0
-		task, err := c.Task(ctx, nil)
-		if err == nil {
-			// Task for container exists
-			svc, err := task.Status(ctx)
+			// Get container IP address
+			ip, err := cninetwork.GetIPAddress(name, task.Pid())
 			if err != nil {
-				return Function{}, fmt.Errorf("unable to get task status for container: %s %s", name, err)
+				return Function{}, err
 			}
-			if svc.Status == "running" {
-				replicas = 1
-				f.pid = task.Pid()
+			fn.IP = ip
+		}
+	} else {
+		replicas = 0
+	}

-				// Get container IP address
-				ip, err := cninetwork.GetIPfromPID(int(task.Pid()))
-				if err != nil {
-					return Function{}, err
-				}
-				f.IP = ip.String()
-			}
-		} else {
-			replicas = 0
+	fn.replicas = replicas
+	return fn, nil
+}
+
+func readEnvFromProcessEnv(env []string) (map[string]string, string) {
+	foundEnv := make(map[string]string)
+	fprocess := ""
+	for _, e := range env {
+		kv := strings.Split(e, "=")
+		if len(kv) == 1 {
+			continue
 		}

-		f.replicas = replicas
-		return f, nil
+		if kv[0] == "PATH" {
+			continue
+		}
+
+		if kv[0] == "fprocess" {
+			fprocess = kv[1]
+			continue
+		}
+
+		foundEnv[kv[0]] = kv[1]
+	}
+
+	return foundEnv, fprocess
+}
+
+func readSecretsFromMounts(mounts []specs.Mount) []string {
+	secrets := []string{}
+	for _, mnt := range mounts {
+		x := strings.Split(mnt.Destination, "/var/openfaas/secrets/")
+		if len(x) > 1 {
+			secrets = append(secrets, x[1])
+		}

 	}
-	return Function{}, fmt.Errorf("unable to find function: %s, error %s", name, err)
+	return secrets
+}
+
+// buildLabelsAndAnnotations returns a separated list with labels first,
+// followed by annotations by checking each key of ctrLabels for a prefix.
+func buildLabelsAndAnnotations(ctrLabels map[string]string) (map[string]string, map[string]string) {
+	labels := make(map[string]string)
+	annotations := make(map[string]string)
+
+	for k, v := range ctrLabels {
+		if strings.HasPrefix(k, annotationLabelPrefix) {
+			annotations[strings.TrimPrefix(k, annotationLabelPrefix)] = v
+		} else {
+			labels[k] = v
+		}
+	}
+
+	return labels, annotations
+}
+
+func ListNamespaces(client *containerd.Client) []string {
+	set := []string{}
+	store := client.NamespaceService()
+	namespaces, err := store.List(context.Background())
+	if err != nil {
+		log.Printf("Error listing namespaces: %s", err.Error())
+		set = append(set, faasd.DefaultFunctionNamespace)
+		return set
+	}
+
+	for _, namespace := range namespaces {
+		labels, err := store.Labels(context.Background(), namespace)
+		if err != nil {
+			log.Printf("Error listing label for namespace %s: %s", namespace, err.Error())
+			continue
+		}
+
+		if _, found := labels[pkg.NamespaceLabel]; found {
+			set = append(set, namespace)
+		}
+
+		if !findNamespace(faasd.DefaultFunctionNamespace, set) {
+			set = append(set, faasd.DefaultFunctionNamespace)
+		}
+	}
+
+	return set
+}
+
+func findNamespace(target string, items []string) bool {
+	for _, n := range items {
+		if n == target {
+			return true
+		}
+	}
+	return false
+}
+
+func readMemoryLimitFromSpec(spec *specs.Spec) int64 {
+	if spec.Linux == nil || spec.Linux.Resources == nil || spec.Linux.Resources.Memory == nil || spec.Linux.Resources.Memory.Limit == nil {
+		return 0
+	}
+	return *spec.Linux.Resources.Memory.Limit
 }
--- a/pkg/provider/handlers/functions_test.go
+++ b/pkg/provider/handlers/functions_test.go
@ -0,0 +1,133 @@
+package handlers
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func Test_BuildLabelsAndAnnotationsFromServiceSpec_Annotations(t *testing.T) {
+	container := map[string]string{
+		"qwer": "ty",
+		"dvor": "ak",
+		fmt.Sprintf("%scurrent-time", annotationLabelPrefix): "5 Nov 20:10:20 PST 1955",
+		fmt.Sprintf("%sfuture-time", annotationLabelPrefix):  "21 Oct 20:10:20 PST 2015",
+	}
+
+	labels, annotation := buildLabelsAndAnnotations(container)
+
+	if len(labels) != 2 {
+		t.Errorf("want: %d labels got: %d", 2, len(labels))
+	}
+
+	if len(annotation) != 2 {
+		t.Errorf("want: %d annotation got: %d", 1, len(annotation))
+	}
+
+	if _, ok := annotation["current-time"]; !ok {
+		t.Errorf("want: '%s' entry in annotation map got: key not found", "current-time")
+	}
+}
+
+func Test_SplitMountToSecrets(t *testing.T) {
+	type testCase struct {
+		Name  string
+		Input []specs.Mount
+		Want  []string
+	}
+	tests := []testCase{
+		{Name: "No matching openfaas secrets", Input: []specs.Mount{{Destination: "/foo/"}}, Want: []string{}},
+		{Name: "Nil mounts", Input: nil, Want: []string{}},
+		{Name: "No Mounts", Input: []specs.Mount{{Destination: "/foo/"}}, Want: []string{}},
+		{Name: "One Mounts IS secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}}, Want: []string{"secret1"}},
+		{Name: "Multiple Mounts 1 secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/some/other/path"}}, Want: []string{"secret1"}},
+		{Name: "Multiple Mounts all secrets", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/var/openfaas/secrets/secret2"}}, Want: []string{"secret1", "secret2"}},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := readSecretsFromMounts(tc.Input)
+			if !reflect.DeepEqual(got, tc.Want) {
+				t.Fatalf("Want %s, got %s", tc.Want, got)
+			}
+		})
+	}
+}
+
+func Test_ProcessEnvToEnvVars(t *testing.T) {
+	type testCase struct {
+		Name     string
+		Input    []string
+		Want     map[string]string
+		fprocess string
+	}
+	tests := []testCase{
+		{Name: "No matching EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py"}, Want: make(map[string]string), fprocess: "python index.py"},
+		{Name: "No EnvVars", Input: []string{}, Want: make(map[string]string), fprocess: ""},
+		{Name: "One EnvVar", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py", "env=this"}, Want: map[string]string{"env": "this"}, fprocess: "python index.py"},
+		{Name: "Multiple EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "this=that", "env=var", "fprocess=python index.py"}, Want: map[string]string{"this": "that", "env": "var"}, fprocess: "python index.py"},
+		{Name: "Nil EnvVars", Input: nil, Want: make(map[string]string)},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got, fprocess := readEnvFromProcessEnv(tc.Input)
+			if !reflect.DeepEqual(got, tc.Want) {
+				t.Fatalf("Want: %s, got: %s", tc.Want, got)
+			}
+
+			if fprocess != tc.fprocess {
+				t.Fatalf("Want fprocess: %s, got: %s", tc.fprocess, got)
+
+			}
+		})
+	}
+}
+
+func Test_findNamespace(t *testing.T) {
+	type testCase struct {
+		Name            string
+		foundNamespaces []string
+		namespace       string
+		Want            bool
+	}
+	tests := []testCase{
+		{Name: "Namespace Found", namespace: "fn", foundNamespaces: []string{"fn", "openfaas-fn"}, Want: true},
+		{Name: "namespace Not Found", namespace: "fn", foundNamespaces: []string{"openfaas-fn"}, Want: false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := findNamespace(tc.namespace, tc.foundNamespaces)
+			if got != tc.Want {
+				t.Fatalf("Want %t, got %t", tc.Want, got)
+			}
+		})
+	}
+}
+
+func Test_readMemoryLimitFromSpec(t *testing.T) {
+	type testCase struct {
+		Name string
+		Spec *specs.Spec
+		Want int64
+	}
+	testLimit := int64(64)
+	tests := []testCase{
+		{Name: "specs.Linux not found", Spec: &specs.Spec{Linux: nil}, Want: int64(0)},
+		{Name: "specs.LinuxResource not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: nil}}, Want: int64(0)},
+		{Name: "specs.LinuxMemory not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: nil}}}, Want: int64(0)},
+		{Name: "specs.LinuxMemory.Limit not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: &specs.LinuxMemory{Limit: nil}}}}, Want: int64(0)},
+		{Name: "Memory limit set as Want", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: &specs.LinuxMemory{Limit: &testLimit}}}}, Want: int64(64)},
+	}
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := readMemoryLimitFromSpec(tc.Spec)
+			if got != tc.Want {
+				t.Fatalf("Want %d, got %d", tc.Want, got)
+			}
+		})
+	}
+}
--- a/pkg/provider/handlers/info.go
+++ b/pkg/provider/handlers/info.go
@ -22,10 +22,10 @@ func MakeInfoHandler(version, sha string) http.HandlerFunc {
 			defer r.Body.Close()
 		}

-		infoResponse := types.InfoResponse{
+		infoResponse := types.ProviderInfo{
 			Orchestration: OrchestrationIdentifier,
-			Provider:      ProviderName,
-			Version: types.ProviderVersion{
+			Name:          ProviderName,
+			Version: &types.VersionInfo{
 				Release: version,
 				SHA:     sha,
 			},
--- a/pkg/provider/handlers/info_test.go
+++ b/pkg/provider/handlers/info_test.go
@ -15,14 +15,14 @@ func Test_InfoHandler(t *testing.T) {
 	r := httptest.NewRequest("GET", "/", nil)
 	handler(w, r)

-	resp := types.InfoResponse{}
+	resp := types.ProviderInfo{}
 	err := json.Unmarshal(w.Body.Bytes(), &resp)
 	if err != nil {
 		t.Fatalf("unexpected error unmarshalling the response")
 	}

-	if resp.Provider != ProviderName {
-		t.Fatalf("expected provider %q, got %q", ProviderName, resp.Provider)
+	if resp.Name != ProviderName {
+		t.Fatalf("expected provider %q, got %q", ProviderName, resp.Name)
 	}

 	if resp.Orchestration != OrchestrationIdentifier {
--- a/pkg/provider/handlers/invoke_resolver.go
+++ b/pkg/provider/handlers/invoke_resolver.go
@ -4,8 +4,10 @@ import (
 	"fmt"
 	"log"
 	"net/url"
+	"strings"

 	"github.com/containerd/containerd"
+	faasd "github.com/openfaas/faasd/pkg"
 )

 const watchdogPort = 8080
@ -19,11 +21,18 @@ func NewInvokeResolver(client *containerd.Client) *InvokeResolver {
 }

 func (i *InvokeResolver) Resolve(functionName string) (url.URL, error) {
-	log.Printf("Resolve: %q\n", functionName)
+	actualFunctionName := functionName
+	log.Printf("Resolve: %q\n", actualFunctionName)

-	function, err := GetFunction(i.client, functionName)
+	namespace := getNamespace(functionName, faasd.DefaultFunctionNamespace)
+
+	if strings.Contains(functionName, ".") {
+		actualFunctionName = strings.TrimSuffix(functionName, "."+namespace)
+	}
+
+	function, err := GetFunction(i.client, actualFunctionName, namespace)
 	if err != nil {
-		return url.URL{}, fmt.Errorf("%s not found", functionName)
+		return url.URL{}, fmt.Errorf("%s not found", actualFunctionName)
 	}

 	serviceIP := function.IP
@ -37,3 +46,11 @@ func (i *InvokeResolver) Resolve(functionName string) (url.URL, error) {

 	return *urlRes, nil
 }
+
+func getNamespace(name, defaultNamespace string) string {
+	namespace := defaultNamespace
+	if strings.Contains(name, ".") {
+		namespace = name[strings.LastIndexAny(name, ".")+1:]
+	}
+	return namespace
+}
--- a/pkg/provider/handlers/namespaces.go
+++ b/pkg/provider/handlers/namespaces.go
@ -0,0 +1,18 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/containerd/containerd"
+)
+
+func MakeNamespacesLister(client *containerd.Client) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		list := ListNamespaces(client)
+		body, _ := json.Marshal(list)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		w.Write(body)
+	}
+}
--- a/pkg/provider/handlers/read.go
+++ b/pkg/provider/handlers/read.go
@ -2,6 +2,7 @@ package handlers

 import (
 	"encoding/json"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"log"
 	"net/http"

@ -13,20 +14,43 @@ func MakeReadHandler(client *containerd.Client) func(w http.ResponseWriter, r *h

 	return func(w http.ResponseWriter, r *http.Request) {

+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client, lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		res := []types.FunctionStatus{}
-		funcs, err := ListFunctions(client)
+		fns, err := ListFunctions(client, lookupNamespace)
 		if err != nil {
 			log.Printf("[Read] error listing functions. Error: %s\n", err)
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
 		}
-		for _, function := range funcs {
+
+		for _, fn := range fns {
+			annotations := &fn.annotations
+			labels := &fn.labels
+			memory := resource.NewQuantity(fn.memoryLimit, resource.BinarySI)
 			res = append(res, types.FunctionStatus{
-				Name:      function.name,
-				Image:     function.image,
-				Replicas:  uint64(function.replicas),
-				Namespace: function.namespace,
-				Labels:    &function.labels,
+				Name:        fn.name,
+				Image:       fn.image,
+				Replicas:    uint64(fn.replicas),
+				Namespace:   fn.namespace,
+				Labels:      labels,
+				Annotations: annotations,
+				Secrets:     fn.secrets,
+				EnvVars:     fn.envVars,
+				EnvProcess:  fn.envProcess,
+				Limits:      &types.FunctionResources{Memory: memory.String()},
+				CreatedAt:   fn.createdAt,
 			})
 		}

@ -34,6 +58,5 @@ func MakeReadHandler(client *containerd.Client) func(w http.ResponseWriter, r *h
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
 		w.Write(body)
-
 	}
 }
--- a/pkg/provider/handlers/replicas.go
+++ b/pkg/provider/handlers/replicas.go
@ -14,13 +14,32 @@ func MakeReplicaReaderHandler(client *containerd.Client) func(w http.ResponseWri
 	return func(w http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 		functionName := vars["name"]
+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))

-		if f, err := GetFunction(client, functionName); err == nil {
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client, lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		if f, err := GetFunction(client, functionName, lookupNamespace); err == nil {
 			found := types.FunctionStatus{
 				Name:              functionName,
 				AvailableReplicas: uint64(f.replicas),
 				Replicas:          uint64(f.replicas),
 				Namespace:         f.namespace,
+				Labels:            &f.labels,
+				Annotations:       &f.annotations,
+				Secrets:           f.secrets,
+				EnvVars:           f.envVars,
+				EnvProcess:        f.envProcess,
+				CreatedAt:         f.createdAt,
 			}

 			functionBytes, _ := json.Marshal(found)
--- a/pkg/provider/handlers/scale.go
+++ b/pkg/provider/handlers/scale.go
@ -11,6 +11,7 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
 	gocni "github.com/containerd/go-cni"
+
 	"github.com/openfaas/faas-provider/types"
 )

@ -38,16 +39,30 @@ func MakeReplicaUpdateHandler(client *containerd.Client, cni gocni.CNI) func(w h
 			return
 		}

+		namespace := getRequestNamespace(readNamespaceFromQuery(r))
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client, namespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		name := req.ServiceName

-		if _, err := GetFunction(client, name); err != nil {
+		if _, err := GetFunction(client, name, namespace); err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Scale] %s\n", msg)
 			http.Error(w, msg, http.StatusNotFound)
 			return
 		}

-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)

 		ctr, ctrErr := client.LoadContainer(ctx, name)
 		if ctrErr != nil {
@ -57,46 +72,71 @@ func MakeReplicaUpdateHandler(client *containerd.Client, cni gocni.CNI) func(w h
 			return
 		}

-		taskExists := true
+		var taskExists bool
+		var taskStatus *containerd.Status
+
 		task, taskErr := ctr.Task(ctx, nil)
 		if taskErr != nil {
 			msg := fmt.Sprintf("cannot load task for service %s, error: %s", name, taskErr)
 			log.Printf("[Scale] %s\n", msg)
 			taskExists = false
+		} else {
+			taskExists = true
+			status, statusErr := task.Status(ctx)
+			if statusErr != nil {
+				msg := fmt.Sprintf("cannot load task status for %s, error: %s", name, statusErr)
+				log.Printf("[Scale] %s\n", msg)
+				http.Error(w, msg, http.StatusInternalServerError)
+				return
+			} else {
+				taskStatus = &status
+			}
 		}

-		if req.Replicas > 0 {
-			if taskExists {
-				if status, statusErr := task.Status(ctx); statusErr == nil {
-					if status.Status == containerd.Paused {
-						if resumeErr := task.Resume(ctx); resumeErr != nil {
-							log.Printf("[Scale] error resuming task %s, error: %s\n", name, resumeErr)
-							http.Error(w, resumeErr.Error(), http.StatusBadRequest)
-						}
-					}
-				}
-			} else {
-				deployErr := createTask(ctx, client, ctr, cni)
-				if deployErr != nil {
-					log.Printf("[Scale] error deploying %s, error: %s\n", name, deployErr)
-					http.Error(w, deployErr.Error(), http.StatusBadRequest)
+		createNewTask := false
+
+		// Scale to zero
+		if req.Replicas == 0 {
+			// If a task is running, pause it
+			if taskExists && taskStatus.Status == containerd.Running {
+				if pauseErr := task.Pause(ctx); pauseErr != nil {
+					wrappedPauseErr := fmt.Errorf("error pausing task %s, error: %s", name, pauseErr)
+					log.Printf("[Scale] %s\n", wrappedPauseErr.Error())
+					http.Error(w, wrappedPauseErr.Error(), http.StatusNotFound)
 					return
 				}
-				return
-			}
-		} else {
-			if taskExists {
-				if status, statusErr := task.Status(ctx); statusErr == nil {
-					if status.Status == containerd.Running {
-						if pauseErr := task.Pause(ctx); pauseErr != nil {
-							log.Printf("[Scale] error pausing task %s, error: %s\n", name, pauseErr)
-							http.Error(w, pauseErr.Error(), http.StatusBadRequest)
-						}
-					}
-				}
 			}
 		}

-	}
+		if taskExists {
+			if taskStatus != nil {
+				if taskStatus.Status == containerd.Paused {
+					if resumeErr := task.Resume(ctx); resumeErr != nil {
+						log.Printf("[Scale] error resuming task %s, error: %s\n", name, resumeErr)
+						http.Error(w, resumeErr.Error(), http.StatusBadRequest)
+						return
+					}
+				} else if taskStatus.Status == containerd.Stopped {
+					// Stopped tasks cannot be restarted, must be removed, and created again
+					if _, delErr := task.Delete(ctx); delErr != nil {
+						log.Printf("[Scale] error deleting stopped task %s, error: %s\n", name, delErr)
+						http.Error(w, delErr.Error(), http.StatusBadRequest)
+						return
+					}
+					createNewTask = true
+				}
+			}
+		} else {
+			createNewTask = true
+		}

+		if createNewTask {
+			deployErr := createTask(ctx, client, ctr, cni)
+			if deployErr != nil {
+				log.Printf("[Scale] error deploying %s, error: %s\n", name, deployErr)
+				http.Error(w, deployErr.Error(), http.StatusBadRequest)
+				return
+			}
+		}
+	}
 }
--- a/pkg/provider/handlers/secret.go
+++ b/pkg/provider/handlers/secret.go
@ -2,17 +2,20 @@ package handlers

 import (
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
 	"path"
+	"strings"

 	"github.com/containerd/containerd"
 	"github.com/openfaas/faas-provider/types"
 )

 const secretFilePermission = 0644
+const secretDirPermission = 0755

 func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.ResponseWriter, r *http.Request) {

@ -44,6 +47,22 @@ func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.Respo
 }

 func listSecrets(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
+
+	lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+	// Check if namespace exists, and it has the openfaas label
+	valid, err := validNamespace(c, lookupNamespace)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if !valid {
+		http.Error(w, "namespace not valid", http.StatusBadRequest)
+		return
+	}
+
+	mountPath = getNamespaceSecretMountPath(mountPath, lookupNamespace)
+
 	files, err := ioutil.ReadDir(mountPath)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
@ -52,7 +71,7 @@ func listSecrets(c *containerd.Client, w http.ResponseWriter, r *http.Request, m

 	secrets := []types.Secret{}
 	for _, f := range files {
-		secrets = append(secrets, types.Secret{Name: f.Name()})
+		secrets = append(secrets, types.Secret{Name: f.Name(), Namespace: lookupNamespace})
 	}

 	bytesOut, _ := json.Marshal(secrets)
@ -67,7 +86,50 @@ func createSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request,
 		return
 	}

-	err = ioutil.WriteFile(path.Join(mountPath, secret.Name), []byte(secret.Value), secretFilePermission)
+	err = validateSecret(secret)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	log.Printf("[secret] is valid: %q", secret.Name)
+	namespace := getRequestNamespace(secret.Namespace)
+	mountPath = getNamespaceSecretMountPath(mountPath, namespace)
+
+	err = os.MkdirAll(mountPath, secretDirPermission)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	data := secret.RawValue
+	if len(data) == 0 {
+		data = []byte(secret.Value)
+	}
+
+	err = ioutil.WriteFile(path.Join(mountPath, secret.Name), data, secretFilePermission)
+
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+}
+
+func deleteSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
+	secret, err := parseSecret(r)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	namespace := getRequestNamespace(readNamespaceFromQuery(r))
+	mountPath = getNamespaceSecretMountPath(mountPath, namespace)
+
+	err = os.Remove(path.Join(mountPath, secret.Name))

 	if err != nil {
 		log.Printf("[secret] error %s", err.Error())
@ -84,22 +146,26 @@ func parseSecret(r *http.Request) (types.Secret, error) {
 	}

 	err = json.Unmarshal(bytesOut, &secret)
+	if err != nil {
+		return secret, err
+	}
+
 	return secret, err
 }

-func deleteSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
-	secret, err := parseSecret(r)
-	if err != nil {
-		log.Printf("[secret] error %s", err.Error())
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
+const traverseErrorSt = "directory traversal found in name"

-	err = os.Remove(path.Join(mountPath, secret.Name))
-
-	if err != nil {
-		log.Printf("[secret] error %s", err.Error())
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
+func isTraversal(name string) bool {
+	return strings.Contains(name, fmt.Sprintf("%s", string(os.PathSeparator))) ||
+		strings.Contains(name, "..")
+}
+
+func validateSecret(secret types.Secret) error {
+	if strings.TrimSpace(secret.Name) == "" {
+		return fmt.Errorf("non-empty name is required")
+	}
+	if isTraversal(secret.Name) {
+		return fmt.Errorf(traverseErrorSt)
+	}
+	return nil
 }
--- a/pkg/provider/handlers/secret_test.go
+++ b/pkg/provider/handlers/secret_test.go
@ -0,0 +1,163 @@
+package handlers
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/openfaas/faas-provider/types"
+)
+
+func Test_parseSecret(t *testing.T) {
+	cases := []struct {
+		name      string
+		payload   string
+		expError  string
+		expSecret types.Secret
+	}{
+		{
+			name:      "no error when name is valid without extention and with no traversal",
+			payload:   `{"name": "authorized_keys", "value": "foo"}`,
+			expSecret: types.Secret{Name: "authorized_keys", Value: "foo"},
+		},
+		{
+			name:      "no error when name is valid and parses RawValue correctly",
+			payload:   `{"name": "authorized_keys", "rawValue": "YmFy"}`,
+			expSecret: types.Secret{Name: "authorized_keys", RawValue: []byte("bar")},
+		},
+		{
+			name:      "no error when name is valid with dot and with no traversal",
+			payload:   `{"name": "authorized.keys", "value": "foo"}`,
+			expSecret: types.Secret{Name: "authorized.keys", Value: "foo"},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			reader := strings.NewReader(tc.payload)
+			r := httptest.NewRequest(http.MethodPost, "/", reader)
+			secret, err := parseSecret(r)
+			if err != nil && tc.expError == "" {
+				t.Fatalf("unexpected error: %s", err)
+				return
+			}
+
+			if tc.expError != "" {
+				if err == nil {
+					t.Fatalf("expected error: %s, got nil", tc.expError)
+				}
+				if err.Error() != tc.expError {
+					t.Fatalf("expected error: %s, got: %s", tc.expError, err)
+				}
+
+				return
+			}
+
+			if !reflect.DeepEqual(secret, tc.expSecret) {
+				t.Fatalf("expected secret: %+v, got: %+v", tc.expSecret, secret)
+			}
+		})
+	}
+}
+
+func TestSecretCreation(t *testing.T) {
+	mountPath, err := os.MkdirTemp("", "test_secret_creation")
+	if err != nil {
+		t.Fatalf("unexpected error while creating temp directory: %s", err)
+	}
+
+	defer os.RemoveAll(mountPath)
+
+	handler := MakeSecretHandler(nil, mountPath)
+
+	cases := []struct {
+		name       string
+		verb       string
+		payload    string
+		status     int
+		secretPath string
+		secret     string
+		err        string
+	}{
+		{
+			name:    "returns error when the name contains a traversal",
+			verb:    http.MethodPost,
+			payload: `{"name": "/root/.ssh/authorized_keys", "value": "foo"}`,
+			status:  http.StatusBadRequest,
+			err:     "directory traversal found in name\n",
+		},
+		{
+			name:    "returns error when the name contains a traversal",
+			verb:    http.MethodPost,
+			payload: `{"name": "..", "value": "foo"}`,
+			status:  http.StatusBadRequest,
+			err:     "directory traversal found in name\n",
+		},
+		{
+			name:    "empty request returns a validation error",
+			verb:    http.MethodPost,
+			payload: `{}`,
+			status:  http.StatusBadRequest,
+			err:     "non-empty name is required\n",
+		},
+		{
+			name:       "can create secret from string",
+			verb:       http.MethodPost,
+			payload:    `{"name": "foo", "value": "bar"}`,
+			status:     http.StatusOK,
+			secretPath: "/openfaas-fn/foo",
+			secret:     "bar",
+		},
+		{
+			name:       "can create secret from raw value",
+			verb:       http.MethodPost,
+			payload:    `{"name": "foo", "rawValue": "YmFy"}`,
+			status:     http.StatusOK,
+			secretPath: "/openfaas-fn/foo",
+			secret:     "bar",
+		},
+		{
+			name:       "can create secret in non-default namespace from raw value",
+			verb:       http.MethodPost,
+			payload:    `{"name": "pity", "rawValue": "dGhlIGZvbw==", "namespace": "a-team"}`,
+			status:     http.StatusOK,
+			secretPath: "/a-team/pity",
+			secret:     "the foo",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest(tc.verb, "http://example.com/foo", strings.NewReader(tc.payload))
+			w := httptest.NewRecorder()
+
+			handler(w, req)
+
+			resp := w.Result()
+			if resp.StatusCode != tc.status {
+				t.Logf("response body: %s", w.Body.String())
+				t.Fatalf("expected status: %d, got: %d", tc.status, resp.StatusCode)
+			}
+
+			if resp.StatusCode != http.StatusOK && w.Body.String() != tc.err {
+				t.Fatalf("expected error message: %q, got %q", tc.err, w.Body.String())
+
+			}
+
+			if tc.secretPath != "" {
+				data, err := os.ReadFile(filepath.Join(mountPath, tc.secretPath))
+				if err != nil {
+					t.Fatalf("can not read the secret from disk: %s", err)
+				}
+
+				if string(data) != tc.secret {
+					t.Fatalf("expected secret value: %s, got %s", tc.secret, string(data))
+				}
+			}
+		})
+	}
+}
--- a/pkg/provider/handlers/update.go
+++ b/pkg/provider/handlers/update.go
@ -8,15 +8,16 @@ import (
 	"log"
 	"net/http"

-	"github.com/openfaas/faasd/pkg/cninetwork"
-	"github.com/openfaas/faasd/pkg/service"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
 	gocni "github.com/containerd/go-cni"
 	"github.com/openfaas/faas-provider/types"
+
+	"github.com/openfaas/faasd/pkg/cninetwork"
+	"github.com/openfaas/faasd/pkg/service"
 )

-func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath string) func(w http.ResponseWriter, r *http.Request) {
+func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath string, alwaysPull bool) func(w http.ResponseWriter, r *http.Request) {

 	return func(w http.ResponseWriter, r *http.Request) {

@ -39,8 +40,23 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}
 		name := req.Service
+		namespace := getRequestNamespace(req.Namespace)

-		function, err := GetFunction(client, name)
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client, namespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		namespaceSecretMountPath := getNamespaceSecretMountPath(secretMountPath, namespace)
+
+		function, err := GetFunction(client, name, namespace)
 		if err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Update] %s\n", msg)
@ -48,12 +64,18 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}

-		err = validateSecrets(secretMountPath, req.Secrets)
+		err = validateSecrets(namespaceSecretMountPath, req.Secrets)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 		}

-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)
+
+		if _, err := prepull(ctx, req, client, alwaysPull); err != nil {
+			log.Printf("[Update] error with pre-pull: %s, %s\n", name, err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+
 		if function.replicas != 0 {
 			err = cninetwork.DeleteCNINetwork(ctx, cni, client, name)
 			if err != nil {
@ -61,19 +83,19 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			}
 		}

-		containerErr := service.Remove(ctx, client, name)
-		if containerErr != nil {
-			log.Printf("[Update] error removing %s, %s\n", name, containerErr)
-			http.Error(w, containerErr.Error(), http.StatusInternalServerError)
+		if err := service.Remove(ctx, client, name); err != nil {
+			log.Printf("[Update] error removing %s, %s\n", name, err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}

-		deployErr := deploy(ctx, req, client, cni, secretMountPath)
-		if deployErr != nil {
-			log.Printf("[Update] error deploying %s, error: %s\n", name, deployErr)
-			http.Error(w, deployErr.Error(), http.StatusBadRequest)
+		// The pull has already been done in prepull, so we can force this pull to "false"
+		pull := false
+
+		if err := deploy(ctx, req, client, cni, namespaceSecretMountPath, pull); err != nil {
+			log.Printf("[Update] error deploying %s, error: %s\n", name, err)
+			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
 		}
 	}
-
 }
--- a/pkg/provider/handlers/utils.go
+++ b/pkg/provider/handlers/utils.go
@ -0,0 +1,49 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"path"
+
+	"github.com/containerd/containerd"
+
+	"github.com/openfaas/faasd/pkg"
+	faasd "github.com/openfaas/faasd/pkg"
+)
+
+func getRequestNamespace(namespace string) string {
+
+	if len(namespace) > 0 {
+		return namespace
+	}
+	return faasd.DefaultFunctionNamespace
+}
+
+func readNamespaceFromQuery(r *http.Request) string {
+	q := r.URL.Query()
+	return q.Get("namespace")
+}
+
+func getNamespaceSecretMountPath(userSecretPath string, namespace string) string {
+	return path.Join(userSecretPath, namespace)
+}
+
+// validNamespace indicates whether the namespace is eligable to be
+// used for OpenFaaS functions.
+func validNamespace(client *containerd.Client, namespace string) (bool, error) {
+	if namespace == faasd.DefaultFunctionNamespace {
+		return true, nil
+	}
+
+	store := client.NamespaceService()
+	labels, err := store.Labels(context.Background(), namespace)
+	if err != nil {
+		return false, err
+	}
+
+	if value, found := labels[pkg.NamespaceLabel]; found && value == "true" {
+		return true, nil
+	}
+
+	return false, nil
+}
--- a/pkg/provider/handlers/utils_test.go
+++ b/pkg/provider/handlers/utils_test.go
@ -0,0 +1,75 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	faasd "github.com/openfaas/faasd/pkg"
+)
+
+func Test_getRequestNamespace(t *testing.T) {
+	tables := []struct {
+		name              string
+		requestNamespace  string
+		expectedNamespace string
+	}{
+		{name: "RequestNamespace is not provided", requestNamespace: "", expectedNamespace: faasd.DefaultFunctionNamespace},
+		{name: "RequestNamespace is provided", requestNamespace: "user-namespace", expectedNamespace: "user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+			actualNamespace := getRequestNamespace(tc.requestNamespace)
+			if actualNamespace != tc.expectedNamespace {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedNamespace)
+			}
+		})
+	}
+}
+
+func Test_getNamespaceSecretMountPath(t *testing.T) {
+	userSecretPath := "/var/openfaas/secrets"
+	tables := []struct {
+		name               string
+		requestNamespace   string
+		expectedSecretPath string
+	}{
+		{name: "Default Namespace is provided", requestNamespace: faasd.DefaultFunctionNamespace, expectedSecretPath: "/var/openfaas/secrets/" + faasd.DefaultFunctionNamespace},
+		{name: "User Namespace is provided", requestNamespace: "user-namespace", expectedSecretPath: "/var/openfaas/secrets/user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+			actualNamespace := getNamespaceSecretMountPath(userSecretPath, tc.requestNamespace)
+			if actualNamespace != tc.expectedSecretPath {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedSecretPath)
+			}
+		})
+	}
+}
+
+func Test_readNamespaceFromQuery(t *testing.T) {
+	tables := []struct {
+		name              string
+		queryNamespace    string
+		expectedNamespace string
+	}{
+		{name: "No Namespace is provided", queryNamespace: "", expectedNamespace: ""},
+		{name: "User Namespace is provided", queryNamespace: "user-namespace", expectedNamespace: "user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+
+			url := fmt.Sprintf("/test?namespace=%s", tc.queryNamespace)
+			r := httptest.NewRequest(http.MethodGet, url, nil)
+
+			actualNamespace := readNamespaceFromQuery(r)
+			if actualNamespace != tc.expectedNamespace {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedNamespace)
+			}
+		})
+	}
+}
--- a/pkg/proxy.go
+++ b/pkg/proxy.go
@ -1,122 +1,116 @@
 package pkg

 import (
-	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
+	"net"
 	"net/http"
+	"strconv"
+	"strings"

 	"time"
 )

-func NewProxy(port int, timeout time.Duration) *Proxy {
+// NewProxy creates a HTTP proxy to expose a host
+func NewProxy(upstream string, listenPort uint32, hostIP string, timeout time.Duration, resolver Resolver) *Proxy {

 	return &Proxy{
-		Port:    port,
-		Timeout: timeout,
+		Upstream: upstream,
+		Port:     listenPort,
+		HostIP:   hostIP,
+		Timeout:  timeout,
+		Resolver: resolver,
 	}
 }

+// Proxy for exposing a private container
 type Proxy struct {
 	Timeout time.Duration
-	Port    int
+
+	// Port on which to listen to traffic
+	Port uint32
+
+	// Upstream is where to send traffic when received
+	Upstream string
+
+	// The IP to use to bind locally
+	HostIP string
+
+	Resolver Resolver
 }

-func (p *Proxy) Start(gatewayChan chan string, done chan bool) error {
-	tcp := p.Port
+// Start listening and forwarding HTTP to the host
+func (p *Proxy) Start() error {

 	http.DefaultClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
 	}
-	ps := proxyState{
-		Host: "",
+	upstreamHost, upstreamPort, err := getUpstream(p.Upstream, p.Port)
+	if err != nil {
+		return err
 	}

-	ps.Host = <-gatewayChan
+	log.Printf("Looking up IP for: %q", upstreamHost)
+	got := make(chan string, 1)

-	log.Printf("Starting faasd proxy on %d\n", tcp)
+	go p.Resolver.Get(upstreamHost, got, time.Second*5)

-	fmt.Printf("Gateway: %s\n", ps.Host)
+	ipAddress := <-got
+	close(got)

-	s := &http.Server{
-		Addr:           fmt.Sprintf(":%d", tcp),
-		ReadTimeout:    p.Timeout,
-		WriteTimeout:   p.Timeout,
-		MaxHeaderBytes: 1 << 20, // Max header of 1MB
-		Handler:        http.HandlerFunc(makeProxy(&ps)),
+	upstreamAddr := fmt.Sprintf("%s:%d", ipAddress, upstreamPort)
+
+	localBind := fmt.Sprintf("%s:%d", p.HostIP, p.Port)
+	log.Printf("Proxy from: %s, to: %s (%s)\n", localBind, p.Upstream, ipAddress)
+
+	l, err := net.Listen("tcp", localBind)
+	if err != nil {
+		log.Printf("Error: %s", err.Error())
+		return err
 	}

-	go func() {
-		log.Printf("[proxy] Begin listen on %d\n", p.Port)
-		if err := s.ListenAndServe(); err != http.ErrServerClosed {
-			log.Printf("Error ListenAndServe: %v", err)
+	defer l.Close()
+	for {
+		// Wait for a connection.
+		conn, err := l.Accept()
+		if err != nil {
+			acceptErr := fmt.Errorf("Unable to accept on %d, error: %s",
+				p.Port,
+				err.Error())
+			log.Printf("%s", acceptErr.Error())
+			return acceptErr
 		}
-	}()

-	log.Println("[proxy] Wait for done")
-	<-done
-	log.Println("[proxy] Done received")
-	if err := s.Shutdown(context.Background()); err != nil {
-		log.Printf("[proxy] Error in Shutdown: %v", err)
-	}
+		upstream, err := net.Dial("tcp", upstreamAddr)

-	return nil
-}
+		if err != nil {
+			log.Printf("unable to dial to %s, error: %s", upstreamAddr, err.Error())
+			return err
+		}

-// copyHeaders clones the header values from the source into the destination.
-func copyHeaders(destination http.Header, source *http.Header) {
-	for k, v := range *source {
-		vClone := make([]string, len(v))
-		copy(vClone, v)
-		destination[k] = vClone
+		go pipe(conn, upstream)
+		go pipe(upstream, conn)
 	}
 }

-type proxyState struct {
-	Host string
+func pipe(from net.Conn, to net.Conn) {
+	defer from.Close()
+	io.Copy(from, to)
 }

-func makeProxy(ps *proxyState) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
+func getUpstream(val string, defaultPort uint32) (string, uint32, error) {
+	upstreamHostname := val
+	upstreamPort := defaultPort

-		query := ""
-		if len(r.URL.RawQuery) > 0 {
-			query = "?" + r.URL.RawQuery
+	if in := strings.Index(val, ":"); in > -1 {
+		upstreamHostname = val[:in]
+		port, err := strconv.ParseInt(val[in+1:], 10, 32)
+		if err != nil {
+			return "", defaultPort, err
 		}
-
-		upstream := fmt.Sprintf("http://%s%s%s", ps.Host, r.URL.Path, query)
-		fmt.Printf("[faasd] proxy: %s\n", upstream)
-
-		if r.Body != nil {
-			defer r.Body.Close()
-		}
-
-		wrapper := ioutil.NopCloser(r.Body)
-		upReq, upErr := http.NewRequest(r.Method, upstream, wrapper)
-
-		copyHeaders(upReq.Header, &r.Header)
-
-		if upErr != nil {
-			log.Println(upErr)
-
-			http.Error(w, upErr.Error(), http.StatusInternalServerError)
-			return
-		}
-
-		upRes, upResErr := http.DefaultClient.Do(upReq)
-
-		if upResErr != nil {
-			log.Println(upResErr)
-
-			http.Error(w, upResErr.Error(), http.StatusInternalServerError)
-			return
-		}
-
-		copyHeaders(w.Header(), &upRes.Header)
-
-		w.WriteHeader(upRes.StatusCode)
-		io.Copy(w, upRes.Body)
+		upstreamPort = uint32(port)
 	}
+
+	return upstreamHostname, upstreamPort, nil
 }
--- a/pkg/proxy_test.go
+++ b/pkg/proxy_test.go
@ -16,7 +16,7 @@ func Test_Proxy_ToPrivateServer(t *testing.T) {

 	wantBodyText := "OK"
 	wantBody := []byte(wantBodyText)
-	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	upstreamSvr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

 		if r.Body != nil {
 			defer r.Body.Close()
@ -27,17 +27,19 @@ func Test_Proxy_ToPrivateServer(t *testing.T) {

 	}))

-	defer upstream.Close()
+	defer upstreamSvr.Close()
 	port := 8080
-	proxy := NewProxy(port, time.Second*1)
+	u, _ := url.Parse(upstreamSvr.URL)
+	log.Println("Host", u.Host)
+
+	upstreamAddr := u.Host
+	proxy := NewProxy(upstreamAddr, 8080, "127.0.0.1", time.Second*1, &mockResolver{})

 	gwChan := make(chan string, 1)
 	doneCh := make(chan bool)

-	go proxy.Start(gwChan, doneCh)
+	go proxy.Start()

-	u, _ := url.Parse(upstream.URL)
-	log.Println("Host", u.Host)
 	wg := sync.WaitGroup{}
 	wg.Add(1)
 	go func() {
@ -71,3 +73,14 @@ func Test_Proxy_ToPrivateServer(t *testing.T) {
 		doneCh <- true
 	}()
 }
+
+type mockResolver struct {
+}
+
+func (m *mockResolver) Start() {
+
+}
+
+func (m *mockResolver) Get(upstream string, got chan<- string, timeout time.Duration) {
+	got <- upstream
+}
--- a/pkg/resolver.go
+++ b/pkg/resolver.go
@ -0,0 +1,12 @@
+package pkg
+
+import "time"
+
+// Resolver resolves an upstream IP address for a given upstream host
+type Resolver interface {
+	// Start any polling or connections required to resolve
+	Start()
+
+	// Get an IP address using an asynchronous operation
+	Get(upstream string, got chan<- string, timeout time.Duration)
+}
--- a/pkg/service/service.go
+++ b/pkg/service/service.go
@ -27,31 +27,34 @@ func Remove(ctx context.Context, client *containerd.Client, name string) error {
 	container, containerErr := client.LoadContainer(ctx, name)

 	if containerErr == nil {
-		found := true
+		taskFound := true
 		t, err := container.Task(ctx, nil)
 		if err != nil {
 			if errdefs.IsNotFound(err) {
-				found = false
+				taskFound = false
 			} else {
-				return fmt.Errorf("unable to get task %s: ", err)
+				return fmt.Errorf("unable to get task %w: ", err)
 			}
 		}

-		if found {
-			status, _ := t.Status(ctx)
-			fmt.Printf("Status of %s is: %s\n", name, status.Status)
-
-			log.Printf("Need to kill %s\n", name)
-			err := killTask(ctx, t)
+		if taskFound {
+			status, err := t.Status(ctx)
 			if err != nil {
-				return fmt.Errorf("error killing task %s, %s, %s", container.ID(), name, err)
+				log.Printf("Unable to get status for: %s, error: %s", name, err.Error())
+			} else {
+				log.Printf("Status of %s is: %s\n", name, status.Status)
+			}
+
+			log.Printf("Need to kill task: %s\n", name)
+			if err = killTask(ctx, t); err != nil {
+				return fmt.Errorf("error killing task %s, %s, %w", container.ID(), name, err)
 			}
 		}

-		err = container.Delete(ctx, containerd.WithSnapshotCleanup)
-		if err != nil {
-			return fmt.Errorf("error deleting container %s, %s, %s", container.ID(), name, err)
+		if err := container.Delete(ctx, containerd.WithSnapshotCleanup); err != nil {
+			return fmt.Errorf("error deleting container %s, %s, %w", container.ID(), name, err)
 		}
+
 	} else {
 		service := client.SnapshotService("")
 		key := name + "snapshot"
@ -70,14 +73,16 @@ func killTask(ctx context.Context, task containerd.Task) error {
 	wg := &sync.WaitGroup{}
 	wg.Add(1)
 	var err error
+
 	go func() {
 		defer wg.Done()
 		if task != nil {
 			wait, err := task.Wait(ctx)
 			if err != nil {
-				err = fmt.Errorf("error waiting on task: %s", err)
+				log.Printf("error waiting on task: %s", err)
 				return
 			}
+
 			if err := task.Kill(ctx, unix.SIGTERM, containerd.WithKillAll); err != nil {
 				log.Printf("error killing container task: %s", err)
 			}
@ -114,6 +119,7 @@ func getResolver(ctx context.Context, configFile *configfile.ConfigFile) (remote
 		}
 		return ac.Username, ac.Password, nil
 	}
+
 	authOpts := []docker.AuthorizerOpt{docker.WithAuthCreds(credFunc)}
 	authorizer := docker.NewDockerAuthorizer(authOpts...)
 	opts := docker.ResolverOptions{
@ -122,12 +128,13 @@ func getResolver(ctx context.Context, configFile *configfile.ConfigFile) (remote
 	return docker.NewResolver(opts), nil
 }

-func PrepareImage(ctx context.Context, client *containerd.Client, imageName, snapshotter string) (containerd.Image, error) {
+func PrepareImage(ctx context.Context, client *containerd.Client, imageName, snapshotter string, pullAlways bool) (containerd.Image, error) {
 	var (
 		empty    containerd.Image
 		resolver remotes.Resolver
 	)
-	if _, stErr := os.Stat(filepath.Join(dockerConfigDir, config.ConfigFileName)); stErr == nil {
+
+	if _, statErr := os.Stat(filepath.Join(dockerConfigDir, config.ConfigFileName)); statErr == nil {
 		configFile, err := config.Load(dockerConfigDir)
 		if err != nil {
 			return nil, err
@ -136,26 +143,32 @@ func PrepareImage(ctx context.Context, client *containerd.Client, imageName, sna
 		if err != nil {
 			return empty, err
 		}
-	} else if !os.IsNotExist(stErr) {
-		return empty, stErr
+	} else if !os.IsNotExist(statErr) {
+		return empty, statErr
 	}

-	image, err := client.GetImage(ctx, imageName)
-	if err != nil {
-		if !errdefs.IsNotFound(err) {
+	var image containerd.Image
+	if pullAlways {
+		img, err := pullImage(ctx, client, resolver, imageName)
+		if err != nil {
 			return empty, err
 		}
-		rOpts := []containerd.RemoteOpt{
-			containerd.WithPullUnpack,
-		}
-		if resolver != nil {
-			rOpts = append(rOpts, containerd.WithResolver(resolver))
-		}
-		img, err := client.Pull(ctx, imageName, rOpts...)
-		if err != nil {
-			return empty, fmt.Errorf("cannot pull: %s", err)
-		}
+
 		image = img
+	} else {
+		img, err := client.GetImage(ctx, imageName)
+		if err != nil {
+			if !errdefs.IsNotFound(err) {
+				return empty, err
+			}
+			img, err := pullImage(ctx, client, resolver, imageName)
+			if err != nil {
+				return empty, err
+			}
+			image = img
+		} else {
+			image = img
+		}
 	}

 	unpacked, err := image.IsUnpacked(ctx, snapshotter)
@ -171,3 +184,23 @@ func PrepareImage(ctx context.Context, client *containerd.Client, imageName, sna

 	return image, nil
 }
+
+func pullImage(ctx context.Context, client *containerd.Client, resolver remotes.Resolver, imageName string) (containerd.Image, error) {
+
+	var empty containerd.Image
+
+	rOpts := []containerd.RemoteOpt{
+		containerd.WithPullUnpack,
+	}
+
+	if resolver != nil {
+		rOpts = append(rOpts, containerd.WithResolver(resolver))
+	}
+
+	img, err := client.Pull(ctx, imageName, rOpts...)
+	if err != nil {
+		return empty, fmt.Errorf("cannot pull: %s", err)
+	}
+
+	return img, nil
+}
--- a/pkg/supervisor.go
+++ b/pkg/supervisor.go
@ -7,33 +7,48 @@ import (
 	"log"
 	"os"
 	"path"
+	"sort"

-	"github.com/openfaas/faasd/pkg/cninetwork"
-	"github.com/openfaas/faasd/pkg/service"
+	"github.com/alexellis/k3sup/pkg/env"
+	"github.com/compose-spec/compose-go/loader"
+	compose "github.com/compose-spec/compose-go/types"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
 	gocni "github.com/containerd/go-cni"
+	"github.com/openfaas/faasd/pkg/cninetwork"
+	"github.com/openfaas/faasd/pkg/service"
+	"github.com/pkg/errors"

 	"github.com/containerd/containerd/namespaces"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )

 const (
-	defaultSnapshotter         = "overlayfs"
 	workingDirectoryPermission = 0644
-	// faasdNamespace is the containerd namespace services are created
-	faasdNamespace = "default"
 )

 type Service struct {
-	Image  string
-	Env    []string
-	Name   string
-	Mounts []Mount
-	Caps   []string
-	Args   []string
+	// Image is the container image registry reference, in an OCI format.
+	Image     string
+	Env       []string
+	Name      string
+	Mounts    []Mount
+	Caps      []string
+	Args      []string
+	DependsOn []string
+	Ports     []ServicePort
+
+	// User in the docker-compose.yaml spec can set as follows:
+	// a user-id, username, userid:groupid or user:group
+	User string
+}
+
+type ServicePort struct {
+	TargetPort uint32
+	Port       uint32
+	HostIP     string
 }

 type Mount struct {
@ -64,7 +79,7 @@ func NewSupervisor(sock string) (*Supervisor, error) {
 }

 func (s *Supervisor) Start(svcs []Service) error {
-	ctx := namespaces.WithNamespace(context.Background(), faasdNamespace)
+	ctx := namespaces.WithNamespace(context.Background(), FaasdNamespace)

 	wd, _ := os.Getwd()

@ -86,9 +101,9 @@ func (s *Supervisor) Start(svcs []Service) error {
 	images := map[string]containerd.Image{}

 	for _, svc := range svcs {
-		fmt.Printf("Preparing: %s with image: %s\n", svc.Name, svc.Image)
+		fmt.Printf("Preparing %s with image: %s\n", svc.Name, svc.Image)

-		img, err := service.PrepareImage(ctx, s.client, svc.Image, defaultSnapshotter)
+		img, err := service.PrepareImage(ctx, s.client, svc.Image, defaultSnapshotter, faasServicesPullAlways)
 		if err != nil {
 			return err
 		}
@ -98,12 +113,26 @@ func (s *Supervisor) Start(svcs []Service) error {
 	}

 	for _, svc := range svcs {
-		fmt.Printf("Reconciling: %s\n", svc.Name)
-
+		fmt.Printf("Removing old container for: %s\n", svc.Name)
 		containerErr := service.Remove(ctx, s.client, svc.Name)
 		if containerErr != nil {
 			return containerErr
 		}
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	for _, key := range order {
+
+		var svc *Service
+		for _, s := range svcs {
+			if s.Name == key {
+				svc = &s
+				break
+			}
+		}
+
+		fmt.Printf("Starting: %s\n", svc.Name)

 		image := images[svc.Name]

@ -117,7 +146,6 @@ func (s *Supervisor) Start(svcs []Service) error {
 					Options:     []string{"rbind", "rw"},
 				})
 			}
-
 		}

 		mounts = append(mounts, specs.Mount{
@ -134,59 +162,67 @@ func (s *Supervisor) Start(svcs []Service) error {
 			Options:     []string{"rbind", "ro"},
 		})

-		newContainer, containerCreateErr := s.client.NewContainer(
+		if len(svc.User) > 0 {
+			log.Printf("Running %s with user: %q", svc.Name, svc.User)
+		}
+
+		newContainer, err := s.client.NewContainer(
 			ctx,
 			svc.Name,
 			containerd.WithImage(image),
 			containerd.WithNewSnapshot(svc.Name+"-snapshot", image),
 			containerd.WithNewSpec(oci.WithImageConfig(image),
+				oci.WithHostname(svc.Name),
+				withUserOrDefault(svc.User),
 				oci.WithCapabilities(svc.Caps),
 				oci.WithMounts(mounts),
 				withOCIArgs(svc.Args),
 				oci.WithEnv(svc.Env)),
 		)

-		if containerCreateErr != nil {
-			log.Printf("Error creating container %s\n", containerCreateErr)
-			return containerCreateErr
+		if err != nil {
+			log.Printf("Error creating container: %s\n", err)
+			return err
 		}

-		log.Printf("Created container %s\n", newContainer.ID())
+		log.Printf("Created container: %s\n", newContainer.ID())

-		task, err := newContainer.NewTask(ctx, cio.NewCreator(cio.WithStdio))
+		task, err := newContainer.NewTask(ctx, cio.BinaryIO("/usr/local/bin/faasd", nil))
 		if err != nil {
 			log.Printf("Error creating task: %s\n", err)
 			return err
 		}

 		labels := map[string]string{}
-		network, err := cninetwork.CreateCNINetwork(ctx, s.cni, task, labels)
-
+		_, err = cninetwork.CreateCNINetwork(ctx, s.cni, task, labels)
 		if err != nil {
+			log.Printf("Error creating CNI for %s: %s", svc.Name, err)
 			return err
 		}

-		ip, err := cninetwork.GetIPAddress(network, task)
+		ip, err := cninetwork.GetIPAddress(svc.Name, task.Pid())
 		if err != nil {
+			log.Printf("Error getting IP for %s: %s", svc.Name, err)
 			return err
 		}
-		log.Printf("%s has IP: %s\n", newContainer.ID(), ip.String())

-		hosts, _ := ioutil.ReadFile("hosts")
+		log.Printf("%s has IP: %s\n", newContainer.ID(), ip)
+
+		hosts, err := ioutil.ReadFile("hosts")
+		if err != nil {
+			log.Printf("Unable to read hosts file: %s\n", err.Error())
+		}

 		hosts = []byte(string(hosts) + fmt.Sprintf(`
 %s	%s
 `, ip, svc.Name))
-		writeErr := ioutil.WriteFile("hosts", hosts, workingDirectoryPermission)

-		if writeErr != nil {
-			log.Printf("Error writing file %s %s\n", "hosts", writeErr)
+		if err := ioutil.WriteFile("hosts", hosts, workingDirectoryPermission); err != nil {
+			log.Printf("Error writing file: %s %s\n", "hosts", err)
 		}
-		// os.Chown("hosts", 101, 101)

-		_, err = task.Wait(ctx)
-		if err != nil {
-			log.Printf("Wait err: %s\n", err)
+		if _, err := task.Wait(ctx); err != nil {
+			log.Printf("Task wait error: %s\n", err)
 			return err
 		}

@ -194,7 +230,7 @@ func (s *Supervisor) Start(svcs []Service) error {
 		// log.Println("Exited: ", exitStatusC)

 		if err = task.Start(ctx); err != nil {
-			log.Printf("Task err: %s\n", err)
+			log.Printf("Task start error: %s\n", err)
 			return err
 		}
 	}
@ -207,7 +243,7 @@ func (s *Supervisor) Close() {
 }

 func (s *Supervisor) Remove(svcs []Service) error {
-	ctx := namespaces.WithNamespace(context.Background(), faasdNamespace)
+	ctx := namespaces.WithNamespace(context.Background(), FaasdNamespace)

 	for _, svc := range svcs {
 		err := cninetwork.DeleteCNINetwork(ctx, s.cni, s.client, svc.Name)
@ -224,6 +260,16 @@ func (s *Supervisor) Remove(svcs []Service) error {
 	return nil
 }

+func withUserOrDefault(userstr string) oci.SpecOpts {
+	if len(userstr) > 0 {
+		return oci.WithUser(userstr)
+	}
+
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+		return nil
+	}
+}
+
 func withOCIArgs(args []string) oci.SpecOpts {
 	if len(args) > 0 {
 		return oci.WithProcessArgs(args...)
@ -233,3 +279,137 @@ func withOCIArgs(args []string) oci.SpecOpts {
 		return nil
 	}
 }
+
+// ParseCompose converts a docker-compose Config into a service list that we can
+// pass to the supervisor client Start.
+//
+// The only anticipated error is a failure if the value mounts are not of type 	`bind`.
+func ParseCompose(config *compose.Config) ([]Service, error) {
+	services := make([]Service, len(config.Services))
+	for idx, s := range config.Services {
+		// environment is a map[string]*string
+		// but we want a []string
+
+		var env []string
+
+		envKeys := sortedEnvKeys(s.Environment)
+		for _, name := range envKeys {
+			value := s.Environment[name]
+			if value == nil {
+				env = append(env, fmt.Sprintf(`%s=""`, name))
+			} else {
+				env = append(env, fmt.Sprintf(`%s=%s`, name, *value))
+			}
+		}
+
+		var mounts []Mount
+		for _, v := range s.Volumes {
+			if v.Type != "bind" {
+				return nil, errors.Errorf("unsupported volume mount type '%s' when parsing service '%s'", v.Type, s.Name)
+			}
+			mounts = append(mounts, Mount{
+				Src:  v.Source,
+				Dest: v.Target,
+			})
+		}
+
+		services[idx] = Service{
+			Name:  s.Name,
+			Image: s.Image,
+			// ShellCommand is just an alias of string slice
+			Args:      []string(s.Command),
+			Caps:      s.CapAdd,
+			Env:       env,
+			Mounts:    mounts,
+			DependsOn: s.DependsOn,
+			User:      s.User,
+			Ports:     convertPorts(s.Ports),
+		}
+	}
+
+	return services, nil
+}
+
+func convertPorts(ports []compose.ServicePortConfig) []ServicePort {
+	servicePorts := []ServicePort{}
+	for _, p := range ports {
+		servicePorts = append(servicePorts, ServicePort{
+			Port:       p.Published,
+			TargetPort: p.Target,
+			HostIP:     p.HostIP,
+		})
+	}
+
+	return servicePorts
+}
+
+// LoadComposeFile is a helper method for loading a docker-compose file
+func LoadComposeFile(wd string, file string) (*compose.Config, error) {
+	return LoadComposeFileWithArch(wd, file, env.GetClientArch)
+}
+
+// LoadComposeFileWithArch is a helper method for loading a docker-compose file
+func LoadComposeFileWithArch(wd string, file string, archGetter ArchGetter) (*compose.Config, error) {
+
+	file = path.Join(wd, file)
+	b, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := loader.ParseYAML(b)
+	if err != nil {
+		return nil, err
+	}
+
+	archSuffix, err := GetArchSuffix(archGetter)
+	if err != nil {
+		return nil, err
+	}
+
+	var files []compose.ConfigFile
+	files = append(files, compose.ConfigFile{Filename: file, Config: config})
+
+	return loader.Load(compose.ConfigDetails{
+		WorkingDir:  wd,
+		ConfigFiles: files,
+		Environment: map[string]string{
+			"ARCH_SUFFIX": archSuffix,
+		},
+	})
+}
+
+func sortedEnvKeys(env map[string]*string) (keys []string) {
+	for k := range env {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// ArchGetter provides client CPU architecture and
+// client OS
+type ArchGetter func() (string, string)
+
+// GetArchSuffix provides client CPU architecture and
+// client OS from ArchGetter
+func GetArchSuffix(getClientArch ArchGetter) (suffix string, err error) {
+	clientArch, clientOS := getClientArch()
+
+	if clientOS != "Linux" {
+		return "", fmt.Errorf("you can only use faasd with Linux")
+	}
+
+	switch clientArch {
+	case "x86_64":
+		// no suffix needed
+		return "", nil
+	case "armhf", "armv7l":
+		return "-armhf", nil
+	case "arm64", "aarch64":
+		return "-arm64", nil
+	default:
+		// unknown, so use the default without suffix for now
+		return "", nil
+	}
+}
--- a/pkg/supervisor_test.go
+++ b/pkg/supervisor_test.go
@ -0,0 +1,262 @@
+package pkg
+
+import (
+	"path"
+	"reflect"
+	"testing"
+)
+
+func Test_ParseCompose(t *testing.T) {
+
+	wd := "testdata"
+
+	want := map[string]Service{
+		"basic-auth-plugin": {
+			Name:  "basic-auth-plugin",
+			Image: "docker.io/openfaas/basic-auth-plugin:0.18.17",
+			Env: []string{
+				"pass_filename=basic-auth-password",
+				"port=8080",
+				"secret_mount_path=/run/secrets",
+				"user_filename=basic-auth-user",
+			},
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-password"),
+					Dest: path.Join("/run/secrets", "basic-auth-password"),
+				},
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-user"),
+					Dest: path.Join("/run/secrets", "basic-auth-user"),
+				},
+			},
+			Caps: []string{"CAP_NET_RAW"},
+		},
+		"nats": {
+			Name:  "nats",
+			Image: "docker.io/library/nats-streaming:0.11.2",
+			Args:  []string{"/nats-streaming-server", "-m", "8222", "--store=memory", "--cluster_id=faas-cluster"},
+		},
+		"prometheus": {
+			Name:  "prometheus",
+			Image: "docker.io/prom/prometheus:v2.14.0",
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "prometheus.yml"),
+					Dest: "/etc/prometheus/prometheus.yml",
+				},
+			},
+			Caps: []string{"CAP_NET_RAW"},
+		},
+		"gateway": {
+			Name: "gateway",
+			Env: []string{
+				"auth_proxy_pass_body=false",
+				"auth_proxy_url=http://basic-auth-plugin:8080/validate",
+				"basic_auth=true",
+				"direct_functions=false",
+				"faas_nats_address=nats",
+				"faas_nats_port=4222",
+				"functions_provider_url=http://faasd-provider:8081/",
+				"read_timeout=60s",
+				"scale_from_zero=true",
+				"secret_mount_path=/run/secrets",
+				"upstream_timeout=65s",
+				"write_timeout=60s",
+			},
+			Image: "docker.io/openfaas/gateway:0.18.17",
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-password"),
+					Dest: path.Join("/run/secrets", "basic-auth-password"),
+				},
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-user"),
+					Dest: path.Join("/run/secrets", "basic-auth-user"),
+				},
+			},
+			Caps:      []string{"CAP_NET_RAW"},
+			DependsOn: []string{"nats"},
+		},
+		"queue-worker": {
+			Name: "queue-worker",
+			Env: []string{
+				"ack_wait=5m5s",
+				"basic_auth=true",
+				"faas_gateway_address=gateway",
+				"faas_nats_address=nats",
+				"faas_nats_port=4222",
+				"gateway_invoke=true",
+				"max_inflight=1",
+				"secret_mount_path=/run/secrets",
+				"write_debug=false",
+			},
+			Image: "docker.io/openfaas/queue-worker:0.11.2",
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-password"),
+					Dest: path.Join("/run/secrets", "basic-auth-password"),
+				},
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-user"),
+					Dest: path.Join("/run/secrets", "basic-auth-user"),
+				},
+			},
+			Caps: []string{"CAP_NET_RAW"},
+		},
+	}
+
+	compose, err := LoadComposeFileWithArch(wd, "docker-compose.yaml", func() (string, string) { return "x86_64", "Linux" })
+	if err != nil {
+		t.Fatalf("can't read docker-compose file: %s", err)
+	}
+
+	services, err := ParseCompose(compose)
+	if err != nil {
+		t.Fatalf("can't parse compose services: %s", err)
+	}
+
+	if len(services) != len(want) {
+		t.Fatalf("want: %d services, got: %d", len(want), len(services))
+	}
+
+	for _, service := range services {
+		exp, ok := want[service.Name]
+
+		if service.Name == "gateway" {
+			if len(service.DependsOn) == 0 {
+				t.Fatalf("gateway should have at least one depends_on entry")
+			}
+		}
+
+		if !ok {
+			t.Fatalf("incorrect service: %s", service.Name)
+		}
+
+		if service.Name != exp.Name {
+			t.Fatalf("incorrect service Name:\n\twant: %s,\n\tgot: %s", exp.Name, service.Name)
+		}
+
+		if service.Image != exp.Image {
+			t.Fatalf("incorrect service Image:\n\twant: %s,\n\tgot: %s", exp.Image, service.Image)
+		}
+
+		equalStringSlice(t, exp.Env, service.Env)
+		equalStringSlice(t, exp.Caps, service.Caps)
+		equalStringSlice(t, exp.Args, service.Args)
+
+		if !reflect.DeepEqual(exp.Mounts, service.Mounts) {
+			t.Fatalf("incorrect service Mounts:\n\twant: %+v,\n\tgot: %+v", exp.Mounts, service.Mounts)
+		}
+	}
+}
+
+func equalStringSlice(t *testing.T, want, found []string) {
+	t.Helper()
+	if (want == nil) != (found == nil) {
+		t.Fatalf("unexpected nil slice: want %+v, got %+v", want, found)
+	}
+
+	if len(want) != len(found) {
+		t.Fatalf("unequal slice length: want %+v, got %+v", want, found)
+	}
+
+	for i := range want {
+		if want[i] != found[i] {
+			t.Fatalf("unexpected value at postition %d: want %s, got %s", i, want[i], found[i])
+		}
+	}
+}
+
+func equalMountSlice(t *testing.T, want, found []Mount) {
+	t.Helper()
+	if (want == nil) != (found == nil) {
+		t.Fatalf("unexpected nil slice: want %+v, got %+v", want, found)
+	}
+
+	if len(want) != len(found) {
+		t.Fatalf("unequal slice length: want %+v, got %+v", want, found)
+	}
+
+	for i := range want {
+		if !reflect.DeepEqual(want[i], found[i]) {
+			t.Fatalf("unexpected value at postition %d: want %s, got %s", i, want[i], found[i])
+		}
+	}
+}
+
+func Test_GetArchSuffix(t *testing.T) {
+	cases := []struct {
+		name      string
+		want      string
+		foundArch string
+		foundOS   string
+		err       string
+	}{
+		{
+			name:    "error if os is not linux",
+			foundOS: "mac",
+			err:     "you can only use faasd with Linux",
+		},
+		{
+			name:      "x86 has no suffix",
+			foundOS:   "Linux",
+			foundArch: "x86_64",
+			want:      "",
+		},
+		{
+			name:      "unknown arch has no suffix",
+			foundOS:   "Linux",
+			foundArch: "anything_else",
+			want:      "",
+		},
+		{
+			name:      "armhf has armhf suffix",
+			foundOS:   "Linux",
+			foundArch: "armhf",
+			want:      "-armhf",
+		},
+		{
+			name:      "armv7l has armhf suffix",
+			foundOS:   "Linux",
+			foundArch: "armv7l",
+			want:      "-armhf",
+		},
+		{
+			name:      "arm64 has arm64 suffix",
+			foundOS:   "Linux",
+			foundArch: "arm64",
+			want:      "-arm64",
+		},
+		{
+			name:      "aarch64 has arm64 suffix",
+			foundOS:   "Linux",
+			foundArch: "aarch64",
+			want:      "-arm64",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+
+			suffix, err := GetArchSuffix(testArchGetter(tc.foundArch, tc.foundOS))
+			if tc.err != "" && err == nil {
+				t.Fatalf("want error %s but got nil", tc.err)
+			} else if tc.err != "" && err.Error() != tc.err {
+				t.Fatalf("want error %s, got %s", tc.err, err.Error())
+			} else if tc.err == "" && err != nil {
+				t.Fatalf("unexpected error %s", err.Error())
+			}
+
+			if suffix != tc.want {
+				t.Fatalf("want suffix %s, got %s", tc.want, suffix)
+			}
+		})
+	}
+}
+
+func testArchGetter(arch, os string) ArchGetter {
+	return func() (string, string) {
+		return arch, os
+	}
+}
--- a/pkg/testdata/docker-compose.yaml
+++ b/pkg/testdata/docker-compose.yaml
@ -0,0 +1,98 @@
+version: "3.7"
+services:
+  basic-auth-plugin:
+    image: "docker.io/openfaas/basic-auth-plugin:0.18.17${ARCH_SUFFIX}"
+    environment:
+      - port=8080
+      - secret_mount_path=/run/secrets
+      - user_filename=basic-auth-user
+      - pass_filename=basic-auth-password
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+
+  nats:
+    image: docker.io/library/nats-streaming:0.11.2
+    command:
+      - "/nats-streaming-server"
+      - "-m"
+      - "8222"
+      - "--store=memory"
+      - "--cluster_id=faas-cluster"
+    ports:
+       - "127.0.0.1:8222:8222"
+
+  prometheus:
+    image: docker.io/prom/prometheus:v2.14.0
+    volumes:
+      - type: bind
+        source: ./prometheus.yml
+        target: /etc/prometheus/prometheus.yml
+    cap_add:
+      - CAP_NET_RAW
+    ports:
+       - "127.0.0.1:9090:9090"
+
+  gateway:
+    image: "docker.io/openfaas/gateway:0.18.17${ARCH_SUFFIX}"
+    environment:
+      - basic_auth=true
+      - functions_provider_url=http://faasd-provider:8081/
+      - direct_functions=false
+      - read_timeout=60s
+      - write_timeout=60s
+      - upstream_timeout=65s
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - auth_proxy_url=http://basic-auth-plugin:8080/validate
+      - auth_proxy_pass_body=false
+      - secret_mount_path=/run/secrets
+      - scale_from_zero=true
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - basic-auth-plugin
+      - nats
+      - prometheus
+    ports:
+       - "8080:8080"
+
+  queue-worker:
+    image: docker.io/openfaas/queue-worker:0.11.2
+    environment:
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - gateway_invoke=true
+      - faas_gateway_address=gateway
+      - ack_wait=5m5s
+      - max_inflight=1
+      - write_debug=false
+      - basic_auth=true
+      - secret_mount_path=/run/secrets
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - nats
--- a/vendor/github.com/Microsoft/go-winio/CODEOWNERS
+++ b/vendor/github.com/Microsoft/go-winio/CODEOWNERS
@ -0,0 +1 @@
+  * @microsoft/containerplat
--- a/vendor/github.com/Microsoft/go-winio/backuptar/noop.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/noop.go
@ -0,0 +1,4 @@
+// +build !windows
+// This file only exists to allow go get on non-Windows platforms.
+
+package backuptar
--- a/vendor/github.com/containerd/containerd/archive/strconv.go
+++ b/vendor/github.com/containerd/containerd/archive/strconv.go
@ -1,34 +1,16 @@
-// +build windows
-
-/*
-   Copyright The containerd Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package archive
+package backuptar

 import (
+	"archive/tar"
+	"fmt"
 	"strconv"
 	"strings"
 	"time"
-
-	"archive/tar"
 )

-// Forked from https://github.com/golang/go/blob/master/src/archive/tar/strconv.go
-// as archive/tar doesn't support CreationTime, but does handle PAX time parsing,
-// and there's no need to re-invent the wheel.
+// Functions copied from https://github.com/golang/go/blob/master/src/archive/tar/strconv.go
+// as we need to manage the LIBARCHIVE.creationtime PAXRecord manually.
+// Idea taken from containerd which did the same thing.

 // parsePAXTime takes a string of the form %d.%d as described in the PAX
 // specification. Note that this implementation allows for negative timestamps,
@ -62,7 +44,25 @@ func parsePAXTime(s string) (time.Time, error) {
 	}
 	nsecs, _ := strconv.ParseInt(sn, 10, 64) // Must succeed
 	if len(ss) > 0 && ss[0] == '-' {
-		return time.Unix(secs, -nsecs), nil // Negative correction
+		return time.Unix(secs, -1*nsecs), nil // Negative correction
 	}
 	return time.Unix(secs, nsecs), nil
 }
+
+// formatPAXTime converts ts into a time of the form %d.%d as described in the
+// PAX specification. This function is capable of negative timestamps.
+func formatPAXTime(ts time.Time) (s string) {
+	secs, nsecs := ts.Unix(), ts.Nanosecond()
+	if nsecs == 0 {
+		return strconv.FormatInt(secs, 10)
+	}
+
+	// If seconds is negative, then perform correction.
+	sign := ""
+	if secs < 0 {
+		sign = "-"             // Remember sign
+		secs = -(secs + 1)     // Add a second to secs
+		nsecs = -(nsecs - 1e9) // Take that second away from nsecs
+	}
+	return strings.TrimRight(fmt.Sprintf("%s%d.%09d", sign, secs, nsecs), "0")
+}
--- a/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
@ -0,0 +1,452 @@
+// +build windows
+
+package backuptar
+
+import (
+	"archive/tar"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/Microsoft/go-winio"
+	"golang.org/x/sys/windows"
+)
+
+const (
+	c_ISUID  = 04000   // Set uid
+	c_ISGID  = 02000   // Set gid
+	c_ISVTX  = 01000   // Save text (sticky bit)
+	c_ISDIR  = 040000  // Directory
+	c_ISFIFO = 010000  // FIFO
+	c_ISREG  = 0100000 // Regular file
+	c_ISLNK  = 0120000 // Symbolic link
+	c_ISBLK  = 060000  // Block special file
+	c_ISCHR  = 020000  // Character special file
+	c_ISSOCK = 0140000 // Socket
+)
+
+const (
+	hdrFileAttributes        = "MSWINDOWS.fileattr"
+	hdrSecurityDescriptor    = "MSWINDOWS.sd"
+	hdrRawSecurityDescriptor = "MSWINDOWS.rawsd"
+	hdrMountPoint            = "MSWINDOWS.mountpoint"
+	hdrEaPrefix              = "MSWINDOWS.xattr."
+
+	hdrCreationTime = "LIBARCHIVE.creationtime"
+)
+
+func writeZeroes(w io.Writer, count int64) error {
+	buf := make([]byte, 8192)
+	c := len(buf)
+	for i := int64(0); i < count; i += int64(c) {
+		if int64(c) > count-i {
+			c = int(count - i)
+		}
+		_, err := w.Write(buf[:c])
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func copySparse(t *tar.Writer, br *winio.BackupStreamReader) error {
+	curOffset := int64(0)
+	for {
+		bhdr, err := br.Next()
+		if err == io.EOF {
+			err = io.ErrUnexpectedEOF
+		}
+		if err != nil {
+			return err
+		}
+		if bhdr.Id != winio.BackupSparseBlock {
+			return fmt.Errorf("unexpected stream %d", bhdr.Id)
+		}
+
+		// archive/tar does not support writing sparse files
+		// so just write zeroes to catch up to the current offset.
+		err = writeZeroes(t, bhdr.Offset-curOffset)
+		if bhdr.Size == 0 {
+			break
+		}
+		n, err := io.Copy(t, br)
+		if err != nil {
+			return err
+		}
+		curOffset = bhdr.Offset + n
+	}
+	return nil
+}
+
+// BasicInfoHeader creates a tar header from basic file information.
+func BasicInfoHeader(name string, size int64, fileInfo *winio.FileBasicInfo) *tar.Header {
+	hdr := &tar.Header{
+		Format:     tar.FormatPAX,
+		Name:       filepath.ToSlash(name),
+		Size:       size,
+		Typeflag:   tar.TypeReg,
+		ModTime:    time.Unix(0, fileInfo.LastWriteTime.Nanoseconds()),
+		ChangeTime: time.Unix(0, fileInfo.ChangeTime.Nanoseconds()),
+		AccessTime: time.Unix(0, fileInfo.LastAccessTime.Nanoseconds()),
+		PAXRecords: make(map[string]string),
+	}
+	hdr.PAXRecords[hdrFileAttributes] = fmt.Sprintf("%d", fileInfo.FileAttributes)
+	hdr.PAXRecords[hdrCreationTime] = formatPAXTime(time.Unix(0, fileInfo.CreationTime.Nanoseconds()))
+
+	if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
+		hdr.Mode |= c_ISDIR
+		hdr.Size = 0
+		hdr.Typeflag = tar.TypeDir
+	}
+	return hdr
+}
+
+// WriteTarFileFromBackupStream writes a file to a tar writer using data from a Win32 backup stream.
+//
+// This encodes Win32 metadata as tar pax vendor extensions starting with MSWINDOWS.
+//
+// The additional Win32 metadata is:
+//
+// MSWINDOWS.fileattr: The Win32 file attributes, as a decimal value
+//
+// MSWINDOWS.rawsd: The Win32 security descriptor, in raw binary format
+//
+// MSWINDOWS.mountpoint: If present, this is a mount point and not a symlink, even though the type is '2' (symlink)
+func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size int64, fileInfo *winio.FileBasicInfo) error {
+	name = filepath.ToSlash(name)
+	hdr := BasicInfoHeader(name, size, fileInfo)
+
+	// If r can be seeked, then this function is two-pass: pass 1 collects the
+	// tar header data, and pass 2 copies the data stream. If r cannot be
+	// seeked, then some header data (in particular EAs) will be silently lost.
+	var (
+		restartPos int64
+		err        error
+	)
+	sr, readTwice := r.(io.Seeker)
+	if readTwice {
+		if restartPos, err = sr.Seek(0, io.SeekCurrent); err != nil {
+			readTwice = false
+		}
+	}
+
+	br := winio.NewBackupStreamReader(r)
+	var dataHdr *winio.BackupHeader
+	for dataHdr == nil {
+		bhdr, err := br.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+		switch bhdr.Id {
+		case winio.BackupData:
+			hdr.Mode |= c_ISREG
+			if !readTwice {
+				dataHdr = bhdr
+			}
+		case winio.BackupSecurity:
+			sd, err := ioutil.ReadAll(br)
+			if err != nil {
+				return err
+			}
+			hdr.PAXRecords[hdrRawSecurityDescriptor] = base64.StdEncoding.EncodeToString(sd)
+
+		case winio.BackupReparseData:
+			hdr.Mode |= c_ISLNK
+			hdr.Typeflag = tar.TypeSymlink
+			reparseBuffer, err := ioutil.ReadAll(br)
+			rp, err := winio.DecodeReparsePoint(reparseBuffer)
+			if err != nil {
+				return err
+			}
+			if rp.IsMountPoint {
+				hdr.PAXRecords[hdrMountPoint] = "1"
+			}
+			hdr.Linkname = rp.Target
+
+		case winio.BackupEaData:
+			eab, err := ioutil.ReadAll(br)
+			if err != nil {
+				return err
+			}
+			eas, err := winio.DecodeExtendedAttributes(eab)
+			if err != nil {
+				return err
+			}
+			for _, ea := range eas {
+				// Use base64 encoding for the binary value. Note that there
+				// is no way to encode the EA's flags, since their use doesn't
+				// make any sense for persisted EAs.
+				hdr.PAXRecords[hdrEaPrefix+ea.Name] = base64.StdEncoding.EncodeToString(ea.Value)
+			}
+
+		case winio.BackupAlternateData, winio.BackupLink, winio.BackupPropertyData, winio.BackupObjectId, winio.BackupTxfsData:
+			// ignore these streams
+		default:
+			return fmt.Errorf("%s: unknown stream ID %d", name, bhdr.Id)
+		}
+	}
+
+	err = t.WriteHeader(hdr)
+	if err != nil {
+		return err
+	}
+
+	if readTwice {
+		// Get back to the data stream.
+		if _, err = sr.Seek(restartPos, io.SeekStart); err != nil {
+			return err
+		}
+		for dataHdr == nil {
+			bhdr, err := br.Next()
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				return err
+			}
+			if bhdr.Id == winio.BackupData {
+				dataHdr = bhdr
+			}
+		}
+	}
+
+	if dataHdr != nil {
+		// A data stream was found. Copy the data.
+		if (dataHdr.Attributes & winio.StreamSparseAttributes) == 0 {
+			if size != dataHdr.Size {
+				return fmt.Errorf("%s: mismatch between file size %d and header size %d", name, size, dataHdr.Size)
+			}
+			_, err = io.Copy(t, br)
+			if err != nil {
+				return err
+			}
+		} else {
+			err = copySparse(t, br)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	// Look for streams after the data stream. The only ones we handle are alternate data streams.
+	// Other streams may have metadata that could be serialized, but the tar header has already
+	// been written. In practice, this means that we don't get EA or TXF metadata.
+	for {
+		bhdr, err := br.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+		switch bhdr.Id {
+		case winio.BackupAlternateData:
+			altName := bhdr.Name
+			if strings.HasSuffix(altName, ":$DATA") {
+				altName = altName[:len(altName)-len(":$DATA")]
+			}
+			if (bhdr.Attributes & winio.StreamSparseAttributes) == 0 {
+				hdr = &tar.Header{
+					Format:     hdr.Format,
+					Name:       name + altName,
+					Mode:       hdr.Mode,
+					Typeflag:   tar.TypeReg,
+					Size:       bhdr.Size,
+					ModTime:    hdr.ModTime,
+					AccessTime: hdr.AccessTime,
+					ChangeTime: hdr.ChangeTime,
+				}
+				err = t.WriteHeader(hdr)
+				if err != nil {
+					return err
+				}
+				_, err = io.Copy(t, br)
+				if err != nil {
+					return err
+				}
+
+			} else {
+				// Unsupported for now, since the size of the alternate stream is not present
+				// in the backup stream until after the data has been read.
+				return errors.New("tar of sparse alternate data streams is unsupported")
+			}
+		case winio.BackupEaData, winio.BackupLink, winio.BackupPropertyData, winio.BackupObjectId, winio.BackupTxfsData:
+			// ignore these streams
+		default:
+			return fmt.Errorf("%s: unknown stream ID %d after data", name, bhdr.Id)
+		}
+	}
+	return nil
+}
+
+// FileInfoFromHeader retrieves basic Win32 file information from a tar header, using the additional metadata written by
+// WriteTarFileFromBackupStream.
+func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *winio.FileBasicInfo, err error) {
+	name = hdr.Name
+	if hdr.Typeflag == tar.TypeReg || hdr.Typeflag == tar.TypeRegA {
+		size = hdr.Size
+	}
+	fileInfo = &winio.FileBasicInfo{
+		LastAccessTime: windows.NsecToFiletime(hdr.AccessTime.UnixNano()),
+		LastWriteTime:  windows.NsecToFiletime(hdr.ModTime.UnixNano()),
+		ChangeTime:     windows.NsecToFiletime(hdr.ChangeTime.UnixNano()),
+		// Default to ModTime, we'll pull hdrCreationTime below if present
+		CreationTime: windows.NsecToFiletime(hdr.ModTime.UnixNano()),
+	}
+	if attrStr, ok := hdr.PAXRecords[hdrFileAttributes]; ok {
+		attr, err := strconv.ParseUint(attrStr, 10, 32)
+		if err != nil {
+			return "", 0, nil, err
+		}
+		fileInfo.FileAttributes = uint32(attr)
+	} else {
+		if hdr.Typeflag == tar.TypeDir {
+			fileInfo.FileAttributes |= syscall.FILE_ATTRIBUTE_DIRECTORY
+		}
+	}
+	if creationTimeStr, ok := hdr.PAXRecords[hdrCreationTime]; ok {
+		creationTime, err := parsePAXTime(creationTimeStr)
+		if err != nil {
+			return "", 0, nil, err
+		}
+		fileInfo.CreationTime = windows.NsecToFiletime(creationTime.UnixNano())
+	}
+	return
+}
+
+// WriteBackupStreamFromTarFile writes a Win32 backup stream from the current tar file. Since this function may process multiple
+// tar file entries in order to collect all the alternate data streams for the file, it returns the next
+// tar file that was not processed, or io.EOF is there are no more.
+func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (*tar.Header, error) {
+	bw := winio.NewBackupStreamWriter(w)
+	var sd []byte
+	var err error
+	// Maintaining old SDDL-based behavior for backward compatibility.  All new tar headers written
+	// by this library will have raw binary for the security descriptor.
+	if sddl, ok := hdr.PAXRecords[hdrSecurityDescriptor]; ok {
+		sd, err = winio.SddlToSecurityDescriptor(sddl)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if sdraw, ok := hdr.PAXRecords[hdrRawSecurityDescriptor]; ok {
+		sd, err = base64.StdEncoding.DecodeString(sdraw)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if len(sd) != 0 {
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupSecurity,
+			Size: int64(len(sd)),
+		}
+		err := bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = bw.Write(sd)
+		if err != nil {
+			return nil, err
+		}
+	}
+	var eas []winio.ExtendedAttribute
+	for k, v := range hdr.PAXRecords {
+		if !strings.HasPrefix(k, hdrEaPrefix) {
+			continue
+		}
+		data, err := base64.StdEncoding.DecodeString(v)
+		if err != nil {
+			return nil, err
+		}
+		eas = append(eas, winio.ExtendedAttribute{
+			Name:  k[len(hdrEaPrefix):],
+			Value: data,
+		})
+	}
+	if len(eas) != 0 {
+		eadata, err := winio.EncodeExtendedAttributes(eas)
+		if err != nil {
+			return nil, err
+		}
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupEaData,
+			Size: int64(len(eadata)),
+		}
+		err = bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = bw.Write(eadata)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if hdr.Typeflag == tar.TypeSymlink {
+		_, isMountPoint := hdr.PAXRecords[hdrMountPoint]
+		rp := winio.ReparsePoint{
+			Target:       filepath.FromSlash(hdr.Linkname),
+			IsMountPoint: isMountPoint,
+		}
+		reparse := winio.EncodeReparsePoint(&rp)
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupReparseData,
+			Size: int64(len(reparse)),
+		}
+		err := bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = bw.Write(reparse)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if hdr.Typeflag == tar.TypeReg || hdr.Typeflag == tar.TypeRegA {
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupData,
+			Size: hdr.Size,
+		}
+		err := bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = io.Copy(bw, t)
+		if err != nil {
+			return nil, err
+		}
+	}
+	// Copy all the alternate data streams and return the next non-ADS header.
+	for {
+		ahdr, err := t.Next()
+		if err != nil {
+			return nil, err
+		}
+		if ahdr.Typeflag != tar.TypeReg || !strings.HasPrefix(ahdr.Name, hdr.Name+":") {
+			return ahdr, nil
+		}
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupAlternateData,
+			Size: ahdr.Size,
+			Name: ahdr.Name[len(hdr.Name):] + ":$DATA",
+		}
+		err = bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = io.Copy(bw, t)
+		if err != nil {
+			return nil, err
+		}
+	}
+}
--- a/vendor/github.com/Microsoft/go-winio/fileinfo.go
+++ b/vendor/github.com/Microsoft/go-winio/fileinfo.go
@ -5,21 +5,14 @@ package winio
 import (
 	"os"
 	"runtime"
-	"syscall"
 	"unsafe"
-)

-//sys getFileInformationByHandleEx(h syscall.Handle, class uint32, buffer *byte, size uint32) (err error) = GetFileInformationByHandleEx
-//sys setFileInformationByHandle(h syscall.Handle, class uint32, buffer *byte, size uint32) (err error) = SetFileInformationByHandle
-
-const (
-	fileBasicInfo = 0
-	fileIDInfo    = 0x12
+	"golang.org/x/sys/windows"
 )

 // FileBasicInfo contains file access time and file attributes information.
 type FileBasicInfo struct {
-	CreationTime, LastAccessTime, LastWriteTime, ChangeTime syscall.Filetime
+	CreationTime, LastAccessTime, LastWriteTime, ChangeTime windows.Filetime
 	FileAttributes                                          uint32
 	pad                                                     uint32 // padding
 }
@ -27,7 +20,7 @@ type FileBasicInfo struct {
 // GetFileBasicInfo retrieves times and attributes for a file.
 func GetFileBasicInfo(f *os.File) (*FileBasicInfo, error) {
 	bi := &FileBasicInfo{}
-	if err := getFileInformationByHandleEx(syscall.Handle(f.Fd()), fileBasicInfo, (*byte)(unsafe.Pointer(bi)), uint32(unsafe.Sizeof(*bi))); err != nil {
+	if err := windows.GetFileInformationByHandleEx(windows.Handle(f.Fd()), windows.FileBasicInfo, (*byte)(unsafe.Pointer(bi)), uint32(unsafe.Sizeof(*bi))); err != nil {
 		return nil, &os.PathError{Op: "GetFileInformationByHandleEx", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
@ -36,13 +29,32 @@ func GetFileBasicInfo(f *os.File) (*FileBasicInfo, error) {

 // SetFileBasicInfo sets times and attributes for a file.
 func SetFileBasicInfo(f *os.File, bi *FileBasicInfo) error {
-	if err := setFileInformationByHandle(syscall.Handle(f.Fd()), fileBasicInfo, (*byte)(unsafe.Pointer(bi)), uint32(unsafe.Sizeof(*bi))); err != nil {
+	if err := windows.SetFileInformationByHandle(windows.Handle(f.Fd()), windows.FileBasicInfo, (*byte)(unsafe.Pointer(bi)), uint32(unsafe.Sizeof(*bi))); err != nil {
 		return &os.PathError{Op: "SetFileInformationByHandle", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
 	return nil
 }

+// FileStandardInfo contains extended information for the file.
+// FILE_STANDARD_INFO in WinBase.h
+// https://docs.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-file_standard_info
+type FileStandardInfo struct {
+	AllocationSize, EndOfFile int64
+	NumberOfLinks             uint32
+	DeletePending, Directory  bool
+}
+
+// GetFileStandardInfo retrieves ended information for the file.
+func GetFileStandardInfo(f *os.File) (*FileStandardInfo, error) {
+	si := &FileStandardInfo{}
+	if err := windows.GetFileInformationByHandleEx(windows.Handle(f.Fd()), windows.FileStandardInfo, (*byte)(unsafe.Pointer(si)), uint32(unsafe.Sizeof(*si))); err != nil {
+		return nil, &os.PathError{Op: "GetFileInformationByHandleEx", Path: f.Name(), Err: err}
+	}
+	runtime.KeepAlive(f)
+	return si, nil
+}
+
 // FileIDInfo contains the volume serial number and file ID for a file. This pair should be
 // unique on a system.
 type FileIDInfo struct {
@ -53,7 +65,7 @@ type FileIDInfo struct {
 // GetFileID retrieves the unique (volume, file ID) pair for a file.
 func GetFileID(f *os.File) (*FileIDInfo, error) {
 	fileID := &FileIDInfo{}
-	if err := getFileInformationByHandleEx(syscall.Handle(f.Fd()), fileIDInfo, (*byte)(unsafe.Pointer(fileID)), uint32(unsafe.Sizeof(*fileID))); err != nil {
+	if err := windows.GetFileInformationByHandleEx(windows.Handle(f.Fd()), windows.FileIdInfo, (*byte)(unsafe.Pointer(fileID)), uint32(unsafe.Sizeof(*fileID))); err != nil {
 		return nil, &os.PathError{Op: "GetFileInformationByHandleEx", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
--- a/vendor/github.com/Microsoft/go-winio/go.mod
+++ b/vendor/github.com/Microsoft/go-winio/go.mod
@ -3,7 +3,7 @@ module github.com/Microsoft/go-winio
 go 1.12

 require (
-	github.com/pkg/errors v0.8.1
-	github.com/sirupsen/logrus v1.4.1
-	golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.7.0
+	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c
 )
--- a/vendor/github.com/Microsoft/go-winio/go.sum
+++ b/vendor/github.com/Microsoft/go-winio/go.sum
@ -1,16 +1,14 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/vendor/github.com/Microsoft/go-winio/hvsock.go
+++ b/vendor/github.com/Microsoft/go-winio/hvsock.go
@ -1,3 +1,5 @@
+// +build windows
+
 package winio

 import (
--- a/vendor/github.com/Microsoft/go-winio/pipe.go
+++ b/vendor/github.com/Microsoft/go-winio/pipe.go
@ -182,13 +182,14 @@ func (s pipeAddress) String() string {
 }

 // tryDialPipe attempts to dial the pipe at `path` until `ctx` cancellation or timeout.
-func tryDialPipe(ctx context.Context, path *string) (syscall.Handle, error) {
+func tryDialPipe(ctx context.Context, path *string, access uint32) (syscall.Handle, error) {
 	for {
+
 		select {
 		case <-ctx.Done():
 			return syscall.Handle(0), ctx.Err()
 		default:
-			h, err := createFile(*path, syscall.GENERIC_READ|syscall.GENERIC_WRITE, 0, nil, syscall.OPEN_EXISTING, syscall.FILE_FLAG_OVERLAPPED|cSECURITY_SQOS_PRESENT|cSECURITY_ANONYMOUS, 0)
+			h, err := createFile(*path, access, 0, nil, syscall.OPEN_EXISTING, syscall.FILE_FLAG_OVERLAPPED|cSECURITY_SQOS_PRESENT|cSECURITY_ANONYMOUS, 0)
 			if err == nil {
 				return h, nil
 			}
@ -197,7 +198,7 @@ func tryDialPipe(ctx context.Context, path *string) (syscall.Handle, error) {
 			}
 			// Wait 10 msec and try again. This is a rather simplistic
 			// view, as we always try each 10 milliseconds.
-			time.Sleep(time.Millisecond * 10)
+			time.Sleep(10 * time.Millisecond)
 		}
 	}
 }
@ -210,7 +211,7 @@ func DialPipe(path string, timeout *time.Duration) (net.Conn, error) {
 	if timeout != nil {
 		absTimeout = time.Now().Add(*timeout)
 	} else {
-		absTimeout = time.Now().Add(time.Second * 2)
+		absTimeout = time.Now().Add(2 * time.Second)
 	}
 	ctx, _ := context.WithDeadline(context.Background(), absTimeout)
 	conn, err := DialPipeContext(ctx, path)
@ -223,9 +224,15 @@ func DialPipe(path string, timeout *time.Duration) (net.Conn, error) {
 // DialPipeContext attempts to connect to a named pipe by `path` until `ctx`
 // cancellation or timeout.
 func DialPipeContext(ctx context.Context, path string) (net.Conn, error) {
+	return DialPipeAccess(ctx, path, syscall.GENERIC_READ|syscall.GENERIC_WRITE)
+}
+
+// DialPipeAccess attempts to connect to a named pipe by `path` with `access` until `ctx`
+// cancellation or timeout.
+func DialPipeAccess(ctx context.Context, path string, access uint32) (net.Conn, error) {
 	var err error
 	var h syscall.Handle
-	h, err = tryDialPipe(ctx, &path)
+	h, err = tryDialPipe(ctx, &path, access)
 	if err != nil {
 		return nil, err
 	}
@ -422,10 +429,10 @@ type PipeConfig struct {
 	// when the pipe is in message mode.
 	MessageMode bool

-	// InputBufferSize specifies the size the input buffer, in bytes.
+	// InputBufferSize specifies the size of the input buffer, in bytes.
 	InputBufferSize int32

-	// OutputBufferSize specifies the size the input buffer, in bytes.
+	// OutputBufferSize specifies the size of the output buffer, in bytes.
 	OutputBufferSize int32
 }

--- a/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go
@ -1,3 +1,5 @@
+// +build windows
+
 // Package guid provides a GUID type. The backing structure for a GUID is
 // identical to that used by the golang.org/x/sys/windows GUID type.
 // There are two main binary encodings used for a GUID, the big-endian encoding,
--- a/vendor/github.com/Microsoft/go-winio/pkg/security/grantvmgroupaccess.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/security/grantvmgroupaccess.go
@ -0,0 +1,161 @@
+// +build windows
+
+package security
+
+import (
+	"os"
+	"syscall"
+	"unsafe"
+
+	"github.com/pkg/errors"
+)
+
+type (
+	accessMask          uint32
+	accessMode          uint32
+	desiredAccess       uint32
+	inheritMode         uint32
+	objectType          uint32
+	shareMode           uint32
+	securityInformation uint32
+	trusteeForm         uint32
+	trusteeType         uint32
+
+	explicitAccess struct {
+		accessPermissions accessMask
+		accessMode        accessMode
+		inheritance       inheritMode
+		trustee           trustee
+	}
+
+	trustee struct {
+		multipleTrustee          *trustee
+		multipleTrusteeOperation int32
+		trusteeForm              trusteeForm
+		trusteeType              trusteeType
+		name                     uintptr
+	}
+)
+
+const (
+	accessMaskDesiredPermission accessMask = 1 << 31 // GENERIC_READ
+
+	accessModeGrant accessMode = 1
+
+	desiredAccessReadControl desiredAccess = 0x20000
+	desiredAccessWriteDac    desiredAccess = 0x40000
+
+	gvmga = "GrantVmGroupAccess:"
+
+	inheritModeNoInheritance                  inheritMode = 0x0
+	inheritModeSubContainersAndObjectsInherit inheritMode = 0x3
+
+	objectTypeFileObject objectType = 0x1
+
+	securityInformationDACL securityInformation = 0x4
+
+	shareModeRead  shareMode = 0x1
+	shareModeWrite shareMode = 0x2
+
+	sidVmGroup = "S-1-5-83-0"
+
+	trusteeFormIsSid trusteeForm = 0
+
+	trusteeTypeWellKnownGroup trusteeType = 5
+)
+
+// GrantVMGroupAccess sets the DACL for a specified file or directory to
+// include Grant ACE entries for the VM Group SID. This is a golang re-
+// implementation of the same function in vmcompute, just not exported in
+// RS5. Which kind of sucks. Sucks a lot :/
+func GrantVmGroupAccess(name string) error {
+	// Stat (to determine if `name` is a directory).
+	s, err := os.Stat(name)
+	if err != nil {
+		return errors.Wrapf(err, "%s os.Stat %s", gvmga, name)
+	}
+
+	// Get a handle to the file/directory. Must defer Close on success.
+	fd, err := createFile(name, s.IsDir())
+	if err != nil {
+		return err // Already wrapped
+	}
+	defer syscall.CloseHandle(fd)
+
+	// Get the current DACL and Security Descriptor. Must defer LocalFree on success.
+	ot := objectTypeFileObject
+	si := securityInformationDACL
+	sd := uintptr(0)
+	origDACL := uintptr(0)
+	if err := getSecurityInfo(fd, uint32(ot), uint32(si), nil, nil, &origDACL, nil, &sd); err != nil {
+		return errors.Wrapf(err, "%s GetSecurityInfo %s", gvmga, name)
+	}
+	defer syscall.LocalFree((syscall.Handle)(unsafe.Pointer(sd)))
+
+	// Generate a new DACL which is the current DACL with the required ACEs added.
+	// Must defer LocalFree on success.
+	newDACL, err := generateDACLWithAcesAdded(name, s.IsDir(), origDACL)
+	if err != nil {
+		return err // Already wrapped
+	}
+	defer syscall.LocalFree((syscall.Handle)(unsafe.Pointer(newDACL)))
+
+	// And finally use SetSecurityInfo to apply the updated DACL.
+	if err := setSecurityInfo(fd, uint32(ot), uint32(si), uintptr(0), uintptr(0), newDACL, uintptr(0)); err != nil {
+		return errors.Wrapf(err, "%s SetSecurityInfo %s", gvmga, name)
+	}
+
+	return nil
+}
+
+// createFile is a helper function to call [Nt]CreateFile to get a handle to
+// the file or directory.
+func createFile(name string, isDir bool) (syscall.Handle, error) {
+	namep := syscall.StringToUTF16(name)
+	da := uint32(desiredAccessReadControl | desiredAccessWriteDac)
+	sm := uint32(shareModeRead | shareModeWrite)
+	fa := uint32(syscall.FILE_ATTRIBUTE_NORMAL)
+	if isDir {
+		fa = uint32(fa | syscall.FILE_FLAG_BACKUP_SEMANTICS)
+	}
+	fd, err := syscall.CreateFile(&namep[0], da, sm, nil, syscall.OPEN_EXISTING, fa, 0)
+	if err != nil {
+		return 0, errors.Wrapf(err, "%s syscall.CreateFile %s", gvmga, name)
+	}
+	return fd, nil
+}
+
+// generateDACLWithAcesAdded generates a new DACL with the two needed ACEs added.
+// The caller is responsible for LocalFree of the returned DACL on success.
+func generateDACLWithAcesAdded(name string, isDir bool, origDACL uintptr) (uintptr, error) {
+	// Generate pointers to the SIDs based on the string SIDs
+	sid, err := syscall.StringToSid(sidVmGroup)
+	if err != nil {
+		return 0, errors.Wrapf(err, "%s syscall.StringToSid %s %s", gvmga, name, sidVmGroup)
+	}
+
+	inheritance := inheritModeNoInheritance
+	if isDir {
+		inheritance = inheritModeSubContainersAndObjectsInherit
+	}
+
+	eaArray := []explicitAccess{
+		explicitAccess{
+			accessPermissions: accessMaskDesiredPermission,
+			accessMode:        accessModeGrant,
+			inheritance:       inheritance,
+			trustee: trustee{
+				trusteeForm: trusteeFormIsSid,
+				trusteeType: trusteeTypeWellKnownGroup,
+				name:        uintptr(unsafe.Pointer(sid)),
+			},
+		},
+	}
+
+	modifiedDACL := uintptr(0)
+	if err := setEntriesInAcl(uintptr(uint32(1)), uintptr(unsafe.Pointer(&eaArray[0])), origDACL, &modifiedDACL); err != nil {
+		return 0, errors.Wrapf(err, "%s SetEntriesInAcl %s", gvmga, name)
+	}
+
+	return modifiedDACL, nil
+}
--- a/vendor/github.com/Microsoft/go-winio/pkg/security/syscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/security/syscall_windows.go
@ -0,0 +1,7 @@
+package security
+
+//go:generate go run mksyscall_windows.go -output zsyscall_windows.go syscall_windows.go
+
+//sys getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (err error) [failretval!=0] = advapi32.GetSecurityInfo
+//sys setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (err error) [failretval!=0] = advapi32.SetSecurityInfo
+//sys setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl *uintptr) (err error) [failretval!=0] = advapi32.SetEntriesInAclW
--- a/vendor/github.com/Microsoft/go-winio/pkg/security/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/security/zsyscall_windows.go
@ -0,0 +1,70 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package security
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
+
+	procGetSecurityInfo  = modadvapi32.NewProc("GetSecurityInfo")
+	procSetEntriesInAclW = modadvapi32.NewProc("SetEntriesInAclW")
+	procSetSecurityInfo  = modadvapi32.NewProc("SetSecurityInfo")
+)
+
+func getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall9(procGetSecurityInfo.Addr(), 8, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(unsafe.Pointer(ppsidOwner)), uintptr(unsafe.Pointer(ppsidGroup)), uintptr(unsafe.Pointer(ppDacl)), uintptr(unsafe.Pointer(ppSacl)), uintptr(unsafe.Pointer(ppSecurityDescriptor)), 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl *uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall6(procSetEntriesInAclW.Addr(), 4, uintptr(count), uintptr(pListOfEEs), uintptr(oldAcl), uintptr(unsafe.Pointer(newAcl)), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (err error) {
+	r1, _, e1 := syscall.Syscall9(procSetSecurityInfo.Addr(), 7, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(psidOwner), uintptr(psidGroup), uintptr(pDacl), uintptr(pSacl), 0, 0)
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
--- a/vendor/github.com/Microsoft/go-winio/syscall.go
+++ b/vendor/github.com/Microsoft/go-winio/syscall.go
@ -1,3 +1,3 @@
 package winio

-//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -output zsyscall_windows.go file.go pipe.go sd.go fileinfo.go privilege.go backup.go hvsock.go
+//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go file.go pipe.go sd.go fileinfo.go privilege.go backup.go hvsock.go
--- a/vendor/github.com/Microsoft/go-winio/vhd/vhd.go
+++ b/vendor/github.com/Microsoft/go-winio/vhd/vhd.go
@ -0,0 +1,323 @@
+// +build windows
+
+package vhd
+
+import (
+	"fmt"
+	"syscall"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/windows"
+)
+
+//go:generate go run mksyscall_windows.go -output zvhd_windows.go vhd.go
+
+//sys createVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, securityDescriptor *uintptr, createVirtualDiskFlags uint32, providerSpecificFlags uint32, parameters *CreateVirtualDiskParameters, overlapped *syscall.Overlapped, handle *syscall.Handle) (err error) [failretval != 0] = virtdisk.CreateVirtualDisk
+//sys openVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, openVirtualDiskFlags uint32, parameters *OpenVirtualDiskParameters, handle *syscall.Handle) (err error) [failretval != 0] = virtdisk.OpenVirtualDisk
+//sys attachVirtualDisk(handle syscall.Handle, securityDescriptor *uintptr, attachVirtualDiskFlag uint32, providerSpecificFlags uint32, parameters *AttachVirtualDiskParameters, overlapped *syscall.Overlapped) (err error) [failretval != 0] = virtdisk.AttachVirtualDisk
+//sys detachVirtualDisk(handle syscall.Handle, detachVirtualDiskFlags uint32, providerSpecificFlags uint32) (err error) [failretval != 0] = virtdisk.DetachVirtualDisk
+//sys getVirtualDiskPhysicalPath(handle syscall.Handle, diskPathSizeInBytes *uint32, buffer *uint16) (err error) [failretval != 0] = virtdisk.GetVirtualDiskPhysicalPath
+
+type (
+	CreateVirtualDiskFlag uint32
+	VirtualDiskFlag       uint32
+	AttachVirtualDiskFlag uint32
+	DetachVirtualDiskFlag uint32
+	VirtualDiskAccessMask uint32
+)
+
+type VirtualStorageType struct {
+	DeviceID uint32
+	VendorID guid.GUID
+}
+
+type CreateVersion2 struct {
+	UniqueID                 guid.GUID
+	MaximumSize              uint64
+	BlockSizeInBytes         uint32
+	SectorSizeInBytes        uint32
+	PhysicalSectorSizeInByte uint32
+	ParentPath               *uint16 // string
+	SourcePath               *uint16 // string
+	OpenFlags                uint32
+	ParentVirtualStorageType VirtualStorageType
+	SourceVirtualStorageType VirtualStorageType
+	ResiliencyGUID           guid.GUID
+}
+
+type CreateVirtualDiskParameters struct {
+	Version  uint32 // Must always be set to 2
+	Version2 CreateVersion2
+}
+
+type OpenVersion2 struct {
+	GetInfoOnly    bool
+	ReadOnly       bool
+	ResiliencyGUID guid.GUID
+}
+
+type OpenVirtualDiskParameters struct {
+	Version  uint32 // Must always be set to 2
+	Version2 OpenVersion2
+}
+
+type AttachVersion2 struct {
+	RestrictedOffset uint64
+	RestrictedLength uint64
+}
+
+type AttachVirtualDiskParameters struct {
+	Version  uint32 // Must always be set to 2
+	Version2 AttachVersion2
+}
+
+const (
+	VIRTUAL_STORAGE_TYPE_DEVICE_VHDX = 0x3
+
+	// Access Mask for opening a VHD
+	VirtualDiskAccessNone     VirtualDiskAccessMask = 0x00000000
+	VirtualDiskAccessAttachRO VirtualDiskAccessMask = 0x00010000
+	VirtualDiskAccessAttachRW VirtualDiskAccessMask = 0x00020000
+	VirtualDiskAccessDetach   VirtualDiskAccessMask = 0x00040000
+	VirtualDiskAccessGetInfo  VirtualDiskAccessMask = 0x00080000
+	VirtualDiskAccessCreate   VirtualDiskAccessMask = 0x00100000
+	VirtualDiskAccessMetaOps  VirtualDiskAccessMask = 0x00200000
+	VirtualDiskAccessRead     VirtualDiskAccessMask = 0x000d0000
+	VirtualDiskAccessAll      VirtualDiskAccessMask = 0x003f0000
+	VirtualDiskAccessWritable VirtualDiskAccessMask = 0x00320000
+
+	// Flags for creating a VHD
+	CreateVirtualDiskFlagNone                              CreateVirtualDiskFlag = 0x0
+	CreateVirtualDiskFlagFullPhysicalAllocation            CreateVirtualDiskFlag = 0x1
+	CreateVirtualDiskFlagPreventWritesToSourceDisk         CreateVirtualDiskFlag = 0x2
+	CreateVirtualDiskFlagDoNotCopyMetadataFromParent       CreateVirtualDiskFlag = 0x4
+	CreateVirtualDiskFlagCreateBackingStorage              CreateVirtualDiskFlag = 0x8
+	CreateVirtualDiskFlagUseChangeTrackingSourceLimit      CreateVirtualDiskFlag = 0x10
+	CreateVirtualDiskFlagPreserveParentChangeTrackingState CreateVirtualDiskFlag = 0x20
+	CreateVirtualDiskFlagVhdSetUseOriginalBackingStorage   CreateVirtualDiskFlag = 0x40
+	CreateVirtualDiskFlagSparseFile                        CreateVirtualDiskFlag = 0x80
+	CreateVirtualDiskFlagPmemCompatible                    CreateVirtualDiskFlag = 0x100
+	CreateVirtualDiskFlagSupportCompressedVolumes          CreateVirtualDiskFlag = 0x200
+
+	// Flags for opening a VHD
+	OpenVirtualDiskFlagNone                        VirtualDiskFlag = 0x00000000
+	OpenVirtualDiskFlagNoParents                   VirtualDiskFlag = 0x00000001
+	OpenVirtualDiskFlagBlankFile                   VirtualDiskFlag = 0x00000002
+	OpenVirtualDiskFlagBootDrive                   VirtualDiskFlag = 0x00000004
+	OpenVirtualDiskFlagCachedIO                    VirtualDiskFlag = 0x00000008
+	OpenVirtualDiskFlagCustomDiffChain             VirtualDiskFlag = 0x00000010
+	OpenVirtualDiskFlagParentCachedIO              VirtualDiskFlag = 0x00000020
+	OpenVirtualDiskFlagVhdsetFileOnly              VirtualDiskFlag = 0x00000040
+	OpenVirtualDiskFlagIgnoreRelativeParentLocator VirtualDiskFlag = 0x00000080
+	OpenVirtualDiskFlagNoWriteHardening            VirtualDiskFlag = 0x00000100
+	OpenVirtualDiskFlagSupportCompressedVolumes    VirtualDiskFlag = 0x00000200
+
+	// Flags for attaching a VHD
+	AttachVirtualDiskFlagNone                          AttachVirtualDiskFlag = 0x00000000
+	AttachVirtualDiskFlagReadOnly                      AttachVirtualDiskFlag = 0x00000001
+	AttachVirtualDiskFlagNoDriveLetter                 AttachVirtualDiskFlag = 0x00000002
+	AttachVirtualDiskFlagPermanentLifetime             AttachVirtualDiskFlag = 0x00000004
+	AttachVirtualDiskFlagNoLocalHost                   AttachVirtualDiskFlag = 0x00000008
+	AttachVirtualDiskFlagNoSecurityDescriptor          AttachVirtualDiskFlag = 0x00000010
+	AttachVirtualDiskFlagBypassDefaultEncryptionPolicy AttachVirtualDiskFlag = 0x00000020
+	AttachVirtualDiskFlagNonPnp                        AttachVirtualDiskFlag = 0x00000040
+	AttachVirtualDiskFlagRestrictedRange               AttachVirtualDiskFlag = 0x00000080
+	AttachVirtualDiskFlagSinglePartition               AttachVirtualDiskFlag = 0x00000100
+	AttachVirtualDiskFlagRegisterVolume                AttachVirtualDiskFlag = 0x00000200
+
+	// Flags for detaching a VHD
+	DetachVirtualDiskFlagNone DetachVirtualDiskFlag = 0x0
+)
+
+// CreateVhdx is a helper function to create a simple vhdx file at the given path using
+// default values.
+func CreateVhdx(path string, maxSizeInGb, blockSizeInMb uint32) error {
+	params := CreateVirtualDiskParameters{
+		Version: 2,
+		Version2: CreateVersion2{
+			MaximumSize:      uint64(maxSizeInGb) * 1024 * 1024 * 1024,
+			BlockSizeInBytes: blockSizeInMb * 1024 * 1024,
+		},
+	}
+
+	handle, err := CreateVirtualDisk(path, VirtualDiskAccessNone, CreateVirtualDiskFlagNone, &params)
+	if err != nil {
+		return err
+	}
+
+	if err := syscall.CloseHandle(handle); err != nil {
+		return err
+	}
+	return nil
+}
+
+// DetachVirtualDisk detaches a virtual hard disk by handle.
+func DetachVirtualDisk(handle syscall.Handle) (err error) {
+	if err := detachVirtualDisk(handle, 0, 0); err != nil {
+		return errors.Wrap(err, "failed to detach virtual disk")
+	}
+	return nil
+}
+
+// DetachVhd detaches a vhd found at `path`.
+func DetachVhd(path string) error {
+	handle, err := OpenVirtualDisk(
+		path,
+		VirtualDiskAccessNone,
+		OpenVirtualDiskFlagCachedIO|OpenVirtualDiskFlagIgnoreRelativeParentLocator,
+	)
+	if err != nil {
+		return err
+	}
+	defer syscall.CloseHandle(handle)
+	return DetachVirtualDisk(handle)
+}
+
+// AttachVirtualDisk attaches a virtual hard disk for use.
+func AttachVirtualDisk(handle syscall.Handle, attachVirtualDiskFlag AttachVirtualDiskFlag, parameters *AttachVirtualDiskParameters) (err error) {
+	// Supports both version 1 and 2 of the attach parameters as version 2 wasn't present in RS5.
+	if err := attachVirtualDisk(
+		handle,
+		nil,
+		uint32(attachVirtualDiskFlag),
+		0,
+		parameters,
+		nil,
+	); err != nil {
+		return errors.Wrap(err, "failed to attach virtual disk")
+	}
+	return nil
+}
+
+// AttachVhd attaches a virtual hard disk at `path` for use. Attaches using version 2
+// of the ATTACH_VIRTUAL_DISK_PARAMETERS.
+func AttachVhd(path string) (err error) {
+	handle, err := OpenVirtualDisk(
+		path,
+		VirtualDiskAccessNone,
+		OpenVirtualDiskFlagCachedIO|OpenVirtualDiskFlagIgnoreRelativeParentLocator,
+	)
+	if err != nil {
+		return err
+	}
+
+	defer syscall.CloseHandle(handle)
+	params := AttachVirtualDiskParameters{Version: 2}
+	if err := AttachVirtualDisk(
+		handle,
+		AttachVirtualDiskFlagNone,
+		&params,
+	); err != nil {
+		return errors.Wrap(err, "failed to attach virtual disk")
+	}
+	return nil
+}
+
+// OpenVirtualDisk obtains a handle to a VHD opened with supplied access mask and flags.
+func OpenVirtualDisk(vhdPath string, virtualDiskAccessMask VirtualDiskAccessMask, openVirtualDiskFlags VirtualDiskFlag) (syscall.Handle, error) {
+	parameters := OpenVirtualDiskParameters{Version: 2}
+	handle, err := OpenVirtualDiskWithParameters(
+		vhdPath,
+		virtualDiskAccessMask,
+		openVirtualDiskFlags,
+		&parameters,
+	)
+	if err != nil {
+		return 0, err
+	}
+	return handle, nil
+}
+
+// OpenVirtualDiskWithParameters obtains a handle to a VHD opened with supplied access mask, flags and parameters.
+func OpenVirtualDiskWithParameters(vhdPath string, virtualDiskAccessMask VirtualDiskAccessMask, openVirtualDiskFlags VirtualDiskFlag, parameters *OpenVirtualDiskParameters) (syscall.Handle, error) {
+	var (
+		handle      syscall.Handle
+		defaultType VirtualStorageType
+	)
+	if parameters.Version != 2 {
+		return handle, fmt.Errorf("only version 2 VHDs are supported, found version: %d", parameters.Version)
+	}
+	if err := openVirtualDisk(
+		&defaultType,
+		vhdPath,
+		uint32(virtualDiskAccessMask),
+		uint32(openVirtualDiskFlags),
+		parameters,
+		&handle,
+	); err != nil {
+		return 0, errors.Wrap(err, "failed to open virtual disk")
+	}
+	return handle, nil
+}
+
+// CreateVirtualDisk creates a virtual harddisk and returns a handle to the disk.
+func CreateVirtualDisk(path string, virtualDiskAccessMask VirtualDiskAccessMask, createVirtualDiskFlags CreateVirtualDiskFlag, parameters *CreateVirtualDiskParameters) (syscall.Handle, error) {
+	var (
+		handle      syscall.Handle
+		defaultType VirtualStorageType
+	)
+	if parameters.Version != 2 {
+		return handle, fmt.Errorf("only version 2 VHDs are supported, found version: %d", parameters.Version)
+	}
+
+	if err := createVirtualDisk(
+		&defaultType,
+		path,
+		uint32(virtualDiskAccessMask),
+		nil,
+		uint32(createVirtualDiskFlags),
+		0,
+		parameters,
+		nil,
+		&handle,
+	); err != nil {
+		return handle, errors.Wrap(err, "failed to create virtual disk")
+	}
+	return handle, nil
+}
+
+// GetVirtualDiskPhysicalPath takes a handle to a virtual hard disk and returns the physical
+// path of the disk on the machine. This path is in the form \\.\PhysicalDriveX where X is an integer
+// that represents the particular enumeration of the physical disk on the caller's system.
+func GetVirtualDiskPhysicalPath(handle syscall.Handle) (_ string, err error) {
+	var (
+		diskPathSizeInBytes uint32 = 256 * 2 // max path length 256 wide chars
+		diskPhysicalPathBuf [256]uint16
+	)
+	if err := getVirtualDiskPhysicalPath(
+		handle,
+		&diskPathSizeInBytes,
+		&diskPhysicalPathBuf[0],
+	); err != nil {
+		return "", errors.Wrap(err, "failed to get disk physical path")
+	}
+	return windows.UTF16ToString(diskPhysicalPathBuf[:]), nil
+}
+
+// CreateDiffVhd is a helper function to create a differencing virtual disk.
+func CreateDiffVhd(diffVhdPath, baseVhdPath string, blockSizeInMB uint32) error {
+	// Setting `ParentPath` is how to signal to create a differencing disk.
+	createParams := &CreateVirtualDiskParameters{
+		Version: 2,
+		Version2: CreateVersion2{
+			ParentPath:       windows.StringToUTF16Ptr(baseVhdPath),
+			BlockSizeInBytes: blockSizeInMB * 1024 * 1024,
+			OpenFlags:        uint32(OpenVirtualDiskFlagCachedIO),
+		},
+	}
+
+	vhdHandle, err := CreateVirtualDisk(
+		diffVhdPath,
+		VirtualDiskAccessNone,
+		CreateVirtualDiskFlagNone,
+		createParams,
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create differencing vhd: %s", err)
+	}
+	if err := syscall.CloseHandle(vhdHandle); err != nil {
+		return fmt.Errorf("failed to close differencing vhd handle: %s", err)
+	}
+	return nil
+}
--- a/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go
@ -0,0 +1,106 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package vhd
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modvirtdisk = windows.NewLazySystemDLL("virtdisk.dll")
+
+	procAttachVirtualDisk          = modvirtdisk.NewProc("AttachVirtualDisk")
+	procCreateVirtualDisk          = modvirtdisk.NewProc("CreateVirtualDisk")
+	procDetachVirtualDisk          = modvirtdisk.NewProc("DetachVirtualDisk")
+	procGetVirtualDiskPhysicalPath = modvirtdisk.NewProc("GetVirtualDiskPhysicalPath")
+	procOpenVirtualDisk            = modvirtdisk.NewProc("OpenVirtualDisk")
+)
+
+func attachVirtualDisk(handle syscall.Handle, securityDescriptor *uintptr, attachVirtualDiskFlag uint32, providerSpecificFlags uint32, parameters *AttachVirtualDiskParameters, overlapped *syscall.Overlapped) (err error) {
+	r1, _, e1 := syscall.Syscall6(procAttachVirtualDisk.Addr(), 6, uintptr(handle), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(attachVirtualDiskFlag), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped)))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func createVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, securityDescriptor *uintptr, createVirtualDiskFlags uint32, providerSpecificFlags uint32, parameters *CreateVirtualDiskParameters, overlapped *syscall.Overlapped, handle *syscall.Handle) (err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return
+	}
+	return _createVirtualDisk(virtualStorageType, _p0, virtualDiskAccessMask, securityDescriptor, createVirtualDiskFlags, providerSpecificFlags, parameters, overlapped, handle)
+}
+
+func _createVirtualDisk(virtualStorageType *VirtualStorageType, path *uint16, virtualDiskAccessMask uint32, securityDescriptor *uintptr, createVirtualDiskFlags uint32, providerSpecificFlags uint32, parameters *CreateVirtualDiskParameters, overlapped *syscall.Overlapped, handle *syscall.Handle) (err error) {
+	r1, _, e1 := syscall.Syscall9(procCreateVirtualDisk.Addr(), 9, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(createVirtualDiskFlags), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped)), uintptr(unsafe.Pointer(handle)))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func detachVirtualDisk(handle syscall.Handle, detachVirtualDiskFlags uint32, providerSpecificFlags uint32) (err error) {
+	r1, _, e1 := syscall.Syscall(procDetachVirtualDisk.Addr(), 3, uintptr(handle), uintptr(detachVirtualDiskFlags), uintptr(providerSpecificFlags))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func getVirtualDiskPhysicalPath(handle syscall.Handle, diskPathSizeInBytes *uint32, buffer *uint16) (err error) {
+	r1, _, e1 := syscall.Syscall(procGetVirtualDiskPhysicalPath.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(diskPathSizeInBytes)), uintptr(unsafe.Pointer(buffer)))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func openVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, openVirtualDiskFlags uint32, parameters *OpenVirtualDiskParameters, handle *syscall.Handle) (err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return
+	}
+	return _openVirtualDisk(virtualStorageType, _p0, virtualDiskAccessMask, openVirtualDiskFlags, parameters, handle)
+}
+
+func _openVirtualDisk(virtualStorageType *VirtualStorageType, path *uint16, virtualDiskAccessMask uint32, openVirtualDiskFlags uint32, parameters *OpenVirtualDiskParameters, handle *syscall.Handle) (err error) {
+	r1, _, e1 := syscall.Syscall6(procOpenVirtualDisk.Addr(), 6, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(openVirtualDiskFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(handle)))
+	if r1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
--- a/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
@ -19,6 +19,7 @@ const (

 var (
 	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
 )

 // errnoErr returns common boxed Errno values, to prevent
@ -26,7 +27,7 @@ var (
 func errnoErr(e syscall.Errno) error {
 	switch e {
 	case 0:
-		return nil
+		return errERROR_EINVAL
 	case errnoERROR_IO_PENDING:
 		return errERROR_IO_PENDING
 	}
@ -37,243 +38,62 @@ func errnoErr(e syscall.Errno) error {
 }

 var (
-	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
-	modws2_32   = windows.NewLazySystemDLL("ws2_32.dll")
-	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
 	modadvapi32 = windows.NewLazySystemDLL("advapi32.dll")
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
+	modws2_32   = windows.NewLazySystemDLL("ws2_32.dll")

-	procCancelIoEx                                           = modkernel32.NewProc("CancelIoEx")
-	procCreateIoCompletionPort                               = modkernel32.NewProc("CreateIoCompletionPort")
-	procGetQueuedCompletionStatus                            = modkernel32.NewProc("GetQueuedCompletionStatus")
-	procSetFileCompletionNotificationModes                   = modkernel32.NewProc("SetFileCompletionNotificationModes")
-	procWSAGetOverlappedResult                               = modws2_32.NewProc("WSAGetOverlappedResult")
-	procConnectNamedPipe                                     = modkernel32.NewProc("ConnectNamedPipe")
-	procCreateNamedPipeW                                     = modkernel32.NewProc("CreateNamedPipeW")
-	procCreateFileW                                          = modkernel32.NewProc("CreateFileW")
-	procGetNamedPipeInfo                                     = modkernel32.NewProc("GetNamedPipeInfo")
-	procGetNamedPipeHandleStateW                             = modkernel32.NewProc("GetNamedPipeHandleStateW")
-	procLocalAlloc                                           = modkernel32.NewProc("LocalAlloc")
-	procNtCreateNamedPipeFile                                = modntdll.NewProc("NtCreateNamedPipeFile")
-	procRtlNtStatusToDosErrorNoTeb                           = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
-	procRtlDosPathNameToNtPathName_U                         = modntdll.NewProc("RtlDosPathNameToNtPathName_U")
-	procRtlDefaultNpAcl                                      = modntdll.NewProc("RtlDefaultNpAcl")
-	procLookupAccountNameW                                   = modadvapi32.NewProc("LookupAccountNameW")
+	procAdjustTokenPrivileges                                = modadvapi32.NewProc("AdjustTokenPrivileges")
+	procConvertSecurityDescriptorToStringSecurityDescriptorW = modadvapi32.NewProc("ConvertSecurityDescriptorToStringSecurityDescriptorW")
 	procConvertSidToStringSidW                               = modadvapi32.NewProc("ConvertSidToStringSidW")
 	procConvertStringSecurityDescriptorToSecurityDescriptorW = modadvapi32.NewProc("ConvertStringSecurityDescriptorToSecurityDescriptorW")
-	procConvertSecurityDescriptorToStringSecurityDescriptorW = modadvapi32.NewProc("ConvertSecurityDescriptorToStringSecurityDescriptorW")
-	procLocalFree                                            = modkernel32.NewProc("LocalFree")
 	procGetSecurityDescriptorLength                          = modadvapi32.NewProc("GetSecurityDescriptorLength")
-	procGetFileInformationByHandleEx                         = modkernel32.NewProc("GetFileInformationByHandleEx")
-	procSetFileInformationByHandle                           = modkernel32.NewProc("SetFileInformationByHandle")
-	procAdjustTokenPrivileges                                = modadvapi32.NewProc("AdjustTokenPrivileges")
 	procImpersonateSelf                                      = modadvapi32.NewProc("ImpersonateSelf")
-	procRevertToSelf                                         = modadvapi32.NewProc("RevertToSelf")
-	procOpenThreadToken                                      = modadvapi32.NewProc("OpenThreadToken")
-	procGetCurrentThread                                     = modkernel32.NewProc("GetCurrentThread")
-	procLookupPrivilegeValueW                                = modadvapi32.NewProc("LookupPrivilegeValueW")
-	procLookupPrivilegeNameW                                 = modadvapi32.NewProc("LookupPrivilegeNameW")
+	procLookupAccountNameW                                   = modadvapi32.NewProc("LookupAccountNameW")
 	procLookupPrivilegeDisplayNameW                          = modadvapi32.NewProc("LookupPrivilegeDisplayNameW")
+	procLookupPrivilegeNameW                                 = modadvapi32.NewProc("LookupPrivilegeNameW")
+	procLookupPrivilegeValueW                                = modadvapi32.NewProc("LookupPrivilegeValueW")
+	procOpenThreadToken                                      = modadvapi32.NewProc("OpenThreadToken")
+	procRevertToSelf                                         = modadvapi32.NewProc("RevertToSelf")
 	procBackupRead                                           = modkernel32.NewProc("BackupRead")
 	procBackupWrite                                          = modkernel32.NewProc("BackupWrite")
+	procCancelIoEx                                           = modkernel32.NewProc("CancelIoEx")
+	procConnectNamedPipe                                     = modkernel32.NewProc("ConnectNamedPipe")
+	procCreateFileW                                          = modkernel32.NewProc("CreateFileW")
+	procCreateIoCompletionPort                               = modkernel32.NewProc("CreateIoCompletionPort")
+	procCreateNamedPipeW                                     = modkernel32.NewProc("CreateNamedPipeW")
+	procGetCurrentThread                                     = modkernel32.NewProc("GetCurrentThread")
+	procGetNamedPipeHandleStateW                             = modkernel32.NewProc("GetNamedPipeHandleStateW")
+	procGetNamedPipeInfo                                     = modkernel32.NewProc("GetNamedPipeInfo")
+	procGetQueuedCompletionStatus                            = modkernel32.NewProc("GetQueuedCompletionStatus")
+	procLocalAlloc                                           = modkernel32.NewProc("LocalAlloc")
+	procLocalFree                                            = modkernel32.NewProc("LocalFree")
+	procSetFileCompletionNotificationModes                   = modkernel32.NewProc("SetFileCompletionNotificationModes")
+	procNtCreateNamedPipeFile                                = modntdll.NewProc("NtCreateNamedPipeFile")
+	procRtlDefaultNpAcl                                      = modntdll.NewProc("RtlDefaultNpAcl")
+	procRtlDosPathNameToNtPathName_U                         = modntdll.NewProc("RtlDosPathNameToNtPathName_U")
+	procRtlNtStatusToDosErrorNoTeb                           = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
+	procWSAGetOverlappedResult                               = modws2_32.NewProc("WSAGetOverlappedResult")
 	procbind                                                 = modws2_32.NewProc("bind")
 )

-func cancelIoEx(file syscall.Handle, o *syscall.Overlapped) (err error) {
-	r1, _, e1 := syscall.Syscall(procCancelIoEx.Addr(), 2, uintptr(file), uintptr(unsafe.Pointer(o)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount uint32) (newport syscall.Handle, err error) {
-	r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0)
-	newport = syscall.Handle(r0)
-	if newport == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func getQueuedCompletionStatus(port syscall.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procGetQueuedCompletionStatus.Addr(), 5, uintptr(port), uintptr(unsafe.Pointer(bytes)), uintptr(unsafe.Pointer(key)), uintptr(unsafe.Pointer(o)), uintptr(timeout), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func setFileCompletionNotificationModes(h syscall.Handle, flags uint8) (err error) {
-	r1, _, e1 := syscall.Syscall(procSetFileCompletionNotificationModes.Addr(), 2, uintptr(h), uintptr(flags), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func wsaGetOverlappedResult(h syscall.Handle, o *syscall.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) {
+func adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) {
 	var _p0 uint32
-	if wait {
+	if releaseAll {
 		_p0 = 1
-	} else {
-		_p0 = 0
 	}
-	r1, _, e1 := syscall.Syscall6(procWSAGetOverlappedResult.Addr(), 5, uintptr(h), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(bytes)), uintptr(_p0), uintptr(unsafe.Pointer(flags)), 0)
+	r0, _, e1 := syscall.Syscall6(procAdjustTokenPrivileges.Addr(), 6, uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize)))
+	success = r0 != 0
+	if true {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func convertSecurityDescriptorToStringSecurityDescriptor(sd *byte, revision uint32, secInfo uint32, sddl **uint16, sddlSize *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall6(procConvertSecurityDescriptorToStringSecurityDescriptorW.Addr(), 5, uintptr(unsafe.Pointer(sd)), uintptr(revision), uintptr(secInfo), uintptr(unsafe.Pointer(sddl)), uintptr(unsafe.Pointer(sddlSize)), 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) {
-	r1, _, e1 := syscall.Syscall(procConnectNamedPipe.Addr(), 2, uintptr(pipe), uintptr(unsafe.Pointer(o)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(name)
-	if err != nil {
-		return
-	}
-	return _createNamedPipe(_p0, flags, pipeMode, maxInstances, outSize, inSize, defaultTimeout, sa)
-}
-
-func _createNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(flags), uintptr(pipeMode), uintptr(maxInstances), uintptr(outSize), uintptr(inSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0)
-	handle = syscall.Handle(r0)
-	if handle == syscall.InvalidHandle {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(name)
-	if err != nil {
-		return
-	}
-	return _createFile(_p0, access, mode, sa, createmode, attrs, templatefile)
-}
-
-func _createFile(name *uint16, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
-	handle = syscall.Handle(r0)
-	if handle == syscall.InvalidHandle {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procGetNamedPipeInfo.Addr(), 5, uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), uintptr(unsafe.Pointer(maxInstances)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) {
-	r1, _, e1 := syscall.Syscall9(procGetNamedPipeHandleStateW.Addr(), 7, uintptr(pipe), uintptr(unsafe.Pointer(state)), uintptr(unsafe.Pointer(curInstances)), uintptr(unsafe.Pointer(maxCollectionCount)), uintptr(unsafe.Pointer(collectDataTimeout)), uintptr(unsafe.Pointer(userName)), uintptr(maxUserNameSize), 0, 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func localAlloc(uFlags uint32, length uint32) (ptr uintptr) {
-	r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(uFlags), uintptr(length), 0)
-	ptr = uintptr(r0)
-	return
-}
-
-func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) {
-	r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0)
-	status = ntstatus(r0)
-	return
-}
-
-func rtlNtStatusToDosError(status ntstatus) (winerr error) {
-	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
-	if r0 != 0 {
-		winerr = syscall.Errno(r0)
-	}
-	return
-}
-
-func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) {
-	r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0)
-	status = ntstatus(r0)
-	return
-}
-
-func rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) {
-	r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0)
-	status = ntstatus(r0)
-	return
-}
-
-func lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(accountName)
-	if err != nil {
-		return
-	}
-	return _lookupAccountName(systemName, _p0, sid, sidSize, refDomain, refDomainSize, sidNameUse)
-}
-
-func _lookupAccountName(systemName *uint16, accountName *uint16, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall9(procLookupAccountNameW.Addr(), 7, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(accountName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(sidSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)), 0, 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }
@ -281,11 +101,7 @@ func _lookupAccountName(systemName *uint16, accountName *uint16, sid *byte, sidS
 func convertSidToStringSid(sid *byte, str **uint16) (err error) {
 	r1, _, e1 := syscall.Syscall(procConvertSidToStringSidW.Addr(), 2, uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(str)), 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }
@ -302,126 +118,73 @@ func convertStringSecurityDescriptorToSecurityDescriptor(str string, revision ui
 func _convertStringSecurityDescriptorToSecurityDescriptor(str *uint16, revision uint32, sd *uintptr, size *uint32) (err error) {
 	r1, _, e1 := syscall.Syscall6(procConvertStringSecurityDescriptorToSecurityDescriptorW.Addr(), 4, uintptr(unsafe.Pointer(str)), uintptr(revision), uintptr(unsafe.Pointer(sd)), uintptr(unsafe.Pointer(size)), 0, 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }

-func convertSecurityDescriptorToStringSecurityDescriptor(sd *byte, revision uint32, secInfo uint32, sddl **uint16, sddlSize *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procConvertSecurityDescriptorToStringSecurityDescriptorW.Addr(), 5, uintptr(unsafe.Pointer(sd)), uintptr(revision), uintptr(secInfo), uintptr(unsafe.Pointer(sddl)), uintptr(unsafe.Pointer(sddlSize)), 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func localFree(mem uintptr) {
-	syscall.Syscall(procLocalFree.Addr(), 1, uintptr(mem), 0, 0)
-	return
-}
-
 func getSecurityDescriptorLength(sd uintptr) (len uint32) {
 	r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(sd), 0, 0)
 	len = uint32(r0)
 	return
 }

-func getFileInformationByHandleEx(h syscall.Handle, class uint32, buffer *byte, size uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procGetFileInformationByHandleEx.Addr(), 4, uintptr(h), uintptr(class), uintptr(unsafe.Pointer(buffer)), uintptr(size), 0, 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func setFileInformationByHandle(h syscall.Handle, class uint32, buffer *byte, size uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procSetFileInformationByHandle.Addr(), 4, uintptr(h), uintptr(class), uintptr(unsafe.Pointer(buffer)), uintptr(size), 0, 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
-func adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) {
-	var _p0 uint32
-	if releaseAll {
-		_p0 = 1
-	} else {
-		_p0 = 0
-	}
-	r0, _, e1 := syscall.Syscall6(procAdjustTokenPrivileges.Addr(), 6, uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize)))
-	success = r0 != 0
-	if true {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
-	}
-	return
-}
-
 func impersonateSelf(level uint32) (err error) {
 	r1, _, e1 := syscall.Syscall(procImpersonateSelf.Addr(), 1, uintptr(level), 0, 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }

-func revertToSelf() (err error) {
-	r1, _, e1 := syscall.Syscall(procRevertToSelf.Addr(), 0, 0, 0, 0)
+func lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(accountName)
+	if err != nil {
+		return
+	}
+	return _lookupAccountName(systemName, _p0, sid, sidSize, refDomain, refDomainSize, sidNameUse)
+}
+
+func _lookupAccountName(systemName *uint16, accountName *uint16, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall9(procLookupAccountNameW.Addr(), 7, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(accountName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(sidSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)), 0, 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }

-func openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) {
-	var _p0 uint32
-	if openAsSelf {
-		_p0 = 1
-	} else {
-		_p0 = 0
+func lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(systemName)
+	if err != nil {
+		return
 	}
-	r1, _, e1 := syscall.Syscall6(procOpenThreadToken.Addr(), 4, uintptr(thread), uintptr(accessMask), uintptr(_p0), uintptr(unsafe.Pointer(token)), 0, 0)
+	return _lookupPrivilegeDisplayName(_p0, name, buffer, size, languageId)
+}
+
+func _lookupPrivilegeDisplayName(systemName *uint16, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall6(procLookupPrivilegeDisplayNameW.Addr(), 5, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), uintptr(unsafe.Pointer(languageId)), 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }

-func getCurrentThread() (h syscall.Handle) {
-	r0, _, _ := syscall.Syscall(procGetCurrentThread.Addr(), 0, 0, 0, 0)
-	h = syscall.Handle(r0)
+func lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(systemName)
+	if err != nil {
+		return
+	}
+	return _lookupPrivilegeName(_p0, luid, buffer, size)
+}
+
+func _lookupPrivilegeName(systemName *uint16, luid *uint64, buffer *uint16, size *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall6(procLookupPrivilegeNameW.Addr(), 4, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(luid)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), 0, 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
 	return
 }

@ -442,53 +205,27 @@ func lookupPrivilegeValue(systemName string, name string, luid *uint64) (err err
 func _lookupPrivilegeValue(systemName *uint16, name *uint16, luid *uint64) (err error) {
 	r1, _, e1 := syscall.Syscall(procLookupPrivilegeValueW.Addr(), 3, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid)))
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }

-func lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(systemName)
-	if err != nil {
-		return
+func openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) {
+	var _p0 uint32
+	if openAsSelf {
+		_p0 = 1
 	}
-	return _lookupPrivilegeName(_p0, luid, buffer, size)
-}
-
-func _lookupPrivilegeName(systemName *uint16, luid *uint64, buffer *uint16, size *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procLookupPrivilegeNameW.Addr(), 4, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(luid)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), 0, 0)
+	r1, _, e1 := syscall.Syscall6(procOpenThreadToken.Addr(), 4, uintptr(thread), uintptr(accessMask), uintptr(_p0), uintptr(unsafe.Pointer(token)), 0, 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }

-func lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(systemName)
-	if err != nil {
-		return
-	}
-	return _lookupPrivilegeDisplayName(_p0, name, buffer, size, languageId)
-}
-
-func _lookupPrivilegeDisplayName(systemName *uint16, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procLookupPrivilegeDisplayNameW.Addr(), 5, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), uintptr(unsafe.Pointer(languageId)), 0)
+func revertToSelf() (err error) {
+	r1, _, e1 := syscall.Syscall(procRevertToSelf.Addr(), 0, 0, 0, 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }
@ -501,22 +238,14 @@ func backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, proce
 	var _p1 uint32
 	if abort {
 		_p1 = 1
-	} else {
-		_p1 = 0
 	}
 	var _p2 uint32
 	if processSecurity {
 		_p2 = 1
-	} else {
-		_p2 = 0
 	}
 	r1, _, e1 := syscall.Syscall9(procBackupRead.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesRead)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }
@ -529,22 +258,162 @@ func backupWrite(h syscall.Handle, b []byte, bytesWritten *uint32, abort bool, p
 	var _p1 uint32
 	if abort {
 		_p1 = 1
-	} else {
-		_p1 = 0
 	}
 	var _p2 uint32
 	if processSecurity {
 		_p2 = 1
-	} else {
-		_p2 = 0
 	}
 	r1, _, e1 := syscall.Syscall9(procBackupWrite.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesWritten)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0)
 	if r1 == 0 {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func cancelIoEx(file syscall.Handle, o *syscall.Overlapped) (err error) {
+	r1, _, e1 := syscall.Syscall(procCancelIoEx.Addr(), 2, uintptr(file), uintptr(unsafe.Pointer(o)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) {
+	r1, _, e1 := syscall.Syscall(procConnectNamedPipe.Addr(), 2, uintptr(pipe), uintptr(unsafe.Pointer(o)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(name)
+	if err != nil {
+		return
+	}
+	return _createFile(_p0, access, mode, sa, createmode, attrs, templatefile)
+}
+
+func _createFile(name *uint16, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) {
+	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
+	handle = syscall.Handle(r0)
+	if handle == syscall.InvalidHandle {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount uint32) (newport syscall.Handle, err error) {
+	r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0)
+	newport = syscall.Handle(r0)
+	if newport == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) {
+	var _p0 *uint16
+	_p0, err = syscall.UTF16PtrFromString(name)
+	if err != nil {
+		return
+	}
+	return _createNamedPipe(_p0, flags, pipeMode, maxInstances, outSize, inSize, defaultTimeout, sa)
+}
+
+func _createNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) {
+	r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(flags), uintptr(pipeMode), uintptr(maxInstances), uintptr(outSize), uintptr(inSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0)
+	handle = syscall.Handle(r0)
+	if handle == syscall.InvalidHandle {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func getCurrentThread() (h syscall.Handle) {
+	r0, _, _ := syscall.Syscall(procGetCurrentThread.Addr(), 0, 0, 0, 0)
+	h = syscall.Handle(r0)
+	return
+}
+
+func getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) {
+	r1, _, e1 := syscall.Syscall9(procGetNamedPipeHandleStateW.Addr(), 7, uintptr(pipe), uintptr(unsafe.Pointer(state)), uintptr(unsafe.Pointer(curInstances)), uintptr(unsafe.Pointer(maxCollectionCount)), uintptr(unsafe.Pointer(collectDataTimeout)), uintptr(unsafe.Pointer(userName)), uintptr(maxUserNameSize), 0, 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) {
+	r1, _, e1 := syscall.Syscall6(procGetNamedPipeInfo.Addr(), 5, uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), uintptr(unsafe.Pointer(maxInstances)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func getQueuedCompletionStatus(port syscall.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) {
+	r1, _, e1 := syscall.Syscall6(procGetQueuedCompletionStatus.Addr(), 5, uintptr(port), uintptr(unsafe.Pointer(bytes)), uintptr(unsafe.Pointer(key)), uintptr(unsafe.Pointer(o)), uintptr(timeout), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func localAlloc(uFlags uint32, length uint32) (ptr uintptr) {
+	r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(uFlags), uintptr(length), 0)
+	ptr = uintptr(r0)
+	return
+}
+
+func localFree(mem uintptr) {
+	syscall.Syscall(procLocalFree.Addr(), 1, uintptr(mem), 0, 0)
+	return
+}
+
+func setFileCompletionNotificationModes(h syscall.Handle, flags uint8) (err error) {
+	r1, _, e1 := syscall.Syscall(procSetFileCompletionNotificationModes.Addr(), 2, uintptr(h), uintptr(flags), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) {
+	r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0)
+	status = ntstatus(r0)
+	return
+}
+
+func rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) {
+	r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0)
+	status = ntstatus(r0)
+	return
+}
+
+func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) {
+	r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0)
+	status = ntstatus(r0)
+	return
+}
+
+func rtlNtStatusToDosError(status ntstatus) (winerr error) {
+	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
+	if r0 != 0 {
+		winerr = syscall.Errno(r0)
+	}
+	return
+}
+
+func wsaGetOverlappedResult(h syscall.Handle, o *syscall.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) {
+	var _p0 uint32
+	if wait {
+		_p0 = 1
+	}
+	r1, _, e1 := syscall.Syscall6(procWSAGetOverlappedResult.Addr(), 5, uintptr(h), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(bytes)), uintptr(_p0), uintptr(unsafe.Pointer(flags)), 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
 	}
 	return
 }
@ -552,11 +421,7 @@ func backupWrite(h syscall.Handle, b []byte, bytesWritten *uint32, abort bool, p
 func bind(s syscall.Handle, name unsafe.Pointer, namelen int32) (err error) {
 	r1, _, e1 := syscall.Syscall(procbind.Addr(), 3, uintptr(s), uintptr(name), uintptr(namelen))
 	if r1 == socketError {
-		if e1 != 0 {
-			err = errnoErr(e1)
-		} else {
-			err = syscall.EINVAL
-		}
+		err = errnoErr(e1)
 	}
 	return
 }
--- a/vendor/github.com/Microsoft/hcsshim/.gitattributes
+++ b/vendor/github.com/Microsoft/hcsshim/.gitattributes
@ -0,0 +1 @@
+* text=auto eol=lf
--- a/vendor/github.com/Microsoft/hcsshim/.gitignore
+++ b/vendor/github.com/Microsoft/hcsshim/.gitignore
@ -1 +1,3 @@
 *.exe
+.idea
+.vscode
--- a/vendor/github.com/Microsoft/hcsshim/.gometalinter.json
+++ b/vendor/github.com/Microsoft/hcsshim/.gometalinter.json
@ -1,17 +0,0 @@
-{
-    "Vendor": true,
-    "Deadline": "2m",
-    "Sort": [
-        "linter",
-        "severity",
-        "path",
-        "line"
-    ],
-    "Skip": [
-        "internal\\schema2"
-    ],
-    "EnableGC": true,
-    "Enable": [
-        "gofmt"
-    ]
-}
--- a/vendor/github.com/Microsoft/hcsshim/CODEOWNERS
+++ b/vendor/github.com/Microsoft/hcsshim/CODEOWNERS
@ -0,0 +1 @@
+* @microsoft/containerplat
--- a/vendor/github.com/Microsoft/hcsshim/Protobuild.toml
+++ b/vendor/github.com/Microsoft/hcsshim/Protobuild.toml
@ -25,21 +25,25 @@ plugins = ["grpc", "fieldpath"]
  "gogoproto/gogo.proto" = "github.com/gogo/protobuf/gogoproto"
  "google/protobuf/any.proto" = "github.com/gogo/protobuf/types"
  "google/protobuf/empty.proto" = "github.com/gogo/protobuf/types"
+  "google/protobuf/struct.proto" = "github.com/gogo/protobuf/types"
  "google/protobuf/descriptor.proto" = "github.com/gogo/protobuf/protoc-gen-gogo/descriptor"
  "google/protobuf/field_mask.proto" = "github.com/gogo/protobuf/types"
  "google/protobuf/timestamp.proto" = "github.com/gogo/protobuf/types"
  "google/protobuf/duration.proto" = "github.com/gogo/protobuf/types"
+  "github/containerd/cgroups/stats/v1/metrics.proto" = "github.com/containerd/cgroups/stats/v1"

 [[overrides]]
 prefixes = ["github.com/Microsoft/hcsshim/internal/shimdiag"]
 plugins = ["ttrpc"]

-# Lock down runhcs config
+[[overrides]]
+prefixes = ["github.com/Microsoft/hcsshim/internal/computeagent"]
+plugins = ["ttrpc"]

-[[descriptors]]
-prefix = "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
-target = "cmd/containerd-shim-runhcs-v1/options/next.pb.txt"
-ignore_files = [
-	"google/protobuf/descriptor.proto",
-	"gogoproto/gogo.proto"
-]
+[[overrides]]
+prefixes = ["github.com/Microsoft/hcsshim/internal/ncproxyttrpc"]
+plugins = ["ttrpc"]
+
+[[overrides]]
+prefixes = ["github.com/Microsoft/hcsshim/internal/vmservice"]
+plugins = ["ttrpc"]
--- a/vendor/github.com/Microsoft/hcsshim/README.md
+++ b/vendor/github.com/Microsoft/hcsshim/README.md
@ -1,8 +1,8 @@
 # hcsshim

-[![Build status](https://ci.appveyor.com/api/projects/status/nbcw28mnkqml0loa/branch/master?svg=true)](https://ci.appveyor.com/project/WindowsVirtualization/hcsshim/branch/master)
+[![Build status](https://github.com/microsoft/hcsshim/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/microsoft/hcsshim/actions?query=branch%3Amaster)

-This package contains the Golang interface for using the Windows [Host Compute Service](https://blogs.technet.microsoft.com/virtualization/2017/01/27/introducing-the-host-compute-service-hcs/) (HCS) to launch and manage [Windows Containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/). It also contains other helpers and functions for managing Windows Containers such as the Golang interface for the Host Network Service (HNS).
+This package contains the Golang interface for using the Windows [Host Compute Service](https://techcommunity.microsoft.com/t5/containers/introducing-the-host-compute-service-hcs/ba-p/382332) (HCS) to launch and manage [Windows Containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/). It also contains other helpers and functions for managing Windows Containers such as the Golang interface for the Host Network Service (HNS).

 It is primarily used in the [Moby Project](https://github.com/moby/moby), but it can be freely used by other projects as well.

@ -16,6 +16,11 @@ When you submit a pull request, a CLA-bot will automatically determine whether y
 a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
 provided by the bot. You will only need to do this once across all repos using our CLA.

+We also ask that contributors [sign their commits](https://git-scm.com/docs/git-commit) using `git commit -s` or `git commit --signoff` to certify they either authored the work themselves or otherwise have permission to use it in this project. 
+
+
+## Code of Conduct
+
 This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
 For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
 contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
--- a/vendor/github.com/Microsoft/hcsshim/appveyor.yml
+++ b/vendor/github.com/Microsoft/hcsshim/appveyor.yml
@ -1,41 +0,0 @@
-version: 0.1.{build}
-
-image: Visual Studio 2017
-
-clone_folder: c:\gopath\src\github.com\Microsoft\hcsshim
-
-environment:
-  GOPATH: c:\gopath
-  PATH: C:\mingw-w64\x86_64-7.2.0-posix-seh-rt_v5-rev1\mingw64\bin;%GOPATH%\bin;C:\gometalinter-2.0.12-windows-amd64;%PATH%
-
-stack: go 1.12.4
-
-build_script:
-  - appveyor DownloadFile https://github.com/alecthomas/gometalinter/releases/download/v2.0.12/gometalinter-2.0.12-windows-amd64.zip
-  - 7z x gometalinter-2.0.12-windows-amd64.zip -y -oC:\ > NUL
-  - gometalinter.exe --config .gometalinter.json ./...
-  - go build ./cmd/containerd-shim-runhcs-v1
-  - go build ./cmd/runhcs
-  - go build ./cmd/tar2ext4
-  - go build ./cmd/wclayer
-  - go build ./internal/tools/grantvmgroupaccess 
-  - go build ./internal/tools/uvmboot
-  - go build ./internal/tools/zapdir
-  - go test -v ./... -tags admin
-  - go test -c ./test/containerd-shim-runhcs-v1/ -tags functional
-  - go test -c ./test/cri-containerd/ -tags functional
-  - go test -c ./test/functional/ -tags functional
-  - go test -c ./test/runhcs/ -tags functional
-
-artifacts:
-  - path: 'containerd-shim-runhcs-v1.exe'
-  - path: 'runhcs.exe'
-  - path: 'tar2ext4.exe'
-  - path: 'wclayer.exe'
-  - path: 'grantvmgroupaccess.exe'  
-  - path: 'uvmboot.exe'
-  - path: 'zapdir.exe'
-  - path: 'containerd-shim-runhcs-v1.test.exe'
-  - path: 'cri-containerd.test.exe'
-  - path: 'functional.test.exe'
-  - path: 'runhcs.test.exe'
--- a/Show More
+++ b/Show More