Add support for namespace mutations

Adds support for: Get, Create, Update, Delete Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
Update to latest faas-provider
2025-06-18 12:06:36 +00:00 · 2023-07-07 13:45:36 +01:00 · 2023-07-07 09:48:27 +01:00 · 2023-07-06 11:05:06 +01:00 · 2023-07-06 11:04:06 +01:00 · 2023-05-23 11:20:58 +01:00
2647 changed files with 396713 additions and 345217 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,2 @@
+vendor/** linguist-generated=true
+Gopkg.lock linguist-generated=true
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -1,16 +1,37 @@
-<!--- Provide a general summary of the issue in the Title above -->
+## Due diligence

+<!-- Due dilligence -->
+## My actions before raising this issue
+Before you ask for help or support, make sure that you've [consulted the manual for faasd](https://openfaas.gumroad.com/l/serverless-for-everyone-else). We can't answer questions that are already covered by the manual.
+
+
+<!-- How is this affecting you? What task are you trying to accomplish? -->
+## Why do you need this?
+
+<!-- Attempts to mask or hide this may result in the issue being closed -->
+## Who is this for?
+
+What company is this for? Are you listed in the [ADOPTERS.md](https://github.com/openfaas/faas/blob/master/ADOPTERS.md) file?
+
+<!--- Provide a general summary of the issue in the Title above -->
 ## Expected Behaviour
 <!--- If you're describing a bug, tell us what should happen -->
 <!--- If you're suggesting a change/improvement, tell us how it should work -->

+
 ## Current Behaviour
 <!--- If describing a bug, tell us what happens instead of the expected behavior -->
 <!--- If suggesting a change/improvement, explain the difference from current behavior -->

-## Possible Solution
-<!--- Not obligatory, but suggest a fix/reason for the bug, -->
-<!--- or ideas how to implement the addition or change -->
+
+## List All Possible Solutions and Workarounds
+<!--- Suggest a fix/reason for the bug, or ideas how to implement  -->
+<!--- the addition or change -->
+<!--- Is there a workaround which could avoid making changes? -->
+
+## Which Solution Do You Recommend?
+<!--- Pick your preferred solution, if you were to implement and maintain this change -->
+

 ## Steps to Reproduce (for bugs)
 <!--- Provide a link to a live example, or an unambiguous set of steps to -->
@ -20,10 +41,6 @@
 3.
 4.

-## Context
-<!--- How has this issue affected you? What are you trying to accomplish? -->
-<!--- Providing context helps us come up with a solution that is most useful in the real world -->
-
 ## Your Environment

 * OS and architecture:
@ -38,4 +55,6 @@ containerd -version
 uname -a

 cat /etc/os-release
+
+faasd version
 ```
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -0,0 +1,32 @@
+name: build
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    env:
+      GO111MODULE: off
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+        with:
+          fetch-depth: 1
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.20.x
+
+      - name: test
+        run: make test
+      - name: dist
+        run: make dist
+      - name: prepare-test
+        run: make prepare-test
+      - name: test e2e
+        run: make test-e2e
+
+
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -0,0 +1,26 @@
+name: publish
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+        with:
+          fetch-depth: 1
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.20.x
+      - name: Make publish
+        run: make publish
+      - name: Upload release binaries
+        uses: alexellis/upload-assets@0.4.0
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          asset_paths: '["./bin/faasd*"]'
--- a/.github/workflows/verify-images.yaml
+++ b/.github/workflows/verify-images.yaml
@ -0,0 +1,18 @@
+name: Verify Docker Compose Images
+
+on:
+  push:
+    paths:
+      - '**.yaml'
+
+jobs:
+  verifyImages:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@master
+      - uses: alexellis/setup-arkade@v2
+      - name: Verify chart images
+        id: verify_images
+        run: |
+          VERBOSE=true make verify-compose
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@ basic-auth-user
 basic-auth-password
 /bin
 /secrets
+.vscode
--- a/.travis.yml
+++ b/.travis.yml
@ -1,30 +0,0 @@
-sudo: required
-language: go
-
-go:
- '1.13'
-
-addons:
-  apt:
-    packages:
-      - runc
-
-script:
- make dist
- make prepare-test
- make test-e2e
-
-deploy:
-  provider: releases
-  api_key:
-    secure: bccOSB+Mbk5ZJHyJfX82Xg/3/7mxiAYHx7P5m5KS1ncDuRpJBFjDV8Nx2PWYg341b5SMlCwsS3IJ9NkoGvRSKK+3YqeNfTeMabVNdKC2oL1i+4pdxGlbl57QXkzT4smqE8AykZEo4Ujk42rEr3e0gSHT2rXkV+Xt0xnoRVXn2tSRUDwsmwANnaBj6KpH2SjJ/lsfTifxrRB65uwcePaSjkqwR6htFraQtpONC9xYDdek6EoVQmoft/ONZJqi7HR+OcA1yhSt93XU6Vaf3678uLlPX9c/DxgIU9UnXRaOd0UUEiTHaMMWDe/bJSrKmgL7qY05WwbGMsXO/RdswwO1+zwrasrwf86SjdGX/P9AwobTW3eTEiBqw2J77UVbvLzDDoyJ5KrkbHRfPX8aIPO4OG9eHy/e7C3XVx4qv9bJBXQ3qD9YJtei9jmm8F/MCdPWuVYC0hEvHtuhP/xMm4esNUjFM5JUfDucvAuLL34NBYHBDP2XNuV4DkgQQPakfnlvYBd7OqyXCU6pzyWSasXpD1Rz8mD/x8aTUl2Ya4bnXQ8qAa5cnxfPqN2ADRlTw1qS7hl6LsXzNQ6r1mbuh/uFi67ybElIjBTfuMEeJOyYHkkLUHIBpooKrPyr0luAbf0By2D2N/eQQnM/RpixHNfZG/mvXx8ZCrs+wxgvG1Rm7rM=
-  file:
-    - ./bin/faasd
-    - ./bin/faasd-armhf
-    - ./bin/faasd-arm64
-  skip_cleanup: true
-  on:
-    tags: true
-
-env: GO111MODULE=off
-
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -1,607 +0,0 @@
-# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
-
-
-[[projects]]
-  digest = "1:d5e752c67b445baa5b6cb6f8aa706775c2aa8e41aca95a0c651520ff2c80361a"
-  name = "github.com/Microsoft/go-winio"
-  packages = [
-    ".",
-    "pkg/guid",
-  ]
-  pruneopts = "UT"
-  revision = "6c72808b55902eae4c5943626030429ff20f3b63"
-  version = "v0.4.14"
-
-[[projects]]
-  digest = "1:f06a14a8b60a7a9cdbf14ed52272faf4ff5de4ed7c784ff55b64995be98ac59f"
-  name = "github.com/Microsoft/hcsshim"
-  packages = [
-    ".",
-    "internal/cow",
-    "internal/hcs",
-    "internal/hcserror",
-    "internal/hns",
-    "internal/interop",
-    "internal/log",
-    "internal/logfields",
-    "internal/longpath",
-    "internal/mergemaps",
-    "internal/oc",
-    "internal/safefile",
-    "internal/schema1",
-    "internal/schema2",
-    "internal/timeout",
-    "internal/vmcompute",
-    "internal/wclayer",
-    "osversion",
-  ]
-  pruneopts = "UT"
-  revision = "9e921883ac929bbe515b39793ece99ce3a9d7706"
-
-[[projects]]
-  digest = "1:74860eb071d52337d67e9ffd6893b29affebd026505aa917ec23131576a91a77"
-  name = "github.com/alexellis/go-execute"
-  packages = ["pkg/v1"]
-  pruneopts = "UT"
-  revision = "961405ea754427780f2151adff607fa740d377f7"
-  version = "0.3.0"
-
-[[projects]]
-  digest = "1:6076d857867a70e87dd1994407deb142f27436f1293b13e75cc053192d14eb0c"
-  name = "github.com/alexellis/k3sup"
-  packages = ["pkg/env"]
-  pruneopts = "UT"
-  revision = "f9a4adddc732742a9ee7962609408fb0999f2d7b"
-  version = "0.7.1"
-
-[[projects]]
-  digest = "1:cf83a14c8042951b0dcd74758fc32258111ecc7838cbdf5007717172cab9ca9b"
-  name = "github.com/containerd/containerd"
-  packages = [
-    ".",
-    "api/services/containers/v1",
-    "api/services/content/v1",
-    "api/services/diff/v1",
-    "api/services/events/v1",
-    "api/services/images/v1",
-    "api/services/introspection/v1",
-    "api/services/leases/v1",
-    "api/services/namespaces/v1",
-    "api/services/snapshots/v1",
-    "api/services/tasks/v1",
-    "api/services/version/v1",
-    "api/types",
-    "api/types/task",
-    "archive",
-    "archive/compression",
-    "cio",
-    "containers",
-    "content",
-    "content/proxy",
-    "defaults",
-    "diff",
-    "errdefs",
-    "events",
-    "events/exchange",
-    "filters",
-    "identifiers",
-    "images",
-    "images/archive",
-    "labels",
-    "leases",
-    "leases/proxy",
-    "log",
-    "mount",
-    "namespaces",
-    "oci",
-    "pkg/dialer",
-    "platforms",
-    "plugin",
-    "reference",
-    "remotes",
-    "remotes/docker",
-    "remotes/docker/schema1",
-    "rootfs",
-    "runtime/linux/runctypes",
-    "runtime/v2/logging",
-    "runtime/v2/runc/options",
-    "snapshots",
-    "snapshots/proxy",
-    "sys",
-    "version",
-  ]
-  pruneopts = "UT"
-  revision = "ff48f57fc83a8c44cf4ad5d672424a98ba37ded6"
-  version = "v1.3.2"
-
-[[projects]]
-  digest = "1:e4414857969cfbe45c7dab0a012aad4855bf7167c25d672a182cb18676424a0c"
-  name = "github.com/containerd/continuity"
-  packages = [
-    "fs",
-    "pathdriver",
-    "syscallx",
-    "sysx",
-  ]
-  pruneopts = "UT"
-  revision = "f2a389ac0a02ce21c09edd7344677a601970f41c"
-
-[[projects]]
-  digest = "1:1b9a7426259b5333d575785e21e1bd0decf18208f5bfb6424d24a50d5ddf83d0"
-  name = "github.com/containerd/fifo"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "bda0ff6ed73c67bfb5e62bc9c697f146b7fd7f13"
-
-[[projects]]
-  branch = "master"
-  digest = "1:2301a9a859e3b0946e2ddd6961ba6faf6857e6e68bc9293db758dbe3b17cc35e"
-  name = "github.com/containerd/go-cni"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "c154a49e2c754b83ebfb12ebf1362213b94d23e6"
-
-[[projects]]
-  digest = "1:6d66a41dbbc6819902f1589d0550bc01c18032c0a598a7cd656731e6df73861b"
-  name = "github.com/containerd/ttrpc"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "92c8520ef9f86600c650dd540266a007bf03670f"
-
-[[projects]]
-  digest = "1:7b4683388adabc709dbb082c13ba35967f072379c85b4acde997c1ca75af5981"
-  name = "github.com/containerd/typeurl"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "a93fcdb778cd272c6e9b3028b2f42d813e785d40"
-
-[[projects]]
-  digest = "1:1a07bbfee1d0534e8dda4773948e6dcd3a061ea7ab047ce04619476946226483"
-  name = "github.com/containernetworking/cni"
-  packages = [
-    "libcni",
-    "pkg/invoke",
-    "pkg/types",
-    "pkg/types/020",
-    "pkg/types/current",
-    "pkg/version",
-  ]
-  pruneopts = "UT"
-  revision = "4cfb7b568922a3c79a23e438dc52fe537fc9687e"
-  version = "v0.7.1"
-
-[[projects]]
-  digest = "1:bcf36df8d43860bfde913d008301aef27c6e9a303582118a837c4a34c0d18167"
-  name = "github.com/coreos/go-systemd"
-  packages = ["journal"]
-  pruneopts = "UT"
-  revision = "2d78030078ef61b3cae27f42ad6d0e46db51b339"
-  version = "v22.0.0"
-
-[[projects]]
-  digest = "1:92ebc9c068ab8e3fff03a58694ee33830964f6febd0130069aadce328802de14"
-  name = "github.com/docker/cli"
-  packages = [
-    "cli/config",
-    "cli/config/configfile",
-    "cli/config/credentials",
-    "cli/config/types",
-  ]
-  pruneopts = "UT"
-  revision = "99c5edceb48d64c1aa5d09b8c9c499d431d98bb9"
-  version = "v19.03.5"
-
-[[projects]]
-  digest = "1:e495f9f1fb2bae55daeb76e099292054fe1f734947274b3cfc403ccda595d55a"
-  name = "github.com/docker/distribution"
-  packages = [
-    "digestset",
-    "reference",
-    "registry/api/errcode",
-  ]
-  pruneopts = "UT"
-  revision = "0d3efadf0154c2b8a4e7b6621fff9809655cc580"
-
-[[projects]]
-  digest = "1:10f9c98f627e9697ec23b7973a683324f1d901dd9bace4a71405c0b2ec554303"
-  name = "github.com/docker/docker"
-  packages = [
-    "pkg/homedir",
-    "pkg/idtools",
-    "pkg/mount",
-    "pkg/system",
-  ]
-  pruneopts = "UT"
-  revision = "ea84732a77251e0d7af278e2b7df1d6a59fca46b"
-  version = "v19.03.5"
-
-[[projects]]
-  digest = "1:9f3f49b4e32d3da2dd6ed07cc568627b53cc80205c0dcf69f4091f027416cb60"
-  name = "github.com/docker/docker-credential-helpers"
-  packages = [
-    "client",
-    "credentials",
-  ]
-  pruneopts = "UT"
-  revision = "54f0238b6bf101fc3ad3b34114cb5520beb562f5"
-  version = "v0.6.3"
-
-[[projects]]
-  digest = "1:0938aba6e09d72d48db029d44dcfa304851f52e2d67cda920436794248e92793"
-  name = "github.com/docker/go-events"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "9461782956ad83b30282bf90e31fa6a70c255ba9"
-
-[[projects]]
-  digest = "1:e95ef557dc3120984bb66b385ae01b4bb8ff56bcde28e7b0d1beed0cccc4d69f"
-  name = "github.com/docker/go-units"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "519db1ee28dcc9fd2474ae59fca29a810482bfb1"
-  version = "v0.4.0"
-
-[[projects]]
-  digest = "1:fa6faf4a2977dc7643de38ae599a95424d82f8ffc184045510737010a82c4ecd"
-  name = "github.com/gogo/googleapis"
-  packages = ["google/rpc"]
-  pruneopts = "UT"
-  revision = "d31c731455cb061f42baff3bda55bad0118b126b"
-  version = "v1.2.0"
-
-[[projects]]
-  digest = "1:4107f4e81e8fd2e80386b4ed56b05e3a1fe26ecc7275fe80bb9c3a80a7344ff4"
-  name = "github.com/gogo/protobuf"
-  packages = [
-    "proto",
-    "sortkeys",
-    "types",
-  ]
-  pruneopts = "UT"
-  revision = "ba06b47c162d49f2af050fb4c75bcbc86a159d5c"
-  version = "v1.2.1"
-
-[[projects]]
-  branch = "master"
-  digest = "1:b7cb6054d3dff43b38ad2e92492f220f57ae6087ee797dca298139776749ace8"
-  name = "github.com/golang/groupcache"
-  packages = ["lru"]
-  pruneopts = "UT"
-  revision = "611e8accdfc92c4187d399e95ce826046d4c8d73"
-
-[[projects]]
-  digest = "1:f5ce1529abc1204444ec73779f44f94e2fa8fcdb7aca3c355b0c95947e4005c6"
-  name = "github.com/golang/protobuf"
-  packages = [
-    "proto",
-    "ptypes",
-    "ptypes/any",
-    "ptypes/duration",
-    "ptypes/timestamp",
-  ]
-  pruneopts = "UT"
-  revision = "6c65a5562fc06764971b7c5d05c76c75e84bdbf7"
-  version = "v1.3.2"
-
-[[projects]]
-  digest = "1:cbec35fe4d5a4fba369a656a8cd65e244ea2c743007d8f6c1ccb132acf9d1296"
-  name = "github.com/gorilla/mux"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "00bdffe0f3c77e27d2cf6f5c70232a2d3e4d9c15"
-  version = "v1.7.3"
-
-[[projects]]
-  digest = "1:870d441fe217b8e689d7949fef6e43efbc787e50f200cb1e70dbca9204a1d6be"
-  name = "github.com/inconshreveable/mousetrap"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75"
-  version = "v1.0"
-
-[[projects]]
-  digest = "1:31e761d97c76151dde79e9d28964a812c46efc5baee4085b86f68f0c654450de"
-  name = "github.com/konsorten/go-windows-terminal-sequences"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "f55edac94c9bbba5d6182a4be46d86a2c9b5b50e"
-  version = "v1.0.2"
-
-[[projects]]
-  digest = "1:906eb1ca3c8455e447b99a45237b2b9615b665608fd07ad12cce847dd9a1ec43"
-  name = "github.com/morikuni/aec"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "39771216ff4c63d11f5e604076f9c45e8be1067b"
-  version = "v1.0.0"
-
-[[projects]]
-  digest = "1:bc62c2c038cc8ae51b68f6d52570501a763bb71e78736a9f65d60762429864a9"
-  name = "github.com/opencontainers/go-digest"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "c9281466c8b2f606084ac71339773efd177436e7"
-
-[[projects]]
-  digest = "1:70711188c19c53147099d106169d6a81941ed5c2658651432de564a7d60fd288"
-  name = "github.com/opencontainers/image-spec"
-  packages = [
-    "identity",
-    "specs-go",
-    "specs-go/v1",
-  ]
-  pruneopts = "UT"
-  revision = "d60099175f88c47cd379c4738d158884749ed235"
-  version = "v1.0.1"
-
-[[projects]]
-  digest = "1:18d6ebfbabffccba7318a4e26028b0d41f23ff359df3dc07a53b37a9f3a4a994"
-  name = "github.com/opencontainers/runc"
-  packages = [
-    "libcontainer/system",
-    "libcontainer/user",
-  ]
-  pruneopts = "UT"
-  revision = "d736ef14f0288d6993a1845745d6756cfc9ddd5a"
-  version = "v1.0.0-rc9"
-
-[[projects]]
-  digest = "1:7a58202c5cdf3d2c1eb0621fe369315561cea7f036ad10f0f0479ac36bcc95eb"
-  name = "github.com/opencontainers/runtime-spec"
-  packages = ["specs-go"]
-  pruneopts = "UT"
-  revision = "29686dbc5559d93fb1ef402eeda3e35c38d75af4"
-
-[[projects]]
-  digest = "1:cdf3df431e70077f94e14a99305808e3d13e96262b4686154970f448f7248842"
-  name = "github.com/openfaas/faas"
-  packages = ["gateway/requests"]
-  pruneopts = "UT"
-  revision = "80b6976c106370a7081b2f8e9099a6ea9638e1f3"
-  version = "0.18.10"
-
-[[projects]]
-  digest = "1:6f21508bd38feec0d440ca862f5adcb4c955713f3eb4e075b9af731e6ef258ba"
-  name = "github.com/openfaas/faas-provider"
-  packages = [
-    ".",
-    "auth",
-    "httputil",
-    "proxy",
-    "types",
-  ]
-  pruneopts = "UT"
-  revision = "8f7c35975e1b2bf8286c2f90ee51633eec427491"
-  version = "0.14.0"
-
-[[projects]]
-  digest = "1:cf31692c14422fa27c83a05292eb5cbe0fb2775972e8f1f8446a71549bd8980b"
-  name = "github.com/pkg/errors"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "ba968bfe8b2f7e042a574c888954fccecfa385b4"
-  version = "v0.8.1"
-
-[[projects]]
-  digest = "1:044c51736e2688a3e4f28f72537f8a7b3f9c188fab4477d5334d92dfe2c07ed5"
-  name = "github.com/sethvargo/go-password"
-  packages = ["password"]
-  pruneopts = "UT"
-  revision = "07c3d521e892540e71469bb0312866130714c038"
-  version = "v0.1.3"
-
-[[projects]]
-  digest = "1:fd61cf4ae1953d55df708acb6b91492d538f49c305b364a014049914495db426"
-  name = "github.com/sirupsen/logrus"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f"
-  version = "v1.4.1"
-
-[[projects]]
-  digest = "1:e096613fb7cf34743d49af87d197663cfccd61876e2219853005a57baedfa562"
-  name = "github.com/spf13/cobra"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "f2b07da1e2c38d5f12845a4f607e2e1018cbb1f5"
-  version = "v0.0.5"
-
-[[projects]]
-  digest = "1:524b71991fc7d9246cc7dc2d9e0886ccb97648091c63e30eef619e6862c955dd"
-  name = "github.com/spf13/pflag"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "2e9d26c8c37aae03e3f9d4e90b7116f5accb7cab"
-  version = "v1.0.5"
-
-[[projects]]
-  branch = "master"
-  digest = "1:e14e467ed00ab98665623c5060fa17e3d7079be560ffc33cabafd05d35894f05"
-  name = "github.com/syndtr/gocapability"
-  packages = ["capability"]
-  pruneopts = "UT"
-  revision = "d98352740cb2c55f81556b63d4a1ec64c5a319c2"
-
-[[projects]]
-  digest = "1:1314b5ef1c0b25257ea02e454291bf042478a48407cfe3ffea7e20323bbf5fdf"
-  name = "github.com/vishvananda/netlink"
-  packages = [
-    ".",
-    "nl",
-  ]
-  pruneopts = "UT"
-  revision = "f049be6f391489d3f374498fe0c8df8449258372"
-  version = "v1.1.0"
-
-[[projects]]
-  branch = "master"
-  digest = "1:975cb0c04431bf92e60b636a15897c4a3faba9f7dc04da505646630ac91d29d3"
-  name = "github.com/vishvananda/netns"
-  packages = ["."]
-  pruneopts = "UT"
-  revision = "0a2b9b5464df8343199164a0321edf3313202f7e"
-
-[[projects]]
-  digest = "1:aed53a5fa03c1270457e331cf8b7e210e3088a2278fec552c5c5d29c1664e161"
-  name = "go.opencensus.io"
-  packages = [
-    ".",
-    "internal",
-    "trace",
-    "trace/internal",
-    "trace/tracestate",
-  ]
-  pruneopts = "UT"
-  revision = "aad2c527c5defcf89b5afab7f37274304195a6b2"
-  version = "v0.22.2"
-
-[[projects]]
-  branch = "master"
-  digest = "1:676f320d34ccfa88bfa6d04bdf388ed7062af175355c805ef57ccda1a3f13432"
-  name = "golang.org/x/net"
-  packages = [
-    "context",
-    "context/ctxhttp",
-    "http/httpguts",
-    "http2",
-    "http2/hpack",
-    "idna",
-    "internal/timeseries",
-    "trace",
-  ]
-  pruneopts = "UT"
-  revision = "c0dbc17a35534bf2e581d7a942408dc936316da4"
-
-[[projects]]
-  digest = "1:d6b0cfc5ae30841c4b116ac589629f56f8add0955a39f11d8c0d06ca67f5b3d5"
-  name = "golang.org/x/sync"
-  packages = [
-    "errgroup",
-    "semaphore",
-  ]
-  pruneopts = "UT"
-  revision = "42b317875d0fa942474b76e1b46a6060d720ae6e"
-
-[[projects]]
-  branch = "master"
-  digest = "1:a76bac71eb452a046b47f82336ba792d8de988688a912f3fd0e8ec8e57fe1bb4"
-  name = "golang.org/x/sys"
-  packages = [
-    "unix",
-    "windows",
-  ]
-  pruneopts = "UT"
-  revision = "af0d71d358abe0ba3594483a5d519f429dbae3e9"
-
-[[projects]]
-  digest = "1:8d8faad6b12a3a4c819a3f9618cb6ee1fa1cfc33253abeeea8b55336721e3405"
-  name = "golang.org/x/text"
-  packages = [
-    "collate",
-    "collate/build",
-    "internal/colltab",
-    "internal/gen",
-    "internal/language",
-    "internal/language/compact",
-    "internal/tag",
-    "internal/triegen",
-    "internal/ucd",
-    "language",
-    "secure/bidirule",
-    "transform",
-    "unicode/bidi",
-    "unicode/cldr",
-    "unicode/norm",
-    "unicode/rangetable",
-  ]
-  pruneopts = "UT"
-  revision = "342b2e1fbaa52c93f31447ad2c6abc048c63e475"
-  version = "v0.3.2"
-
-[[projects]]
-  branch = "master"
-  digest = "1:583a0c80f5e3a9343d33aea4aead1e1afcc0043db66fdf961ddd1fe8cd3a4faf"
-  name = "google.golang.org/genproto"
-  packages = ["googleapis/rpc/status"]
-  pruneopts = "UT"
-  revision = "b31c10ee225f87dbb9f5f878ead9d64f34f5cbbb"
-
-[[projects]]
-  digest = "1:48eafc052e46b4ebbc7882553873cf6198203e528627cefc94dcaf8553addd19"
-  name = "google.golang.org/grpc"
-  packages = [
-    ".",
-    "balancer",
-    "balancer/base",
-    "balancer/roundrobin",
-    "binarylog/grpc_binarylog_v1",
-    "codes",
-    "connectivity",
-    "credentials",
-    "credentials/internal",
-    "encoding",
-    "encoding/proto",
-    "grpclog",
-    "health/grpc_health_v1",
-    "internal",
-    "internal/backoff",
-    "internal/balancerload",
-    "internal/binarylog",
-    "internal/channelz",
-    "internal/envconfig",
-    "internal/grpcrand",
-    "internal/grpcsync",
-    "internal/syscall",
-    "internal/transport",
-    "keepalive",
-    "metadata",
-    "naming",
-    "peer",
-    "resolver",
-    "resolver/dns",
-    "resolver/passthrough",
-    "serviceconfig",
-    "stats",
-    "status",
-    "tap",
-  ]
-  pruneopts = "UT"
-  revision = "6eaf6f47437a6b4e2153a190160ef39a92c7eceb"
-  version = "v1.23.0"
-
-[solve-meta]
-  analyzer-name = "dep"
-  analyzer-version = 1
-  input-imports = [
-    "github.com/alexellis/go-execute/pkg/v1",
-    "github.com/alexellis/k3sup/pkg/env",
-    "github.com/containerd/containerd",
-    "github.com/containerd/containerd/cio",
-    "github.com/containerd/containerd/containers",
-    "github.com/containerd/containerd/errdefs",
-    "github.com/containerd/containerd/namespaces",
-    "github.com/containerd/containerd/oci",
-    "github.com/containerd/containerd/remotes",
-    "github.com/containerd/containerd/remotes/docker",
-    "github.com/containerd/containerd/runtime/v2/logging",
-    "github.com/containerd/go-cni",
-    "github.com/coreos/go-systemd/journal",
-    "github.com/docker/cli/cli/config",
-    "github.com/docker/cli/cli/config/configfile",
-    "github.com/docker/distribution/reference",
-    "github.com/gorilla/mux",
-    "github.com/morikuni/aec",
-    "github.com/opencontainers/runtime-spec/specs-go",
-    "github.com/openfaas/faas-provider",
-    "github.com/openfaas/faas-provider/proxy",
-    "github.com/openfaas/faas-provider/types",
-    "github.com/openfaas/faas/gateway/requests",
-    "github.com/pkg/errors",
-    "github.com/sethvargo/go-password/password",
-    "github.com/spf13/cobra",
-    "github.com/vishvananda/netlink",
-    "github.com/vishvananda/netns",
-    "golang.org/x/sys/unix",
-  ]
-  solver-name = "gps-cdcl"
-  solver-version = 1
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -1,47 +0,0 @@
-[prune]
-  go-tests = true
-  unused-packages = true
-
-[[constraint]]
-  name = "github.com/containerd/containerd"
-  version = "1.3.2"
-
-[[constraint]]
-  name = "github.com/morikuni/aec"
-  version = "1.0.0"
-
-[[constraint]]
-  name = "github.com/spf13/cobra"
-  version = "0.0.5"
-
-[[constraint]]
-  name = "github.com/alexellis/k3sup"
-  version = "0.7.1"
-
-[[constraint]]
-  name = "github.com/alexellis/go-execute"
-  version = "0.3.0"
-
-[[constraint]]
-  name = "github.com/gorilla/mux"
-  version = "1.7.3"
-
-[[constraint]]
-  name = "github.com/openfaas/faas"
-  version = "0.18.7"
-
-[[constraint]]
-  name = "github.com/sethvargo/go-password"
-  version = "0.1.3"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/containerd/go-cni"
-
-[[constraint]]
-  name = "github.com/openfaas/faas-provider"
-  version = "0.14.0"
-
-[[constraint]]
-  name = "github.com/docker/cli"
-  version = "19.3.5"
--- a/4
+++ b/4
@ -1,6 +1,8 @@
 MIT License

-Copyright (c) 2019 Alex Ellis
+Copyright (c) 2020 Alex Ellis
+Copyright (c) 2020 OpenFaaS Ltd
+Copyright (c) 2020 OpenFaas Author(s)

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/50
+++ b/50
@ -1,38 +1,55 @@
 Version := $(shell git describe --tags --dirty)
 GitCommit := $(shell git rev-parse HEAD)
 LDFLAGS := "-s -w -X main.Version=$(Version) -X main.GitCommit=$(GitCommit)"
-CONTAINERD_VER := 1.3.2
-CNI_VERSION := v0.8.5
+CONTAINERD_VER := 1.7.0
+CNI_VERSION := v0.9.1
 ARCH := amd64

+export GO111MODULE=on
+
 .PHONY: all
-all: local
+all: test dist hashgen
+
+.PHONY: publish
+publish: dist hashgen

 local:
-	CGO_ENABLED=0 GOOS=linux go build -o bin/faasd
+	CGO_ENABLED=0 GOOS=linux go build -mod=vendor -o bin/faasd
+
+.PHONY: test
+test:
+	CGO_ENABLED=0 GOOS=linux go test -mod=vendor -ldflags $(LDFLAGS) ./...
+
+.PHONY: dist-local
+dist-local:
+	CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags $(LDFLAGS) -o bin/faasd

 .PHONY: dist
 dist:
-	CGO_ENABLED=0 GOOS=linux go build -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd-armhf
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags $(LDFLAGS) -a -installsuffix cgo -o bin/faasd-arm64
+	CGO_ENABLED=0 GOOS=linux go build -mod=vendor -ldflags $(LDFLAGS) -o bin/faasd
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -mod=vendor -ldflags $(LDFLAGS) -o bin/faasd-armhf
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -mod=vendor -ldflags $(LDFLAGS) -o bin/faasd-arm64
+
+.PHONY: hashgen
+hashgen:
+	for f in bin/faasd*; do shasum -a 256 $$f > $$f.sha256; done

 .PHONY: prepare-test
 prepare-test:
-	curl -sLSf https://github.com/containerd/containerd/releases/download/v$(CONTAINERD_VER)/containerd-$(CONTAINERD_VER).linux-amd64.tar.gz > /tmp/containerd.tar.gz && sudo tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
-	curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.3.2/containerd.service | sudo tee /etc/systemd/system/containerd.service
+	curl -sLSf https://github.com/containerd/containerd/releases/download/v$(CONTAINERD_VER)/containerd-$(CONTAINERD_VER)-linux-amd64.tar.gz > /tmp/containerd.tar.gz && sudo tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
+	curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.7.0/containerd.service | sudo tee /etc/systemd/system/containerd.service
 	sudo systemctl daemon-reload && sudo systemctl start containerd
 	sudo /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
 	sudo mkdir -p /opt/cni/bin
 	curl -sSL https://github.com/containernetworking/plugins/releases/download/$(CNI_VERSION)/cni-plugins-linux-$(ARCH)-$(CNI_VERSION).tgz | sudo tar -xz -C /opt/cni/bin
-	sudo cp $(GOPATH)/src/github.com/openfaas/faasd/bin/faasd /usr/local/bin/
-	cd $(GOPATH)/src/github.com/openfaas/faasd/ && sudo /usr/local/bin/faasd install
+	sudo cp bin/faasd /usr/local/bin/
+	sudo /usr/local/bin/faasd install
 	sudo systemctl status -l containerd --no-pager
 	sudo journalctl -u faasd-provider --no-pager
 	sudo systemctl status -l faasd-provider --no-pager
 	sudo systemctl status -l faasd --no-pager
 	curl -sSLf https://cli.openfaas.com | sudo sh
-	sleep 120 && sudo journalctl -u faasd --no-pager
+	echo "Sleeping for 2m" && sleep 120 && sudo journalctl -u faasd --no-pager

 .PHONY: test-e2e
 test-e2e:
@ -48,3 +65,12 @@ test-e2e:
 	/usr/local/bin/faas-cli remove figlet
 	sleep 3
 	/usr/local/bin/faas-cli list
+	sleep 3
+	journalctl -t openfaas-fn:figlet --no-pager
+
+# Removed due to timing issue in CI on GitHub Actions
+#	/usr/local/bin/faas-cli logs figlet --since 15m --follow=false | grep Forking
+
+verify-compose:
+	@echo Verifying docker-compose.yaml images in remote registries && \
+	arkade chart verify --verbose=$(VERBOSE) -f ./docker-compose.yaml
--- a/README.md
+++ b/README.md
@ -1,23 +1,56 @@
-# faasd - serverless with containerd and CNI  🐳
+# faasd - a lightweight & portable faas engine

-[![Build Status](https://travis-ci.com/openfaas/faasd.svg?branch=master)](https://travis-ci.com/openfaas/faasd)
+[![Sponsor faasd](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/openfaas)](https://github.com/sponsors/openfaas)
+[![Build Status](https://github.com/openfaas/faasd/workflows/build/badge.svg?branch=master)](https://github.com/openfaas/faasd/actions)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![OpenFaaS](https://img.shields.io/badge/openfaas-serverless-blue.svg)](https://www.openfaas.com)
+![Downloads](https://img.shields.io/github/downloads/openfaas/faasd/total)

-faasd is the same OpenFaaS experience and ecosystem, but without Kubernetes. Functions and microservices can be deployed anywhere with reduced overheads whilst retaining the portability of containers and cloud-native tooling.
+faasd is [OpenFaaS](https://github.com/openfaas/) reimagined, but without the cost and complexity of Kubernetes. It runs on a single host with very modest requirements, making it fast and easy to manage. Under the hood it uses [containerd](https://containerd.io/) and [Container Networking Interface (CNI)](https://github.com/containernetworking/cni) along with the same core OpenFaaS components from the main project.

-## About faasd
+![faasd logo](docs/media/social.png)

-* is a single Golang binary
-* can be set-up and left alone to run your applications
-* is multi-arch, so works on Intel `x86_64` and ARM out the box
+## Use-cases and tutorials
+
+faasd is just another way to run OpenFaaS, so many things you read in the docs or in blog posts will work the same way.
+
+Videos and overviews:
+
+* [Exploring of serverless use-cases from commercial and personal users (YouTube)](https://www.youtube.com/watch?v=mzuXVuccaqI)
+* [Meet faasd. Look Ma’ No Kubernetes! (YouTube)](https://www.youtube.com/watch?v=ZnZJXI377ak)
+
+Use-cases and tutorials:
+
+* [Serverless Node.js that you can run anywhere](https://www.openfaas.com/blog/serverless-nodejs/)
+* [Simple Serverless with Golang Functions and Microservices](https://www.openfaas.com/blog/golang-serverless/)
+* [Build a Flask microservice with OpenFaaS](https://www.openfaas.com/blog/openfaas-flask/)
+* [Get started with Java 11 and Vert.x on Kubernetes with OpenFaaS](https://www.openfaas.com/blog/get-started-with-java-openjdk11/)
+* [Deploy to faasd via GitHub Actions](https://www.openfaas.com/blog/openfaas-functions-with-github-actions/)
+* [Scrape and automate websites with Puppeteer](https://www.openfaas.com/blog/puppeteer-scraping/)
+
+Additional resources:
+
+* The official handbook - [Serverless For Everyone Else](https://gumroad.com/l/serverless-for-everyone-else)
+* For reference: [OpenFaaS docs](https://docs.openfaas.com)
+* For use-cases and tutorials: [OpenFaaS blog](https://openfaas.com/blog/)
+* For self-paced learning: [OpenFaaS workshop](https://github.com/openfaas/workshop/)
+
+### About faasd
+
+* faasd is a static Golang binary
 * uses the same core components and ecosystem of OpenFaaS
+* uses containerd for its runtime and CNI for networking
+* is multi-arch, so works on Intel `x86_64` and ARM out the box
+* can run almost any other stateful container through its `docker-compose.yaml` file

-![demo](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=small)
+Most importantly, it's easy to manage so you can set it up and leave it alone to run your functions.

-> Demo of faasd running in KVM
+[![demo](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=medium)](https://www.youtube.com/watch?v=WX1tZoSXy8E)

-## What does faasd deploy?
+> Demo of faasd running asynchronous functions
+
+Watch the video: [faasd walk-through with cloud-init and Multipass](https://www.youtube.com/watch?v=WX1tZoSXy8E)
+
+### What does faasd deploy?

 * faasd - itself, and its [faas-provider](https://github.com/openfaas/faas-provider) for containerd - CRUD for functions and services, implements the OpenFaaS REST API
 * [Prometheus](https://github.com/prometheus/prometheus) - for monitoring of services, metrics, scaling and dashboards
@ -25,7 +58,7 @@ faasd is the same OpenFaaS experience and ecosystem, but without Kubernetes. Fun
 * [OpenFaaS queue-worker for NATS](https://github.com/openfaas/nats-queue-worker) - run your invocations in the background without adding any code. See also: [asynchronous invocations](https://docs.openfaas.com/reference/triggers/#async-nats-streaming)
 * [NATS](https://nats.io) for asynchronous processing and queues

-You'll also need:
+faasd relies on industry-standard tools for running containers:

 * [CNI](https://github.com/containernetworking/plugins)
 * [containerd](https://github.com/containerd/containerd)
@ -33,70 +66,86 @@ You'll also need:

 You can use the standard [faas-cli](https://github.com/openfaas/faas-cli) along with pre-packaged functions from *the Function Store*, or build your own using any OpenFaaS template.

-## Tutorials
+### When should you use faasd over OpenFaaS on Kubernetes?

-### Get started on DigitalOcean, or any other IaaS
+* To deploy microservices and functions that you can update and monitor remotely
+* When you don't have the bandwidth to learn or manage Kubernetes
+* To deploy embedded apps in IoT and edge use-cases
+* To distribute applications to a customer or client
+* You have a cost sensitive project - run faasd on a 1GB VM for 5-10 USD / mo or on your Raspberry Pi
+* When you just need a few functions or microservices, without the cost of a cluster

-If your IaaS supports `user_data` aka "cloud-init", then this guide is for you. If not, then checkout the approach and feel free to run each step manually.
+faasd does not create the same maintenance burden you'll find with maintaining, upgrading, and securing a Kubernetes cluster. You can deploy it and walk away, in the worst case, just deploy a new VM and deploy your functions again.

-* [Build a Serverless appliance with faasd](https://blog.alexellis.io/deploy-serverless-faasd-with-cloud-init/)
+You can learn more about supported OpenFaaS features in the [ROADMAP.md](/docs/ROADMAP.md)

-### Run locally on MacOS, Linux, or Windows with Multipass.run
+## Learning faasd

-* [Get up and running with your own faasd installation on your Mac/Ubuntu or Windows with cloud-config](https://gist.github.com/alexellis/6d297e678c9243d326c151028a3ad7b9)
+The faasd project is MIT licensed and open source, and you will find some documentation, blog posts and videos for free.

-### Get started on armhf / Raspberry Pi
+However, "Serverless For Everyone Else" is the official handbook and was written to contribute funds towards the upkeep and maintenance of the project.

-You can run this tutorial on your Raspberry Pi, or adapt the steps for a regular Linux VM/VPS host.
+### The official handbook and docs for faasd

-* [faasd - lightweight Serverless for your Raspberry Pi](https://blog.alexellis.io/faasd-for-lightweight-serverless/)
+<a href="https://gumroad.com/l/serverless-for-everyone-else">
+<img src="https://www.alexellis.io/serverless.png" width="40%"></a>

-### Terraform for DigitalOcean
+You'll learn how to deploy code in any language, lift and shift Dockerfiles, run requests in queues, write background jobs and to integrate with databases. faasd packages the same code as OpenFaaS, so you get built-in metrics for your HTTP endpoints, a user-friendly CLI, pre-packaged functions and templates from the store and a UI.

-Automate everything within < 60 seconds and get a public URL and IP address back. Customise as required, or adapt to your preferred cloud such as AWS EC2.
+Topics include:

-* [Provision faasd 0.7.5 on DigitalOcean with Terraform 0.12.0](https://gist.github.com/alexellis/fd618bd2f957eb08c44d086ef2fc3906)
+* Should you deploy to a VPS or Raspberry Pi?
+* Deploying your server with bash, cloud-init or terraform
+* Using a private container registry
+* Finding functions in the store
+* Building your first function with Node.js
+* Using environment variables for configuration
+* Using secrets from functions, and enabling authentication tokens
+* Customising templates
+* Monitoring your functions with Grafana and Prometheus
+* Scheduling invocations and background jobs
+* Tuning timeouts, parallelism, running tasks in the background
+* Adding TLS to faasd and custom domains for functions
+* Self-hosting on your Raspberry Pi
+* Adding a database for storage with InfluxDB and Postgresql
+* Troubleshooting and logs
+* CI/CD with GitHub Actions and multi-arch
+* Taking things further, community and case-studies

-### A note on private repos / registries
+View sample pages, reviews and testimonials on Gumroad:

-To use private image repos, `~/.docker/config.json` needs to be copied to `/var/lib/faasd/.docker/config.json`.
+["Serverless For Everyone Else"](https://gumroad.com/l/serverless-for-everyone-else)

-If you'd like to set up your own private registry, [see this tutorial](https://blog.alexellis.io/get-a-tls-enabled-docker-registry-in-5-minutes/).
+### Deploy faasd

-Beware that running `docker login` on MacOS and Windows may create an empty file with your credentials stored in the system helper.
+The easiest way to deploy faasd is with cloud-init, we give several examples below, and post IaaS platforms will accept "user-data" pasted into their UI, or via their API.

-Alternatively, use you can use the `registry-login` command from the OpenFaaS Cloud bootstrap tool (ofc-bootstrap):
+For trying it out on MacOS or Windows, we recommend using [multipass](https://multipass.run) to run faasd in a VM.
+
+If you don't use cloud-init, or have already created your Linux server you can use the installation script as per below:

 ```bash
-curl -sLSf https://raw.githubusercontent.com/openfaas-incubator/ofc-bootstrap/master/get.sh | sudo sh
+git clone https://github.com/openfaas/faasd --depth=1
+cd faasd

-ofc-bootstrap registry-login --username <your-registry-username> --password-stdin
-# (the enter your password and hit return)
-```
-The file will be created in `./credentials/`
-
-### Logs for functions
-
-You can view the logs of functions using `journalctl`:
-
-```bash
-journalctl -t openfaas-fn:FUNCTION_NAME
-
-
-faas-cli store deploy figlet
-journalctl -t openfaas-fn:figlet -f &
-echo logs | faas-cli invoke figlet
+./hack/install.sh
 ```

-### Manual / developer instructions
+> This approach also works for Raspberry Pi

-See [here for manual / developer instructions](docs/DEV.md)
+It's recommended that you do not install Docker on the same host as faasd, since 1) they may both use different versions of containerd and 2) docker's networking rules can disrupt faasd's networking. When using faasd - make your faasd server a faasd server, and build container image on your laptop or in a CI pipeline.

-## Getting help
+#### Deployment tutorials

-### Docs
+* [Use multipass on Windows, MacOS or Linux](/docs/MULTIPASS.md)
+* [Deploy to DigitalOcean with Terraform and TLS](https://www.openfaas.com/blog/faasd-tls-terraform/)
+* [Deploy to any IaaS with cloud-init](https://blog.alexellis.io/deploy-serverless-faasd-with-cloud-init/)
+* [Deploy faasd to your Raspberry Pi](https://blog.alexellis.io/faasd-for-lightweight-serverless/)

-The [OpenFaaS docs](https://docs.openfaas.com/) provide a wealth of information and are kept up to date with new features.
+Terraform scripts:
+
+* [Provision faasd on DigitalOcean with Terraform](docs/bootstrap/README.md)
+* [Provision faasd with TLS on DigitalOcean with Terraform](docs/bootstrap/digitalocean-terraform/README.md)

 ### Function and template store

@ -104,62 +153,19 @@ For community functions see `faas-cli store --help`

 For templates built by the community see: `faas-cli template store list`, you can also use the `dockerfile` template if you just want to migrate an existing service without the benefits of using a template.

-### Workshop
-
-[The OpenFaaS workshop](https://github.com/openfaas/workshop/) is a set of 12 self-paced labs and provides a great starting point
-
 ### Community support

-An active community of almost 3000 users awaits you on Slack. Over 250 of those users are also contributors and help maintain the code.
+Commercial users and solo business owners should become OpenFaaS GitHub Sponsors to receive regular email updates on changes, tutorials and new features.

-* [Join Slack](https://slack.openfaas.io/)
+If you are learning faasd, or want to share your use-case, you can join the OpenFaaS Slack community.

-## Backlog
+* [Become an OpenFaaS GitHub Sponsor](https://github.com/sponsors/openfaas/)
+* [Join the weekly Office Hours call](https://docs.openfaas.com/community/)

-### Supported operations
+### Backlog, features, design limitations and any known issues

-* `faas login`
-* `faas up`
-* `faas list`
-* `faas describe` 
-* `faas deploy --update=true --replace=false`
-* `faas invoke --async`
-* `faas invoke`
-* `faas rm`
-* `faas store list/deploy/inspect`
-* `faas version`
-* `faas namespace`
-* `faas secret`
+For open backlog items, shipped features, design limitations and any known issues, see [ROADMAP.md](docs/ROADMAP.md)

-Scale from and to zero is also supported. On a Dell XPS with a small, pre-pulled image unpausing an existing task took 0.19s and starting a task for a killed function took 0.39s. There may be further optimizations to be gained.
-
-Other operations are pending development in the provider such as:
-
-* `faas logs` - to stream logs on-demand for a known function, for the time being you can find logs via `journalctl -u faasd-provider`
-* `faas auth` - supported for Basic Authentication, but OAuth2 & OIDC require a patch
-
-## Todo
-
-Pending:
-
-* [ ] Add support for using container images in third-party public registries
-* [ ] Add support for using container images in private third-party registries
-* [ ] Monitor and restart any of the core components at runtime if the container stops
-* [ ] Bundle/package/automate installation of containerd - [see bootstrap from k3s](https://github.com/rancher/k3s)
-* [ ] Provide ufw rules / example for blocking access to everything but a reverse proxy to the gateway container
-* [ ] Provide [simple Caddyfile example](https://blog.alexellis.io/https-inlets-local-endpoints/) in the README showing how to expose the faasd proxy on port 80/443 with TLS
-
-Done:
-
-* [x] Provide a cloud-config.txt file for automated deployments of `faasd`
-* [x] Inject / manage IPs between core components for service to service communication - i.e. so Prometheus can scrape the OpenFaaS gateway - done via `/etc/hosts` mount
-* [x] Add queue-worker and NATS
-* [x] Create faasd.service and faasd-provider.service
-* [x] Self-install / create systemd service via `faasd install`
-* [x] Restart containers upon restart of faasd
-* [x] Clear / remove containers and tasks with SIGTERM / SIGINT
-* [x] Determine armhf/arm64 containers to run for gateway
-* [x] Configure `basic_auth` to protect the OpenFaaS gateway and faasd-provider HTTP API
-* [x] Setup custom working directory for faasd `/var/lib/faasd/`
-* [x] Use CNI to create network namespaces and adapters
+Want to build a patch without setting up a complete development environment? See [docs/PATCHES.md](docs/PATCHES.md)

+Are you looking to hack on faasd? Follow the [developer instructions](docs/DEV.md) for a manual installation, or use the `hack/install.sh` script and pick up from there.
--- a/cloud-config.txt
+++ b/cloud-config.txt
@ -1,28 +1,20 @@
 #cloud-config
 ssh_authorized_keys:
+## Note: Replace with your own public key
  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Q/aUYUr3P1XKVucnO9mlWxOjJm+K01lHJR90MkHC9zbfTqlp8P7C3J26zKAuzHXOeF+VFxETRr6YedQKW9zp5oP7sN+F2gr/pO7GV3VmOqHMV7uKfyUQfq7H1aVzLfCcI7FwN2Zekv3yB7kj35pbsMa1Za58aF6oHRctZU6UWgXXbRxP+B04DoVU7jTstQ4GMoOCaqYhgPHyjEAS3DW0kkPW6HzsvJHkxvVcVlZ/wNJa1Ie/yGpzOzWIN0Ol0t2QT/RSWOhfzO1A2P0XbPuZ04NmriBonO9zR7T1fMNmmtTuK7WazKjQT3inmYRAqU6pe8wfX8WIWNV7OowUjUsv alex@alexr.local

 package_update: true

 packages:
 - runc
+ - git

 runcmd:
- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.3.2/containerd-1.3.2.linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.3.2/containerd.service | tee /etc/systemd/system/containerd.service
- systemctl daemon-reload && systemctl start containerd
- systemctl enable containerd
- /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
- mkdir -p /opt/cni/bin
- curl -sSL https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz | tar -xz -C /opt/cni/bin
- mkdir -p /go/src/github.com/openfaas/
- cd /go/src/github.com/openfaas/ && git clone https://github.com/openfaas/faasd
- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.7/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
- cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
+- curl -sfL https://raw.githubusercontent.com/openfaas/faasd/master/hack/install.sh | bash -s -
 - systemctl status -l containerd --no-pager
 - journalctl -u faasd-provider --no-pager
 - systemctl status -l faasd-provider --no-pager
 - systemctl status -l faasd --no-pager
 - curl -sSLf https://cli.openfaas.com | sh
- sleep 5 && journalctl -u faasd --no-pager
+- sleep 60 && journalctl -u faasd --no-pager
 - cat /var/lib/faasd/secrets/basic-auth-password | /usr/local/bin/faas-cli login --password-stdin
--- a/cmd/install.go
+++ b/cmd/install.go
@ -38,6 +38,10 @@ func runInstall(_ *cobra.Command, _ []string) error {
 		return errors.Wrap(basicAuthErr, "cannot create basic-auth-* files")
 	}

+	if err := cp("docker-compose.yaml", faasdwd); err != nil {
+		return err
+	}
+
 	if err := cp("prometheus.yml", faasdwd); err != nil {
 		return err
 	}
@ -89,8 +93,11 @@ func runInstall(_ *cobra.Command, _ []string) error {
 		return err
 	}

-	fmt.Println(`Login with:
-  sudo cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s`)
+	fmt.Println(`Check status with:
+  sudo journalctl -u faasd --lines 100 -f
+
+Login with:
+  sudo -E cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s`)

 	return nil
 }
@ -102,7 +109,16 @@ func binExists(folder, name string) error {
 	}
 	return nil
 }
+func ensureSecretsDir(folder string) error {
+	if _, err := os.Stat(folder); err != nil {
+		err = os.MkdirAll(folder, secretDirPermission)
+		if err != nil {
+			return err
+		}
+	}

+	return nil
+}
 func ensureWorkingDir(folder string) error {
 	if _, err := os.Stat(folder); err != nil {
 		err = os.MkdirAll(folder, workingDirectoryPermission)
--- a/cmd/provider.go
+++ b/cmd/provider.go
@ -1,8 +1,8 @@
 package cmd

 import (
-	"encoding/json"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"net/http"
@ -11,14 +11,19 @@ import (

 	"github.com/containerd/containerd"
 	bootstrap "github.com/openfaas/faas-provider"
+	"github.com/openfaas/faas-provider/logs"
 	"github.com/openfaas/faas-provider/proxy"
 	"github.com/openfaas/faas-provider/types"
+	faasd "github.com/openfaas/faasd/pkg"
 	"github.com/openfaas/faasd/pkg/cninetwork"
+	faasdlogs "github.com/openfaas/faasd/pkg/logs"
 	"github.com/openfaas/faasd/pkg/provider/config"
 	"github.com/openfaas/faasd/pkg/provider/handlers"
 	"github.com/spf13/cobra"
 )

+const secretDirPermission = 0755
+
 func makeProviderCmd() *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "provider",
@ -45,6 +50,7 @@ func makeProviderCmd() *cobra.Command {
 		}

 		log.Printf("faasd-provider starting..\tService Timeout: %s\n", config.WriteTimeout.String())
+		printVersion()

 		wd, err := os.Getwd()
 		if err != nil {
@ -79,31 +85,30 @@ func makeProviderCmd() *cobra.Command {

 		invokeResolver := handlers.NewInvokeResolver(client)

-		userSecretPath := path.Join(wd, "secrets")
-
-		bootstrapHandlers := types.FaaSHandlers{
-			FunctionProxy:        proxy.NewHandlerFunc(*config, invokeResolver),
-			DeleteHandler:        handlers.MakeDeleteHandler(client, cni),
-			DeployHandler:        handlers.MakeDeployHandler(client, cni, userSecretPath, alwaysPull),
-			FunctionReader:       handlers.MakeReadHandler(client),
-			ReplicaReader:        handlers.MakeReplicaReaderHandler(client),
-			ReplicaUpdater:       handlers.MakeReplicaUpdateHandler(client, cni),
-			UpdateHandler:        handlers.MakeUpdateHandler(client, cni, userSecretPath, alwaysPull),
-			HealthHandler:        func(w http.ResponseWriter, r *http.Request) {},
-			InfoHandler:          handlers.MakeInfoHandler(Version, GitCommit),
-			ListNamespaceHandler: listNamespaces(),
-			SecretHandler:        handlers.MakeSecretHandler(client, userSecretPath),
-			LogHandler: func(w http.ResponseWriter, r *http.Request) {
-				if r.Body != nil {
-					defer r.Body.Close()
-				}
-
-				w.WriteHeader(http.StatusNotImplemented)
-				w.Write([]byte(`Logs are not implemented for faasd`))
-			},
+		baseUserSecretsPath := path.Join(wd, "secrets")
+		if err := moveSecretsToDefaultNamespaceSecrets(
+			baseUserSecretsPath,
+			faasd.DefaultFunctionNamespace); err != nil {
+			return err
 		}

-		log.Printf("Listening on TCP port: %d\n", *config.TCPPort)
+		bootstrapHandlers := types.FaaSHandlers{
+			FunctionProxy:   proxy.NewHandlerFunc(*config, invokeResolver),
+			DeleteFunction:  handlers.MakeDeleteHandler(client, cni),
+			DeployFunction:  handlers.MakeDeployHandler(client, cni, baseUserSecretsPath, alwaysPull),
+			FunctionLister:  handlers.MakeReadHandler(client),
+			FunctionStatus:  handlers.MakeReplicaReaderHandler(client),
+			ScaleFunction:   handlers.MakeReplicaUpdateHandler(client, cni),
+			UpdateFunction:  handlers.MakeUpdateHandler(client, cni, baseUserSecretsPath, alwaysPull),
+			Health:          func(w http.ResponseWriter, r *http.Request) {},
+			Info:            handlers.MakeInfoHandler(Version, GitCommit),
+			ListNamespaces:  handlers.MakeNamespacesLister(client),
+			Secrets:         handlers.MakeSecretHandler(client.NamespaceService(), baseUserSecretsPath),
+			Logs:            logs.NewLogHandlerFunc(faasdlogs.New(), config.ReadTimeout),
+			MutateNamespace: handlers.MakeMutateNamespace(client),
+		}
+
+		log.Printf("Listening on: 0.0.0.0:%d\n", *config.TCPPort)
 		bootstrap.Serve(&bootstrapHandlers, config)
 		return nil
 	}
@ -111,10 +116,62 @@ func makeProviderCmd() *cobra.Command {
 	return command
 }

-func listNamespaces() func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		list := []string{""}
-		out, _ := json.Marshal(list)
-		w.Write(out)
+/*
+* Mutiple namespace support was added after release 0.13.0
+* Function will help users to migrate on multiple namespace support of faasd
+ */
+func moveSecretsToDefaultNamespaceSecrets(baseSecretPath string, defaultNamespace string) error {
+	newSecretPath := path.Join(baseSecretPath, defaultNamespace)
+
+	err := ensureSecretsDir(newSecretPath)
+	if err != nil {
+		return err
 	}
+
+	files, err := ioutil.ReadDir(baseSecretPath)
+	if err != nil {
+		return err
+	}
+
+	for _, f := range files {
+		if !f.IsDir() {
+
+			newPath := path.Join(newSecretPath, f.Name())
+
+			// A non-nil error means the file wasn't found in the
+			// destination path
+			if _, err := os.Stat(newPath); err != nil {
+				oldPath := path.Join(baseSecretPath, f.Name())
+
+				if err := copyFile(oldPath, newPath); err != nil {
+					return err
+				}
+
+				log.Printf("[Migration] Copied %s to %s", oldPath, newPath)
+			}
+		}
+	}
+
+	return nil
+}
+
+func copyFile(src, dst string) error {
+	inputFile, err := os.Open(src)
+	if err != nil {
+		return fmt.Errorf("opening %s failed %w", src, err)
+	}
+	defer inputFile.Close()
+
+	outputFile, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_APPEND, secretDirPermission)
+	if err != nil {
+		return fmt.Errorf("opening %s failed %w", dst, err)
+	}
+	defer outputFile.Close()
+
+	// Changed from os.Rename due to issue in #201
+	if _, err := io.Copy(outputFile, inputFile); err != nil {
+		return fmt.Errorf("writing into %s failed %w", outputFile.Name(), err)
+	}
+
+	return nil
 }
--- a/cmd/root.go
+++ b/cmd/root.go
@ -46,7 +46,12 @@ var rootCommand = &cobra.Command{
 	Use:   "faasd",
 	Short: "Start faasd",
 	Long: `
-faasd - serverless without Kubernetes
+faasd - Serverless For Everyone Else
+
+Learn how to build, secure, and monitor functions with faasd with 
+the eBook:
+
+https://gumroad.com/l/serverless-for-everyone-else
 `,
 	RunE:         runRootCommand,
 	SilenceUsage: true,
@ -69,11 +74,11 @@ var versionCmd = &cobra.Command{
 func parseBaseCommand(_ *cobra.Command, _ []string) {
 	printLogo()

-	fmt.Printf(
-		`faasd
-Commit: %s
-Version: %s
-`, GitCommit, GetVersion())
+	printVersion()
+}
+
+func printVersion() {
+	fmt.Printf("faasd version: %s\tcommit: %s\n", GetVersion(), GitCommit)
 }

 func printLogo() {
--- a/cmd/up.go
+++ b/cmd/up.go
@ -7,77 +7,80 @@ import (
 	"os"
 	"os/signal"
 	"path"
-	"strings"
 	"sync"
 	"syscall"
 	"time"

 	"github.com/pkg/errors"
-
-	"github.com/alexellis/k3sup/pkg/env"
-	"github.com/openfaas/faasd/pkg"
 	"github.com/sethvargo/go-password/password"
 	"github.com/spf13/cobra"
+	flag "github.com/spf13/pflag"
+
+	units "github.com/docker/go-units"
+	"github.com/openfaas/faasd/pkg"
 )

+// upConfig are the CLI flags used by the `faasd up` command to deploy the faasd service
+type upConfig struct {
+	// composeFilePath is the path to the compose file specifying the faasd service configuration
+	// See https://compose-spec.io/ for more information about the spec,
+	//
+	// currently, this must be the name of a file in workingDir, which is set to the value of
+	// `faasdwd = /var/lib/faasd`
+	composeFilePath string
+
+	// working directory to assume the compose file is in, should be faasdwd.
+	// this is not configurable but may be in the future.
+	workingDir string
+}
+
+func init() {
+	configureUpFlags(upCmd.Flags())
+}
+
 var upCmd = &cobra.Command{
 	Use:   "up",
 	Short: "Start faasd",
 	RunE:  runUp,
 }

-const containerSecretMountDir = "/run/secrets"
+func runUp(cmd *cobra.Command, _ []string) error {

-func runUp(_ *cobra.Command, _ []string) error {
+	printVersion()

-	clientArch, clientOS := env.GetClientArch()
-
-	if clientOS != "Linux" {
-		return fmt.Errorf("You can only use faasd on Linux")
-	}
-	clientSuffix := ""
-	switch clientArch {
-	case "x86_64":
-		clientSuffix = ""
-		break
-	case "armhf":
-	case "armv7l":
-		clientSuffix = "-armhf"
-		break
-	case "arm64":
-	case "aarch64":
-		clientSuffix = "-arm64"
+	cfg, err := parseUpFlags(cmd)
+	if err != nil {
+		return err
 	}

-	if basicAuthErr := makeBasicAuthFiles(path.Join(path.Join(faasdwd, "secrets"))); basicAuthErr != nil {
+	services, err := loadServiceDefinition(cfg)
+	if err != nil {
+		return err
+	}
+
+	basicAuthErr := makeBasicAuthFiles(path.Join(cfg.workingDir, "secrets"))
+	if basicAuthErr != nil {
 		return errors.Wrap(basicAuthErr, "cannot create basic-auth-* files")
 	}

-	services := makeServiceDefinitions(clientSuffix)
-
 	start := time.Now()
 	supervisor, err := pkg.NewSupervisor("/run/containerd/containerd.sock")
 	if err != nil {
 		return err
 	}

-	log.Printf("Supervisor created in: %s\n", time.Since(start).String())
+	log.Printf("Supervisor created in: %s\n", units.HumanDuration(time.Since(start)))

 	start = time.Now()
-
-	err = supervisor.Start(services)
-
-	if err != nil {
+	if err := supervisor.Start(services); err != nil {
 		return err
 	}
-
 	defer supervisor.Close()

-	log.Printf("Supervisor init done in: %s\n", time.Since(start).String())
+	log.Printf("Supervisor init done in: %s\n", units.HumanDuration(time.Since(start)))

 	shutdownTimeout := time.Second * 1
 	timeout := time.Second * 60
-	proxyDoneCh := make(chan bool)

 	wg := sync.WaitGroup{}
 	wg.Add(1)
@ -94,40 +97,38 @@ func runUp(_ *cobra.Command, _ []string) error {
 			fmt.Println(err)
 		}

-		// Close proxy
-		proxyDoneCh <- true
+		// TODO: close proxies
 		time.AfterFunc(shutdownTimeout, func() {
 			wg.Done()
 		})
 	}()

-	gatewayURLChan := make(chan string, 1)
-	proxyPort := 8080
-	proxy := pkg.NewProxy(proxyPort, timeout)
-	go proxy.Start(gatewayURLChan, proxyDoneCh)
+	localResolver := pkg.NewLocalResolver(path.Join(cfg.workingDir, "hosts"))
+	go localResolver.Start()

-	go func() {
-		wd, _ := os.Getwd()
+	proxies := map[uint32]*pkg.Proxy{}
+	for _, svc := range services {
+		for _, port := range svc.Ports {

-		time.Sleep(3 * time.Second)
-
-		fileData, fileErr := ioutil.ReadFile(path.Join(wd, "hosts"))
-		if fileErr != nil {
-			log.Println(fileErr)
-			return
-		}
-
-		host := ""
-		lines := strings.Split(string(fileData), "\n")
-		for _, line := range lines {
-			if strings.Index(line, "gateway") > -1 {
-				host = line[:strings.Index(line, "\t")]
+			listenPort := port.Port
+			if _, ok := proxies[listenPort]; ok {
+				return fmt.Errorf("port %d already allocated", listenPort)
 			}
+
+			hostIP := "0.0.0.0"
+			if len(port.HostIP) > 0 {
+				hostIP = port.HostIP
+			}
+
+			upstream := fmt.Sprintf("%s:%d", svc.Name, port.TargetPort)
+			proxies[listenPort] = pkg.NewProxy(upstream, listenPort, hostIP, timeout, localResolver)
 		}
-		log.Printf("[up] Sending %s to proxy\n", host)
-		gatewayURLChan <- host + ":8080"
-		close(gatewayURLChan)
-	}()
+	}
+
+	// TODO: track proxies for later cancellation when receiving sigint/term
+	for _, v := range proxies {
+		go v.Start()
+	}

 	wg.Wait()
 	return nil
@ -135,7 +136,7 @@ func runUp(_ *cobra.Command, _ []string) error {

 func makeBasicAuthFiles(wd string) error {

-	pwdFile := wd + "/basic-auth-password"
+	pwdFile := path.Join(wd, "basic-auth-password")
 	authPassword, err := password.Generate(63, 10, 0, false, true)

 	if err != nil {
@ -147,7 +148,7 @@ func makeBasicAuthFiles(wd string) error {
 		return err
 	}

-	userFile := wd + "/basic-auth-user"
+	userFile := path.Join(wd, "basic-auth-user")
 	err = makeFile(userFile, "admin")
 	if err != nil {
 		return err
@ -156,6 +157,8 @@ func makeBasicAuthFiles(wd string) error {
 	return nil
 }

+// makeFile will create a file with the specified content if it does not exist yet.
+// if the file already exists, the method is a noop.
 func makeFile(filePath, fileContents string) error {
 	_, err := os.Stat(filePath)
 	if err == nil {
@ -169,105 +172,35 @@ func makeFile(filePath, fileContents string) error {
 	}
 }

-func makeServiceDefinitions(archSuffix string) []pkg.Service {
-	wd, _ := os.Getwd()
+// load the docker compose file and then parse it as supervisor Services
+// the logic for loading the compose file comes from the compose reference implementation
+// https://github.com/compose-spec/compose-ref/blob/master/compose-ref.go#L353
+func loadServiceDefinition(cfg upConfig) ([]pkg.Service, error) {

-	return []pkg.Service{
-		{
-			Name:  "basic-auth-plugin",
-			Image: "docker.io/openfaas/basic-auth-plugin:0.18.10" + archSuffix,
-			Env: []string{
-				"port=8080",
-				"secret_mount_path=" + containerSecretMountDir,
-				"user_filename=basic-auth-user",
-				"pass_filename=basic-auth-password",
-			},
-			Mounts: []pkg.Mount{
-				{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-password"),
-				},
-				{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-user"),
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-			Args: nil,
-		},
-		{
-			Name:  "nats",
-			Env:   []string{""},
-			Image: "docker.io/library/nats-streaming:0.11.2",
-			Caps:  []string{},
-			Args:  []string{"/nats-streaming-server", "-m", "8222", "--store=memory", "--cluster_id=faas-cluster"},
-		},
-		{
-			Name:  "prometheus",
-			Env:   []string{},
-			Image: "docker.io/prom/prometheus:v2.14.0",
-			Mounts: []pkg.Mount{
-				{
-					Src:  path.Join(wd, "prometheus.yml"),
-					Dest: "/etc/prometheus/prometheus.yml",
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-		},
-		{
-			Name: "gateway",
-			Env: []string{
-				"basic_auth=true",
-				"functions_provider_url=http://faasd-provider:8081/",
-				"direct_functions=false",
-				"read_timeout=60s",
-				"write_timeout=60s",
-				"upstream_timeout=65s",
-				"faas_nats_address=nats",
-				"faas_nats_port=4222",
-				"auth_proxy_url=http://basic-auth-plugin:8080/validate",
-				"auth_proxy_pass_body=false",
-				"secret_mount_path=" + containerSecretMountDir,
-				"scale_from_zero=true",
-			},
-			Image: "docker.io/openfaas/gateway:0.18.8" + archSuffix,
-			Mounts: []pkg.Mount{
-				{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-password"),
-				},
-				{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-user"),
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-		},
-		{
-			Name: "queue-worker",
-			Env: []string{
-				"faas_nats_address=nats",
-				"faas_nats_port=4222",
-				"gateway_invoke=true",
-				"faas_gateway_address=gateway",
-				"ack_wait=5m5s",
-				"max_inflight=1",
-				"write_debug=false",
-				"basic_auth=true",
-				"secret_mount_path=" + containerSecretMountDir,
-			},
-			Image: "docker.io/openfaas/queue-worker:0.9.0",
-			Mounts: []pkg.Mount{
-				{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-password"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-password"),
-				},
-				{
-					Src:  path.Join(path.Join(wd, "secrets"), "basic-auth-user"),
-					Dest: path.Join(containerSecretMountDir, "basic-auth-user"),
-				},
-			},
-			Caps: []string{"CAP_NET_RAW"},
-		},
+	serviceConfig, err := pkg.LoadComposeFile(cfg.workingDir, cfg.composeFilePath)
+	if err != nil {
+		return nil, err
 	}
+
+	return pkg.ParseCompose(serviceConfig)
+}
+
+// ConfigureUpFlags will define the flags for the `faasd up` command. The flag struct, configure, and
+// parse are split like this to simplify testability.
+func configureUpFlags(flags *flag.FlagSet) {
+	flags.StringP("file", "f", "docker-compose.yaml", "compose file specifying the faasd service configuration")
+}
+
+// ParseUpFlags will load the flag values into an upFlags object. Errors will be underlying
+// Get errors from the pflag library.
+func parseUpFlags(cmd *cobra.Command) (upConfig, error) {
+	parsed := upConfig{}
+	path, err := cmd.Flags().GetString("file")
+	if err != nil {
+		return parsed, errors.Wrap(err, "can not parse compose file path flag")
+	}
+
+	parsed.composeFilePath = path
+	parsed.workingDir = faasdwd
+	return parsed, err
 }
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -0,0 +1,94 @@
+version: "3.7"
+services:
+
+  nats:
+    image: docker.io/library/nats-streaming:0.25.5
+# nobody
+    user: "65534"
+    command:
+      - "/nats-streaming-server"
+      - "-m"
+      - "8222"
+      - "--store=file"
+      - "--dir=/nats"
+      - "--cluster_id=faas-cluster"
+    volumes:
+# Data directory
+      - type: bind
+        source: ./nats
+        target: /nats
+    # ports:
+    #    - "127.0.0.1:8222:8222"
+
+  prometheus:
+    image: docker.io/prom/prometheus:v2.45.0
+# nobody
+    user: "65534"
+    volumes:
+# Config directory
+      - type: bind
+        source: ./prometheus.yml
+        target: /etc/prometheus/prometheus.yml
+# Data directory
+      - type: bind
+        source: ./prometheus
+        target: /prometheus
+    cap_add:
+      - CAP_NET_RAW
+    ports:
+       - "127.0.0.1:9090:9090"
+
+  gateway:
+    image: ghcr.io/openfaas/gateway:0.26.4
+    environment:
+      - basic_auth=true
+      - functions_provider_url=http://faasd-provider:8081/
+      - direct_functions=false
+      - read_timeout=60s
+      - write_timeout=60s
+      - upstream_timeout=65s
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - secret_mount_path=/run/secrets
+      - scale_from_zero=true
+      - function_namespace=openfaas-fn
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - nats
+      - prometheus
+    ports:
+       - "8080:8080"
+
+  queue-worker:
+    image: ghcr.io/openfaas/queue-worker:0.13.3
+    environment:
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - gateway_invoke=true
+      - faas_gateway_address=gateway
+      - ack_wait=5m5s
+      - max_inflight=1
+      - write_debug=false
+      - basic_auth=true
+      - secret_mount_path=/run/secrets
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - nats
--- a/docs/DEV.md
+++ b/docs/DEV.md
@ -1,9 +1,15 @@
-## Manual installation of faasd for development
+## Instructions for building and testing faasd locally

 > Note: if you're just wanting to try out faasd, then it's likely that you're on the wrong page. This is a detailed set of instructions for those wanting to contribute or customise faasd. Feel free to go back to the homepage and pick a tutorial instead.

+Do you want to help the community test a pull request?
+
+See these instructions instead: [Testing patches](/docs/PATCHES.md)
+
 ### Pre-reqs

+> It's recommended that you do not install Docker on the same host as faasd, since 1) they may both use different versions of containerd and 2) docker's networking rules can disrupt faasd's networking. When using faasd - make your faasd server a faasd server, and build container image on your laptop or in a CI pipeline.
+
 * Linux

    PC / Cloud - any Linux that containerd works on should be fair game, but faasd is tested with Ubuntu 18.04
@ -14,19 +20,78 @@

    For Windows users, install [Git Bash](https://git-scm.com/downloads) along with multipass or vagrant. You can also use WSL1 or WSL2 which provides a Linux environment.

-    You will also need [containerd v1.3.2](https://github.com/containerd/containerd) and the [CNI plugins v0.8.5](https://github.com/containernetworking/plugins)
+    You will also need [containerd](https://github.com/containerd/containerd) and the [CNI plugins](https://github.com/containernetworking/plugins)

    [faas-cli](https://github.com/openfaas/faas-cli) is optional, but recommended.

+If you're using multipass, then allocate sufficient resources:
+
+```bash
+multipass launch \
+  --memory 4G \
+  -c 2 \
+  -n faasd
+
+# Then access its shell
+multipass shell faasd
+```
+
+### Get runc
+
+```bash
+sudo apt update \
+  && sudo apt install -qy \
+    runc \
+    bridge-utils \
+    make
+```
+
+### Get faas-cli (optional)
+
+Having `faas-cli` on your dev machine is useful for testing and debug.
+
+```bash
+curl -sLS https://cli.openfaas.com | sudo sh
+```
+
+#### Install the CNI plugins:
+
+* For PC run `export ARCH=amd64`
+* For RPi/armhf run `export ARCH=arm`
+* For arm64 run `export ARCH=arm64`
+
+Then run:
+
+```bash
+export ARCH=amd64
+export CNI_VERSION=v0.9.1
+
+sudo mkdir -p /opt/cni/bin
+curl -sSL https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz | sudo tar -xz -C /opt/cni/bin
+
+# Make a config folder for CNI definitions
+sudo mkdir -p /etc/cni/net.d
+
+# Make an initial loopback configuration
+sudo sh -c 'cat >/etc/cni/net.d/99-loopback.conf <<-EOF
+{
+    "cniVersion": "0.3.1",
+    "type": "loopback"
+}
+EOF'
+```
+
 ### Get containerd

 You have three options - binaries for PC, binaries for armhf, or build from source.

 * Install containerd `x86_64` only

-```sh
-export VER=1.3.2
-curl -sLSf https://github.com/containerd/containerd/releases/download/v$VER/containerd-$VER.linux-amd64.tar.gz > /tmp/containerd.tar.gz \
+
+
+```bash
+export VER=1.7.0
+curl -sSL https://github.com/containerd/containerd/releases/download/v$VER/containerd-$VER-linux-amd64.tar.gz -o /tmp/containerd.tar.gz \
  && sudo tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1

 containerd -version
@ -36,20 +101,22 @@ containerd -version

    Building `containerd` on armhf is extremely slow, so I've provided binaries for you.

-    ```sh
-    curl -sSL https://github.com/alexellis/containerd-armhf/releases/download/v1.3.2/containerd.tgz | sudo tar -xvz --strip-components=2 -C /usr/local/bin/
+    ```bash
+    export VER=1.7.0
+    curl -sSL https://github.com/alexellis/containerd-armhf/releases/download/v$VER/containerd-$VER-linux-armhf.tar.gz
+ | sudo tar -xvz --strip-components=2 -C /usr/local/bin/
    ```

 * Or clone / build / install [containerd](https://github.com/containerd/containerd) from source:

-    ```sh
+    ```bash
    export GOPATH=$HOME/go/
    mkdir -p $GOPATH/src/github.com/containerd
    cd $GOPATH/src/github.com/containerd
    git clone https://github.com/containerd/containerd
    cd containerd
    git fetch origin --tags
-    git checkout v1.3.2
+    git checkout v1.7.0

    make
    sudo make install
@ -59,8 +126,12 @@ containerd -version

 #### Ensure containerd is running

-```sh
-curl -sLS https://raw.githubusercontent.com/containerd/containerd/master/containerd.service > /tmp/containerd.service
+```bash
+curl -sLS https://raw.githubusercontent.com/containerd/containerd/v1.7.0/containerd.service > /tmp/containerd.service
+
+# Extend the timeouts for low-performance VMs
+echo "[Manager]" | tee -a /tmp/containerd.service
+echo "DefaultTimeoutStartSec=3m" | tee -a /tmp/containerd.service

 sudo cp /tmp/containerd.service /lib/systemd/system/
 sudo systemctl enable containerd
@ -69,9 +140,9 @@ sudo systemctl daemon-reload
 sudo systemctl restart containerd
 ```

-Or run ad-hoc:
+Or run ad-hoc. This step can be useful for exploring why containerd might fail to start.

-```sh
+```bash
 sudo containerd &
 ```

@ -79,13 +150,13 @@ sudo containerd &

 > This is required to allow containers in containerd to access the Internet via your computer's primary network interface.

-```sh
+```bash
 sudo /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
 ```

 Make the setting permanent:

-```sh
+```bash
 echo "net.ipv4.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf
 ```

@ -93,7 +164,7 @@ echo "net.ipv4.conf.all.forwarding=1" | sudo tee -a /etc/sysctl.conf

 #### Get build packages

-```sh
+```bash
 sudo apt update \
  && sudo apt install -qy \
    runc \
@ -105,11 +176,11 @@ You may find alternative package names for CentOS and other Linux distributions.

 #### Install Go 1.13 (x86_64)

-```sh
-curl -sSLf https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz > go.tgz
+```bash
+curl -SLf https://golang.org/dl/go1.16.linux-amd64.tar.gz > /tmp/go.tgz
 sudo rm -rf /usr/local/go/
 sudo mkdir -p /usr/local/go/
-sudo tar -xvf go.tgz -C /usr/local/go/ --strip-components=1
+sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1

 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/
@ -119,15 +190,15 @@ go version

 You should also add the following to `~/.bash_profile`:

-```sh
-export GOPATH=$HOME/go/
-export PATH=$PATH:/usr/local/go/bin/
+```bash
+echo "export GOPATH=\$HOME/go/" | tee -a $HOME/.bash_profile
+echo "export PATH=\$PATH:/usr/local/go/bin/" | tee -a $HOME/.bash_profile
 ```

 #### Or on Raspberry Pi (armhf)

-```sh
-curl -SLsf https://dl.google.com/go/go1.13.6.linux-armv6l.tar.gz > go.tgz
+```bash
+curl -SLsf https://golang.org/dl/go1.16.linux-armv6l.tar.gz > go.tgz
 sudo rm -rf /usr/local/go/
 sudo mkdir -p /usr/local/go/
 sudo tar -xvf go.tgz -C /usr/local/go/ --strip-components=1
@ -138,25 +209,9 @@ export PATH=$PATH:/usr/local/go/bin/
 go version
 ```

-#### Install the CNI plugins:
-
-* For PC run `export ARCH=amd64`
-* For RPi/armhf run `export ARCH=arm`
-* For arm64 run `export ARCH=arm64`
-
-Then run:
-
-```sh
-export ARCH=amd64
-export CNI_VERSION=v0.8.5
-
-sudo mkdir -p /opt/cni/bin
-curl -sSL https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz | sudo tar -xz -C /opt/cni/bin
-```
-
 #### Clone faasd and its systemd unit files

-```sh
+```bash
 mkdir -p $GOPATH/src/github.com/openfaas/
 cd $GOPATH/src/github.com/openfaas/
 git clone https://github.com/openfaas/faasd
@ -164,55 +219,58 @@ git clone https://github.com/openfaas/faasd

 #### Build `faasd` from source (optional)

-```sh
+```bash
 cd $GOPATH/src/github.com/openfaas/faasd
 cd faasd
 make local
+
+# Install the binary
+sudo cp bin/faasd /usr/local/bin
 ```

-#### Build and run `faasd` (binaries)
+#### Or, download and run `faasd` (binaries)

-```sh
+```bash
 # For x86_64
-sudo curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.4/faasd" \
-    -o "/usr/local/bin/faasd" \
-    && sudo chmod a+x "/usr/local/bin/faasd"
+export SUFFIX=""

 # armhf
-sudo curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.4/faasd-armhf" \
-    -o "/usr/local/bin/faasd" \
-    && sudo chmod a+x "/usr/local/bin/faasd"
+export SUFFIX="-armhf"

 # arm64
-sudo curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.7.4/faasd-arm64" \
-    -o "/usr/local/bin/faasd" \
-    && sudo chmod a+x "/usr/local/bin/faasd"
+export SUFFIX="-arm64"
+
+# Then download
+curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.16.2/faasd$SUFFIX" \
+    -o "/tmp/faasd" \
+    && chmod +x "/tmp/faasd" 
+sudo mv /tmp/faasd /usr/local/bin/
 ```

 #### Install `faasd`

-```sh
-# Install with systemd
-sudo cp bin/faasd /usr/local/bin
+This step installs faasd as a systemd unit file, creates files in `/var/lib/faasd`, and writes out networking configuration for the CNI bridge networking plugin.
+
+```bash
 sudo faasd install

 2020/02/17 17:38:06 Writing to: "/var/lib/faasd/secrets/basic-auth-password"
 2020/02/17 17:38:06 Writing to: "/var/lib/faasd/secrets/basic-auth-user"
 Login with:
-  sudo cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s
+  sudo -E cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -s
 ```

 You can now log in either from this machine or a remote machine using the OpenFaaS UI, or CLI.

 Check that faasd is ready:

-```
+```bash
 sudo journalctl -u faasd
 ```

 You should see output like:

-```
+```bash
 Feb 17 17:46:35 gold-survive faasd[4140]: 2020/02/17 17:46:35 Starting faasd proxy on 8080
 Feb 17 17:46:35 gold-survive faasd[4140]: Gateway: 10.62.0.5:8080
 Feb 17 17:46:35 gold-survive faasd[4140]: 2020/02/17 17:46:35 [proxy] Wait for done
@ -221,15 +279,63 @@ Feb 17 17:46:35 gold-survive faasd[4140]: 2020/02/17 17:46:35 [proxy] Begin list

 To get the CLI for the command above run:

-```sh
+```bash
 curl -sSLf https://cli.openfaas.com | sudo sh
 ```

+#### Make a change to `faasd`
+
+There are two components you can hack on:
+
+For function CRUD you will work on `faasd provider` which is started from `cmd/provider.go`
+
+For faasd itself, you will work on the code from `faasd up`, which is started from `cmd/up.go`
+
+Before working on either, stop the systemd services:
+
+```
+sudo systemctl stop faasd &    # up command
+sudo systemctl stop faasd-provider   # provider command
+```
+
+Here is a workflow you can use for each code change:
+
+Enter the directory of the source code, and build a new binary:
+
+```bash
+cd $GOPATH/src/github.com/openfaas/faasd
+go build
+```
+
+Copy that binary to `/usr/local/bin/`
+
+```bash
+cp faasd /usr/local/bin/
+```
+
+To run `faasd up`, run it from its working directory as root
+
+```bash
+sudo -i
+cd /var/lib/faasd
+
+faasd up
+```
+
+Now to run `faasd provider`, run it from its working directory:
+
+```bash
+sudo -i
+cd /var/lib/faasd-provider
+
+faasd provider
+```
+
 #### At run-time

 Look in `hosts` in the current working folder or in `/var/lib/faasd/` to get the IP for the gateway or Prometheus

-```sh
+```bash
 127.0.0.1      localhost
 10.62.0.1      faasd-provider

@ -259,3 +365,31 @@ The default Basic Auth username is `admin`, which is written to `/var/lib/faasd/
 * `faasd install` - install faasd and containerd with systemd, this must be run from `$GOPATH/src/github.com/openfaas/faasd`
 * `journalctl -u faasd -f` - faasd service logs
 * `journalctl -u faasd-provider -f` - faasd-provider service logs
+
+#### Uninstall
+
+* Stop faasd and faasd-provider
+```
+sudo systemctl stop faasd
+sudo systemctl stop faasd-provider
+sudo systemctl stop containerd
+```
+
+* Remove faasd from machine
+```
+sudo systemctl disable faasd
+sudo systemctl disable faasd-provider
+sudo systemctl disable containerd
+sudo rm -rf /usr/local/bin/faasd
+sudo rm -rf /var/lib/faasd
+sudo rm -rf /usr/lib/systemd/system/faasd-provider.service
+sudo rm -rf /usr/lib/systemd/system/faasd.service
+sudo rm -rf /usr/lib/systemd/system/containerd
+sudo systemctl daemon-reload
+```
+
+* Remove additional dependencies. Be cautious as other software will be dependent on these.
+```
+sudo apt-get remove runc bridge-utils
+sudo rm -rf /opt/cni/bin
+```
--- a/docs/MULTIPASS.md
+++ b/docs/MULTIPASS.md
@ -0,0 +1,142 @@
+# Tutorial - faasd with multipass
+
+## Get up and running with your own faasd installation on your Mac
+
+[multipass from Canonical](https://multipass.run) is like Docker Desktop, but for getting Ubuntu instead of a Docker daemon. It works on MacOS, Linux, and Windows with the same consistent UX. It's not fully open-source, and uses some proprietary add-ons / binaries, but is free to use.
+
+For Linux using Ubuntu, you can install the packages directly, or use `sudo snap install multipass --classic` and follow this tutorial. For Raspberry Pi, [see my tutorial here](https://blog.alexellis.io/faasd-for-lightweight-serverless/).
+
+John McCabe has also tested faasd on Windows with multipass, [see his tweet](https://twitter.com/mccabejohn/status/1221899154672308224).
+
+## Use-case:
+
+Try out [faasd](https://github.com/openfaas/faasd) in a single command using a cloud-config file to get a VM which has:
+
+* port 22 for administration and
+* port 8080 for the OpenFaaS REST API.
+
+![Example](https://pbs.twimg.com/media/EPNQz00W4AEwDxM?format=jpg&name=medium)
+
+The above screenshot is [from my tweet](https://twitter.com/alexellisuk/status/1221408788395298819/), feel free to comment there.
+
+It took me about 2-3 minutes to run through everything after installing multipass.
+
+## Let's start the tutorial
+
+* Get [multipass.run](https://multipass.run)
+
+* Get my cloud-config.txt file
+
+    ```sh
+    curl -sSLO https://raw.githubusercontent.com/openfaas/faasd/master/cloud-config.txt
+    ```
+
+* Boot the VM 
+
+    The `cloud-config.txt` contains an ssh key to allow your local machine to access the VM. However, this must be updated with your local ssh key. 
+    This command will update the key with your local public key value and start the VM.
+
+    ```sh
+    sed "s/ssh-rsa.*/$(cat $HOME/.ssh/id_*.pub)/" cloud-config.txt | multipass launch --name faasd --cloud-init -
+    ```
+
+    This can also be done manually, just replace the 2nd line of the `cloud-config.txt` with the contents of your public ssh key, usually either `~/.ssh/id_rsa.pub` or `~/.ssh/id_ed25519.pub`
+
+    ```
+    ssh_authorized_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Q/aUYUr3P1XKVucnO9mlWxOjJm+K01lHJR90MkHC9zbfTqlp8P7C3J26zKAuzHXOeF+VFxETRr6YedQKW9zp5oP7sN+F2gr/pO7GV3VmOqHMV7uKfyUQfq7H1aVzLfCcI7FwN2Zekv3yB7kj35pbsMa1Za58aF6oHRctZU6UWgXXbRxP+B04DoVU7jTstQ4GMoOCaqYhgPHyjEAS3DW0kkPW6HzsvJHkxvVcVlZ/wNJa1Ie/yGpzOzWIN0Ol0t2QT/RSWOhfzO1A2P0XbPuZ04NmriBonO9zR7T1fMNmmtTuK7WazKjQT3inmYRAqU6pe8wfX8WIWNV7OowUjUsv alex@alexr.local
+    ```
+
+* Get the VM's IP and connect with `ssh`
+
+    ```sh
+    multipass info faasd
+    Name:           faasd
+    State:          Running
+    IPv4:           192.168.64.14
+    Release:        Ubuntu 18.04.3 LTS
+    Image hash:     a720c34066dc (Ubuntu 18.04 LTS)
+    Load:           0.79 0.19 0.06
+    Disk usage:     1.1G out of 4.7G
+    Memory usage:   145.6M out of 985.7M
+    ```
+
+    Set the variable `IP`:
+
+    ```
+    export IP="192.168.64.14"
+    ```
+
+    You can also try to use `jq` to get the IP into a variable:
+
+    ```sh
+    export IP=$(multipass info faasd --format json| jq -r '.info.faasd.ipv4[0]')
+    ```
+
+    Connect to the IP listed:
+
+    ```sh
+    ssh ubuntu@$IP
+    ```
+
+    Log out once you know it works.
+
+* Let's capture the authentication password into a file for use with `faas-cli`
+
+    ```
+    ssh ubuntu@$IP "sudo cat /var/lib/faasd/secrets/basic-auth-password" > basic-auth-password
+    ```
+
+## Try faasd (OpenFaaS)
+
+* Login from your laptop (the host)
+
+    ```
+    export OPENFAAS_URL=http://$IP:8080
+    cat basic-auth-password | faas-cli login -s
+    ```
+
+* Deploy a function and invoke it
+
+    ```
+    faas-cli store deploy figlet --env write_timeout=1s
+    echo "faasd" | faas-cli invoke figlet
+
+    faas-cli describe figlet
+
+    # Run async
+    curl -i -d "faasd-async" $OPENFAAS_URL/async-function/figlet
+
+    # Run async with a callback
+
+    curl -i -d "faasd-async" -H "X-Callback-Url: http://some-request-bin.com/path" $OPENFAAS_URL/async-function/figlet
+    ```
+
+    You can also checkout the other store functions: `faas-cli store list`
+
+* Try the UI
+
+    Head over to the UI from your laptop and remember that your password is in the `basic-auth-password` file. The username is `admin`:
+
+    ```
+    echo http://$IP:8080
+    ```
+
+* Stop/start the instance
+
+    ```sh
+    multipass stop faasd
+    ```
+
+* Delete, if you want to:
+
+    ```
+    multipass delete --purge faasd
+    ```
+
+You now have a faasd appliance on your Mac. You can also use this cloud-init file with public cloud like AWS or DigitalOcean.
+
+* If you want a public IP for your faasd VM, then just head over to [inlets.dev](https://inlets.dev/)
+* Try my more complete walk-through / tutorial with Raspberry Pi, or run the same steps on your multipass VM, including how to develop your own functions and services - https://blog.alexellis.io/faasd-for-lightweight-serverless/
+* You might also like [Building containers without Docker](https://blog.alexellis.io/building-containers-without-docker/)
+* Star/fork [faasd](https://github.com/openfaas/faasd) on GitHub
--- a/docs/PATCHES.md
+++ b/docs/PATCHES.md
@ -0,0 +1,88 @@
+## Instructions for testing a patch for faasd
+
+### Launch a virtual machine
+
+You can use any kind of Linux virtual machine, Ubuntu 20.04 is recommended.
+
+Launch a cloud VM or use [Multipass](https://multipass.run), which is free to use an can be run locally. A Raspberry Pi 3 or 4 could also be used, but will need you to run `make dist` to cross compile a valid binary.
+
+### Copy over your SSH key
+
+Your SSH key will be used, so that you can copy a new faasd binary over to the host.
+
+```bash
+multipass launch \
+  --memory 4G \
+  -c 2 \
+  -n faasd
+
+# Then access its shell
+multipass shell faasd
+
+# Edit .ssh/authorized_keys
+
+# Add .ssh/id_rsa.pub from your host and save the file
+```
+
+### Install faasd on the VM
+
+You start off with the upstream version of faasd on the host, then add the new version over the top later on.
+
+```bash
+cd /tmp/
+git clone https://github.com/openfaas/faasd --depth=1
+cd faasd/hack
+./install.sh
+
+# Run the login command given to you at the end of the script
+```
+
+Get the multipass IP address:
+
+```bash
+export IP=$(multipass info faasd --format json| jq -r '.info.faasd.ipv4[0]')
+```
+
+### Build a new faasd binary with the patch
+
+Check out faasd on your local computer
+
+```bash
+git clone https://github.com/openfaas/faasd
+cd faasd
+
+gh pr checkout #PR_NUMBER_HERE
+
+GOOS=linux go build
+
+# You can also run "make dist" which is slower, but includes
+# a version and binaries for other platforms such as the Raspberry Pi
+```
+
+### Copy it over to the VM
+
+Now build a new faasd binary and copy it to the VM:
+
+```bash
+scp faasd ubuntu@$IP:~/
+```
+
+Now deploy the new version on the VM:
+
+```bash
+killall -9 faasd-linux; killall -9 faasd-linux ; mv ./faasd-linux /usr/local/bin/faasd
+```
+
+### Check it worked and test that patch
+
+Now run a command with `faas-cli` such as:
+
+* `faas-cli list`
+* `faas-cli version`
+
+See the testing instructions on the PR and run through those steps.
+
+Post your results on GitHub to assist the creator of the pull request.
+
+You can see how to get the logs for various components using the [eBook Serverless For Everyone Else](https://gumroad.com/l/serverless-for-everyone-else), or by consulting the [DEV.md](/docs/DEV.md) guide.
+
--- a/docs/README.md
+++ b/docs/README.md
@ -0,0 +1,7 @@
+# Documentation
+
+- [Develop faasd](./DEV.md) - Instructions for building and testing faasd locally
+- [Testing faasd](./PATCHES.md) - Instructions for testing a patch for faasd
+- [Roadmap](./ROADMAP.md) - Overview of features, backlog and known issues
+- [Run faasd with multipass](./MULTIPASS.md) - Tutorial on how to run faasd on a local multipass VM
+- [Terraform modules](./TERRAFORM.md) - A collection of official and community provided terraform modules for faasd
--- a/docs/ROADMAP.md
+++ b/docs/ROADMAP.md
@ -0,0 +1,151 @@
+# faasd backlog and features
+
+It's important to understand the vision for faasd vs OpenFaaS CE/Pro.
+
+faasd is a single-node implementation of OpenFaaS.
+
+It is supposed to be a lightweight, low-overhead, way to deploy OpenFaaS functions for functions which do not need planet-scale.
+
+It is not supposed to have multiple replicas, clustering, HA, or auto-scaling.
+
+[Learn when to use faasd](https://docs.openfaas.com/deployment/)
+
+## Supported operations
+
+* `faas-cli login`
+* `faas-cli up`
+* `faas-cli list`
+* `faas-cli describe`
+* `faas-cli deploy --update=true --replace=false`
+* `faas-cli invoke --async`
+* `faas-cli invoke`
+* `faas-cli rm`
+* `faas-cli store list/deploy/inspect`
+* `faas-cli version`
+* `faas-cli namespace`
+* `faas-cli secret`
+* `faas-cli logs`
+* `faas-cli auth` - supported for Basic Authentication and OpenFaaS Pro with OIDC and Single-sign On.
+
+The OpenFaaS REST API is supported by faasd, learn more in the [manual](https://store.openfaas.com/l/serverless-for-everyone-else) under "Can I get an API with that?"
+
+## Constraints vs OpenFaaS on Kubernetes
+
+faasd suits certain use-cases as mentioned in the [README.md](/README.md) file, for those who want a solution which can scale out horizontally with minimum effort, Kubernetes or K3s is a valid option.
+
+Which is right for you? [Read a comparison in the OpenFaaS docs](https://docs.openfaas.com/deployment/)
+
+### One replica per function
+
+Functions only support one replica for each function, so that means horizontal scaling is not available.
+
+It can scale vertically, and this may be a suitable alternative for many use-cases. See the [YAML reference for how to configure limits](https://docs.openfaas.com/reference/yaml/).
+
+Workaround: deploy multiple, dynamically named functions `scraper-1`, `scraper-2`, `scraper-3` and set up a reverse proxy rule to load balance i.e. `scraper.example.com => [/function/scraper-1, /function/scraper-2, /function/scraper-3]`.
+
+### Scale from zero may give a non-200
+
+faasd itself does not implement a health check to determine if a function is ready for traffic. Since faasd doesn't support auto-scaling, this is unlikely to affect you.
+
+Workaround: Have your client retry HTTP calls, or don't scale to zero.
+
+### Leaf-node only - no clustering
+
+faasd is operates on a leaf-node/single-node model. If this is an issue for you, but you have resource constraints, you will need to use [OpenFaaS CE or Pro on Kubernetes](https://docs.openfaas.com/deployment/).
+
+There are no plans to add any form of clustering or multi-node support to faasd.
+
+See past discussion at: [HA / resilience in faasd #225](https://github.com/openfaas/faasd/issues/225)
+
+What about HA and fault tolerance?
+
+To achieve fault tolerance, you could put two faasd instances behind a load balancer or proxy, but you will need to deploy the same set of functions to each.
+
+An alternative would be to take regular VM backups or snapshots.
+
+### No rolling updates are available today
+
+When running `faas-cli deploy`, your old function is removed before the new one is started. This may cause a period of downtime, depending on the timeouts and grace periods you set.
+
+Workaround: deploy uniquely named functions i.e. `scraper-1` and `scraper-2` with a reverse proxy rule that maps `/function/scraper` to the active version.
+
+## Known issues
+
+### Troubleshooting
+
+There is a very detailed chapter on troubleshooting in the eBook [Serverless For Everyone Else](https://store.openfaas.com/l/serverless-for-everyone-else)
+
+### Your function timed-out at 60 seconds
+
+This is no longer an issue, see the manual for how to configure a longer timeout, updated 3rd October 2022.
+
+### Non 200 HTTP status from the gateway upon reboot
+
+This issue appears to happen sporadically and only for some users.
+
+If you get a non 200 HTTP code from the gateway, or caddy after installing faasd, check the logs of faasd:
+
+```bash
+sudo journalctl -u faasd
+```
+
+If you see the following error:
+
+```
+unable to dial to 10.62.0.5:8080, error: dial tcp 10.62.0.5:8080: connect: no route to host
+```
+
+Restart the faasd service with:
+
+```bash
+sudo systemctl restart faasd
+```
+
+## Backlog
+
+Should have:
+
+* [ ] Restart any of the containers in docker-compose.yaml if they crash.
+* [ ] Asynchronous function deployment and deletion (currently synchronous/blocking)
+
+Nice to Have:
+
+* [ ] Live rolling-updates, with zero downtime (may require using IDs instead of names for function containers)
+* [ ] Apply a total memory limit for the host (if a node has 1GB of RAM, don't allow more than 1GB of RAM to be specified in the limits field)
+* [ ] Terraform for AWS EC2
+
+Won't have:
+
+* [ ] Clustering
+* [ ] Multiple replicas per function
+
+### Completed
+
+* [x] Docs or examples on how to use the various event connectors (Yes in the eBook)
+* [x] Resolve core services from functions by populating/sharing `/etc/hosts` between `faasd` and `faasd-provider`
+* [x] Provide a cloud-init configuration for faasd bootstrap
+* [x] Configure core services from a docker-compose.yaml file
+* [x] Store and fetch logs from the journal
+* [x] Add support for using container images in third-party public registries
+* [x] Add support for using container images in private third-party registries
+* [x] Provide a cloud-config.txt file for automated deployments of `faasd`
+* [x] Inject / manage IPs between core components for service to service communication - i.e. so Prometheus can scrape the OpenFaaS gateway - done via `/etc/hosts` mount
+* [x] Add queue-worker and NATS
+* [x] Create faasd.service and faasd-provider.service
+* [x] Self-install / create systemd service via `faasd install`
+* [x] Restart containers upon restart of faasd
+* [x] Clear / remove containers and tasks with SIGTERM / SIGINT
+* [x] Determine armhf/arm64 containers to run for gateway
+* [x] Configure `basic_auth` to protect the OpenFaaS gateway and faasd-provider HTTP API
+* [x] Setup custom working directory for faasd `/var/lib/faasd/`
+* [x] Use CNI to create network namespaces and adapters
+* [x] Optionally expose core services from the docker-compose.yaml file, locally or to all adapters.
+* [x] ~~[containerd can't pull image from Github Docker Package Registry](https://github.com/containerd/containerd/issues/3291)~~ ghcr.io support
+* [x] Provide [simple Caddyfile example](https://blog.alexellis.io/https-inlets-local-endpoints/) in the README showing how to expose the faasd proxy on port 80/443 with TLS
+* [x] Annotation support
+* [x] Hard memory limits for functions
+* [x] Terraform for DigitalOcean
+* [x] [Store and retrieve annotations in function spec](https://github.com/openfaas/faasd/pull/86) - in progress
+* [x] An installer for faasd and dependencies - runc, containerd
+* [x] Offer a recommendation or implement a strategy for faasd replication/HA
+
--- a/docs/TERRAFORM.md
+++ b/docs/TERRAFORM.md
@ -0,0 +1,14 @@
+# Terraform Modules for faasd
+
+| Terraform Module | Author | Origin | Status |
+|-----------|--------|--------|--------|
+| [faasd on DigitalOcean](https://github.com/openfaas/faasd/tree/master/docs/bootstrap/digitalocean-terraform) | OpenFaaS | Official | Active |
+| [faasd on DigitalOcean](https://github.com/jsiebens/terraform-digitalocean-faasd) | Johan Siebens | Community | Active |
+| [faasd on Google Cloud Platform](https://github.com/jsiebens/terraform-google-faasd) | Johan Siebens | Community | Active |
+| [faasd on Microsoft Azure ](https://github.com/jsiebens/terraform-azurerm-faasd) | Johan Siebens | Community | Active |
+| [faasd on Equinix Metal](https://github.com/jsiebens/terraform-equinix-faasd) | Johan Siebens | Community | Active |
+| [faasd on Scaleway](https://github.com/jsiebens/terraform-scaleway-faasd) | Johan Siebens | Community | Active |
+| [faasd on Amazon Web Services](https://github.com/jsiebens/terraform-aws-faasd) |Johan Siebens | Community | Active |
+| [faasd on Linode](https://github.com/itTrident/terraform-linode-faasd) | itTrident | Community | Active |
+| [faasd on Vultr](https://github.com/itTrident/terraform-vultr-faasd) | itTrident | Community | Active |
+| [faasd on Exoscale](https://github.com/itTrident/terraform-exoscale-faasd) | itTrident | Community | Active |
--- a/docs/bootstrap/cloud-config.tpl
+++ b/docs/bootstrap/cloud-config.tpl
@ -0,0 +1,27 @@
+#cloud-config
+package_update: true
+
+packages:
+ - runc
+ - git
+
+runcmd:
+- curl -sLSf https://github.com/containerd/containerd/releases/download/v1.7.0/containerd-1.7.0-linux-amd64.tar.gz > /tmp/containerd.tar.gz && tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/ --strip-components=1
+- curl -SLfs https://raw.githubusercontent.com/containerd/containerd/v1.7.0/containerd.service | tee /etc/systemd/system/containerd.service
+- systemctl daemon-reload && systemctl start containerd
+- /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
+- mkdir -p /opt/cni/bin
+- curl -sSL https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz | tar -xz -C /opt/cni/bin
+- mkdir -p /go/src/github.com/openfaas/
+- mkdir -p /var/lib/faasd/secrets/
+- echo ${gw_password} > /var/lib/faasd/secrets/basic-auth-password
+- echo admin > /var/lib/faasd/secrets/basic-auth-user
+- cd /go/src/github.com/openfaas/ && git clone --depth 1 --branch 0.16.2 https://github.com/openfaas/faasd
+- curl -fSLs "https://github.com/openfaas/faasd/releases/download/0.16.2/faasd" --output "/usr/local/bin/faasd" && chmod a+x "/usr/local/bin/faasd"
+- cd /go/src/github.com/openfaas/faasd/ && /usr/local/bin/faasd install
+- systemctl status -l containerd --no-pager
+- journalctl -u faasd-provider --no-pager
+- systemctl status -l faasd-provider --no-pager
+- systemctl status -l faasd --no-pager
+- curl -sSLf https://cli.openfaas.com | sh
+- sleep 5 && journalctl -u faasd --no-pager
--- a/docs/bootstrap/digitalocean-terraform/.gitignore
+++ b/docs/bootstrap/digitalocean-terraform/.gitignore
@ -0,0 +1,3 @@
+/.terraform/
+/terraform.tfstate
+/terraform.tfstate.backup
--- a/docs/bootstrap/digitalocean-terraform/.terraform.lock.hcl
+++ b/docs/bootstrap/digitalocean-terraform/.terraform.lock.hcl
@ -0,0 +1,66 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.11.0"
+  constraints = "2.11.0"
+  hashes = [
+    "h1:/qAnTOSP5KeZkF7wqLai34SKAs7aefulcUA3I8R7rRg=",
+    "h1:PbXtjUfvxwmkycJ0Y9Dyn66Arrpk5L8/P381SXMx2O0=",
+    "h1:lXLX9tmuxV7azTHd0xB0FAVrxyfBtotIz5LEJp8YUk0=",
+    "zh:2191adc79bdfdb3b733e0619e4f391ae91c1631c5dafda42dab561d943651fa4",
+    "zh:21a4f67e42dcdc10fbd7f8579247594844d09a469a3a54862d565913e4d6121d",
+    "zh:557d98325fafcf2db91ea6d92f65373a48c4e995a1a7aeb57009661fee675250",
+    "zh:68c0238cafc37433627e288fcd2c7e14f4f0afdd50b4f265d8d1f1addab6f19f",
+    "zh:7e6d69720734455eb1c69880f049650276089b7fa09085e130d224abaeec887a",
+    "zh:95bd93a696ec050c1cb5e724498fd12b1d69760d01e97c869be3252025691434",
+    "zh:b1b075049e33aa08c032f41a497351c9894f16287a4449032d8b805bc6dcb596",
+    "zh:ba91aa853372c828f808c09dbab2a5bc9493a7cf93210d1487f9637b2cac8ca4",
+    "zh:bc43d27dfe014266697c2ac259f4311300391aa6aa7c5d23e382fe296df938d5",
+    "zh:d3a04d2c76bfc1f46a117b1af7870a97353319ee8f924a37fe77861519f59525",
+    "zh:d3da997c05a653df6cabb912c6c05ceb6bf77219b699f04daf44fd795c81c6ed",
+    "zh:edd0659021b6634acf0f581d1be1985a81fcd1182e3ccb43de6eac6c43be9ab4",
+    "zh:f588ace57b6c35d509ecaa7136e6a8049d227b0674104a1f958359b84862d8e3",
+    "zh:f894ed195a3b9ebbfa1ba7c5d71be06df3a96d783ff064d22dd693ace34d638e",
+    "zh:fb6b0d4b111fafdcb3bb9a7dbab88e2110a6ce6324de64ecf62933ee8b651ccf",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "h1:EPIax4Ftp2SNdB9pUfoSjxoueDoLc/Ck3EUoeX0Dvsg=",
+    "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}
--- a/docs/bootstrap/digitalocean-terraform/README.md
+++ b/docs/bootstrap/digitalocean-terraform/README.md
@ -0,0 +1,48 @@
+# Bootstrap faasd with TLS support on Digitalocean
+
+1) [Sign up to DigitalOcean](https://www.digitalocean.com/?refcode=2962aa9e56a1&utm_campaign=Referral_Invite&utm_medium=Referral_Program&utm_source=CopyPaste)
+2) [Download Terraform](https://www.terraform.io)
+3) Clone this gist using the URL from the address bar
+4) Run `terraform init`
+5) Configure terraform variables as needed by updating the `main.tfvars` file:
+
+   | Variable     | Description         | Default         |
+   | ------------ | ------------------- | --------------- |
+   | `do_token` | Digitalocean API token | None |
+   | `do_domain` | Public domain used for the faasd gateway | None |
+   | `do_subdomain` | Public subdomain used for the faasd gateway | `faasd` |
+   | `letsencrypt_email` | Email used by when ordering TLS certificate from Letsencrypt | `""` |
+   | `do_create_record` | When set to `true`, a new DNS record will be created. This works only if your domain (`do_domain`) is managed by Digitalocean | `false` |
+   | `do_region` | Digitalocean region for creating the droplet | `fra1` |
+   | `ssh_key_file` | Path to public SSH key file |`~/.ssh/id_rsa.pub` |
+
+> Environment variables can also be used to set terraform variables when running the `terraform apply` command using the format `TF_VAR_name`.
+
+6) Run `terraform apply`
+   1) Add `-var-file=main.tfvars` if you have set the variables in `main.tfvars`.
+   2) OR [use environment variables](https://www.terraform.io/docs/commands/environment-variables.html#tf_var_name) for setting the terraform variables when running the `apply` command
+
+7) View the output for the login command and gateway URL i.e.
+
+```
+droplet_ip = 178.128.39.201
+gateway_url = https://faasd.example.com/
+```
+
+8) View the output for sensitive data via `terraform output` command
+
+```bash
+terraform output login_cmd
+login_cmd = faas-cli login -g http://178.128.39.201:8080/ -p rvIU49CEcFcHmqxj
+
+terraform output password
+password = rvIU49CEcFcHmqxj
+```
+
+
+9) Use your browser to access the OpenFaaS interface
+
+Note that the user-data may take a couple of minutes to come up since it will be pulling in various components and preparing the machine. 
+Also take into consideration the DNS propagation time for the new DNS record.
+
+A single host with 1GB of RAM will be deployed for you, to remove at a later date simply use `terraform destroy`.
--- a/docs/bootstrap/digitalocean-terraform/cloud-config.tpl
+++ b/docs/bootstrap/digitalocean-terraform/cloud-config.tpl
@ -0,0 +1,9 @@
+#! /bin/bash
+
+mkdir -p /var/lib/faasd/secrets/
+echo ${gw_password} > /var/lib/faasd/secrets/basic-auth-password
+
+export FAASD_DOMAIN=${faasd_domain_name}
+export LETSENCRYPT_EMAIL=${letsencrypt_email}
+
+curl -sfL https://raw.githubusercontent.com/openfaas/faasd/master/hack/install.sh | bash -s -
--- a/docs/bootstrap/digitalocean-terraform/main.tf
+++ b/docs/bootstrap/digitalocean-terraform/main.tf
@ -0,0 +1,97 @@
+terraform {
+  required_version = ">= 1.0.4"
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "2.11.0"
+    }
+  }
+}
+
+variable "do_token" {
+  description = "Digitalocean API token"
+}
+variable "do_domain" {
+  description = "Your public domain"
+}
+variable "do_subdomain" {
+  description = "Your public subdomain"
+  default     = "faasd"
+}
+variable "letsencrypt_email" {
+  description = "Email used to order a certificate from Letsencrypt"
+}
+variable "do_create_record" {
+  default     = false
+  description = "Whether to create a DNS record on Digitalocean"
+}
+variable "do_region" {
+  default     = "fra1"
+  description = "The Digitalocean region where the faasd droplet will be created."
+}
+variable "ssh_key_file" {
+  default     = "~/.ssh/id_rsa.pub"
+  description = "Path to the SSH public key file"
+}
+
+provider "digitalocean" {
+  token = var.do_token
+}
+
+resource "random_password" "password" {
+  length           = 16
+  special          = true
+  override_special = "_-#"
+}
+
+data "template_file" "cloud_init" {
+  template = file("cloud-config.tpl")
+  vars = {
+    gw_password       = random_password.password.result,
+    faasd_domain_name = "${var.do_subdomain}.${var.do_domain}"
+    letsencrypt_email = var.letsencrypt_email
+  }
+}
+
+resource "digitalocean_ssh_key" "faasd_ssh_key" {
+  name       = "ssh-key"
+  public_key = file(var.ssh_key_file)
+}
+
+resource "digitalocean_droplet" "faasd" {
+  region    = var.do_region
+  image     = "ubuntu-18-04-x64"
+  name      = "faasd"
+  size      = "s-1vcpu-1gb"
+  user_data = data.template_file.cloud_init.rendered
+  ssh_keys = [
+    digitalocean_ssh_key.faasd_ssh_key.id
+  ]
+}
+
+resource "digitalocean_record" "faasd" {
+  domain = var.do_domain
+  type   = "A"
+  name   = var.do_subdomain
+  value  = digitalocean_droplet.faasd.ipv4_address
+  # Only creates record if do_create_record is true
+  count = var.do_create_record == true ? 1 : 0
+}
+
+output "droplet_ip" {
+  value = digitalocean_droplet.faasd.ipv4_address
+}
+
+output "gateway_url" {
+  value = "https://${var.do_subdomain}.${var.do_domain}/"
+}
+
+output "password" {
+  value     = random_password.password.result
+  sensitive = true
+}
+
+output "login_cmd" {
+  value     = "faas-cli login -g https://${var.do_subdomain}.${var.do_domain}/ -p ${random_password.password.result}"
+  sensitive = true
+}
--- a/docs/bootstrap/digitalocean-terraform/main.tfvars
+++ b/docs/bootstrap/digitalocean-terraform/main.tfvars
@ -0,0 +1,4 @@
+do_token          = ""
+do_domain         = ""
+do_subdomain      = ""
+letsencrypt_email = ""
--- a/docs/media/logo.pdf
+++ b/docs/media/logo.pdf
--- a/docs/media/social.png
+++ b/docs/media/social.png
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,112 @@
+module github.com/openfaas/faasd
+
+go 1.20
+
+require (
+	github.com/alexellis/arkade v0.0.0-20230705083451-a4dd6013ddcd
+	github.com/alexellis/go-execute v0.6.0
+	github.com/compose-spec/compose-go v0.0.0-20200528042322-36d8ce368e05
+	github.com/containerd/containerd v1.7.0
+	github.com/containerd/go-cni v1.1.9
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
+	github.com/docker/cli v24.0.2+incompatible
+	github.com/docker/distribution v2.8.2+incompatible
+	github.com/docker/docker v24.0.2+incompatible // indirect
+	github.com/docker/go-units v0.5.0
+	github.com/gorilla/mux v1.8.0
+	github.com/morikuni/aec v1.0.0
+	github.com/opencontainers/runtime-spec v1.1.0-rc.3
+	github.com/openfaas/faas-provider v0.24.0
+	github.com/openfaas/faas/gateway v0.0.0-20230707085301-9e6f814f6fd8
+	github.com/pkg/errors v0.9.1
+	github.com/sethvargo/go-password v0.2.0
+	github.com/spf13/cobra v1.7.0
+	github.com/spf13/pflag v1.0.5
+	github.com/vishvananda/netlink v1.2.1-beta.2
+	github.com/vishvananda/netns v0.0.4
+	golang.org/x/sys v0.10.0
+	k8s.io/apimachinery v0.27.3
+)
+
+require (
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/hcsshim v0.10.0-rc.7 // indirect
+	github.com/VividCortex/ewma v1.2.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cheggaaa/pb/v3 v3.1.2 // indirect
+	github.com/containerd/cgroups v1.1.0 // indirect
+	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/containerd/fifo v1.1.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/containerd/ttrpc v1.2.1 // indirect
+	github.com/containerd/typeurl/v2 v2.1.0 // indirect
+	github.com/containernetworking/cni v1.1.2 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
+	github.com/fatih/color v1.14.1 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-containerregistry v0.15.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/imdario/mergo v0.3.14 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/nats-io/nats.go v1.22.1 // indirect
+	github.com/nats-io/nkeys v0.3.0 // indirect
+	github.com/nats-io/nuid v1.0.1 // indirect
+	github.com/nats-io/stan.go v0.10.4 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/opencontainers/runc v1.1.5 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/openfaas/nats-queue-worker v0.0.0-20230303171817-9dfe6fa61387 // indirect
+	github.com/otiai10/copy v1.12.0 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.6.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/vbatts/tar-split v0.11.3 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/otel v1.14.0 // indirect
+	go.opentelemetry.io/otel/trace v1.14.0 // indirect
+	golang.org/x/crypto v0.10.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/text v0.10.0 // indirect
+	golang.org/x/tools v0.8.0 // indirect
+	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
+	google.golang.org/grpc v1.53.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gotest.tools/v3 v3.0.3 // indirect
+)
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,520 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0=
+github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
+github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
+github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
+github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/hcsshim v0.10.0-rc.7 h1:HBytQPxcv8Oy4244zbQbe6hnOnx544eL5QPUqhJldz8=
+github.com/Microsoft/hcsshim v0.10.0-rc.7/go.mod h1:ILuwjA+kNW+MrN/w5un7n3mTqkwsFu4Bp05/okFUZlE=
+github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
+github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
+github.com/alexellis/arkade v0.0.0-20230317160202-4d8f80c5b033 h1:nq1a5V5MOoiLIKLOpB6HGeoRjdzKFoFQ6S1jMwIPdDY=
+github.com/alexellis/arkade v0.0.0-20230317160202-4d8f80c5b033/go.mod h1:T8i2qJQ5D13uTn+IgGCpC+ylJ3fb+bcnfrLppWcCuSo=
+github.com/alexellis/arkade v0.0.0-20230705083451-a4dd6013ddcd h1:Cvt1/JwejfGBTfZUuqa4EdiyV8VPIDTCJ3fua+QqUpc=
+github.com/alexellis/arkade v0.0.0-20230705083451-a4dd6013ddcd/go.mod h1:PupjhF444AKYAD3NRbzCMhLWHiF/uixUmCWDuR2PzWA=
+github.com/alexellis/go-execute v0.5.0 h1:L8kgNlFzNbJov7jrInlaig7i6ZUSz/tYYmqvb8dyD0s=
+github.com/alexellis/go-execute v0.5.0/go.mod h1:AgHTcsCF9wrP0mMVTO8N+lFw1Biy71NybBOk8M+qgy8=
+github.com/alexellis/go-execute v0.6.0 h1:FVGoudJnWSObwf9qmehbvVuvhK6g1UpKOCBjS+OUXEA=
+github.com/alexellis/go-execute v0.6.0/go.mod h1:nlg2F6XdYydUm1xXQMMiuibQCV1mveybBkNWfdNznjk=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
+github.com/cheggaaa/pb/v3 v3.1.2 h1:FIxT3ZjOj9XJl0U4o2XbEhjFfZl7jCVCDOGq1ZAB7wQ=
+github.com/cheggaaa/pb/v3 v3.1.2/go.mod h1:SNjnd0yKcW+kw0brSusraeDd5Bf1zBfxAzTL2ss3yQ4=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/compose-spec/compose-go v0.0.0-20200528042322-36d8ce368e05 h1:3CoRXflT4IAdIpsFTqZBlLuHOkHYhBvW0iijkQKm4QY=
+github.com/compose-spec/compose-go v0.0.0-20200528042322-36d8ce368e05/go.mod h1:y75QUr1jcR5aFNf3Tj3dhwnujABGz6UaRrZ5qZwF1cc=
+github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
+github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
+github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
+github.com/containerd/containerd v1.7.0 h1:G/ZQr3gMZs6ZT0qPUZ15znx5QSdQdASW11nXTLTM2Pg=
+github.com/containerd/containerd v1.7.0/go.mod h1:QfR7Efgb/6X2BDpTPJRvPTYDE9rsF0FsXX9J8sIs/sc=
+github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
+github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
+github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
+github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
+github.com/containerd/go-cni v1.1.9 h1:ORi7P1dYzCwVM6XPN4n3CbkuOx/NZ2DOqy+SHRdo9rU=
+github.com/containerd/go-cni v1.1.9/go.mod h1:XYrZJ1d5W6E2VOvjffL3IZq0Dz6bsVlERHbekNK90PM=
+github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
+github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
+github.com/containerd/ttrpc v1.2.1 h1:VWv/Rzx023TBLv4WQ+9WPXlBG/s3rsRjY3i9AJ2BJdE=
+github.com/containerd/ttrpc v1.2.1/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf1G5tYZak=
+github.com/containerd/typeurl/v2 v2.1.0 h1:yNAhJvbNEANt7ck48IlEGOxP7YAp6LLpGn5jZACDNIE=
+github.com/containerd/typeurl/v2 v2.1.0/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
+github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl31EQbXALQ=
+github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
+github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy13Ul2Q5oM=
+github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE=
+github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM=
+github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v23.0.3+incompatible h1:9GhVsShNWz1hO//9BNg/dpMnZW25KydO4wtVxWAIbho=
+github.com/docker/docker v23.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k=
+github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
+github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
+github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
+github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
+github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
+github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
+github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6VUEAZgy3a+TQE=
+github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/imdario/mergo v0.3.14 h1:fOqeC1+nCuuk6PKQdg9YmosXX7Y7mHX6R/0ZldI9iHo=
+github.com/imdario/mergo v0.3.14/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.16.3 h1:XuJt9zzcnaz6a16/OU53ZjWp/v7/42WcR5t2a0PcNQY=
+github.com/klauspost/compress v1.16.3/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
+github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
+github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-shellwords v1.0.10/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
+github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
+github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.3.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
+github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
+github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
+github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
+github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
+github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
+github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
+github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
+github.com/moby/sys/signal v0.7.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
+github.com/nats-io/nats.go v1.22.1 h1:XzfqDspY0RNufzdrB8c4hFR+R3dahkxlpWe5+IWJzbE=
+github.com/nats-io/nats.go v1.22.1/go.mod h1:tLqubohF7t4z3du1QDPYJIQQyhb4wl6DhjxEajSI7UA=
+github.com/nats-io/nkeys v0.3.0 h1:cgM5tL53EvYRU+2YLXIK0G2mJtK12Ft9oeooSZMA2G8=
+github.com/nats-io/nkeys v0.3.0/go.mod h1:gvUNGjVcM2IPr5rCsRsC6Wb3Hr2CQAm08dsxtV6A5y4=
+github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
+github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
+github.com/nats-io/stan.go v0.10.4 h1:19GS/eD1SeQJaVkeM9EkvEYattnvnWrZ3wkSWSw4uXw=
+github.com/nats-io/stan.go v0.10.4/go.mod h1:3XJXH8GagrGqajoO/9+HgPyKV5MWsv7S5ccdda+pc6k=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
+github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
+github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
+github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
+github.com/onsi/ginkgo/v2 v2.4.0 h1:+Ig9nvqgS5OBSACXNk15PLdp0U9XPYROt9CFzVdFGIs=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/onsi/gomega v1.23.0 h1:/oxKu9c2HVap+F3PfKort2Hw5DEU+HGlW8n+tguWsys=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
+github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs=
+github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.1.0-rc.1 h1:wHa9jroFfKGQqFHj0I1fMRKLl0pfj+ynAqBxo3v6u9w=
+github.com/opencontainers/runtime-spec v1.1.0-rc.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.1.0-rc.3 h1:l04uafi6kxByhbxev7OWiuUv0LZxEsYUfDWZ6bztAuU=
+github.com/opencontainers/runtime-spec v1.1.0-rc.3/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
+github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/openfaas/faas-provider v0.21.0 h1:rnTy1Gpx+0YvqriQD8miQ2DfpOJXYZbV3VMqe8ri5lc=
+github.com/openfaas/faas-provider v0.21.0/go.mod h1:Farrp+9Med8LeK3aoYpqplMP8f5ebTILbCSLg2LPLZk=
+github.com/openfaas/faas-provider v0.23.0 h1:C29yoEa+00YriqcGVii/R6P22IDlzoMuR3V49Po4vBI=
+github.com/openfaas/faas-provider v0.23.0/go.mod h1:yZyfou3iBkvvH6jILaeUivgy3RhnWABh+Ze4rGUG2wM=
+github.com/openfaas/faas-provider v0.24.0 h1:5ToqdkqZ3pM9SdFKBMUmhU8IjXMh6+qd7gEDBeFhp1M=
+github.com/openfaas/faas-provider v0.24.0/go.mod h1:NsETIfEndZn4mn/w/XnBTcDTwKqULCziphLp7KgeRcA=
+github.com/openfaas/faas/gateway v0.0.0-20230317100158-e44448c5dca2 h1:mSQlNX+etC2pd+yxZrkOj91vO0Vma75XHjI8+mKdS+A=
+github.com/openfaas/faas/gateway v0.0.0-20230317100158-e44448c5dca2/go.mod h1:iQNG+Up27CXDLHgIr9mcifTzaPD2mYOFTZW8MHxib7M=
+github.com/openfaas/faas/gateway v0.0.0-20230628073303-c0d710c97ff7 h1:L93R55OfxBjoWVR5bCWn1HHbVzyiNTL+hgWloS/hNrg=
+github.com/openfaas/faas/gateway v0.0.0-20230628073303-c0d710c97ff7/go.mod h1:REnxOe821v2IRlQEvj1Gjt5w1Xdshx8IT5/UF1MlEQc=
+github.com/openfaas/faas/gateway v0.0.0-20230707085301-9e6f814f6fd8 h1:KJyo/Em7/Pzb61cGu0U8l3/6dBQAK/lMEZCK9can8WU=
+github.com/openfaas/faas/gateway v0.0.0-20230707085301-9e6f814f6fd8/go.mod h1:dr/Cno1dEuFB7+OD8fzq+CApKMY9Gdbho4zJKl0nVzI=
+github.com/openfaas/nats-queue-worker v0.0.0-20230117214128-3615ccb286cc h1:qMcVTwdbRAqZtQrYS9rvUxnbQY6nmqf7CIsjp7A+cOo=
+github.com/openfaas/nats-queue-worker v0.0.0-20230117214128-3615ccb286cc/go.mod h1:s86POyW6C8S4CALFRhO8ax5sR2uaQUJQ0HaQGvbTpTc=
+github.com/openfaas/nats-queue-worker v0.0.0-20230303171817-9dfe6fa61387 h1:D4xbdy309Wdyhlm6PgJqUV/aR77VQQG8UTF+q0ay71c=
+github.com/openfaas/nats-queue-worker v0.0.0-20230303171817-9dfe6fa61387/go.mod h1:s86POyW6C8S4CALFRhO8ax5sR2uaQUJQ0HaQGvbTpTc=
+github.com/otiai10/copy v1.12.0 h1:cLMgSQnXBs1eehF0Wy/FAGsgDTDmAqFR7rQylBb1nDY=
+github.com/otiai10/copy v1.12.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
+github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
+github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8=
+github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
+github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
+github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
+github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
+github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
+github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
+github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
+github.com/sethvargo/go-password v0.2.0 h1:BTDl4CC/gjf/axHMaDQtw507ogrXLci6XRiLc7i/UHI=
+github.com/sethvargo/go-password v0.2.0/go.mod h1:Ym4Mr9JXLBycr02MFuVQ/0JHidNetSgbzutTr3zsYXE=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
+github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
+github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
+github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
+github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
+github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
+github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
+github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
+go.opentelemetry.io/otel v1.14.0 h1:/79Huy8wbf5DnIPhemGB+zEPVwnN6fuQybr/SRXa6hM=
+go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU=
+go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M=
+go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
+go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210314154223-e6e6c4f2bb5b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
+golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
+golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
+golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
+golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
+golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
+golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 h1:DdoeryqhaXp1LtT/emMP1BRJPHHKFi5akj/nbx/zNTA=
+google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc=
+google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
+gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k=
+k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I=
+k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM=
+k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
--- a/hack/build-containerd-arm64.sh
+++ b/hack/build-containerd-arm64.sh
@ -0,0 +1,37 @@
+#!/bin/bash
+
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm
+
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi
+
+export GOPATH=$HOME/go/
+export PATH=$PATH:/usr/local/go/bin/
+
+go version
+
+echo "Building containerd"
+
+mkdir -p $GOPATH/src/github.com/containerd
+cd $GOPATH/src/github.com/containerd
+git clone https://github.com/containerd/containerd
+
+cd containerd
+git fetch origin --tags
+git checkout v1.7.0
+
+make
+sudo make install
+
+sudo containerd --version
--- a/hack/build-containerd-armhf.sh
+++ b/hack/build-containerd-armhf.sh
@ -1,12 +1,20 @@
 #!/bin/bash

-export ARCH="armv6l"
-echo "Downloading Go"
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm

-curl -SLsf https://dl.google.com/go/go1.12.14.linux-$ARCH.tar.gz --output /tmp/go.tgz
-sudo rm -rf /usr/local/go/
-sudo mkdir -p /usr/local/go/
-sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi

 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/
@ -21,7 +29,7 @@ git clone https://github.com/containerd/containerd

 cd containerd
 git fetch origin --tags
-git checkout v1.3.2
+git checkout v1.7.0

 make
 sudo make install
--- a/hack/build-containerd.sh
+++ b/hack/build-containerd.sh
@ -1,12 +1,21 @@
 #!/bin/bash

-export ARCH="amd64"
-echo "Downloading Go"

-curl -SLsf https://dl.google.com/go/go1.12.14.linux-$ARCH.tar.gz --output /tmp/go.tgz
-sudo rm -rf /usr/local/go/
-sudo mkdir -p /usr/local/go/
-sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+# See pre-reqs:
+# https://github.com/alexellis/containerd-arm
+
+export ARCH="arm64"
+
+if [ ! -d "/usr/local/go/bin" ]; then
+    echo "Downloading Go.."
+    
+    curl -SLsf https://golang.org/dl/go1.16.6.linux-$ARCH.tar.gz --output /tmp/go.tgz
+    sudo rm -rf /usr/local/go/
+    sudo mkdir -p /usr/local/go/
+    sudo tar -xvf /tmp/go.tgz -C /usr/local/go/ --strip-components=1
+else
+    echo "Go already present, skipping."
+fi

 export GOPATH=$HOME/go/
 export PATH=$PATH:/usr/local/go/bin/
@ -21,7 +30,7 @@ git clone https://github.com/containerd/containerd

 cd containerd
 git fetch origin --tags
-git checkout v1.3.2
+git checkout v1.7.0

 make
 sudo make install
--- a/hack/faasd-provider.service
+++ b/hack/faasd-provider.service
@ -5,6 +5,7 @@ Description=faasd-provider
 MemoryLimit=500M
 Environment="secret_mount_path={{.SecretMountPath}}"
 Environment="basic_auth=true"
+Environment="hosts_dir=/var/lib/faasd"
 ExecStart=/usr/local/bin/faasd provider
 Restart=on-failure
 RestartSec=10s
--- a/hack/install.sh
+++ b/hack/install.sh
@ -0,0 +1,190 @@
+#!/bin/bash
+
+# Copyright OpenFaaS Author(s) 2022
+
+set -e -x -o pipefail
+
+export OWNER="openfaas"
+export REPO="faasd"
+
+# On CentOS /usr/local/bin is not included in the PATH when using sudo. 
+# Running arkade with sudo on CentOS requires the full path
+# to the arkade binary. 
+export ARKADE=/usr/local/bin/arkade
+
+# When running as a startup script (cloud-init), the HOME variable is not always set.
+# As it is required for arkade to properly download tools, 
+# set the variable to /usr/local so arkade will download binaries to /usr/local/.arkade
+if [ -z "${HOME}" ]; then
+  export HOME=/usr/local
+fi
+
+version=""
+
+echo "Finding latest version from GitHub"
+version=$(curl -sI https://github.com/$OWNER/$REPO/releases/latest | grep -i "location:" | awk -F"/" '{ printf "%s", $NF }' | tr -d '\r')
+echo "$version"
+
+if [ ! $version ]; then
+  echo "Failed while attempting to get latest version"
+  exit 1
+fi
+
+SUDO=sudo
+if [ "$(id -u)" -eq 0 ]; then
+  SUDO=
+fi
+
+verify_system() {
+  if ! [ -d /run/systemd ]; then
+    fatal 'Can not find systemd to use as a process supervisor for faasd'
+  fi
+}
+
+has_yum() {
+  [ -n "$(command -v yum)" ]
+}
+
+has_apt_get() {
+  [ -n "$(command -v apt-get)" ]
+}
+
+has_pacman() {
+  [ -n "$(command -v pacman)" ]
+}
+
+install_required_packages() {
+  if $(has_apt_get); then
+    # Debian bullseye is missing iptables. Added to required packages
+    # to get it working in raspberry pi. No such known issues in
+    # other distros. Hence, adding only to this block.
+    # reference: https://github.com/openfaas/faasd/pull/237
+    $SUDO apt-get update -y
+    $SUDO apt-get install -y curl runc bridge-utils iptables
+  elif $(has_yum); then
+    $SUDO yum check-update -y
+    $SUDO yum install -y curl runc iptables-services
+  elif $(has_pacman); then
+    $SUDO pacman -Syy
+    $SUDO pacman -Sy curl runc bridge-utils
+  else
+    fatal "Could not find apt-get, yum, or pacman. Cannot install dependencies on this OS."
+    exit 1
+  fi
+}
+
+install_arkade(){
+  curl -sLS https://get.arkade.dev | $SUDO sh
+  arkade --help
+}
+
+install_cni_plugins() {
+  cni_version=v0.9.1
+  $SUDO $ARKADE system install cni --version ${cni_version} --path /opt/cni/bin --progress=false
+}
+
+install_containerd() {
+  CONTAINERD_VER=1.7.0
+  $SUDO systemctl unmask containerd || :
+
+  arch=$(uname -m)
+  if [ $arch == "armv7l" ]; then
+    $SUDO curl -fSLs "https://github.com/alexellis/containerd-arm/releases/download/v${CONTAINERD_VER}/containerd-${CONTAINERD_VER}-linux-armhf.tar.gz" --output "/tmp/containerd.tar.gz"
+    $SUDO tar -xvf /tmp/containerd.tar.gz -C /usr/local/bin/
+    $SUDO curl -fSLs https://raw.githubusercontent.com/containerd/containerd/v${CONTAINERD_VER}/containerd.service --output "/etc/systemd/system/containerd.service"
+    $SUDO systemctl enable containerd
+    $SUDO systemctl start containerd
+  else
+    $SUDO $ARKADE system install containerd --systemd --version v${CONTAINERD_VER}  --progress=false
+  fi
+  
+  sleep 5
+}
+
+install_faasd() {
+  arch=$(uname -m)
+  case $arch in
+  x86_64 | amd64)
+    suffix=""
+    ;;
+  aarch64)
+    suffix=-arm64
+    ;;
+  armv7l)
+    suffix=-armhf
+    ;;
+  *)
+    echo "Unsupported architecture $arch"
+    exit 1
+    ;;
+  esac
+
+  $SUDO curl -fSLs "https://github.com/openfaas/faasd/releases/download/${version}/faasd${suffix}" --output "/usr/local/bin/faasd"
+  $SUDO chmod a+x "/usr/local/bin/faasd"
+
+  mkdir -p /tmp/faasd-${version}-installation/hack
+  cd /tmp/faasd-${version}-installation
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/docker-compose.yaml" --output "docker-compose.yaml"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/prometheus.yml" --output "prometheus.yml"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/resolv.conf" --output "resolv.conf"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/hack/faasd-provider.service" --output "hack/faasd-provider.service"
+  $SUDO curl -fSLs "https://raw.githubusercontent.com/openfaas/faasd/${version}/hack/faasd.service" --output "hack/faasd.service"
+  $SUDO /usr/local/bin/faasd install
+}
+
+install_caddy() {
+  if [ ! -z "${FAASD_DOMAIN}" ]; then
+    CADDY_VER=v2.4.3
+    arkade get --progress=false caddy -v ${CADDY_VER}
+    
+    # /usr/bin/caddy is specified in the upstream service file.
+    $SUDO install -m 755 $HOME/.arkade/bin/caddy /usr/bin/caddy
+
+    $SUDO curl -fSLs https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service --output /etc/systemd/system/caddy.service
+
+    $SUDO mkdir -p /etc/caddy
+    $SUDO mkdir -p /var/lib/caddy
+    
+    if $(id caddy >/dev/null 2>&1); then
+      echo "User caddy already exists."
+    else
+      $SUDO useradd --system --home /var/lib/caddy --shell /bin/false caddy
+    fi
+
+    $SUDO tee /etc/caddy/Caddyfile >/dev/null <<EOF
+{
+  email "${LETSENCRYPT_EMAIL}"
+}
+
+${FAASD_DOMAIN} {
+  reverse_proxy 127.0.0.1:8080
+}
+EOF
+
+    $SUDO chown --recursive caddy:caddy /var/lib/caddy
+    $SUDO chown --recursive caddy:caddy /etc/caddy
+
+    $SUDO systemctl enable caddy
+    $SUDO systemctl start caddy
+  else
+    echo "Skipping caddy installation as FAASD_DOMAIN."
+  fi
+}
+
+install_faas_cli() {
+  arkade get --progress=false faas-cli
+  $SUDO install -m 755 $HOME/.arkade/bin/faas-cli /usr/local/bin/
+}
+
+verify_system
+install_required_packages
+
+$SUDO /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
+echo "net.ipv4.conf.all.forwarding=1" | $SUDO tee -a /etc/sysctl.conf
+
+install_arkade
+install_cni_plugins
+install_containerd
+install_faas_cli
+install_faasd
+install_caddy
--- a/pkg/cninetwork/cni_network.go
+++ b/pkg/cninetwork/cni_network.go
@ -1,6 +1,7 @@
 package cninetwork

 import (
+	"bufio"
 	"context"
 	"fmt"
 	"io"
@ -10,6 +11,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strings"

 	"github.com/containerd/containerd"
 	gocni "github.com/containerd/go-cni"
@ -19,21 +21,31 @@ import (
 const (
 	// CNIBinDir describes the directory where the CNI binaries are stored
 	CNIBinDir = "/opt/cni/bin"
+
 	// CNIConfDir describes the directory where the CNI plugin's configuration is stored
 	CNIConfDir = "/etc/cni/net.d"
+
 	// NetNSPathFmt gives the path to the a process network namespace, given the pid
 	NetNSPathFmt = "/proc/%d/ns/net"
-	// CNIResultsDir is the directory CNI stores allocated IP for containers
-	CNIResultsDir = "/var/lib/cni/results"
+
+	// CNIDataDir is the directory CNI stores allocated IP for containers
+	CNIDataDir = "/var/run/cni"
+
 	// defaultCNIConfFilename is the vanity filename of default CNI configuration file
 	defaultCNIConfFilename = "10-openfaas.conflist"
+
 	// defaultNetworkName names the "docker-bridge"-like CNI plugin-chain installed when no other CNI configuration is present.
 	// This value appears in iptables comments created by CNI.
 	defaultNetworkName = "openfaas-cni-bridge"
+
 	// defaultBridgeName is the default bridge device name used in the defaultCNIConf
 	defaultBridgeName = "openfaas0"
+
 	// defaultSubnet is the default subnet used in the defaultCNIConf -- this value is set to not collide with common container networking subnets:
 	defaultSubnet = "10.62.0.0/16"
+
+	// defaultIfPrefix is the interface name to be created in the container
+	defaultIfPrefix = "eth"
 )

 // defaultCNIConf is a CNI configuration that enables network access to containers (docker-bridge style)
@ -50,6 +62,7 @@ var defaultCNIConf = fmt.Sprintf(`
        "ipam": {
            "type": "host-local",
            "subnet": "%s",
+            "dataDir": "%s",
            "routes": [
                { "dst": "0.0.0.0/0" }
            ]
@ -60,7 +73,7 @@ var defaultCNIConf = fmt.Sprintf(`
      }
    ]
 }
-`, defaultNetworkName, defaultBridgeName, defaultSubnet)
+`, defaultNetworkName, defaultBridgeName, defaultSubnet, CNIDataDir)

 // InitNetwork writes configlist file and initializes CNI network
 func InitNetwork() (gocni.CNI, error) {
@ -75,11 +88,14 @@ func InitNetwork() (gocni.CNI, error) {
 	netConfig := path.Join(CNIConfDir, defaultCNIConfFilename)
 	if err := ioutil.WriteFile(netConfig, []byte(defaultCNIConf), 644); err != nil {
 		return nil, fmt.Errorf("cannot write network config: %s", defaultCNIConfFilename)
-
 	}
+
 	// Initialize CNI library
-	cni, err := gocni.New(gocni.WithPluginConfDir(CNIConfDir),
-		gocni.WithPluginDir([]string{CNIBinDir}))
+	cni, err := gocni.New(
+		gocni.WithPluginConfDir(CNIConfDir),
+		gocni.WithPluginDir([]string{CNIBinDir}),
+		gocni.WithInterfacePrefix(defaultIfPrefix),
+	)

 	if err != nil {
 		return nil, fmt.Errorf("error initializing cni: %s", err)
@ -131,43 +147,61 @@ func DeleteCNINetwork(ctx context.Context, cni gocni.CNI, client *containerd.Cli
 	return errors.Wrapf(containerErr, "Unable to find container: %s, error: %s", name, containerErr)
 }

-// GetIPAddress returns the IP address of the created container
-func GetIPAddress(result *gocni.CNIResult, task containerd.Task) (net.IP, error) {
-	// Get the IP of the created interface
-	var ip net.IP
-	for ifName, config := range result.Interfaces {
-		if config.Sandbox == netNamespace(task) {
-			for _, ipConfig := range config.IPConfigs {
-				if ifName != "lo" && ipConfig.IP.To4() != nil {
-					ip = ipConfig.IP
-				}
-			}
+// GetIPAddress returns the IP address from container based on container name and PID
+func GetIPAddress(container string, PID uint32) (string, error) {
+	CNIDir := path.Join(CNIDataDir, defaultNetworkName)
+
+	files, err := ioutil.ReadDir(CNIDir)
+	if err != nil {
+		return "", fmt.Errorf("failed to read CNI dir for container %s: %v", container, err)
+	}
+
+	for _, file := range files {
+		// each fileName is an IP address
+		fileName := file.Name()
+
+		resultsFile := filepath.Join(CNIDir, fileName)
+		found, err := isCNIResultForPID(resultsFile, container, PID)
+		if err != nil {
+			return "", err
+		}
+
+		if found {
+			return fileName, nil
 		}
 	}
-	if ip == nil {
-		return nil, fmt.Errorf("unable to get IP address for: %s", task.ID())
-	}
-	return ip, nil
+
+	return "", fmt.Errorf("unable to get IP address for container: %s", container)
 }

-func GetIPfromPID(pid int) (*net.IP, error) {
-	// https://github.com/weaveworks/weave/blob/master/net/netdev.go
+// isCNIResultForPID confirms if the CNI result file contains the
+// process name, PID and interface name
+//
+// Example:
+//
+// /var/run/cni/openfaas-cni-bridge/10.62.0.2
+//
+// nats-621
+// eth1
+func isCNIResultForPID(fileName, container string, PID uint32) (bool, error) {
+	found := false

-	peerIDs, err := ConnectedToBridgeVethPeerIds(defaultBridgeName)
+	f, err := os.Open(fileName)
 	if err != nil {
-		return nil, fmt.Errorf("unable to find peers on: %s %s", defaultBridgeName, err)
+		return false, fmt.Errorf("failed to open CNI IP file for %s: %v", fileName, err)
+	}
+	defer f.Close()
+
+	reader := bufio.NewReader(f)
+	processLine, _ := reader.ReadString('\n')
+	if strings.Contains(processLine, fmt.Sprintf("%s-%d", container, PID)) {
+		ethNameLine, _ := reader.ReadString('\n')
+		if strings.Contains(ethNameLine, defaultIfPrefix) {
+			found = true
+		}
 	}

-	addrs, addrsErr := GetNetDevsByVethPeerIds(pid, peerIDs)
-	if addrsErr != nil {
-		return nil, fmt.Errorf("unable to find address for veth pair using: %v %s", peerIDs, addrsErr)
-	}
-
-	if len(addrs) > 0 && len(addrs[0].CIDRs) > 0 {
-		return &addrs[0].CIDRs[0].IP, nil
-	}
-
-	return nil, fmt.Errorf("no IP found for function")
+	return found, nil
 }

 // CNIGateway returns the gateway for default subnet
--- a/pkg/cninetwork/cni_network_test.go
+++ b/pkg/cninetwork/cni_network_test.go
@ -0,0 +1,63 @@
+package cninetwork
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func Test_isCNIResultForPID_Found(t *testing.T) {
+	body := `nats-621
+eth1`
+	fileName := `10.62.0.2`
+	container := "nats"
+	PID := uint32(621)
+	fullPath := filepath.Join(os.TempDir(), fileName)
+
+	err := ioutil.WriteFile(fullPath, []byte(body), 0700)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer func() {
+		os.Remove(fullPath)
+	}()
+
+	got, err := isCNIResultForPID(fullPath, container, PID)
+
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+
+	want := true
+	if got != want {
+		t.Fatalf("want %v, but got %v", want, got)
+	}
+}
+
+func Test_isCNIResultForPID_NoMatch(t *testing.T) {
+	body := `nats-621
+eth1`
+	fileName := `10.62.0.3`
+	container := "gateway"
+	PID := uint32(621)
+	fullPath := filepath.Join(os.TempDir(), fileName)
+
+	err := ioutil.WriteFile(fullPath, []byte(body), 0700)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer func() {
+		os.Remove(fullPath)
+	}()
+
+	got, err := isCNIResultForPID(fullPath, container, PID)
+
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	want := false
+	if got != want {
+		t.Fatalf("want %v, but got %v", want, got)
+	}
+}
--- a/pkg/cninetwork/weave.go
+++ b/pkg/cninetwork/weave.go
@ -1,131 +0,0 @@
-// Copyright Weaveworks
-// github.com/weaveworks/weave/net
-
-package cninetwork
-
-import (
-	"fmt"
-	"net"
-	"os"
-
-	"github.com/vishvananda/netlink"
-	"github.com/vishvananda/netns"
-)
-
-type Dev struct {
-	Name  string           `json:"Name,omitempty"`
-	MAC   net.HardwareAddr `json:"MAC,omitempty"`
-	CIDRs []*net.IPNet     `json:"CIDRs,omitempty"`
-}
-
-func linkToNetDev(link netlink.Link) (Dev, error) {
-	addrs, err := netlink.AddrList(link, netlink.FAMILY_V4)
-	if err != nil {
-		return Dev{}, err
-	}
-
-	netDev := Dev{Name: link.Attrs().Name, MAC: link.Attrs().HardwareAddr}
-	for _, addr := range addrs {
-		netDev.CIDRs = append(netDev.CIDRs, addr.IPNet)
-	}
-	return netDev, nil
-}
-
-// ConnectedToBridgeVethPeerIds returns peer indexes of veth links connected to
-// the given bridge. The peer index is used to query from a container netns
-// whether the container is connected to the bridge.
-func ConnectedToBridgeVethPeerIds(bridgeName string) ([]int, error) {
-	var ids []int
-
-	br, err := netlink.LinkByName(bridgeName)
-	if err != nil {
-		return nil, err
-	}
-	links, err := netlink.LinkList()
-	if err != nil {
-		return nil, err
-	}
-
-	for _, link := range links {
-		if _, isveth := link.(*netlink.Veth); isveth && link.Attrs().MasterIndex == br.Attrs().Index {
-			peerID := link.Attrs().ParentIndex
-			if peerID == 0 {
-				// perhaps running on an older kernel where ParentIndex doesn't work.
-				// as fall-back, assume the peers are consecutive
-				peerID = link.Attrs().Index - 1
-			}
-			ids = append(ids, peerID)
-		}
-	}
-
-	return ids, nil
-}
-
-// Lookup the weave interface of a container
-func GetWeaveNetDevs(processID int) ([]Dev, error) {
-	peerIDs, err := ConnectedToBridgeVethPeerIds("weave")
-	if err != nil {
-		return nil, err
-	}
-
-	return GetNetDevsByVethPeerIds(processID, peerIDs)
-}
-
-func GetNetDevsByVethPeerIds(processID int, peerIDs []int) ([]Dev, error) {
-	// Bail out if this container is running in the root namespace
-	netnsRoot, err := netns.GetFromPid(1)
-	if err != nil {
-		return nil, fmt.Errorf("unable to open root namespace: %s", err)
-	}
-	defer netnsRoot.Close()
-	netnsContainer, err := netns.GetFromPid(processID)
-	if err != nil {
-		// Unable to find a namespace for this process - just return nothing
-		if os.IsNotExist(err) {
-			return nil, nil
-		}
-		return nil, fmt.Errorf("unable to open process %d namespace: %s", processID, err)
-	}
-	defer netnsContainer.Close()
-	if netnsRoot.Equal(netnsContainer) {
-		return nil, nil
-	}
-
-	// convert list of peerIDs into a map for faster lookup
-	indexes := make(map[int]struct{})
-	for _, id := range peerIDs {
-		indexes[id] = struct{}{}
-	}
-
-	var netdevs []Dev
-	err = WithNetNS(netnsContainer, func() error {
-		links, err := netlink.LinkList()
-		if err != nil {
-			return err
-		}
-
-		for _, link := range links {
-			if _, found := indexes[link.Attrs().Index]; found {
-				netdev, err := linkToNetDev(link)
-				if err != nil {
-					return err
-				}
-				netdevs = append(netdevs, netdev)
-			}
-		}
-		return nil
-	})
-
-	return netdevs, err
-}
-
-// Get the weave bridge interface.
-// NB: Should be called from the root network namespace.
-func GetBridgeNetDev(bridgeName string) (Dev, error) {
-	link, err := netlink.LinkByName(bridgeName)
-	if err != nil {
-		return Dev{}, err
-	}
-
-	return linkToNetDev(link)
-}
--- a/pkg/constants.go
+++ b/pkg/constants.go
@ -0,0 +1,16 @@
+package pkg
+
+const (
+	// DefaultFunctionNamespace is the default containerd namespace functions are created
+	DefaultFunctionNamespace = "openfaas-fn"
+
+	// NamespaceLabel indicates that a namespace is managed by faasd
+	NamespaceLabel = "openfaas"
+
+	// FaasdNamespace is the containerd namespace services are created
+	FaasdNamespace = "openfaas"
+
+	faasServicesPullAlways = false
+
+	defaultSnapshotter = "overlayfs"
+)
--- a/pkg/depgraph/depgraph.go
+++ b/pkg/depgraph/depgraph.go
@ -0,0 +1,106 @@
+package depgraph
+
+import "log"
+
+// Node represents a node in a Graph with
+// 0 to many edges
+type Node struct {
+	Name  string
+	Edges []*Node
+}
+
+// Graph is a collection of nodes
+type Graph struct {
+	nodes []*Node
+}
+
+func NewDepgraph() *Graph {
+	return &Graph{
+		nodes: []*Node{},
+	}
+}
+
+// Nodes returns the nodes within the graph
+func (g *Graph) Nodes() []*Node {
+	return g.nodes
+}
+
+// Contains returns true if the target Node is found
+// in its list
+func (g *Graph) Contains(target *Node) bool {
+	for _, g := range g.nodes {
+		if g.Name == target.Name {
+			return true
+		}
+	}
+
+	return false
+}
+
+// Add places a Node into the current Graph
+func (g *Graph) Add(target *Node) {
+	g.nodes = append(g.nodes, target)
+}
+
+// Remove deletes a target Node reference from the
+// list of nodes in the graph
+func (g *Graph) Remove(target *Node) {
+	var found *int
+	for i, n := range g.nodes {
+		if n == target {
+			found = &i
+			break
+		}
+	}
+
+	if found != nil {
+		g.nodes = append(g.nodes[:*found], g.nodes[*found+1:]...)
+	}
+}
+
+// Resolve retruns a list of node names in order of their dependencies.
+// A use case may be for determining the correct order to install
+// software packages, or to start services.
+// Based upon the algorithm described by Ferry Boender in the following article
+// https://www.electricmonk.nl/log/2008/08/07/dependency-resolving-algorithm/
+func (g *Graph) Resolve() []string {
+	resolved := &Graph{}
+	unresolved := &Graph{}
+	for _, node := range g.nodes {
+		resolve(node, resolved, unresolved)
+	}
+
+	order := []string{}
+
+	for _, node := range resolved.Nodes() {
+		order = append(order, node.Name)
+	}
+
+	return order
+}
+
+// resolve mutates the resolved graph for a given starting
+// node. The unresolved graph is used to detect a circular graph
+// error and will throw a panic. This can be caught with a resolve
+// in a go routine.
+func resolve(node *Node, resolved, unresolved *Graph) {
+	unresolved.Add(node)
+
+	for _, edge := range node.Edges {
+
+		if !resolved.Contains(edge) && unresolved.Contains(edge) {
+			log.Panicf("edge: %s may be a circular dependency", edge.Name)
+		}
+
+		resolve(edge, resolved, unresolved)
+	}
+
+	for _, r := range resolved.nodes {
+		if r.Name == node.Name {
+			return
+		}
+	}
+
+	resolved.Add(node)
+	unresolved.Remove(node)
+}
--- a/pkg/depgraph/depgraph_test.go
+++ b/pkg/depgraph/depgraph_test.go
@ -0,0 +1,41 @@
+package depgraph
+
+import "testing"
+
+func Test_RemoveMedial(t *testing.T) {
+	g := Graph{nodes: []*Node{}}
+	a := &Node{Name: "A"}
+	b := &Node{Name: "B"}
+	c := &Node{Name: "C"}
+
+	g.nodes = append(g.nodes, a)
+	g.nodes = append(g.nodes, b)
+	g.nodes = append(g.nodes, c)
+
+	g.Remove(b)
+
+	for _, n := range g.nodes {
+		if n.Name == b.Name {
+			t.Fatalf("Found deleted node: %s", n.Name)
+		}
+	}
+}
+
+func Test_RemoveFinal(t *testing.T) {
+	g := Graph{nodes: []*Node{}}
+	a := &Node{Name: "A"}
+	b := &Node{Name: "B"}
+	c := &Node{Name: "C"}
+
+	g.nodes = append(g.nodes, a)
+	g.nodes = append(g.nodes, b)
+	g.nodes = append(g.nodes, c)
+
+	g.Remove(c)
+
+	for _, n := range g.nodes {
+		if n.Name == c.Name {
+			t.Fatalf("Found deleted node: %s", c.Name)
+		}
+	}
+}
--- a/pkg/deployment_order.go
+++ b/pkg/deployment_order.go
@ -0,0 +1,41 @@
+package pkg
+
+import (
+	"log"
+
+	"github.com/openfaas/faasd/pkg/depgraph"
+)
+
+func buildDeploymentOrder(svcs []Service) []string {
+
+	graph := buildServiceGraph(svcs)
+
+	order := graph.Resolve()
+
+	log.Printf("Start-up order:\n")
+	for _, node := range order {
+		log.Printf("- %s\n", node)
+	}
+
+	return order
+}
+
+func buildServiceGraph(svcs []Service) *depgraph.Graph {
+	graph := depgraph.NewDepgraph()
+
+	nodeMap := map[string]*depgraph.Node{}
+	for _, s := range svcs {
+		n := &depgraph.Node{Name: s.Name}
+		nodeMap[s.Name] = n
+		graph.Add(n)
+
+	}
+
+	for _, s := range svcs {
+		for _, d := range s.DependsOn {
+			nodeMap[s.Name].Edges = append(nodeMap[s.Name].Edges, nodeMap[d])
+		}
+	}
+
+	return graph
+}
--- a/pkg/deployment_order_test.go
+++ b/pkg/deployment_order_test.go
@ -0,0 +1,224 @@
+package pkg
+
+import (
+	"log"
+	"testing"
+)
+
+func Test_buildDeploymentOrder_ARequiresB(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	got := order[0]
+	want := "B"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+}
+
+func Test_buildDeploymentOrder_ARequiresBAndC(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B", "C"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{},
+		},
+		{
+			Name:      "C",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	a := indexStr(order, "a")
+	b := indexStr(order, "b")
+	c := indexStr(order, "c")
+
+	if a > b {
+		t.Fatalf("a should be after dependencies")
+	}
+	if a > c {
+		t.Fatalf("a should be after dependencies")
+	}
+
+}
+
+func Test_buildDeploymentOrder_ARequiresBRequiresC(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{"C"},
+		},
+		{
+			Name:      "C",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	got := order[0]
+	want := "C"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+	got = order[1]
+	want = "B"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+	got = order[2]
+	want = "A"
+	if got != want {
+		t.Fatalf("%s should be last to be installed, but was: %s", want, got)
+	}
+}
+
+func Test_buildDeploymentOrderCircularARequiresBRequiresA(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "A",
+			DependsOn: []string{"B"},
+		},
+		{
+			Name:      "B",
+			DependsOn: []string{"A"},
+		},
+	}
+
+	defer func() { recover() }()
+
+	buildDeploymentOrder(svcs)
+
+	t.Fatalf("did not panic as expected")
+}
+
+func Test_buildDeploymentOrderComposeFile(t *testing.T) {
+	// svcs := []Service{}
+	file, err := LoadComposeFileWithArch("../", "docker-compose.yaml", func() (string, string) {
+		return "x86_64", "Linux"
+	})
+
+	if err != nil {
+		t.Fatalf("unable to load compose file: %s", err)
+	}
+
+	svcs, err := ParseCompose(file)
+	if err != nil {
+		t.Fatalf("unable to parse compose file: %s", err)
+	}
+
+	for _, s := range svcs {
+		log.Printf("Service: %s\n", s.Name)
+		for _, d := range s.DependsOn {
+			log.Printf("Link: %s => %s\n", s.Name, d)
+		}
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	queueWorker := indexStr(order, "queue-worker")
+	nats := indexStr(order, "nats")
+	gateway := indexStr(order, "gateway")
+	prometheus := indexStr(order, "prometheus")
+
+	if prometheus > gateway {
+		t.Fatalf("Prometheus order was after gateway, and should be before")
+	}
+	if nats > gateway {
+		t.Fatalf("NATS order was after gateway, and should be before")
+	}
+	if nats > queueWorker {
+		t.Fatalf("NATS order was after queue-worker, and should be before")
+	}
+}
+
+func Test_buildDeploymentOrderOpenFaaS(t *testing.T) {
+	svcs := []Service{
+		{
+			Name:      "queue-worker",
+			DependsOn: []string{"nats"},
+		},
+		{
+			Name:      "prometheus",
+			DependsOn: []string{},
+		},
+		{
+			Name:      "gateway",
+			DependsOn: []string{"prometheus", "nats", "basic-auth-plugin"},
+		},
+		{
+			Name:      "basic-auth-plugin",
+			DependsOn: []string{},
+		},
+		{
+			Name:      "nats",
+			DependsOn: []string{},
+		},
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	if len(order) < len(svcs) {
+		t.Fatalf("length of order too short: %d", len(order))
+	}
+
+	queueWorker := indexStr(order, "queue-worker")
+	nats := indexStr(order, "nats")
+	gateway := indexStr(order, "gateway")
+	prometheus := indexStr(order, "prometheus")
+
+	if prometheus > gateway {
+		t.Fatalf("Prometheus order was after gateway, and should be before")
+	}
+	if nats > gateway {
+		t.Fatalf("NATS order was after gateway, and should be before")
+	}
+	if nats > queueWorker {
+		t.Fatalf("NATS order was after queue-worker, and should be before")
+	}
+}
+
+func indexStr(st []string, t string) int {
+	for n, s := range st {
+		if s == t {
+			return n
+		}
+
+	}
+	return -1
+}
--- a/pkg/local_resolver.go
+++ b/pkg/local_resolver.go
@ -0,0 +1,104 @@
+package pkg
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+	"strings"
+	"sync"
+	"time"
+)
+
+// LocalResolver provides hostname to IP look-up for faasd core services
+type LocalResolver struct {
+	Path  string
+	Map   map[string]string
+	Mutex *sync.RWMutex
+}
+
+// NewLocalResolver creates a new resolver for reading from a hosts file
+func NewLocalResolver(path string) Resolver {
+	return &LocalResolver{
+		Path:  path,
+		Mutex: &sync.RWMutex{},
+		Map:   make(map[string]string),
+	}
+}
+
+// Start polling the disk for the hosts file in Path
+func (l *LocalResolver) Start() {
+	var lastStat os.FileInfo
+
+	for {
+		rebuild := false
+		if info, err := os.Stat(l.Path); err == nil {
+			if lastStat == nil {
+				rebuild = true
+			} else {
+				if !lastStat.ModTime().Equal(info.ModTime()) {
+					rebuild = true
+				}
+			}
+			lastStat = info
+		}
+
+		if rebuild {
+			log.Printf("Resolver rebuilding map")
+			l.rebuild()
+		}
+		time.Sleep(time.Second * 3)
+	}
+}
+
+func (l *LocalResolver) rebuild() {
+	l.Mutex.Lock()
+	defer l.Mutex.Unlock()
+
+	fileData, fileErr := ioutil.ReadFile(l.Path)
+	if fileErr != nil {
+		log.Printf("resolver rebuild error: %s", fileErr.Error())
+		return
+	}
+
+	lines := strings.Split(string(fileData), "\n")
+
+	for _, line := range lines {
+		index := strings.Index(line, "\t")
+
+		if len(line) > 0 && index > -1 {
+			ip := line[:index]
+			host := line[index+1:]
+			log.Printf("Resolver: %q=%q", host, ip)
+			l.Map[host] = ip
+		}
+	}
+}
+
+// Get resolves a hostname to an IP, or timesout after the duration has passed
+func (l *LocalResolver) Get(upstream string, got chan<- string, timeout time.Duration) {
+	start := time.Now()
+	for {
+		if val := l.get(upstream); len(val) > 0 {
+			got <- val
+			break
+		}
+
+		if time.Now().After(start.Add(timeout)) {
+			log.Printf("Timed out after %s getting host %q", timeout.String(), upstream)
+			break
+		}
+
+		time.Sleep(time.Millisecond * 250)
+	}
+}
+
+func (l *LocalResolver) get(upstream string) string {
+	l.Mutex.RLock()
+	defer l.Mutex.RUnlock()
+
+	if val, ok := l.Map[upstream]; ok {
+		return val
+	}
+
+	return ""
+}
--- a/pkg/logs/requestor.go
+++ b/pkg/logs/requestor.go
@ -0,0 +1,183 @@
+package logs
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"os/exec"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/openfaas/faas-provider/logs"
+
+	faasd "github.com/openfaas/faasd/pkg"
+)
+
+type requester struct{}
+
+// New returns a new journalctl log Requester
+func New() logs.Requester {
+	return &requester{}
+}
+
+// Query submits a log request to the actual logging system.
+func (r *requester) Query(ctx context.Context, req logs.Request) (<-chan logs.Message, error) {
+	_, err := exec.LookPath("journalctl")
+	if err != nil {
+		return nil, fmt.Errorf("can not find journalctl: %w", err)
+	}
+
+	cmd := buildCmd(ctx, req)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create journalctl pipe: %w", err)
+	}
+
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create journalctl err pipe: %w", err)
+	}
+
+	err = cmd.Start()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create journalctl: %w", err)
+	}
+
+	// call start and get the stdout prior to streaming so that we can return a meaningful
+	// error for as long as possible. If the cmd starts correctly, we are highly likely to
+	// succeed anyway
+	msgs := make(chan logs.Message)
+	go streamLogs(ctx, cmd, stdout, msgs)
+	go logErrOut(stderr)
+
+	return msgs, nil
+}
+
+// buildCmd reeturns the equivalent of
+//
+// 	journalctl -t <namespace>:<name>  \
+// 		--output=json \
+// 		--since=<timestamp> \
+// 		<--follow> \
+func buildCmd(ctx context.Context, req logs.Request) *exec.Cmd {
+	// // set the cursor position based on req, default to 5m
+	since := time.Now().Add(-5 * time.Minute)
+	if req.Since != nil && req.Since.Before(time.Now()) {
+		since = *req.Since
+	}
+
+	namespace := req.Namespace
+	if namespace == "" {
+		namespace = faasd.DefaultFunctionNamespace
+	}
+
+	// find the description of the fields here
+	// https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
+	// the available fields can vary greatly, the selected fields were detemined by
+	// trial and error with journalctl in an ubuntu VM  (via multipass)
+	args := []string{
+		"--utc",
+		"--no-pager",
+		"--output=json",
+		"--identifier=" + namespace + ":" + req.Name,
+		fmt.Sprintf("--since=%s", since.UTC().Format("2006-01-02 15:04:05")),
+	}
+
+	if req.Follow {
+		args = append(args, "--follow")
+	}
+
+	if req.Tail > 0 {
+		args = append(args, fmt.Sprintf("--lines=%d", req.Tail))
+	}
+
+	return exec.CommandContext(ctx, "journalctl", args...)
+}
+
+// streamLogs copies log entries from the journalctl `cmd`/`out` to `msgs`
+// the loop is based on the Decoder example in the docs
+// https://golang.org/pkg/encoding/json/#Decoder.Decode
+func streamLogs(ctx context.Context, cmd *exec.Cmd, out io.ReadCloser, msgs chan logs.Message) {
+	log.Println("starting journal stream using ", cmd.String())
+
+	// will ensure `out` is closed and all related resources cleaned up
+	go func() {
+		err := cmd.Wait()
+		log.Println("wait result", err)
+	}()
+
+	defer func() {
+		log.Println("closing journal stream")
+		close(msgs)
+	}()
+
+	dec := json.NewDecoder(out)
+	for dec.More() {
+		if ctx.Err() != nil {
+			log.Println("log stream context cancelled")
+			return
+		}
+
+		// the journalctl outputs all the values as a string, so a struct with json
+		// tags wont help much
+		entry := map[string]string{}
+		err := dec.Decode(&entry)
+		if err != nil {
+			log.Printf("error decoding journalctl output: %s", err)
+			return
+		}
+
+		msg, err := parseEntry(entry)
+		if err != nil {
+			log.Printf("error parsing journalctl output: %s", err)
+			return
+		}
+
+		msgs <- msg
+	}
+}
+
+// parseEntry reads the deserialized json from journalctl into a log.Message
+//
+// The following fields are parsed from the journal
+// - MESSAGE
+// - _PID
+// - SYSLOG_IDENTIFIER
+// - __REALTIME_TIMESTAMP
+func parseEntry(entry map[string]string) (logs.Message, error) {
+	logMsg := logs.Message{
+		Text:     entry["MESSAGE"],
+		Instance: entry["_PID"],
+	}
+
+	identifier := entry["SYSLOG_IDENTIFIER"]
+	parts := strings.Split(identifier, ":")
+	if len(parts) != 2 {
+		return logMsg, fmt.Errorf("invalid SYSLOG_IDENTIFIER")
+	}
+	logMsg.Namespace = parts[0]
+	logMsg.Name = parts[1]
+
+	ts, ok := entry["__REALTIME_TIMESTAMP"]
+	if !ok {
+		return logMsg, fmt.Errorf("missing required field __REALTIME_TIMESTAMP")
+	}
+
+	ms, err := strconv.ParseInt(ts, 10, 64)
+	if err != nil {
+		return logMsg, fmt.Errorf("invalid timestamp: %w", err)
+	}
+	logMsg.Timestamp = time.Unix(0, ms*1000).UTC()
+
+	return logMsg, nil
+}
+
+func logErrOut(out io.ReadCloser) {
+	defer log.Println("stderr closed")
+	defer out.Close()
+
+	io.Copy(log.Writer(), out)
+}
--- a/pkg/logs/requestor_test.go
+++ b/pkg/logs/requestor_test.go
@ -0,0 +1,73 @@
+package logs
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/openfaas/faas-provider/logs"
+)
+
+func Test_parseEntry(t *testing.T) {
+	rawEntry := `{ "__CURSOR" : "s=71c4550142d14ace8e2959e3540cc15c;i=133c;b=44864010f0d94baba7b6bf8019f82a56;m=2945cd3;t=5a00d4eb59180;x=8ed47f7f9b3d798", "__REALTIME_TIMESTAMP" : "1583353899094400", "__MONOTONIC_TIMESTAMP" : "43277523", "_BOOT_ID" : "44864010f0d94baba7b6bf8019f82a56", "SYSLOG_IDENTIFIER" : "openfaas-fn:nodeinfo", "_PID" : "2254", "MESSAGE" : "2020/03/04 20:31:39 POST / - 200 OK - ContentLength: 83", "_SOURCE_REALTIME_TIMESTAMP" : "1583353899094372" }`
+	expectedEntry := logs.Message{
+		Name:      "nodeinfo",
+		Namespace: "openfaas-fn",
+		Text:      "2020/03/04 20:31:39 POST / - 200 OK - ContentLength: 83",
+		Timestamp: time.Unix(0, 1583353899094400*1000).UTC(),
+	}
+
+	value := map[string]string{}
+	json.Unmarshal([]byte(rawEntry), &value)
+
+	entry, err := parseEntry(value)
+	if err != nil {
+		t.Fatalf("unexpected error %s", err)
+	}
+
+	if entry.Name != expectedEntry.Name {
+		t.Fatalf("want Name: %q, got %q", expectedEntry.Name, entry.Name)
+	}
+
+	if entry.Namespace != expectedEntry.Namespace {
+		t.Fatalf("want Namespace: %q, got %q", expectedEntry.Namespace, entry.Namespace)
+	}
+
+	if entry.Timestamp != expectedEntry.Timestamp {
+		t.Fatalf("want Timestamp: %q, got %q", expectedEntry.Timestamp, entry.Timestamp)
+	}
+
+	if entry.Text != expectedEntry.Text {
+		t.Fatalf("want Text: %q, got %q", expectedEntry.Text, entry.Text)
+	}
+}
+
+func Test_buildCmd(t *testing.T) {
+	ctx := context.TODO()
+	now := time.Now()
+	req := logs.Request{
+		Name:      "loggyfunc",
+		Namespace: "spacetwo",
+		Follow:    true,
+		Since:     &now,
+		Tail:      5,
+	}
+
+	expectedArgs := fmt.Sprintf(
+		"--utc --no-pager --output=json --identifier=spacetwo:loggyfunc --since=%s --follow --lines=5",
+		now.UTC().Format("2006-01-02 15:04:05"),
+	)
+
+	cmd := buildCmd(ctx, req).String()
+	wantCmd := "journalctl"
+	if !strings.Contains(cmd, wantCmd) {
+		t.Fatalf("cmd want: %q, got: %q", wantCmd, cmd)
+	}
+
+	if !strings.HasSuffix(cmd, expectedArgs) {
+		t.Fatalf("arg want: %q\ngot: %q", expectedArgs, cmd)
+	}
+}
--- a/pkg/provider/config/read.go
+++ b/pkg/provider/config/read.go
@ -20,9 +20,11 @@ func ReadFromEnv(hasEnv types.HasEnv) (*types.FaaSConfig, *ProviderConfig, error

 	serviceTimeout := types.ParseIntOrDurationValue(hasEnv.Getenv("service_timeout"), time.Second*60)

-	config.EnableHealth = true
 	config.ReadTimeout = serviceTimeout
 	config.WriteTimeout = serviceTimeout
+	config.EnableBasicAuth = true
+	config.MaxIdleConns = types.ParseIntValue(hasEnv.Getenv("max_idle_conns"), 1024)
+	config.MaxIdleConnsPerHost = types.ParseIntValue(hasEnv.Getenv("max_idle_conns_per_host"), 1024)

 	port := types.ParseIntValue(hasEnv.Getenv("port"), 8081)
 	config.TCPPort = &port
--- a/pkg/provider/handlers/delete.go
+++ b/pkg/provider/handlers/delete.go
@ -11,7 +11,9 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
 	gocni "github.com/containerd/go-cni"
-	"github.com/openfaas/faas/gateway/requests"
+
+	"github.com/openfaas/faas-provider/types"
+	"github.com/openfaas/faasd/pkg"
 	cninetwork "github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
 )
@ -30,7 +32,7 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 		body, _ := ioutil.ReadAll(r.Body)
 		log.Printf("[Delete] request: %s\n", string(body))

-		req := requests.DeleteFunctionRequest{}
+		req := types.DeleteFunctionRequest{}
 		err := json.Unmarshal(body, &req)
 		if err != nil {
 			log.Printf("[Delete] error parsing input: %s\n", err)
@ -39,9 +41,27 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 			return
 		}

+		// namespace moved from the querystring into the body
+		namespace := req.Namespace
+		if namespace == "" {
+			namespace = pkg.DefaultFunctionNamespace
+		}
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), namespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		name := req.FunctionName

-		function, err := GetFunction(client, name)
+		function, err := GetFunction(client, name, namespace)
 		if err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Delete] %s\n", msg)
@ -49,7 +69,7 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 			return
 		}

-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)

 		// TODO: this needs to still happen if the task is paused
 		if function.replicas != 0 {
@ -59,10 +79,9 @@ func MakeDeleteHandler(client *containerd.Client, cni gocni.CNI) func(w http.Res
 			}
 		}

-		containerErr := service.Remove(ctx, client, name)
-		if containerErr != nil {
-			log.Printf("[Delete] error removing %s, %s\n", name, containerErr)
-			http.Error(w, containerErr.Error(), http.StatusInternalServerError)
+		if err := service.Remove(ctx, client, name); err != nil {
+			log.Printf("[Delete] error removing %s, %s\n", name, err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}

--- a/pkg/provider/handlers/deploy.go
+++ b/pkg/provider/handlers/deploy.go
@ -9,9 +9,11 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"time"

 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
 	gocni "github.com/containerd/go-cni"
@ -21,10 +23,13 @@ import (
 	cninetwork "github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
 	"github.com/pkg/errors"
+	"k8s.io/apimachinery/pkg/api/resource"
 )

-func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath string, alwaysPull bool) func(w http.ResponseWriter, r *http.Request) {
+const annotationLabelPrefix = "com.openfaas.annotations."

+// MakeDeployHandler returns a handler to deploy a function
+func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath string, alwaysPull bool) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {

 		if r.Body == nil {
@ -46,15 +51,32 @@ func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}

-		err = validateSecrets(secretMountPath, req.Secrets)
+		namespace := getRequestNamespace(req.Namespace)
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), namespace)
+
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		namespaceSecretMountPath := getNamespaceSecretMountPath(secretMountPath, namespace)
+		err = validateSecrets(namespaceSecretMountPath, req.Secrets)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
 		}

 		name := req.Service
-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)

-		deployErr := deploy(ctx, req, client, cni, secretMountPath, alwaysPull)
+		deployErr := deploy(ctx, req, client, cni, namespaceSecretMountPath, alwaysPull)
 		if deployErr != nil {
 			log.Printf("[Deploy] error deploying %s, error: %s\n", name, deployErr)
 			http.Error(w, deployErr.Error(), http.StatusBadRequest)
@ -63,11 +85,16 @@ func MakeDeployHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 	}
 }

-func deploy(ctx context.Context, req types.FunctionDeployment, client *containerd.Client, cni gocni.CNI, secretMountPath string, alwaysPull bool) error {
+// prepull is an optimization which means an image can be pulled before a deployment
+// request, since a deployment request first deletes the active function before
+// trying to deploy a new one.
+func prepull(ctx context.Context, req types.FunctionDeployment, client *containerd.Client, alwaysPull bool) (containerd.Image, error) {
+	start := time.Now()
 	r, err := reference.ParseNormalizedNamed(req.Image)
 	if err != nil {
-		return err
+		return nil, err
 	}
+
 	imgRef := reference.TagNameOnly(r).String()

 	snapshotter := ""
@ -77,14 +104,29 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container

 	image, err := service.PrepareImage(ctx, client, imgRef, snapshotter, alwaysPull)
 	if err != nil {
-		return errors.Wrapf(err, "unable to pull image %s", imgRef)
+		return nil, errors.Wrapf(err, "unable to pull image %s", imgRef)
 	}

 	size, _ := image.Size(ctx)
-	log.Printf("Deploy %s size: %d\n", image.Name(), size)
+	log.Printf("Image for: %s size: %d, took: %fs\n", image.Name(), size, time.Since(start).Seconds())
+
+	return image, nil
+}
+
+func deploy(ctx context.Context, req types.FunctionDeployment, client *containerd.Client, cni gocni.CNI, secretMountPath string, alwaysPull bool) error {
+
+	snapshotter := ""
+	if val, ok := os.LookupEnv("snapshotter"); ok {
+		snapshotter = val
+	}
+
+	image, err := prepull(ctx, req, client, alwaysPull)
+	if err != nil {
+		return err
+	}

 	envs := prepareEnv(req.EnvProcess, req.EnvVars)
-	mounts := getMounts()
+	mounts := getOSMounts()

 	for _, secret := range req.Secrets {
 		mounts = append(mounts, specs.Mount{
@ -97,6 +139,23 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container

 	name := req.Service

+	labels, err := buildLabels(&req)
+	if err != nil {
+		return fmt.Errorf("unable to apply labels to container: %s, error: %w", name, err)
+	}
+
+	var memory *specs.LinuxMemory
+	if req.Limits != nil && len(req.Limits.Memory) > 0 {
+		memory = &specs.LinuxMemory{}
+
+		qty, err := resource.ParseQuantity(req.Limits.Memory)
+		if err != nil {
+			log.Printf("error parsing (%q) as quantity: %s", req.Limits.Memory, err.Error())
+		}
+		v := qty.Value()
+		memory.Limit = &v
+	}
+
 	container, err := client.NewContainer(
 		ctx,
 		name,
@ -104,45 +163,71 @@ func deploy(ctx context.Context, req types.FunctionDeployment, client *container
 		containerd.WithSnapshotter(snapshotter),
 		containerd.WithNewSnapshot(name+"-snapshot", image),
 		containerd.WithNewSpec(oci.WithImageConfig(image),
+			oci.WithHostname(name),
 			oci.WithCapabilities([]string{"CAP_NET_RAW"}),
 			oci.WithMounts(mounts),
-			oci.WithEnv(envs)),
-		containerd.WithContainerLabels(*req.Labels),
+			oci.WithEnv(envs),
+			withMemory(memory)),
+		containerd.WithContainerLabels(labels),
 	)

 	if err != nil {
-		return fmt.Errorf("unable to create container: %s, error: %s", name, err)
+		return fmt.Errorf("unable to create container: %s, error: %w", name, err)
 	}

-	return createTask(ctx, client, container, cni)
+	return createTask(ctx, container, cni)

 }

-func createTask(ctx context.Context, client *containerd.Client, container containerd.Container, cni gocni.CNI) error {
+func buildLabels(request *types.FunctionDeployment) (map[string]string, error) {
+	// Adapted from faas-swarm/handlers/deploy.go:buildLabels
+	labels := map[string]string{}
+
+	if request.Labels != nil {
+		for k, v := range *request.Labels {
+			labels[k] = v
+		}
+	}
+
+	if request.Annotations != nil {
+		for k, v := range *request.Annotations {
+			key := fmt.Sprintf("%s%s", annotationLabelPrefix, k)
+			if _, ok := labels[key]; !ok {
+				labels[key] = v
+			} else {
+				return nil, errors.New(fmt.Sprintf("Key %s cannot be used as a label due to a conflict with annotation prefix %s", k, annotationLabelPrefix))
+			}
+		}
+	}
+
+	return labels, nil
+}
+
+func createTask(ctx context.Context, container containerd.Container, cni gocni.CNI) error {

 	name := container.ID()
-	// task, taskErr := container.NewTask(ctx, cio.NewCreator(cio.WithStdio))

 	task, taskErr := container.NewTask(ctx, cio.BinaryIO("/usr/local/bin/faasd", nil))

 	if taskErr != nil {
-		return fmt.Errorf("unable to start task: %s, error: %s", name, taskErr)
+		return fmt.Errorf("unable to start task: %s, error: %w", name, taskErr)
 	}

 	log.Printf("Container ID: %s\tTask ID %s:\tTask PID: %d\t\n", name, task.ID(), task.Pid())

 	labels := map[string]string{}
-	network, err := cninetwork.CreateCNINetwork(ctx, cni, task, labels)
+	_, err := cninetwork.CreateCNINetwork(ctx, cni, task, labels)

 	if err != nil {
 		return err
 	}

-	ip, err := cninetwork.GetIPAddress(network, task)
+	ip, err := cninetwork.GetIPAddress(name, task.Pid())
 	if err != nil {
 		return err
 	}
-	log.Printf("%s has IP: %s.\n", name, ip.String())
+
+	log.Printf("%s has IP: %s.\n", name, ip)

 	_, waitErr := task.Wait(ctx)
 	if waitErr != nil {
@ -177,20 +262,28 @@ func prepareEnv(envProcess string, reqEnvVars map[string]string) []string {
 	return envs
 }

-func getMounts() []specs.Mount {
-	wd, _ := os.Getwd()
+// getOSMounts provides a mount for os-specific files such
+// as the hosts file and resolv.conf
+func getOSMounts() []specs.Mount {
+	// Prior to hosts_dir env-var, this value was set to
+	// os.Getwd()
+	hostsDir := "/var/lib/faasd"
+	if v, ok := os.LookupEnv("hosts_dir"); ok && len(v) > 0 {
+		hostsDir = v
+	}
+
 	mounts := []specs.Mount{}
 	mounts = append(mounts, specs.Mount{
 		Destination: "/etc/resolv.conf",
 		Type:        "bind",
-		Source:      path.Join(wd, "resolv.conf"),
+		Source:      path.Join(hostsDir, "resolv.conf"),
 		Options:     []string{"rbind", "ro"},
 	})

 	mounts = append(mounts, specs.Mount{
 		Destination: "/etc/hosts",
 		Type:        "bind",
-		Source:      path.Join(wd, "hosts"),
+		Source:      path.Join(hostsDir, "hosts"),
 		Options:     []string{"rbind", "ro"},
 	})
 	return mounts
@ -204,3 +297,21 @@ func validateSecrets(secretMountPath string, secrets []string) error {
 	}
 	return nil
 }
+
+func withMemory(mem *specs.LinuxMemory) oci.SpecOpts {
+	return func(ctx context.Context, _ oci.Client, c *containers.Container, s *oci.Spec) error {
+		if mem != nil {
+			if s.Linux == nil {
+				s.Linux = &specs.Linux{}
+			}
+			if s.Linux.Resources == nil {
+				s.Linux.Resources = &specs.LinuxResources{}
+			}
+			if s.Linux.Resources.Memory == nil {
+				s.Linux.Resources.Memory = &specs.LinuxMemory{}
+			}
+			s.Linux.Resources.Memory.Limit = mem.Limit
+		}
+		return nil
+	}
+}
--- a/pkg/provider/handlers/deploy_test.go
+++ b/pkg/provider/handlers/deploy_test.go
@ -0,0 +1,77 @@
+package handlers
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/openfaas/faas-provider/types"
+)
+
+func Test_BuildLabels_WithAnnotations(t *testing.T) {
+	// Test each combination of nil/non-nil annotation + label
+	tables := []struct {
+		name       string
+		label      map[string]string
+		annotation map[string]string
+		result     map[string]string
+	}{
+		{"Empty label and annotations returns empty table map", nil, nil, map[string]string{}},
+		{
+			"Label with empty annotation returns valid map",
+			map[string]string{"L1": "V1"},
+			nil,
+			map[string]string{"L1": "V1"}},
+		{
+			"Annotation with empty label returns valid map",
+			nil,
+			map[string]string{"A1": "V2"},
+			map[string]string{fmt.Sprintf("%sA1", annotationLabelPrefix): "V2"}},
+		{
+			"Label and annotation provided returns valid combined map",
+			map[string]string{"L1": "V1"},
+			map[string]string{"A1": "V2"},
+			map[string]string{
+				"L1": "V1",
+				fmt.Sprintf("%sA1", annotationLabelPrefix): "V2",
+			},
+		},
+	}
+
+	for _, tc := range tables {
+
+		t.Run(tc.name, func(t *testing.T) {
+			request := &types.FunctionDeployment{
+				Labels:      &tc.label,
+				Annotations: &tc.annotation,
+			}
+
+			val, err := buildLabels(request)
+
+			if err != nil {
+				t.Fatalf("want: no error got: %v", err)
+			}
+
+			if !reflect.DeepEqual(val, tc.result) {
+				t.Errorf("Want: %s, got: %s", val, tc.result)
+			}
+		})
+	}
+}
+
+func Test_BuildLabels_WithAnnotationCollision(t *testing.T) {
+	request := &types.FunctionDeployment{
+		Labels: &map[string]string{
+			"function_name": "echo",
+			fmt.Sprintf("%scurrent-time", annotationLabelPrefix): "Wed 25 Jul 06:41:43 BST 2018",
+		},
+		Annotations: &map[string]string{"current-time": "Wed 25 Jul 06:41:43 BST 2018"},
+	}
+
+	val, err := buildLabels(request)
+
+	if err == nil {
+		t.Errorf("Expected an error, got %d values", len(val))
+	}
+
+}
--- a/pkg/provider/handlers/functions.go
+++ b/pkg/provider/handlers/functions.go
@ -2,90 +2,241 @@ package handlers

 import (
 	"context"
+	"errors"
 	"fmt"
 	"log"
+	"strings"
+	"time"
+
+	"github.com/opencontainers/runtime-spec/specs-go"

 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
+	"github.com/openfaas/faasd/pkg"
+	faasd "github.com/openfaas/faasd/pkg"
 	"github.com/openfaas/faasd/pkg/cninetwork"
 )

 type Function struct {
-	name      string
-	namespace string
-	image     string
-	pid       uint32
-	replicas  int
-	IP        string
-	labels    map[string]string
+	name        string
+	namespace   string
+	image       string
+	pid         uint32
+	replicas    int
+	IP          string
+	labels      map[string]string
+	annotations map[string]string
+	secrets     []string
+	envVars     map[string]string
+	envProcess  string
+	memoryLimit int64
+	createdAt   time.Time
 }

-const (
-	// FunctionNamespace is the containerd namespace functions are created
-	FunctionNamespace = "openfaas-fn"
-)
-
 // ListFunctions returns a map of all functions with running tasks on namespace
-func ListFunctions(client *containerd.Client) (map[string]Function, error) {
-	ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
-	functions := make(map[string]Function)
+func ListFunctions(client *containerd.Client, namespace string) (map[string]*Function, error) {

-	containers, _ := client.Containers(ctx)
-	for _, k := range containers {
-		name := k.ID()
-		functions[name], _ = GetFunction(client, name)
+	// Check if namespace exists, and it has the openfaas label
+	valid, err := validNamespace(client.NamespaceService(), namespace)
+	if err != nil {
+		return nil, err
 	}
+
+	if !valid {
+		return nil, errors.New("namespace not valid")
+	}
+
+	ctx := namespaces.WithNamespace(context.Background(), namespace)
+	functions := make(map[string]*Function)
+
+	containers, err := client.Containers(ctx)
+	if err != nil {
+		return functions, err
+	}
+
+	for _, c := range containers {
+		name := c.ID()
+		f, err := GetFunction(client, name, namespace)
+		if err != nil {
+			log.Printf("skipping %s, error: %s", name, err)
+		} else {
+			functions[name] = &f
+		}
+	}
+
 	return functions, nil
 }

 // GetFunction returns a function that matches name
-func GetFunction(client *containerd.Client, name string) (Function, error) {
-	ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+func GetFunction(client *containerd.Client, name string, namespace string) (Function, error) {
+	ctx := namespaces.WithNamespace(context.Background(), namespace)
+	fn := Function{}
+
 	c, err := client.LoadContainer(ctx, name)
+	if err != nil {
+		return Function{}, fmt.Errorf("unable to find function: %s, error %w", name, err)
+	}

+	image, err := c.Image(ctx)
+	if err != nil {
+		return fn, err
+	}
+
+	containerName := c.ID()
+	allLabels, labelErr := c.Labels(ctx)
+
+	if labelErr != nil {
+		log.Printf("cannot list container %s labels: %s", containerName, labelErr)
+	}
+
+	labels, annotations := buildLabelsAndAnnotations(allLabels)
+
+	spec, err := c.Spec(ctx)
+	if err != nil {
+		return Function{}, fmt.Errorf("unable to load function %s error: %w", name, err)
+	}
+
+	info, err := c.Info(ctx)
+	if err != nil {
+		return Function{}, fmt.Errorf("can't load info for: %s, error %w", name, err)
+	}
+
+	envVars, envProcess := readEnvFromProcessEnv(spec.Process.Env)
+	secrets := readSecretsFromMounts(spec.Mounts)
+
+	fn.name = containerName
+	fn.namespace = namespace
+	fn.image = image.Name()
+	fn.labels = labels
+	fn.annotations = annotations
+	fn.secrets = secrets
+	fn.envVars = envVars
+	fn.envProcess = envProcess
+	fn.createdAt = info.CreatedAt
+	fn.memoryLimit = readMemoryLimitFromSpec(spec)
+
+	replicas := 0
+	task, err := c.Task(ctx, nil)
 	if err == nil {
-
-		image, _ := c.Image(ctx)
-
-		containerName := c.ID()
-		labels, labelErr := c.Labels(ctx)
-		if labelErr != nil {
-			log.Printf("cannot list container %s labels: %s", containerName, labelErr.Error())
+		// Task for container exists
+		svc, err := task.Status(ctx)
+		if err != nil {
+			return Function{}, fmt.Errorf("unable to get task status for container: %s %w", name, err)
 		}

-		f := Function{
-			name:      containerName,
-			namespace: FunctionNamespace,
-			image:     image.Name(),
-			labels:    labels,
-		}
+		if svc.Status == "running" {
+			replicas = 1
+			fn.pid = task.Pid()

-		replicas := 0
-		task, err := c.Task(ctx, nil)
-		if err == nil {
-			// Task for container exists
-			svc, err := task.Status(ctx)
+			// Get container IP address
+			ip, err := cninetwork.GetIPAddress(name, task.Pid())
 			if err != nil {
-				return Function{}, fmt.Errorf("unable to get task status for container: %s %s", name, err)
+				return Function{}, err
 			}
-			if svc.Status == "running" {
-				replicas = 1
-				f.pid = task.Pid()
+			fn.IP = ip
+		}
+	} else {
+		replicas = 0
+	}

-				// Get container IP address
-				ip, err := cninetwork.GetIPfromPID(int(task.Pid()))
-				if err != nil {
-					return Function{}, err
-				}
-				f.IP = ip.String()
-			}
-		} else {
-			replicas = 0
+	fn.replicas = replicas
+	return fn, nil
+}
+
+func readEnvFromProcessEnv(env []string) (map[string]string, string) {
+	foundEnv := make(map[string]string)
+	fprocess := ""
+	for _, e := range env {
+		kv := strings.Split(e, "=")
+		if len(kv) == 1 {
+			continue
 		}

-		f.replicas = replicas
-		return f, nil
+		if kv[0] == "PATH" {
+			continue
+		}
+
+		if kv[0] == "fprocess" {
+			fprocess = kv[1]
+			continue
+		}
+
+		foundEnv[kv[0]] = kv[1]
+	}
+
+	return foundEnv, fprocess
+}
+
+func readSecretsFromMounts(mounts []specs.Mount) []string {
+	secrets := []string{}
+	for _, mnt := range mounts {
+		x := strings.Split(mnt.Destination, "/var/openfaas/secrets/")
+		if len(x) > 1 {
+			secrets = append(secrets, x[1])
+		}

 	}
-	return Function{}, fmt.Errorf("unable to find function: %s, error %s", name, err)
+	return secrets
+}
+
+// buildLabelsAndAnnotations returns a separated list with labels first,
+// followed by annotations by checking each key of ctrLabels for a prefix.
+func buildLabelsAndAnnotations(ctrLabels map[string]string) (map[string]string, map[string]string) {
+	labels := make(map[string]string)
+	annotations := make(map[string]string)
+
+	for k, v := range ctrLabels {
+		if strings.HasPrefix(k, annotationLabelPrefix) {
+			annotations[strings.TrimPrefix(k, annotationLabelPrefix)] = v
+		} else {
+			labels[k] = v
+		}
+	}
+
+	return labels, annotations
+}
+
+func ListNamespaces(client *containerd.Client) []string {
+	set := []string{}
+	store := client.NamespaceService()
+	namespaces, err := store.List(context.Background())
+	if err != nil {
+		log.Printf("Error listing namespaces: %s", err.Error())
+		set = append(set, faasd.DefaultFunctionNamespace)
+		return set
+	}
+
+	for _, namespace := range namespaces {
+		labels, err := store.Labels(context.Background(), namespace)
+		if err != nil {
+			log.Printf("Error listing label for namespace %s: %s", namespace, err.Error())
+			continue
+		}
+
+		if _, found := labels[pkg.NamespaceLabel]; found {
+			set = append(set, namespace)
+		}
+
+		if !findNamespace(faasd.DefaultFunctionNamespace, set) {
+			set = append(set, faasd.DefaultFunctionNamespace)
+		}
+	}
+
+	return set
+}
+
+func findNamespace(target string, items []string) bool {
+	for _, n := range items {
+		if n == target {
+			return true
+		}
+	}
+	return false
+}
+
+func readMemoryLimitFromSpec(spec *specs.Spec) int64 {
+	if spec.Linux == nil || spec.Linux.Resources == nil || spec.Linux.Resources.Memory == nil || spec.Linux.Resources.Memory.Limit == nil {
+		return 0
+	}
+	return *spec.Linux.Resources.Memory.Limit
 }
--- a/pkg/provider/handlers/functions_test.go
+++ b/pkg/provider/handlers/functions_test.go
@ -0,0 +1,133 @@
+package handlers
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func Test_BuildLabelsAndAnnotationsFromServiceSpec_Annotations(t *testing.T) {
+	container := map[string]string{
+		"qwer": "ty",
+		"dvor": "ak",
+		fmt.Sprintf("%scurrent-time", annotationLabelPrefix): "5 Nov 20:10:20 PST 1955",
+		fmt.Sprintf("%sfuture-time", annotationLabelPrefix):  "21 Oct 20:10:20 PST 2015",
+	}
+
+	labels, annotation := buildLabelsAndAnnotations(container)
+
+	if len(labels) != 2 {
+		t.Errorf("want: %d labels got: %d", 2, len(labels))
+	}
+
+	if len(annotation) != 2 {
+		t.Errorf("want: %d annotation got: %d", 1, len(annotation))
+	}
+
+	if _, ok := annotation["current-time"]; !ok {
+		t.Errorf("want: '%s' entry in annotation map got: key not found", "current-time")
+	}
+}
+
+func Test_SplitMountToSecrets(t *testing.T) {
+	type testCase struct {
+		Name  string
+		Input []specs.Mount
+		Want  []string
+	}
+	tests := []testCase{
+		{Name: "No matching openfaas secrets", Input: []specs.Mount{{Destination: "/foo/"}}, Want: []string{}},
+		{Name: "Nil mounts", Input: nil, Want: []string{}},
+		{Name: "No Mounts", Input: []specs.Mount{{Destination: "/foo/"}}, Want: []string{}},
+		{Name: "One Mounts IS secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}}, Want: []string{"secret1"}},
+		{Name: "Multiple Mounts 1 secret", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/some/other/path"}}, Want: []string{"secret1"}},
+		{Name: "Multiple Mounts all secrets", Input: []specs.Mount{{Destination: "/var/openfaas/secrets/secret1"}, {Destination: "/var/openfaas/secrets/secret2"}}, Want: []string{"secret1", "secret2"}},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := readSecretsFromMounts(tc.Input)
+			if !reflect.DeepEqual(got, tc.Want) {
+				t.Fatalf("Want %s, got %s", tc.Want, got)
+			}
+		})
+	}
+}
+
+func Test_ProcessEnvToEnvVars(t *testing.T) {
+	type testCase struct {
+		Name     string
+		Input    []string
+		Want     map[string]string
+		fprocess string
+	}
+	tests := []testCase{
+		{Name: "No matching EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py"}, Want: make(map[string]string), fprocess: "python index.py"},
+		{Name: "No EnvVars", Input: []string{}, Want: make(map[string]string), fprocess: ""},
+		{Name: "One EnvVar", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "fprocess=python index.py", "env=this"}, Want: map[string]string{"env": "this"}, fprocess: "python index.py"},
+		{Name: "Multiple EnvVars", Input: []string{"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "this=that", "env=var", "fprocess=python index.py"}, Want: map[string]string{"this": "that", "env": "var"}, fprocess: "python index.py"},
+		{Name: "Nil EnvVars", Input: nil, Want: make(map[string]string)},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got, fprocess := readEnvFromProcessEnv(tc.Input)
+			if !reflect.DeepEqual(got, tc.Want) {
+				t.Fatalf("Want: %s, got: %s", tc.Want, got)
+			}
+
+			if fprocess != tc.fprocess {
+				t.Fatalf("Want fprocess: %s, got: %s", tc.fprocess, got)
+
+			}
+		})
+	}
+}
+
+func Test_findNamespace(t *testing.T) {
+	type testCase struct {
+		Name            string
+		foundNamespaces []string
+		namespace       string
+		Want            bool
+	}
+	tests := []testCase{
+		{Name: "Namespace Found", namespace: "fn", foundNamespaces: []string{"fn", "openfaas-fn"}, Want: true},
+		{Name: "namespace Not Found", namespace: "fn", foundNamespaces: []string{"openfaas-fn"}, Want: false},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := findNamespace(tc.namespace, tc.foundNamespaces)
+			if got != tc.Want {
+				t.Fatalf("Want %t, got %t", tc.Want, got)
+			}
+		})
+	}
+}
+
+func Test_readMemoryLimitFromSpec(t *testing.T) {
+	type testCase struct {
+		Name string
+		Spec *specs.Spec
+		Want int64
+	}
+	testLimit := int64(64)
+	tests := []testCase{
+		{Name: "specs.Linux not found", Spec: &specs.Spec{Linux: nil}, Want: int64(0)},
+		{Name: "specs.LinuxResource not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: nil}}, Want: int64(0)},
+		{Name: "specs.LinuxMemory not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: nil}}}, Want: int64(0)},
+		{Name: "specs.LinuxMemory.Limit not found", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: &specs.LinuxMemory{Limit: nil}}}}, Want: int64(0)},
+		{Name: "Memory limit set as Want", Spec: &specs.Spec{Linux: &specs.Linux{Resources: &specs.LinuxResources{Memory: &specs.LinuxMemory{Limit: &testLimit}}}}, Want: int64(64)},
+	}
+	for _, tc := range tests {
+		t.Run(tc.Name, func(t *testing.T) {
+			got := readMemoryLimitFromSpec(tc.Spec)
+			if got != tc.Want {
+				t.Fatalf("Want %d, got %d", tc.Want, got)
+			}
+		})
+	}
+}
--- a/pkg/provider/handlers/info.go
+++ b/pkg/provider/handlers/info.go
@ -22,10 +22,10 @@ func MakeInfoHandler(version, sha string) http.HandlerFunc {
 			defer r.Body.Close()
 		}

-		infoResponse := types.InfoResponse{
+		infoResponse := types.ProviderInfo{
 			Orchestration: OrchestrationIdentifier,
-			Provider:      ProviderName,
-			Version: types.ProviderVersion{
+			Name:          ProviderName,
+			Version: &types.VersionInfo{
 				Release: version,
 				SHA:     sha,
 			},
--- a/pkg/provider/handlers/info_test.go
+++ b/pkg/provider/handlers/info_test.go
@ -15,14 +15,14 @@ func Test_InfoHandler(t *testing.T) {
 	r := httptest.NewRequest("GET", "/", nil)
 	handler(w, r)

-	resp := types.InfoResponse{}
+	resp := types.ProviderInfo{}
 	err := json.Unmarshal(w.Body.Bytes(), &resp)
 	if err != nil {
 		t.Fatalf("unexpected error unmarshalling the response")
 	}

-	if resp.Provider != ProviderName {
-		t.Fatalf("expected provider %q, got %q", ProviderName, resp.Provider)
+	if resp.Name != ProviderName {
+		t.Fatalf("expected provider %q, got %q", ProviderName, resp.Name)
 	}

 	if resp.Orchestration != OrchestrationIdentifier {
--- a/pkg/provider/handlers/invoke_resolver.go
+++ b/pkg/provider/handlers/invoke_resolver.go
@ -4,8 +4,10 @@ import (
 	"fmt"
 	"log"
 	"net/url"
+	"strings"

 	"github.com/containerd/containerd"
+	faasd "github.com/openfaas/faasd/pkg"
 )

 const watchdogPort = 8080
@ -19,11 +21,18 @@ func NewInvokeResolver(client *containerd.Client) *InvokeResolver {
 }

 func (i *InvokeResolver) Resolve(functionName string) (url.URL, error) {
-	log.Printf("Resolve: %q\n", functionName)
+	actualFunctionName := functionName
+	log.Printf("Resolve: %q\n", actualFunctionName)

-	function, err := GetFunction(i.client, functionName)
+	namespace := getNamespaceOrDefault(functionName, faasd.DefaultFunctionNamespace)
+
+	if strings.Contains(functionName, ".") {
+		actualFunctionName = strings.TrimSuffix(functionName, "."+namespace)
+	}
+
+	function, err := GetFunction(i.client, actualFunctionName, namespace)
 	if err != nil {
-		return url.URL{}, fmt.Errorf("%s not found", functionName)
+		return url.URL{}, fmt.Errorf("%s not found", actualFunctionName)
 	}

 	serviceIP := function.IP
@ -37,3 +46,11 @@ func (i *InvokeResolver) Resolve(functionName string) (url.URL, error) {

 	return *urlRes, nil
 }
+
+func getNamespaceOrDefault(name, defaultNamespace string) string {
+	namespace := defaultNamespace
+	if strings.Contains(name, ".") {
+		namespace = name[strings.LastIndexAny(name, ".")+1:]
+	}
+	return namespace
+}
--- a/pkg/provider/handlers/mutate_namespaces.go
+++ b/pkg/provider/handlers/mutate_namespaces.go
@ -0,0 +1,285 @@
+package handlers
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/containerd/containerd"
+	"github.com/gorilla/mux"
+	"github.com/openfaas/faas-provider/types"
+)
+
+func MakeMutateNamespace(client *containerd.Client) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.Body != nil {
+			defer r.Body.Close()
+		}
+
+		switch r.Method {
+		case http.MethodPost:
+			createNamespace(client, w, r)
+		case http.MethodGet:
+			getNamespace(client, w, r)
+		case http.MethodDelete:
+			deleteNamespace(client, w, r)
+		case http.MethodPut:
+			updateNamespace(client, w, r)
+
+		default:
+			w.WriteHeader(http.StatusMethodNotAllowed)
+		}
+	}
+}
+
+func updateNamespace(client *containerd.Client, w http.ResponseWriter, r *http.Request) {
+	req, err := parseNamespaceRequest(r)
+	if err != nil {
+		http.Error(w, err.Error(), err.(*HttpError).Status)
+		return
+	}
+
+	namespaceExists, err := namespaceExists(r.Context(), client, req.Name)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if !namespaceExists {
+		http.Error(w, fmt.Sprintf("namespace %s not found", req.Name), http.StatusNotFound)
+		return
+	}
+
+	originalLabels, err := client.NamespaceService().Labels(r.Context(), req.Name)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if !hasOpenFaaSLabel(originalLabels) {
+		http.Error(w, fmt.Sprintf("namespace %s is not an openfaas namespace", req.Name), http.StatusBadRequest)
+		return
+	}
+
+	var exclusions []string
+
+	// build exclusions
+	for key, _ := range originalLabels {
+		if _, ok := req.Labels[key]; !ok {
+			exclusions = append(exclusions, key)
+		}
+	}
+
+	// Call SetLabel with empty string if label is to be removed
+	for _, key := range exclusions {
+		if err := client.NamespaceService().SetLabel(r.Context(), req.Name, key, ""); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+	}
+
+	// Now add the new labels
+	for key, value := range req.Labels {
+		if err := client.NamespaceService().SetLabel(r.Context(), req.Name, key, value); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+	}
+
+	w.WriteHeader(http.StatusAccepted)
+}
+
+func deleteNamespace(client *containerd.Client, w http.ResponseWriter, r *http.Request) {
+	req, err := parseNamespaceRequest(r)
+	if err != nil {
+		http.Error(w, err.Error(), err.(*HttpError).Status)
+		return
+	}
+
+	if err := client.NamespaceService().Delete(r.Context(), req.Name); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			http.Error(w, fmt.Sprintf("namespace %s not found", req.Name), http.StatusNotFound)
+			return
+		}
+
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusAccepted)
+}
+
+func namespaceExists(ctx context.Context, client *containerd.Client, name string) (bool, error) {
+	ns, err := client.NamespaceService().List(ctx)
+	if err != nil {
+		return false, err
+	}
+
+	found := false
+	for _, namespace := range ns {
+		if namespace == name {
+			found = true
+			break
+		}
+	}
+
+	return found, nil
+}
+
+func getNamespace(client *containerd.Client, w http.ResponseWriter, r *http.Request) {
+	req, err := parseNamespaceRequest(r)
+	if err != nil {
+		http.Error(w, err.Error(), err.(*HttpError).Status)
+		return
+	}
+
+	namespaceExists, err := namespaceExists(r.Context(), client, req.Name)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if !namespaceExists {
+		http.Error(w, fmt.Sprintf("namespace %s not found", req.Name), http.StatusNotFound)
+		return
+	}
+
+	labels, err := client.NamespaceService().Labels(r.Context(), req.Name)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if !hasOpenFaaSLabel(labels) {
+		http.Error(w, fmt.Sprintf("namespace %s not found", req.Name), http.StatusNotFound)
+		return
+	}
+
+	res := types.FunctionNamespace{
+		Name:   req.Name,
+		Labels: labels,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(res); err != nil {
+		log.Printf("Get Namespace error: %s", err)
+	}
+}
+
+func createNamespace(client *containerd.Client, w http.ResponseWriter, r *http.Request) {
+	req, err := parseNamespaceRequest(r)
+	if err != nil {
+		http.Error(w, err.Error(), err.(*HttpError).Status)
+		return
+	}
+
+	// Check if namespace exists, and it has the openfaas label
+	namespaces, err := client.NamespaceService().List(r.Context())
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	found := false
+	for _, namespace := range namespaces {
+		if namespace == req.Name {
+			found = true
+			break
+		}
+	}
+
+	if found {
+		http.Error(w, fmt.Sprintf("namespace %s already exists", req.Name), http.StatusConflict)
+		return
+	}
+
+	if err := client.NamespaceService().Create(r.Context(), req.Name, req.Labels); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+}
+
+// getNamespace returns a namespace object or an error
+func parseNamespaceRequest(r *http.Request) (types.FunctionNamespace, error) {
+	var req types.FunctionNamespace
+
+	vars := mux.Vars(r)
+	namespaceInPath := vars["name"]
+
+	if r.Method == http.MethodGet {
+		if namespaceInPath == "" {
+			return req, &HttpError{
+				Err:    fmt.Errorf("namespace not specified in URL"),
+				Status: http.StatusBadRequest,
+			}
+		}
+
+		return types.FunctionNamespace{
+			Name: namespaceInPath,
+		}, nil
+	}
+
+	body, _ := io.ReadAll(r.Body)
+
+	if err := json.Unmarshal(body, &req); err != nil {
+		return req, &HttpError{
+			Err:    fmt.Errorf("error parsing request body: %s", err.Error()),
+			Status: http.StatusBadRequest,
+		}
+	}
+
+	if r.Method != http.MethodPost {
+		if namespaceInPath == "" {
+			return req, &HttpError{
+				Err:    fmt.Errorf("namespace not specified in URL"),
+				Status: http.StatusBadRequest,
+			}
+		}
+		if req.Name != namespaceInPath {
+			return req, &HttpError{
+				Err:    fmt.Errorf("namespace in request body does not match namespace in URL"),
+				Status: http.StatusBadRequest,
+			}
+		}
+	}
+
+	if req.Name == "" {
+		return req, &HttpError{
+			Err:    fmt.Errorf("namespace not specified in request body"),
+			Status: http.StatusBadRequest,
+		}
+	}
+
+	if ok := hasOpenFaaSLabel(req.Labels); !ok {
+		return req, &HttpError{
+			Err:    fmt.Errorf("request does not have openfaas=1 label"),
+			Status: http.StatusBadRequest,
+		}
+	}
+
+	return req, nil
+}
+
+func hasOpenFaaSLabel(labels map[string]string) bool {
+	if v, ok := labels["openfaas"]; ok && v == "1" {
+		return true
+	}
+
+	return false
+}
+
+type HttpError struct {
+	Err    error
+	Status int
+}
+
+func (e *HttpError) Error() string {
+	return e.Err.Error()
+}
--- a/pkg/provider/handlers/namespaces.go
+++ b/pkg/provider/handlers/namespaces.go
@ -0,0 +1,18 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/containerd/containerd"
+)
+
+func MakeNamespacesLister(client *containerd.Client) func(w http.ResponseWriter, r *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		list := ListNamespaces(client)
+		body, _ := json.Marshal(list)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		w.Write(body)
+	}
+}
--- a/pkg/provider/handlers/read.go
+++ b/pkg/provider/handlers/read.go
@ -5,6 +5,8 @@ import (
 	"log"
 	"net/http"

+	"k8s.io/apimachinery/pkg/api/resource"
+
 	"github.com/containerd/containerd"
 	"github.com/openfaas/faas-provider/types"
 )
@ -13,27 +15,57 @@ func MakeReadHandler(client *containerd.Client) func(w http.ResponseWriter, r *h

 	return func(w http.ResponseWriter, r *http.Request) {

+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		res := []types.FunctionStatus{}
-		funcs, err := ListFunctions(client)
+		fns, err := ListFunctions(client, lookupNamespace)
 		if err != nil {
 			log.Printf("[Read] error listing functions. Error: %s\n", err)
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
 		}
-		for _, function := range funcs {
-			res = append(res, types.FunctionStatus{
-				Name:      function.name,
-				Image:     function.image,
-				Replicas:  uint64(function.replicas),
-				Namespace: function.namespace,
-				Labels:    &function.labels,
-			})
+
+		for _, fn := range fns {
+			annotations := &fn.annotations
+			labels := &fn.labels
+			memory := resource.NewQuantity(fn.memoryLimit, resource.BinarySI)
+			status := types.FunctionStatus{
+				Name:        fn.name,
+				Image:       fn.image,
+				Replicas:    uint64(fn.replicas),
+				Namespace:   fn.namespace,
+				Labels:      labels,
+				Annotations: annotations,
+				Secrets:     fn.secrets,
+				EnvVars:     fn.envVars,
+				EnvProcess:  fn.envProcess,
+				CreatedAt:   fn.createdAt,
+			}
+
+			// Do not remove below memory check for 0
+			// Memory limit should not be included in status until set explicitly
+			limit := &types.FunctionResources{Memory: memory.String()}
+			if limit.Memory != "0" {
+				status.Limits = limit
+			}
+
+			res = append(res, status)
 		}

 		body, _ := json.Marshal(res)
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
 		w.Write(body)
-
 	}
 }
--- a/pkg/provider/handlers/replicas.go
+++ b/pkg/provider/handlers/replicas.go
@ -14,14 +14,33 @@ func MakeReplicaReaderHandler(client *containerd.Client) func(w http.ResponseWri
 	return func(w http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 		functionName := vars["name"]
+		lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))

-		if f, err := GetFunction(client, functionName); err == nil {
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), lookupNamespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		if f, err := GetFunction(client, functionName, lookupNamespace); err == nil {
 			found := types.FunctionStatus{
 				Name:              functionName,
+				Image:             f.image,
 				AvailableReplicas: uint64(f.replicas),
 				Replicas:          uint64(f.replicas),
 				Namespace:         f.namespace,
 				Labels:            &f.labels,
+				Annotations:       &f.annotations,
+				Secrets:           f.secrets,
+				EnvVars:           f.envVars,
+				EnvProcess:        f.envProcess,
+				CreatedAt:         f.createdAt,
 			}

 			functionBytes, _ := json.Marshal(found)
--- a/pkg/provider/handlers/scale.go
+++ b/pkg/provider/handlers/scale.go
@ -11,7 +11,9 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
 	gocni "github.com/containerd/go-cni"
+
 	"github.com/openfaas/faas-provider/types"
+	"github.com/openfaas/faasd/pkg"
 )

 func MakeReplicaUpdateHandler(client *containerd.Client, cni gocni.CNI) func(w http.ResponseWriter, r *http.Request) {
@ -29,25 +31,40 @@ func MakeReplicaUpdateHandler(client *containerd.Client, cni gocni.CNI) func(w h
 		log.Printf("[Scale] request: %s\n", string(body))

 		req := types.ScaleServiceRequest{}
-		err := json.Unmarshal(body, &req)
-
-		if err != nil {
+		if err := json.Unmarshal(body, &req); err != nil {
 			log.Printf("[Scale] error parsing input: %s\n", err)
 			http.Error(w, err.Error(), http.StatusBadRequest)

 			return
 		}

+		namespace := req.Namespace
+		if namespace == "" {
+			namespace = pkg.DefaultFunctionNamespace
+		}
+
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), namespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
 		name := req.ServiceName

-		if _, err := GetFunction(client, name); err != nil {
+		if _, err := GetFunction(client, name, namespace); err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Scale] %s\n", msg)
 			http.Error(w, msg, http.StatusNotFound)
 			return
 		}

-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)

 		ctr, ctrErr := client.LoadContainer(ctx, name)
 		if ctrErr != nil {
@ -57,46 +74,71 @@ func MakeReplicaUpdateHandler(client *containerd.Client, cni gocni.CNI) func(w h
 			return
 		}

-		taskExists := true
+		var taskExists bool
+		var taskStatus *containerd.Status
+
 		task, taskErr := ctr.Task(ctx, nil)
 		if taskErr != nil {
 			msg := fmt.Sprintf("cannot load task for service %s, error: %s", name, taskErr)
 			log.Printf("[Scale] %s\n", msg)
 			taskExists = false
+		} else {
+			taskExists = true
+			status, statusErr := task.Status(ctx)
+			if statusErr != nil {
+				msg := fmt.Sprintf("cannot load task status for %s, error: %s", name, statusErr)
+				log.Printf("[Scale] %s\n", msg)
+				http.Error(w, msg, http.StatusInternalServerError)
+				return
+			} else {
+				taskStatus = &status
+			}
 		}

-		if req.Replicas > 0 {
-			if taskExists {
-				if status, statusErr := task.Status(ctx); statusErr == nil {
-					if status.Status == containerd.Paused {
-						if resumeErr := task.Resume(ctx); resumeErr != nil {
-							log.Printf("[Scale] error resuming task %s, error: %s\n", name, resumeErr)
-							http.Error(w, resumeErr.Error(), http.StatusBadRequest)
-						}
-					}
-				}
-			} else {
-				deployErr := createTask(ctx, client, ctr, cni)
-				if deployErr != nil {
-					log.Printf("[Scale] error deploying %s, error: %s\n", name, deployErr)
-					http.Error(w, deployErr.Error(), http.StatusBadRequest)
+		createNewTask := false
+
+		// Scale to zero
+		if req.Replicas == 0 {
+			// If a task is running, pause it
+			if taskExists && taskStatus.Status == containerd.Running {
+				if pauseErr := task.Pause(ctx); pauseErr != nil {
+					wrappedPauseErr := fmt.Errorf("error pausing task %s, error: %s", name, pauseErr)
+					log.Printf("[Scale] %s\n", wrappedPauseErr.Error())
+					http.Error(w, wrappedPauseErr.Error(), http.StatusNotFound)
 					return
 				}
-				return
-			}
-		} else {
-			if taskExists {
-				if status, statusErr := task.Status(ctx); statusErr == nil {
-					if status.Status == containerd.Running {
-						if pauseErr := task.Pause(ctx); pauseErr != nil {
-							log.Printf("[Scale] error pausing task %s, error: %s\n", name, pauseErr)
-							http.Error(w, pauseErr.Error(), http.StatusBadRequest)
-						}
-					}
-				}
 			}
 		}

-	}
+		if taskExists {
+			if taskStatus != nil {
+				if taskStatus.Status == containerd.Paused {
+					if resumeErr := task.Resume(ctx); resumeErr != nil {
+						log.Printf("[Scale] error resuming task %s, error: %s\n", name, resumeErr)
+						http.Error(w, resumeErr.Error(), http.StatusBadRequest)
+						return
+					}
+				} else if taskStatus.Status == containerd.Stopped {
+					// Stopped tasks cannot be restarted, must be removed, and created again
+					if _, delErr := task.Delete(ctx); delErr != nil {
+						log.Printf("[Scale] error deleting stopped task %s, error: %s\n", name, delErr)
+						http.Error(w, delErr.Error(), http.StatusBadRequest)
+						return
+					}
+					createNewTask = true
+				}
+			}
+		} else {
+			createNewTask = true
+		}

+		if createNewTask {
+			deployErr := createTask(ctx, ctr, cni)
+			if deployErr != nil {
+				log.Printf("[Scale] error deploying %s, error: %s\n", name, deployErr)
+				http.Error(w, deployErr.Error(), http.StatusBadRequest)
+				return
+			}
+		}
+	}
 }
--- a/pkg/provider/handlers/secret.go
+++ b/pkg/provider/handlers/secret.go
@ -2,19 +2,22 @@ package handlers

 import (
 	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
 	"path"
+	"strings"

-	"github.com/containerd/containerd"
 	"github.com/openfaas/faas-provider/types"
+	provider "github.com/openfaas/faasd/pkg/provider"
 )

 const secretFilePermission = 0644
+const secretDirPermission = 0755

-func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.ResponseWriter, r *http.Request) {
+func MakeSecretHandler(store provider.Labeller, mountPath string) func(w http.ResponseWriter, r *http.Request) {

 	err := os.MkdirAll(mountPath, secretFilePermission)
 	if err != nil {
@ -28,13 +31,13 @@ func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.Respo

 		switch r.Method {
 		case http.MethodGet:
-			listSecrets(c, w, r, mountPath)
+			listSecrets(store, w, r, mountPath)
 		case http.MethodPost:
-			createSecret(c, w, r, mountPath)
+			createSecret(w, r, mountPath)
 		case http.MethodPut:
-			createSecret(c, w, r, mountPath)
+			createSecret(w, r, mountPath)
 		case http.MethodDelete:
-			deleteSecret(c, w, r, mountPath)
+			deleteSecret(w, r, mountPath)
 		default:
 			w.WriteHeader(http.StatusBadRequest)
 			return
@ -43,23 +46,46 @@ func MakeSecretHandler(c *containerd.Client, mountPath string) func(w http.Respo
 	}
 }

-func listSecrets(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
-	files, err := ioutil.ReadDir(mountPath)
+func listSecrets(store provider.Labeller, w http.ResponseWriter, r *http.Request, mountPath string) {
+
+	lookupNamespace := getRequestNamespace(readNamespaceFromQuery(r))
+	// Check if namespace exists, and it has the openfaas label
+	valid, err := validNamespace(store, lookupNamespace)
 	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	if !valid {
+		http.Error(w, "namespace not valid", http.StatusBadRequest)
+		return
+	}
+
+	mountPath = getNamespaceSecretMountPath(mountPath, lookupNamespace)
+
+	files, err := os.ReadDir(mountPath)
+	if os.IsNotExist(err) {
+		bytesOut, _ := json.Marshal([]types.Secret{})
+		w.Write(bytesOut)
+		return
+	}
+
+	if err != nil {
+		fmt.Printf("Error Occured: %s \n", err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}

 	secrets := []types.Secret{}
 	for _, f := range files {
-		secrets = append(secrets, types.Secret{Name: f.Name()})
+		secrets = append(secrets, types.Secret{Name: f.Name(), Namespace: lookupNamespace})
 	}

 	bytesOut, _ := json.Marshal(secrets)
 	w.Write(bytesOut)
 }

-func createSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
+func createSecret(w http.ResponseWriter, r *http.Request, mountPath string) {
 	secret, err := parseSecret(r)
 	if err != nil {
 		log.Printf("[secret] error %s", err.Error())
@ -67,7 +93,50 @@ func createSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request,
 		return
 	}

-	err = ioutil.WriteFile(path.Join(mountPath, secret.Name), []byte(secret.Value), secretFilePermission)
+	err = validateSecret(secret)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	log.Printf("[secret] is valid: %q", secret.Name)
+	namespace := getRequestNamespace(secret.Namespace)
+	mountPath = getNamespaceSecretMountPath(mountPath, namespace)
+
+	err = os.MkdirAll(mountPath, secretDirPermission)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	data := secret.RawValue
+	if len(data) == 0 {
+		data = []byte(secret.Value)
+	}
+
+	err = ioutil.WriteFile(path.Join(mountPath, secret.Name), data, secretFilePermission)
+
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+}
+
+func deleteSecret(w http.ResponseWriter, r *http.Request, mountPath string) {
+	secret, err := parseSecret(r)
+	if err != nil {
+		log.Printf("[secret] error %s", err.Error())
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	namespace := getRequestNamespace(readNamespaceFromQuery(r))
+	mountPath = getNamespaceSecretMountPath(mountPath, namespace)
+
+	err = os.Remove(path.Join(mountPath, secret.Name))

 	if err != nil {
 		log.Printf("[secret] error %s", err.Error())
@ -84,22 +153,26 @@ func parseSecret(r *http.Request) (types.Secret, error) {
 	}

 	err = json.Unmarshal(bytesOut, &secret)
+	if err != nil {
+		return secret, err
+	}
+
 	return secret, err
 }

-func deleteSecret(c *containerd.Client, w http.ResponseWriter, r *http.Request, mountPath string) {
-	secret, err := parseSecret(r)
-	if err != nil {
-		log.Printf("[secret] error %s", err.Error())
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
+const traverseErrorSt = "directory traversal found in name"

-	err = os.Remove(path.Join(mountPath, secret.Name))
-
-	if err != nil {
-		log.Printf("[secret] error %s", err.Error())
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
+func isTraversal(name string) bool {
+	return strings.Contains(name, fmt.Sprintf("%s", string(os.PathSeparator))) ||
+		strings.Contains(name, "..")
+}
+
+func validateSecret(secret types.Secret) error {
+	if strings.TrimSpace(secret.Name) == "" {
+		return fmt.Errorf("non-empty name is required")
+	}
+	if isTraversal(secret.Name) {
+		return fmt.Errorf(traverseErrorSt)
+	}
+	return nil
 }
--- a/pkg/provider/handlers/secret_test.go
+++ b/pkg/provider/handlers/secret_test.go
@ -0,0 +1,252 @@
+package handlers
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/openfaas/faas-provider/types"
+	"github.com/openfaas/faasd/pkg"
+	provider "github.com/openfaas/faasd/pkg/provider"
+)
+
+func Test_parseSecret(t *testing.T) {
+	cases := []struct {
+		name      string
+		payload   string
+		expError  string
+		expSecret types.Secret
+	}{
+		{
+			name:      "no error when name is valid without extention and with no traversal",
+			payload:   `{"name": "authorized_keys", "value": "foo"}`,
+			expSecret: types.Secret{Name: "authorized_keys", Value: "foo"},
+		},
+		{
+			name:      "no error when name is valid and parses RawValue correctly",
+			payload:   `{"name": "authorized_keys", "rawValue": "YmFy"}`,
+			expSecret: types.Secret{Name: "authorized_keys", RawValue: []byte("bar")},
+		},
+		{
+			name:      "no error when name is valid with dot and with no traversal",
+			payload:   `{"name": "authorized.keys", "value": "foo"}`,
+			expSecret: types.Secret{Name: "authorized.keys", Value: "foo"},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			reader := strings.NewReader(tc.payload)
+			r := httptest.NewRequest(http.MethodPost, "/", reader)
+			secret, err := parseSecret(r)
+			if err != nil && tc.expError == "" {
+				t.Fatalf("unexpected error: %s", err)
+				return
+			}
+
+			if tc.expError != "" {
+				if err == nil {
+					t.Fatalf("expected error: %s, got nil", tc.expError)
+				}
+				if err.Error() != tc.expError {
+					t.Fatalf("expected error: %s, got: %s", tc.expError, err)
+				}
+
+				return
+			}
+
+			if !reflect.DeepEqual(secret, tc.expSecret) {
+				t.Fatalf("expected secret: %+v, got: %+v", tc.expSecret, secret)
+			}
+		})
+	}
+}
+
+func TestSecretCreation(t *testing.T) {
+	mountPath, err := os.MkdirTemp("", "test_secret_creation")
+	if err != nil {
+		t.Fatalf("unexpected error while creating temp directory: %s", err)
+	}
+
+	defer os.RemoveAll(mountPath)
+
+	handler := MakeSecretHandler(nil, mountPath)
+
+	cases := []struct {
+		name       string
+		verb       string
+		payload    string
+		status     int
+		secretPath string
+		secret     string
+		err        string
+	}{
+		{
+			name:    "returns error when the name contains a traversal",
+			verb:    http.MethodPost,
+			payload: `{"name": "/root/.ssh/authorized_keys", "value": "foo"}`,
+			status:  http.StatusBadRequest,
+			err:     "directory traversal found in name\n",
+		},
+		{
+			name:    "returns error when the name contains a traversal",
+			verb:    http.MethodPost,
+			payload: `{"name": "..", "value": "foo"}`,
+			status:  http.StatusBadRequest,
+			err:     "directory traversal found in name\n",
+		},
+		{
+			name:    "empty request returns a validation error",
+			verb:    http.MethodPost,
+			payload: `{}`,
+			status:  http.StatusBadRequest,
+			err:     "non-empty name is required\n",
+		},
+		{
+			name:       "can create secret from string",
+			verb:       http.MethodPost,
+			payload:    `{"name": "foo", "value": "bar"}`,
+			status:     http.StatusOK,
+			secretPath: "/openfaas-fn/foo",
+			secret:     "bar",
+		},
+		{
+			name:       "can create secret from raw value",
+			verb:       http.MethodPost,
+			payload:    `{"name": "foo", "rawValue": "YmFy"}`,
+			status:     http.StatusOK,
+			secretPath: "/openfaas-fn/foo",
+			secret:     "bar",
+		},
+		{
+			name:       "can create secret in non-default namespace from raw value",
+			verb:       http.MethodPost,
+			payload:    `{"name": "pity", "rawValue": "dGhlIGZvbw==", "namespace": "a-team"}`,
+			status:     http.StatusOK,
+			secretPath: "/a-team/pity",
+			secret:     "the foo",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest(tc.verb, "http://example.com/foo", strings.NewReader(tc.payload))
+			w := httptest.NewRecorder()
+
+			handler(w, req)
+
+			resp := w.Result()
+			if resp.StatusCode != tc.status {
+				t.Logf("response body: %s", w.Body.String())
+				t.Fatalf("expected status: %d, got: %d", tc.status, resp.StatusCode)
+			}
+
+			if resp.StatusCode != http.StatusOK && w.Body.String() != tc.err {
+				t.Fatalf("expected error message: %q, got %q", tc.err, w.Body.String())
+
+			}
+
+			if tc.secretPath != "" {
+				data, err := os.ReadFile(filepath.Join(mountPath, tc.secretPath))
+				if err != nil {
+					t.Fatalf("can not read the secret from disk: %s", err)
+				}
+
+				if string(data) != tc.secret {
+					t.Fatalf("expected secret value: %s, got %s", tc.secret, string(data))
+				}
+			}
+		})
+	}
+}
+
+func TestListSecrets(t *testing.T) {
+	mountPath, err := os.MkdirTemp("", "test_secret_creation")
+	if err != nil {
+		t.Fatalf("unexpected error while creating temp directory: %s", err)
+	}
+
+	defer os.RemoveAll(mountPath)
+
+	cases := []struct {
+		name       string
+		verb       string
+		namespace  string
+		labels     map[string]string
+		status     int
+		secretPath string
+		secret     string
+		err        string
+		expected   []types.Secret
+	}{
+		{
+			name:       "Get empty secret list for default namespace having no secret",
+			verb:       http.MethodGet,
+			status:     http.StatusOK,
+			secretPath: "/test-fn/foo",
+			secret:     "bar",
+			expected:   make([]types.Secret, 0),
+		},
+		{
+			name:       "Get empty secret list for non-default namespace having no secret",
+			verb:       http.MethodGet,
+			status:     http.StatusOK,
+			secretPath: "/test-fn/foo",
+			secret:     "bar",
+			expected:   make([]types.Secret, 0),
+			namespace:  "other-ns",
+			labels: map[string]string{
+				pkg.NamespaceLabel: "true",
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			labelStore := provider.NewFakeLabeller(tc.labels)
+
+			handler := MakeSecretHandler(labelStore, mountPath)
+
+			path := "http://example.com/foo"
+			if len(tc.namespace) > 0 {
+				path = path + fmt.Sprintf("?namespace=%s", tc.namespace)
+			}
+			req := httptest.NewRequest(tc.verb, path, nil)
+			w := httptest.NewRecorder()
+
+			handler(w, req)
+
+			resp := w.Result()
+			if resp.StatusCode != tc.status {
+				t.Fatalf("want status: %d, but got: %d", tc.status, resp.StatusCode)
+			}
+
+			if resp.StatusCode != http.StatusOK && w.Body.String() != tc.err {
+				t.Fatalf("want error message: %q, but got %q", tc.err, w.Body.String())
+			}
+
+			body, err := ioutil.ReadAll(resp.Body)
+			if err != nil {
+				t.Fatalf("can't read response of list %v", err)
+			}
+
+			var res []types.Secret
+			err = json.Unmarshal(body, &res)
+
+			if err != nil {
+				t.Fatalf("unable to unmarshal %q, error: %v", string(body), err)
+			}
+
+			if !reflect.DeepEqual(res, tc.expected) {
+				t.Fatalf("want response: %v, but got: %v", tc.expected, res)
+			}
+		})
+	}
+}
--- a/pkg/provider/handlers/update.go
+++ b/pkg/provider/handlers/update.go
@ -12,6 +12,7 @@ import (
 	"github.com/containerd/containerd/namespaces"
 	gocni "github.com/containerd/go-cni"
 	"github.com/openfaas/faas-provider/types"
+
 	"github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
 )
@ -39,8 +40,23 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}
 		name := req.Service
+		namespace := getRequestNamespace(req.Namespace)

-		function, err := GetFunction(client, name)
+		// Check if namespace exists, and it has the openfaas label
+		valid, err := validNamespace(client.NamespaceService(), namespace)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		if !valid {
+			http.Error(w, "namespace not valid", http.StatusBadRequest)
+			return
+		}
+
+		namespaceSecretMountPath := getNamespaceSecretMountPath(secretMountPath, namespace)
+
+		function, err := GetFunction(client, name, namespace)
 		if err != nil {
 			msg := fmt.Sprintf("service %s not found", name)
 			log.Printf("[Update] %s\n", msg)
@ -48,12 +64,18 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			return
 		}

-		err = validateSecrets(secretMountPath, req.Secrets)
+		err = validateSecrets(namespaceSecretMountPath, req.Secrets)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 		}

-		ctx := namespaces.WithNamespace(context.Background(), FunctionNamespace)
+		ctx := namespaces.WithNamespace(context.Background(), namespace)
+
+		if _, err := prepull(ctx, req, client, alwaysPull); err != nil {
+			log.Printf("[Update] error with pre-pull: %s, %s\n", name, err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+
 		if function.replicas != 0 {
 			err = cninetwork.DeleteCNINetwork(ctx, cni, client, name)
 			if err != nil {
@ -61,19 +83,19 @@ func MakeUpdateHandler(client *containerd.Client, cni gocni.CNI, secretMountPath
 			}
 		}

-		containerErr := service.Remove(ctx, client, name)
-		if containerErr != nil {
-			log.Printf("[Update] error removing %s, %s\n", name, containerErr)
-			http.Error(w, containerErr.Error(), http.StatusInternalServerError)
+		if err := service.Remove(ctx, client, name); err != nil {
+			log.Printf("[Update] error removing %s, %s\n", name, err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}

-		deployErr := deploy(ctx, req, client, cni, secretMountPath, alwaysPull)
-		if deployErr != nil {
-			log.Printf("[Update] error deploying %s, error: %s\n", name, deployErr)
-			http.Error(w, deployErr.Error(), http.StatusBadRequest)
+		// The pull has already been done in prepull, so we can force this pull to "false"
+		pull := false
+
+		if err := deploy(ctx, req, client, cni, namespaceSecretMountPath, pull); err != nil {
+			log.Printf("[Update] error deploying %s, error: %s\n", name, err)
+			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
 		}
 	}
-
 }
--- a/pkg/provider/handlers/utils.go
+++ b/pkg/provider/handlers/utils.go
@ -0,0 +1,47 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"path"
+
+	"github.com/openfaas/faasd/pkg"
+	faasd "github.com/openfaas/faasd/pkg"
+	provider "github.com/openfaas/faasd/pkg/provider"
+)
+
+func getRequestNamespace(namespace string) string {
+
+	if len(namespace) > 0 {
+		return namespace
+	}
+	return faasd.DefaultFunctionNamespace
+}
+
+func readNamespaceFromQuery(r *http.Request) string {
+	q := r.URL.Query()
+	return q.Get("namespace")
+}
+
+func getNamespaceSecretMountPath(userSecretPath string, namespace string) string {
+	return path.Join(userSecretPath, namespace)
+}
+
+// validNamespace indicates whether the namespace is eligable to be
+// used for OpenFaaS functions.
+func validNamespace(store provider.Labeller, namespace string) (bool, error) {
+	if namespace == faasd.DefaultFunctionNamespace {
+		return true, nil
+	}
+
+	labels, err := store.Labels(context.Background(), namespace)
+	if err != nil {
+		return false, err
+	}
+
+	if value, found := labels[pkg.NamespaceLabel]; found && value == "true" {
+		return true, nil
+	}
+
+	return false, nil
+}
--- a/pkg/provider/handlers/utils_test.go
+++ b/pkg/provider/handlers/utils_test.go
@ -0,0 +1,75 @@
+package handlers
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	faasd "github.com/openfaas/faasd/pkg"
+)
+
+func Test_getRequestNamespace(t *testing.T) {
+	tables := []struct {
+		name              string
+		requestNamespace  string
+		expectedNamespace string
+	}{
+		{name: "RequestNamespace is not provided", requestNamespace: "", expectedNamespace: faasd.DefaultFunctionNamespace},
+		{name: "RequestNamespace is provided", requestNamespace: "user-namespace", expectedNamespace: "user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+			actualNamespace := getRequestNamespace(tc.requestNamespace)
+			if actualNamespace != tc.expectedNamespace {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedNamespace)
+			}
+		})
+	}
+}
+
+func Test_getNamespaceSecretMountPath(t *testing.T) {
+	userSecretPath := "/var/openfaas/secrets"
+	tables := []struct {
+		name               string
+		requestNamespace   string
+		expectedSecretPath string
+	}{
+		{name: "Default Namespace is provided", requestNamespace: faasd.DefaultFunctionNamespace, expectedSecretPath: "/var/openfaas/secrets/" + faasd.DefaultFunctionNamespace},
+		{name: "User Namespace is provided", requestNamespace: "user-namespace", expectedSecretPath: "/var/openfaas/secrets/user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+			actualNamespace := getNamespaceSecretMountPath(userSecretPath, tc.requestNamespace)
+			if actualNamespace != tc.expectedSecretPath {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedSecretPath)
+			}
+		})
+	}
+}
+
+func Test_readNamespaceFromQuery(t *testing.T) {
+	tables := []struct {
+		name              string
+		queryNamespace    string
+		expectedNamespace string
+	}{
+		{name: "No Namespace is provided", queryNamespace: "", expectedNamespace: ""},
+		{name: "User Namespace is provided", queryNamespace: "user-namespace", expectedNamespace: "user-namespace"},
+	}
+
+	for _, tc := range tables {
+		t.Run(tc.name, func(t *testing.T) {
+
+			url := fmt.Sprintf("/test?namespace=%s", tc.queryNamespace)
+			r := httptest.NewRequest(http.MethodGet, url, nil)
+
+			actualNamespace := readNamespaceFromQuery(r)
+			if actualNamespace != tc.expectedNamespace {
+				t.Errorf("Want: %s, got: %s", actualNamespace, tc.expectedNamespace)
+			}
+		})
+	}
+}
--- a/pkg/provider/labeller.go
+++ b/pkg/provider/labeller.go
@ -0,0 +1,25 @@
+package provider
+
+import "context"
+
+// Labeller can return labels for a namespace from containerd.
+type Labeller interface {
+	Labels(ctx context.Context, namespace string) (map[string]string, error)
+}
+
+//
+// FakeLabeller can be used to fake labels applied on namespace to mark
+// them valid/invalid for openfaas functions
+type FakeLabeller struct {
+	labels map[string]string
+}
+
+func NewFakeLabeller(labels map[string]string) Labeller {
+	return &FakeLabeller{
+		labels: labels,
+	}
+}
+
+func (s *FakeLabeller) Labels(ctx context.Context, namespace string) (map[string]string, error) {
+	return s.labels, nil
+}
--- a/pkg/proxy.go
+++ b/pkg/proxy.go
@ -1,122 +1,116 @@
 package pkg

 import (
-	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
+	"net"
 	"net/http"
+	"strconv"
+	"strings"

 	"time"
 )

-func NewProxy(port int, timeout time.Duration) *Proxy {
+// NewProxy creates a HTTP proxy to expose a host
+func NewProxy(upstream string, listenPort uint32, hostIP string, timeout time.Duration, resolver Resolver) *Proxy {

 	return &Proxy{
-		Port:    port,
-		Timeout: timeout,
+		Upstream: upstream,
+		Port:     listenPort,
+		HostIP:   hostIP,
+		Timeout:  timeout,
+		Resolver: resolver,
 	}
 }

+// Proxy for exposing a private container
 type Proxy struct {
 	Timeout time.Duration
-	Port    int
+
+	// Port on which to listen to traffic
+	Port uint32
+
+	// Upstream is where to send traffic when received
+	Upstream string
+
+	// The IP to use to bind locally
+	HostIP string
+
+	Resolver Resolver
 }

-func (p *Proxy) Start(gatewayChan chan string, done chan bool) error {
-	tcp := p.Port
+// Start listening and forwarding HTTP to the host
+func (p *Proxy) Start() error {

 	http.DefaultClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
 	}
-	ps := proxyState{
-		Host: "",
+	upstreamHost, upstreamPort, err := getUpstream(p.Upstream, p.Port)
+	if err != nil {
+		return err
 	}

-	ps.Host = <-gatewayChan
+	log.Printf("Looking up IP for: %q", upstreamHost)
+	got := make(chan string, 1)

-	log.Printf("Starting faasd proxy on %d\n", tcp)
+	go p.Resolver.Get(upstreamHost, got, time.Second*5)

-	fmt.Printf("Gateway: %s\n", ps.Host)
+	ipAddress := <-got
+	close(got)

-	s := &http.Server{
-		Addr:           fmt.Sprintf(":%d", tcp),
-		ReadTimeout:    p.Timeout,
-		WriteTimeout:   p.Timeout,
-		MaxHeaderBytes: 1 << 20, // Max header of 1MB
-		Handler:        http.HandlerFunc(makeProxy(&ps)),
+	upstreamAddr := fmt.Sprintf("%s:%d", ipAddress, upstreamPort)
+
+	localBind := fmt.Sprintf("%s:%d", p.HostIP, p.Port)
+	log.Printf("Proxy from: %s, to: %s (%s)\n", localBind, p.Upstream, ipAddress)
+
+	l, err := net.Listen("tcp", localBind)
+	if err != nil {
+		log.Printf("Error: %s", err.Error())
+		return err
 	}

-	go func() {
-		log.Printf("[proxy] Begin listen on %d\n", p.Port)
-		if err := s.ListenAndServe(); err != http.ErrServerClosed {
-			log.Printf("Error ListenAndServe: %v", err)
+	defer l.Close()
+	for {
+		// Wait for a connection.
+		conn, err := l.Accept()
+		if err != nil {
+			acceptErr := fmt.Errorf("Unable to accept on %d, error: %s",
+				p.Port,
+				err.Error())
+			log.Printf("%s", acceptErr.Error())
+			return acceptErr
 		}
-	}()

-	log.Println("[proxy] Wait for done")
-	<-done
-	log.Println("[proxy] Done received")
-	if err := s.Shutdown(context.Background()); err != nil {
-		log.Printf("[proxy] Error in Shutdown: %v", err)
-	}
+		upstream, err := net.Dial("tcp", upstreamAddr)

-	return nil
-}
+		if err != nil {
+			log.Printf("unable to dial to %s, error: %s", upstreamAddr, err.Error())
+			return err
+		}

-// copyHeaders clones the header values from the source into the destination.
-func copyHeaders(destination http.Header, source *http.Header) {
-	for k, v := range *source {
-		vClone := make([]string, len(v))
-		copy(vClone, v)
-		destination[k] = vClone
+		go pipe(conn, upstream)
+		go pipe(upstream, conn)
 	}
 }

-type proxyState struct {
-	Host string
+func pipe(from net.Conn, to net.Conn) {
+	defer from.Close()
+	io.Copy(from, to)
 }

-func makeProxy(ps *proxyState) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
+func getUpstream(val string, defaultPort uint32) (string, uint32, error) {
+	upstreamHostname := val
+	upstreamPort := defaultPort

-		query := ""
-		if len(r.URL.RawQuery) > 0 {
-			query = "?" + r.URL.RawQuery
+	if in := strings.Index(val, ":"); in > -1 {
+		upstreamHostname = val[:in]
+		port, err := strconv.ParseInt(val[in+1:], 10, 32)
+		if err != nil {
+			return "", defaultPort, err
 		}
-
-		upstream := fmt.Sprintf("http://%s%s%s", ps.Host, r.URL.Path, query)
-		fmt.Printf("[faasd] proxy: %s\n", upstream)
-
-		if r.Body != nil {
-			defer r.Body.Close()
-		}
-
-		wrapper := ioutil.NopCloser(r.Body)
-		upReq, upErr := http.NewRequest(r.Method, upstream, wrapper)
-
-		copyHeaders(upReq.Header, &r.Header)
-
-		if upErr != nil {
-			log.Println(upErr)
-
-			http.Error(w, upErr.Error(), http.StatusInternalServerError)
-			return
-		}
-
-		upRes, upResErr := http.DefaultClient.Do(upReq)
-
-		if upResErr != nil {
-			log.Println(upResErr)
-
-			http.Error(w, upResErr.Error(), http.StatusInternalServerError)
-			return
-		}
-
-		copyHeaders(w.Header(), &upRes.Header)
-
-		w.WriteHeader(upRes.StatusCode)
-		io.Copy(w, upRes.Body)
+		upstreamPort = uint32(port)
 	}
+
+	return upstreamHostname, upstreamPort, nil
 }
--- a/pkg/proxy_test.go
+++ b/pkg/proxy_test.go
@ -16,7 +16,7 @@ func Test_Proxy_ToPrivateServer(t *testing.T) {

 	wantBodyText := "OK"
 	wantBody := []byte(wantBodyText)
-	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	upstreamSvr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

 		if r.Body != nil {
 			defer r.Body.Close()
@ -27,17 +27,19 @@ func Test_Proxy_ToPrivateServer(t *testing.T) {

 	}))

-	defer upstream.Close()
+	defer upstreamSvr.Close()
 	port := 8080
-	proxy := NewProxy(port, time.Second*1)
+	u, _ := url.Parse(upstreamSvr.URL)
+	log.Println("Host", u.Host)
+
+	upstreamAddr := u.Host
+	proxy := NewProxy(upstreamAddr, 8080, "127.0.0.1", time.Second*1, &mockResolver{})

 	gwChan := make(chan string, 1)
 	doneCh := make(chan bool)

-	go proxy.Start(gwChan, doneCh)
+	go proxy.Start()

-	u, _ := url.Parse(upstream.URL)
-	log.Println("Host", u.Host)
 	wg := sync.WaitGroup{}
 	wg.Add(1)
 	go func() {
@ -71,3 +73,14 @@ func Test_Proxy_ToPrivateServer(t *testing.T) {
 		doneCh <- true
 	}()
 }
+
+type mockResolver struct {
+}
+
+func (m *mockResolver) Start() {
+
+}
+
+func (m *mockResolver) Get(upstream string, got chan<- string, timeout time.Duration) {
+	got <- upstream
+}
--- a/pkg/resolver.go
+++ b/pkg/resolver.go
@ -0,0 +1,12 @@
+package pkg
+
+import "time"
+
+// Resolver resolves an upstream IP address for a given upstream host
+type Resolver interface {
+	// Start any polling or connections required to resolve
+	Start()
+
+	// Get an IP address using an asynchronous operation
+	Get(upstream string, got chan<- string, timeout time.Duration)
+}
--- a/pkg/service/service.go
+++ b/pkg/service/service.go
@ -27,31 +27,34 @@ func Remove(ctx context.Context, client *containerd.Client, name string) error {
 	container, containerErr := client.LoadContainer(ctx, name)

 	if containerErr == nil {
-		found := true
+		taskFound := true
 		t, err := container.Task(ctx, nil)
 		if err != nil {
 			if errdefs.IsNotFound(err) {
-				found = false
+				taskFound = false
 			} else {
-				return fmt.Errorf("unable to get task %s: ", err)
+				return fmt.Errorf("unable to get task %w: ", err)
 			}
 		}

-		if found {
-			status, _ := t.Status(ctx)
-			fmt.Printf("Status of %s is: %s\n", name, status.Status)
-
-			log.Printf("Need to kill %s\n", name)
-			err := killTask(ctx, t)
+		if taskFound {
+			status, err := t.Status(ctx)
 			if err != nil {
-				return fmt.Errorf("error killing task %s, %s, %s", container.ID(), name, err)
+				log.Printf("Unable to get status for: %s, error: %s", name, err.Error())
+			} else {
+				log.Printf("Status of %s is: %s\n", name, status.Status)
+			}
+
+			log.Printf("Need to kill task: %s\n", name)
+			if err = killTask(ctx, t); err != nil {
+				return fmt.Errorf("error killing task %s, %s, %w", container.ID(), name, err)
 			}
 		}

-		err = container.Delete(ctx, containerd.WithSnapshotCleanup)
-		if err != nil {
-			return fmt.Errorf("error deleting container %s, %s, %s", container.ID(), name, err)
+		if err := container.Delete(ctx, containerd.WithSnapshotCleanup); err != nil {
+			return fmt.Errorf("error deleting container %s, %s, %w", container.ID(), name, err)
 		}
+
 	} else {
 		service := client.SnapshotService("")
 		key := name + "snapshot"
@ -70,14 +73,16 @@ func killTask(ctx context.Context, task containerd.Task) error {
 	wg := &sync.WaitGroup{}
 	wg.Add(1)
 	var err error
+
 	go func() {
 		defer wg.Done()
 		if task != nil {
 			wait, err := task.Wait(ctx)
 			if err != nil {
-				err = fmt.Errorf("error waiting on task: %s", err)
+				log.Printf("error waiting on task: %s", err)
 				return
 			}
+
 			if err := task.Kill(ctx, unix.SIGTERM, containerd.WithKillAll); err != nil {
 				log.Printf("error killing container task: %s", err)
 			}
@ -114,6 +119,7 @@ func getResolver(ctx context.Context, configFile *configfile.ConfigFile) (remote
 		}
 		return ac.Username, ac.Password, nil
 	}
+
 	authOpts := []docker.AuthorizerOpt{docker.WithAuthCreds(credFunc)}
 	authorizer := docker.NewDockerAuthorizer(authOpts...)
 	opts := docker.ResolverOptions{
@ -128,7 +134,7 @@ func PrepareImage(ctx context.Context, client *containerd.Client, imageName, sna
 		resolver remotes.Resolver
 	)

-	if _, stErr := os.Stat(filepath.Join(dockerConfigDir, config.ConfigFileName)); stErr == nil {
+	if _, statErr := os.Stat(filepath.Join(dockerConfigDir, config.ConfigFileName)); statErr == nil {
 		configFile, err := config.Load(dockerConfigDir)
 		if err != nil {
 			return nil, err
@ -137,8 +143,8 @@ func PrepareImage(ctx context.Context, client *containerd.Client, imageName, sna
 		if err != nil {
 			return empty, err
 		}
-	} else if !os.IsNotExist(stErr) {
-		return empty, stErr
+	} else if !os.IsNotExist(statErr) {
+		return empty, statErr
 	}

 	var image containerd.Image
@ -150,7 +156,6 @@ func PrepareImage(ctx context.Context, client *containerd.Client, imageName, sna

 		image = img
 	} else {
-
 		img, err := client.GetImage(ctx, imageName)
 		if err != nil {
 			if !errdefs.IsNotFound(err) {
@ -187,9 +192,11 @@ func pullImage(ctx context.Context, client *containerd.Client, resolver remotes.
 	rOpts := []containerd.RemoteOpt{
 		containerd.WithPullUnpack,
 	}
+
 	if resolver != nil {
 		rOpts = append(rOpts, containerd.WithResolver(resolver))
 	}
+
 	img, err := client.Pull(ctx, imageName, rOpts...)
 	if err != nil {
 		return empty, fmt.Errorf("cannot pull: %s", err)
--- a/pkg/supervisor.go
+++ b/pkg/supervisor.go
@ -7,34 +7,53 @@ import (
 	"log"
 	"os"
 	"path"
+	"sort"
+	"strconv"
+	"strings"

+	"github.com/alexellis/arkade/pkg/env"
+	"github.com/compose-spec/compose-go/loader"
+	compose "github.com/compose-spec/compose-go/types"
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/oci"
 	gocni "github.com/containerd/go-cni"
+	"github.com/docker/distribution/reference"
 	"github.com/openfaas/faasd/pkg/cninetwork"
 	"github.com/openfaas/faasd/pkg/service"
+	"github.com/pkg/errors"

 	"github.com/containerd/containerd/namespaces"
+	units "github.com/docker/go-units"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )

 const (
-	defaultSnapshotter         = "overlayfs"
-	workingDirectoryPermission = 0644
-	// faasdNamespace is the containerd namespace services are created
-	faasdNamespace         = "default"
-	faasServicesPullAlways = false
+	// workingDirectoryPermission user read/write/execute, group and others: read-only
+	workingDirectoryPermission = 0744
 )

 type Service struct {
-	Image  string
-	Env    []string
-	Name   string
-	Mounts []Mount
-	Caps   []string
-	Args   []string
+	// Image is the container image registry reference, in an OCI format.
+	Image     string
+	Env       []string
+	Name      string
+	Mounts    []Mount
+	Caps      []string
+	Args      []string
+	DependsOn []string
+	Ports     []ServicePort
+
+	// User in the docker-compose.yaml spec can set as follows:
+	// a user-id, username, userid:groupid or user:group
+	User string
+}
+
+type ServicePort struct {
+	TargetPort uint32
+	Port       uint32
+	HostIP     string
 }

 type Mount struct {
@ -65,7 +84,7 @@ func NewSupervisor(sock string) (*Supervisor, error) {
 }

 func (s *Supervisor) Start(svcs []Service) error {
-	ctx := namespaces.WithNamespace(context.Background(), faasdNamespace)
+	ctx := namespaces.WithNamespace(context.Background(), FaasdNamespace)

 	wd, _ := os.Getwd()

@ -87,24 +106,45 @@ func (s *Supervisor) Start(svcs []Service) error {
 	images := map[string]containerd.Image{}

 	for _, svc := range svcs {
-		fmt.Printf("Preparing: %s with image: %s\n", svc.Name, svc.Image)
+		fmt.Printf("Preparing %s with image: %s\n", svc.Name, svc.Image)

-		img, err := service.PrepareImage(ctx, s.client, svc.Image, defaultSnapshotter, faasServicesPullAlways)
+		r, err := reference.ParseNormalizedNamed(svc.Image)
+		if err != nil {
+			return err
+		}
+
+		imgRef := reference.TagNameOnly(r).String()
+
+		img, err := service.PrepareImage(ctx, s.client, imgRef, defaultSnapshotter, faasServicesPullAlways)
 		if err != nil {
 			return err
 		}
 		images[svc.Name] = img
 		size, _ := img.Size(ctx)
-		fmt.Printf("Prepare done for: %s, %d bytes\n", svc.Image, size)
+		fmt.Printf("Prepare done for: %s, %s\n", svc.Image, units.HumanSize(float64(size)))
 	}

 	for _, svc := range svcs {
-		fmt.Printf("Reconciling: %s\n", svc.Name)
-
+		fmt.Printf("Removing old container for: %s\n", svc.Name)
 		containerErr := service.Remove(ctx, s.client, svc.Name)
 		if containerErr != nil {
 			return containerErr
 		}
+	}
+
+	order := buildDeploymentOrder(svcs)
+
+	for _, key := range order {
+
+		var svc *Service
+		for _, s := range svcs {
+			if s.Name == key {
+				svc = &s
+				break
+			}
+		}
+
+		fmt.Printf("Starting: %s\n", svc.Name)

 		image := images[svc.Name]

@ -117,8 +157,29 @@ func (s *Supervisor) Start(svcs []Service) error {
 					Type:        "bind",
 					Options:     []string{"rbind", "rw"},
 				})
-			}

+				// Only create directories, not files.
+				// Some files don't have a suffix, such as secrets.
+				if len(path.Ext(mnt.Src)) == 0 &&
+					!strings.HasPrefix(mnt.Src, "/var/lib/faasd/secrets/") {
+					// src is already prefixed with wd from an earlier step
+					src := mnt.Src
+					fmt.Printf("Creating local directory: %s\n", src)
+					if err := os.MkdirAll(src, workingDirectoryPermission); err != nil {
+						if !errors.Is(os.ErrExist, err) {
+							fmt.Printf("Unable to create: %s, %s\n", src, err)
+						}
+					}
+					if len(svc.User) > 0 {
+						uid, err := strconv.Atoi(svc.User)
+						if err == nil {
+							if err := os.Chown(src, uid, -1); err != nil {
+								fmt.Printf("Unable to chown: %s to %d, error: %s\n", src, uid, err)
+							}
+						}
+					}
+				}
+			}
 		}

 		mounts = append(mounts, specs.Mount{
@ -135,59 +196,67 @@ func (s *Supervisor) Start(svcs []Service) error {
 			Options:     []string{"rbind", "ro"},
 		})

-		newContainer, containerCreateErr := s.client.NewContainer(
+		if len(svc.User) > 0 {
+			log.Printf("Running %s with user: %q", svc.Name, svc.User)
+		}
+
+		newContainer, err := s.client.NewContainer(
 			ctx,
 			svc.Name,
 			containerd.WithImage(image),
 			containerd.WithNewSnapshot(svc.Name+"-snapshot", image),
 			containerd.WithNewSpec(oci.WithImageConfig(image),
+				oci.WithHostname(svc.Name),
+				withUserOrDefault(svc.User),
 				oci.WithCapabilities(svc.Caps),
 				oci.WithMounts(mounts),
 				withOCIArgs(svc.Args),
 				oci.WithEnv(svc.Env)),
 		)

-		if containerCreateErr != nil {
-			log.Printf("Error creating container %s\n", containerCreateErr)
-			return containerCreateErr
+		if err != nil {
+			log.Printf("Error creating container: %s\n", err)
+			return err
 		}

-		log.Printf("Created container %s\n", newContainer.ID())
+		log.Printf("Created container: %s\n", newContainer.ID())

-		task, err := newContainer.NewTask(ctx, cio.NewCreator(cio.WithStdio))
+		task, err := newContainer.NewTask(ctx, cio.BinaryIO("/usr/local/bin/faasd", nil))
 		if err != nil {
 			log.Printf("Error creating task: %s\n", err)
 			return err
 		}

 		labels := map[string]string{}
-		network, err := cninetwork.CreateCNINetwork(ctx, s.cni, task, labels)
-
+		_, err = cninetwork.CreateCNINetwork(ctx, s.cni, task, labels)
 		if err != nil {
+			log.Printf("Error creating CNI for %s: %s", svc.Name, err)
 			return err
 		}

-		ip, err := cninetwork.GetIPAddress(network, task)
+		ip, err := cninetwork.GetIPAddress(svc.Name, task.Pid())
 		if err != nil {
+			log.Printf("Error getting IP for %s: %s", svc.Name, err)
 			return err
 		}
-		log.Printf("%s has IP: %s\n", newContainer.ID(), ip.String())

-		hosts, _ := ioutil.ReadFile("hosts")
+		log.Printf("%s has IP: %s\n", newContainer.ID(), ip)
+
+		hosts, err := ioutil.ReadFile("hosts")
+		if err != nil {
+			log.Printf("Unable to read hosts file: %s\n", err.Error())
+		}

 		hosts = []byte(string(hosts) + fmt.Sprintf(`
 %s	%s
 `, ip, svc.Name))
-		writeErr := ioutil.WriteFile("hosts", hosts, workingDirectoryPermission)

-		if writeErr != nil {
-			log.Printf("Error writing file %s %s\n", "hosts", writeErr)
+		if err := ioutil.WriteFile("hosts", hosts, workingDirectoryPermission); err != nil {
+			log.Printf("Error writing file: %s %s\n", "hosts", err)
 		}
-		// os.Chown("hosts", 101, 101)

-		_, err = task.Wait(ctx)
-		if err != nil {
-			log.Printf("Wait err: %s\n", err)
+		if _, err := task.Wait(ctx); err != nil {
+			log.Printf("Task wait error: %s\n", err)
 			return err
 		}

@ -195,7 +264,7 @@ func (s *Supervisor) Start(svcs []Service) error {
 		// log.Println("Exited: ", exitStatusC)

 		if err = task.Start(ctx); err != nil {
-			log.Printf("Task err: %s\n", err)
+			log.Printf("Task start error: %s\n", err)
 			return err
 		}
 	}
@ -208,7 +277,7 @@ func (s *Supervisor) Close() {
 }

 func (s *Supervisor) Remove(svcs []Service) error {
-	ctx := namespaces.WithNamespace(context.Background(), faasdNamespace)
+	ctx := namespaces.WithNamespace(context.Background(), FaasdNamespace)

 	for _, svc := range svcs {
 		err := cninetwork.DeleteCNINetwork(ctx, s.cni, s.client, svc.Name)
@ -225,6 +294,16 @@ func (s *Supervisor) Remove(svcs []Service) error {
 	return nil
 }

+func withUserOrDefault(userstr string) oci.SpecOpts {
+	if len(userstr) > 0 {
+		return oci.WithUser(userstr)
+	}
+
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+		return nil
+	}
+}
+
 func withOCIArgs(args []string) oci.SpecOpts {
 	if len(args) > 0 {
 		return oci.WithProcessArgs(args...)
@ -234,3 +313,137 @@ func withOCIArgs(args []string) oci.SpecOpts {
 		return nil
 	}
 }
+
+// ParseCompose converts a docker-compose Config into a service list that we can
+// pass to the supervisor client Start.
+//
+// The only anticipated error is a failure if the value mounts are not of type 	`bind`.
+func ParseCompose(config *compose.Config) ([]Service, error) {
+	services := make([]Service, len(config.Services))
+	for idx, s := range config.Services {
+		// environment is a map[string]*string
+		// but we want a []string
+
+		var env []string
+
+		envKeys := sortedEnvKeys(s.Environment)
+		for _, name := range envKeys {
+			value := s.Environment[name]
+			if value == nil {
+				env = append(env, fmt.Sprintf(`%s=""`, name))
+			} else {
+				env = append(env, fmt.Sprintf(`%s=%s`, name, *value))
+			}
+		}
+
+		var mounts []Mount
+		for _, v := range s.Volumes {
+			if v.Type != "bind" {
+				return nil, errors.Errorf("unsupported volume mount type '%s' when parsing service '%s'", v.Type, s.Name)
+			}
+			mounts = append(mounts, Mount{
+				Src:  v.Source,
+				Dest: v.Target,
+			})
+		}
+
+		services[idx] = Service{
+			Name:  s.Name,
+			Image: s.Image,
+			// ShellCommand is just an alias of string slice
+			Args:      []string(s.Command),
+			Caps:      s.CapAdd,
+			Env:       env,
+			Mounts:    mounts,
+			DependsOn: s.DependsOn,
+			User:      s.User,
+			Ports:     convertPorts(s.Ports),
+		}
+	}
+
+	return services, nil
+}
+
+func convertPorts(ports []compose.ServicePortConfig) []ServicePort {
+	servicePorts := []ServicePort{}
+	for _, p := range ports {
+		servicePorts = append(servicePorts, ServicePort{
+			Port:       p.Published,
+			TargetPort: p.Target,
+			HostIP:     p.HostIP,
+		})
+	}
+
+	return servicePorts
+}
+
+// LoadComposeFile is a helper method for loading a docker-compose file
+func LoadComposeFile(wd string, file string) (*compose.Config, error) {
+	return LoadComposeFileWithArch(wd, file, env.GetClientArch)
+}
+
+// LoadComposeFileWithArch is a helper method for loading a docker-compose file
+func LoadComposeFileWithArch(wd string, file string, archGetter ArchGetter) (*compose.Config, error) {
+
+	file = path.Join(wd, file)
+	b, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := loader.ParseYAML(b)
+	if err != nil {
+		return nil, err
+	}
+
+	archSuffix, err := GetArchSuffix(archGetter)
+	if err != nil {
+		return nil, err
+	}
+
+	var files []compose.ConfigFile
+	files = append(files, compose.ConfigFile{Filename: file, Config: config})
+
+	return loader.Load(compose.ConfigDetails{
+		WorkingDir:  wd,
+		ConfigFiles: files,
+		Environment: map[string]string{
+			"ARCH_SUFFIX": archSuffix,
+		},
+	})
+}
+
+func sortedEnvKeys(env map[string]*string) (keys []string) {
+	for k := range env {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// ArchGetter provides client CPU architecture and
+// client OS
+type ArchGetter func() (string, string)
+
+// GetArchSuffix provides client CPU architecture and
+// client OS from ArchGetter
+func GetArchSuffix(getClientArch ArchGetter) (suffix string, err error) {
+	clientArch, clientOS := getClientArch()
+
+	if clientOS != "Linux" {
+		return "", fmt.Errorf("you can only use faasd with Linux")
+	}
+
+	switch clientArch {
+	case "x86_64":
+		// no suffix needed
+		return "", nil
+	case "armhf", "armv7l":
+		return "-armhf", nil
+	case "arm64", "aarch64":
+		return "-arm64", nil
+	default:
+		// unknown, so use the default without suffix for now
+		return "", nil
+	}
+}
--- a/pkg/supervisor_test.go
+++ b/pkg/supervisor_test.go
@ -0,0 +1,262 @@
+package pkg
+
+import (
+	"path"
+	"reflect"
+	"testing"
+)
+
+func Test_ParseCompose(t *testing.T) {
+
+	wd := "testdata"
+
+	want := map[string]Service{
+		"basic-auth-plugin": {
+			Name:  "basic-auth-plugin",
+			Image: "docker.io/openfaas/basic-auth-plugin:0.18.17",
+			Env: []string{
+				"pass_filename=basic-auth-password",
+				"port=8080",
+				"secret_mount_path=/run/secrets",
+				"user_filename=basic-auth-user",
+			},
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-password"),
+					Dest: path.Join("/run/secrets", "basic-auth-password"),
+				},
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-user"),
+					Dest: path.Join("/run/secrets", "basic-auth-user"),
+				},
+			},
+			Caps: []string{"CAP_NET_RAW"},
+		},
+		"nats": {
+			Name:  "nats",
+			Image: "docker.io/library/nats-streaming:0.11.2",
+			Args:  []string{"/nats-streaming-server", "-m", "8222", "--store=memory", "--cluster_id=faas-cluster"},
+		},
+		"prometheus": {
+			Name:  "prometheus",
+			Image: "docker.io/prom/prometheus:v2.14.0",
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "prometheus.yml"),
+					Dest: "/etc/prometheus/prometheus.yml",
+				},
+			},
+			Caps: []string{"CAP_NET_RAW"},
+		},
+		"gateway": {
+			Name: "gateway",
+			Env: []string{
+				"auth_proxy_pass_body=false",
+				"auth_proxy_url=http://basic-auth-plugin:8080/validate",
+				"basic_auth=true",
+				"direct_functions=false",
+				"faas_nats_address=nats",
+				"faas_nats_port=4222",
+				"functions_provider_url=http://faasd-provider:8081/",
+				"read_timeout=60s",
+				"scale_from_zero=true",
+				"secret_mount_path=/run/secrets",
+				"upstream_timeout=65s",
+				"write_timeout=60s",
+			},
+			Image: "docker.io/openfaas/gateway:0.18.17",
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-password"),
+					Dest: path.Join("/run/secrets", "basic-auth-password"),
+				},
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-user"),
+					Dest: path.Join("/run/secrets", "basic-auth-user"),
+				},
+			},
+			Caps:      []string{"CAP_NET_RAW"},
+			DependsOn: []string{"nats"},
+		},
+		"queue-worker": {
+			Name: "queue-worker",
+			Env: []string{
+				"ack_wait=5m5s",
+				"basic_auth=true",
+				"faas_gateway_address=gateway",
+				"faas_nats_address=nats",
+				"faas_nats_port=4222",
+				"gateway_invoke=true",
+				"max_inflight=1",
+				"secret_mount_path=/run/secrets",
+				"write_debug=false",
+			},
+			Image: "docker.io/openfaas/queue-worker:0.11.2",
+			Mounts: []Mount{
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-password"),
+					Dest: path.Join("/run/secrets", "basic-auth-password"),
+				},
+				{
+					Src:  path.Join(wd, "secrets", "basic-auth-user"),
+					Dest: path.Join("/run/secrets", "basic-auth-user"),
+				},
+			},
+			Caps: []string{"CAP_NET_RAW"},
+		},
+	}
+
+	compose, err := LoadComposeFileWithArch(wd, "docker-compose.yaml", func() (string, string) { return "x86_64", "Linux" })
+	if err != nil {
+		t.Fatalf("can't read docker-compose file: %s", err)
+	}
+
+	services, err := ParseCompose(compose)
+	if err != nil {
+		t.Fatalf("can't parse compose services: %s", err)
+	}
+
+	if len(services) != len(want) {
+		t.Fatalf("want: %d services, got: %d", len(want), len(services))
+	}
+
+	for _, service := range services {
+		exp, ok := want[service.Name]
+
+		if service.Name == "gateway" {
+			if len(service.DependsOn) == 0 {
+				t.Fatalf("gateway should have at least one depends_on entry")
+			}
+		}
+
+		if !ok {
+			t.Fatalf("incorrect service: %s", service.Name)
+		}
+
+		if service.Name != exp.Name {
+			t.Fatalf("incorrect service Name:\n\twant: %s,\n\tgot: %s", exp.Name, service.Name)
+		}
+
+		if service.Image != exp.Image {
+			t.Fatalf("incorrect service Image:\n\twant: %s,\n\tgot: %s", exp.Image, service.Image)
+		}
+
+		equalStringSlice(t, exp.Env, service.Env)
+		equalStringSlice(t, exp.Caps, service.Caps)
+		equalStringSlice(t, exp.Args, service.Args)
+
+		if !reflect.DeepEqual(exp.Mounts, service.Mounts) {
+			t.Fatalf("incorrect service Mounts:\n\twant: %+v,\n\tgot: %+v", exp.Mounts, service.Mounts)
+		}
+	}
+}
+
+func equalStringSlice(t *testing.T, want, found []string) {
+	t.Helper()
+	if (want == nil) != (found == nil) {
+		t.Fatalf("unexpected nil slice: want %+v, got %+v", want, found)
+	}
+
+	if len(want) != len(found) {
+		t.Fatalf("unequal slice length: want %+v, got %+v", want, found)
+	}
+
+	for i := range want {
+		if want[i] != found[i] {
+			t.Fatalf("unexpected value at postition %d: want %s, got %s", i, want[i], found[i])
+		}
+	}
+}
+
+func equalMountSlice(t *testing.T, want, found []Mount) {
+	t.Helper()
+	if (want == nil) != (found == nil) {
+		t.Fatalf("unexpected nil slice: want %+v, got %+v", want, found)
+	}
+
+	if len(want) != len(found) {
+		t.Fatalf("unequal slice length: want %+v, got %+v", want, found)
+	}
+
+	for i := range want {
+		if !reflect.DeepEqual(want[i], found[i]) {
+			t.Fatalf("unexpected value at postition %d: want %s, got %s", i, want[i], found[i])
+		}
+	}
+}
+
+func Test_GetArchSuffix(t *testing.T) {
+	cases := []struct {
+		name      string
+		want      string
+		foundArch string
+		foundOS   string
+		err       string
+	}{
+		{
+			name:    "error if os is not linux",
+			foundOS: "mac",
+			err:     "you can only use faasd with Linux",
+		},
+		{
+			name:      "x86 has no suffix",
+			foundOS:   "Linux",
+			foundArch: "x86_64",
+			want:      "",
+		},
+		{
+			name:      "unknown arch has no suffix",
+			foundOS:   "Linux",
+			foundArch: "anything_else",
+			want:      "",
+		},
+		{
+			name:      "armhf has armhf suffix",
+			foundOS:   "Linux",
+			foundArch: "armhf",
+			want:      "-armhf",
+		},
+		{
+			name:      "armv7l has armhf suffix",
+			foundOS:   "Linux",
+			foundArch: "armv7l",
+			want:      "-armhf",
+		},
+		{
+			name:      "arm64 has arm64 suffix",
+			foundOS:   "Linux",
+			foundArch: "arm64",
+			want:      "-arm64",
+		},
+		{
+			name:      "aarch64 has arm64 suffix",
+			foundOS:   "Linux",
+			foundArch: "aarch64",
+			want:      "-arm64",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+
+			suffix, err := GetArchSuffix(testArchGetter(tc.foundArch, tc.foundOS))
+			if tc.err != "" && err == nil {
+				t.Fatalf("want error %s but got nil", tc.err)
+			} else if tc.err != "" && err.Error() != tc.err {
+				t.Fatalf("want error %s, got %s", tc.err, err.Error())
+			} else if tc.err == "" && err != nil {
+				t.Fatalf("unexpected error %s", err.Error())
+			}
+
+			if suffix != tc.want {
+				t.Fatalf("want suffix %s, got %s", tc.want, suffix)
+			}
+		})
+	}
+}
+
+func testArchGetter(arch, os string) ArchGetter {
+	return func() (string, string) {
+		return arch, os
+	}
+}
--- a/pkg/testdata/docker-compose.yaml
+++ b/pkg/testdata/docker-compose.yaml
@ -0,0 +1,98 @@
+version: "3.7"
+services:
+  basic-auth-plugin:
+    image: "docker.io/openfaas/basic-auth-plugin:0.18.17${ARCH_SUFFIX}"
+    environment:
+      - port=8080
+      - secret_mount_path=/run/secrets
+      - user_filename=basic-auth-user
+      - pass_filename=basic-auth-password
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+
+  nats:
+    image: docker.io/library/nats-streaming:0.11.2
+    command:
+      - "/nats-streaming-server"
+      - "-m"
+      - "8222"
+      - "--store=memory"
+      - "--cluster_id=faas-cluster"
+    ports:
+       - "127.0.0.1:8222:8222"
+
+  prometheus:
+    image: docker.io/prom/prometheus:v2.14.0
+    volumes:
+      - type: bind
+        source: ./prometheus.yml
+        target: /etc/prometheus/prometheus.yml
+    cap_add:
+      - CAP_NET_RAW
+    ports:
+       - "127.0.0.1:9090:9090"
+
+  gateway:
+    image: "docker.io/openfaas/gateway:0.18.17${ARCH_SUFFIX}"
+    environment:
+      - basic_auth=true
+      - functions_provider_url=http://faasd-provider:8081/
+      - direct_functions=false
+      - read_timeout=60s
+      - write_timeout=60s
+      - upstream_timeout=65s
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - auth_proxy_url=http://basic-auth-plugin:8080/validate
+      - auth_proxy_pass_body=false
+      - secret_mount_path=/run/secrets
+      - scale_from_zero=true
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - basic-auth-plugin
+      - nats
+      - prometheus
+    ports:
+       - "8080:8080"
+
+  queue-worker:
+    image: docker.io/openfaas/queue-worker:0.11.2
+    environment:
+      - faas_nats_address=nats
+      - faas_nats_port=4222
+      - gateway_invoke=true
+      - faas_gateway_address=gateway
+      - ack_wait=5m5s
+      - max_inflight=1
+      - write_debug=false
+      - basic_auth=true
+      - secret_mount_path=/run/secrets
+    volumes:
+      # we assume cwd == /var/lib/faasd
+      - type: bind
+        source: ./secrets/basic-auth-password
+        target: /run/secrets/basic-auth-password
+      - type: bind
+        source: ./secrets/basic-auth-user
+        target: /run/secrets/basic-auth-user
+    cap_add:
+      - CAP_NET_RAW
+    depends_on:
+      - nats
--- a/prometheus.yml
+++ b/prometheus.yml
@ -26,3 +26,7 @@ scrape_configs:
  - job_name: 'gateway'
    static_configs:
    - targets: ['gateway:8082']
+
+  - job_name: 'provider'
+    static_configs:
+    - targets: ['faasd-provider:8081']
--- a/vendor/github.com/Microsoft/hcsshim/pkg/go-runhcs/LICENSE
+++ b/vendor/github.com/Microsoft/hcsshim/pkg/go-runhcs/LICENSE
--- a/vendor/github.com/AdaLogics/go-fuzz-headers/README.md
+++ b/vendor/github.com/AdaLogics/go-fuzz-headers/README.md
@ -0,0 +1,93 @@
+# go-fuzz-headers
+This repository contains various helper functions for go fuzzing. It is mostly used in combination with [go-fuzz](https://github.com/dvyukov/go-fuzz), but compatibility with fuzzing in the standard library will also be supported. Any coverage guided fuzzing engine that provides an array or slice of bytes can be used with go-fuzz-headers.
+
+
+## Usage
+Using go-fuzz-headers is easy. First create a new consumer with the bytes provided by the fuzzing engine:
+
+```go
+import (
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+)
+data := []byte{'R', 'a', 'n', 'd', 'o', 'm'}
+f := fuzz.NewConsumer(data)
+
+```
+
+This creates a `Consumer` that consumes the bytes of the input as it uses them to fuzz different types.
+
+After that, `f` can be used to easily create fuzzed instances of different types. Below are some examples:
+
+### Structs
+One of the most useful features of go-fuzz-headers is its ability to fill structs with the data provided by the fuzzing engine. This is done with a single line:
+```go
+type Person struct {
+    Name string
+    Age  int
+}
+p := Person{}
+// Fill p with values based on the data provided by the fuzzing engine:
+err := f.GenerateStruct(&p)
+```
+
+This includes nested structs too. In this example, the fuzz Consumer will also insert values in `p.BestFriend`:
+```go
+type PersonI struct {
+    Name       string
+    Age        int
+    BestFriend PersonII
+}
+type PersonII struct {
+    Name string
+    Age  int
+}
+p := PersonI{}
+err := f.GenerateStruct(&p)
+```
+
+If the consumer should insert values for unexported fields as well as exported, this can be enabled with:
+
+```go
+f.AllowUnexportedFields()
+```
+
+...and disabled with:
+
+```go
+f.DisallowUnexportedFields()
+```
+
+### Other types:
+
+Other useful APIs:
+
+```go
+createdString, err := f.GetString() // Gets a string
+createdInt, err := f.GetInt() // Gets an integer
+createdByte, err := f.GetByte() // Gets a byte
+createdBytes, err := f.GetBytes() // Gets a byte slice
+createdBool, err := f.GetBool() // Gets a boolean
+err := f.FuzzMap(target_map) // Fills a map
+createdTarBytes, err := f.TarBytes() // Gets bytes of a valid tar archive
+err := f.CreateFiles(inThisDir) // Fills inThisDir with files
+createdString, err := f.GetStringFrom("anyCharInThisString", ofThisLength) // Gets a string that consists of chars from "anyCharInThisString" and has the exact length "ofThisLength"
+```
+
+Most APIs are added as they are needed.
+
+## Projects that use go-fuzz-headers
+- [runC](https://github.com/opencontainers/runc)
+- [Istio](https://github.com/istio/istio)
+- [Vitess](https://github.com/vitessio/vitess)
+- [Containerd](https://github.com/containerd/containerd)
+
+Feel free to add your own project to the list, if you use go-fuzz-headers to fuzz it.
+
+
+ 
+
+## Status
+The project is under development and will be updated regularly.
+
+## References
+go-fuzz-headers' approach to fuzzing structs is strongly inspired by [gofuzz](https://github.com/google/gofuzz).
--- a/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go
+++ b/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go
@ -0,0 +1,899 @@
+// Copyright 2023 The go-fuzz-headers Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gofuzzheaders
+
+import (
+	"archive/tar"
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"time"
+	"unsafe"
+
+	securejoin "github.com/cyphar/filepath-securejoin"
+)
+
+var (
+	MaxTotalLen uint32 = 2000000
+	maxDepth           = 100
+)
+
+func SetMaxTotalLen(newLen uint32) {
+	MaxTotalLen = newLen
+}
+
+type ConsumeFuzzer struct {
+	data                 []byte
+	dataTotal            uint32
+	CommandPart          []byte
+	RestOfArray          []byte
+	NumberOfCalls        int
+	position             uint32
+	fuzzUnexportedFields bool
+	curDepth             int
+	Funcs                map[reflect.Type]reflect.Value
+}
+
+func IsDivisibleBy(n int, divisibleby int) bool {
+	return (n % divisibleby) == 0
+}
+
+func NewConsumer(fuzzData []byte) *ConsumeFuzzer {
+	return &ConsumeFuzzer{
+		data:      fuzzData,
+		dataTotal: uint32(len(fuzzData)),
+		Funcs:     make(map[reflect.Type]reflect.Value),
+		curDepth:  0,
+	}
+}
+
+func (f *ConsumeFuzzer) Split(minCalls, maxCalls int) error {
+	if f.dataTotal == 0 {
+		return errors.New("could not split")
+	}
+	numberOfCalls := int(f.data[0])
+	if numberOfCalls < minCalls || numberOfCalls > maxCalls {
+		return errors.New("bad number of calls")
+	}
+	if int(f.dataTotal) < numberOfCalls+numberOfCalls+1 {
+		return errors.New("length of data does not match required parameters")
+	}
+
+	// Define part 2 and 3 of the data array
+	commandPart := f.data[1 : numberOfCalls+1]
+	restOfArray := f.data[numberOfCalls+1:]
+
+	// Just a small check. It is necessary
+	if len(commandPart) != numberOfCalls {
+		return errors.New("length of commandPart does not match number of calls")
+	}
+
+	// Check if restOfArray is divisible by numberOfCalls
+	if !IsDivisibleBy(len(restOfArray), numberOfCalls) {
+		return errors.New("length of commandPart does not match number of calls")
+	}
+	f.CommandPart = commandPart
+	f.RestOfArray = restOfArray
+	f.NumberOfCalls = numberOfCalls
+	return nil
+}
+
+func (f *ConsumeFuzzer) AllowUnexportedFields() {
+	f.fuzzUnexportedFields = true
+}
+
+func (f *ConsumeFuzzer) DisallowUnexportedFields() {
+	f.fuzzUnexportedFields = false
+}
+
+func (f *ConsumeFuzzer) GenerateStruct(targetStruct interface{}) error {
+	e := reflect.ValueOf(targetStruct).Elem()
+	return f.fuzzStruct(e, false)
+}
+
+func (f *ConsumeFuzzer) setCustom(v reflect.Value) error {
+	// First: see if we have a fuzz function for it.
+	doCustom, ok := f.Funcs[v.Type()]
+	if !ok {
+		return fmt.Errorf("could not find a custom function")
+	}
+
+	switch v.Kind() {
+	case reflect.Ptr:
+		if v.IsNil() {
+			if !v.CanSet() {
+				return fmt.Errorf("could not use a custom function")
+			}
+			v.Set(reflect.New(v.Type().Elem()))
+		}
+	case reflect.Map:
+		if v.IsNil() {
+			if !v.CanSet() {
+				return fmt.Errorf("could not use a custom function")
+			}
+			v.Set(reflect.MakeMap(v.Type()))
+		}
+	default:
+		return fmt.Errorf("could not use a custom function")
+	}
+
+	verr := doCustom.Call([]reflect.Value{v, reflect.ValueOf(Continue{
+		F: f,
+	})})
+
+	// check if we return an error
+	if verr[0].IsNil() {
+		return nil
+	}
+	return fmt.Errorf("could not use a custom function")
+}
+
+func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error {
+	if f.curDepth >= maxDepth {
+		// return err or nil here?
+		return nil
+	}
+	f.curDepth++
+	defer func() { f.curDepth-- }()
+
+	// We check if we should check for custom functions
+	if customFunctions && e.IsValid() && e.CanAddr() {
+		err := f.setCustom(e.Addr())
+		if err != nil {
+			return err
+		}
+	}
+
+	switch e.Kind() {
+	case reflect.Struct:
+		for i := 0; i < e.NumField(); i++ {
+			var v reflect.Value
+			if !e.Field(i).CanSet() {
+				if f.fuzzUnexportedFields {
+					v = reflect.NewAt(e.Field(i).Type(), unsafe.Pointer(e.Field(i).UnsafeAddr())).Elem()
+				}
+				if err := f.fuzzStruct(v, customFunctions); err != nil {
+					return err
+				}
+			} else {
+				v = e.Field(i)
+				if err := f.fuzzStruct(v, customFunctions); err != nil {
+					return err
+				}
+			}
+		}
+	case reflect.String:
+		str, err := f.GetString()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetString(str)
+		}
+	case reflect.Slice:
+		var maxElements uint32
+		// Byte slices should not be restricted
+		if e.Type().String() == "[]uint8" {
+			maxElements = 10000000
+		} else {
+			maxElements = 50
+		}
+
+		randQty, err := f.GetUint32()
+		if err != nil {
+			return err
+		}
+		numOfElements := randQty % maxElements
+		if (f.dataTotal - f.position) < numOfElements {
+			numOfElements = f.dataTotal - f.position
+		}
+
+		uu := reflect.MakeSlice(e.Type(), int(numOfElements), int(numOfElements))
+
+		for i := 0; i < int(numOfElements); i++ {
+			// If we have more than 10, then we can proceed with that.
+			if err := f.fuzzStruct(uu.Index(i), customFunctions); err != nil {
+				if i >= 10 {
+					if e.CanSet() {
+						e.Set(uu)
+					}
+					return nil
+				} else {
+					return err
+				}
+			}
+		}
+		if e.CanSet() {
+			e.Set(uu)
+		}
+	case reflect.Uint16:
+		newInt, err := f.GetUint16()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetUint(uint64(newInt))
+		}
+	case reflect.Uint32:
+		newInt, err := f.GetUint32()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetUint(uint64(newInt))
+		}
+	case reflect.Uint64:
+		newInt, err := f.GetInt()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetUint(uint64(newInt))
+		}
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		newInt, err := f.GetInt()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetInt(int64(newInt))
+		}
+	case reflect.Float32:
+		newFloat, err := f.GetFloat32()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetFloat(float64(newFloat))
+		}
+	case reflect.Float64:
+		newFloat, err := f.GetFloat64()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetFloat(float64(newFloat))
+		}
+	case reflect.Map:
+		if e.CanSet() {
+			e.Set(reflect.MakeMap(e.Type()))
+			const maxElements = 50
+			randQty, err := f.GetInt()
+			if err != nil {
+				return err
+			}
+			numOfElements := randQty % maxElements
+			for i := 0; i < numOfElements; i++ {
+				key := reflect.New(e.Type().Key()).Elem()
+				if err := f.fuzzStruct(key, customFunctions); err != nil {
+					return err
+				}
+				val := reflect.New(e.Type().Elem()).Elem()
+				if err = f.fuzzStruct(val, customFunctions); err != nil {
+					return err
+				}
+				e.SetMapIndex(key, val)
+			}
+		}
+	case reflect.Ptr:
+		if e.CanSet() {
+			e.Set(reflect.New(e.Type().Elem()))
+			if err := f.fuzzStruct(e.Elem(), customFunctions); err != nil {
+				return err
+			}
+			return nil
+		}
+	case reflect.Uint8:
+		b, err := f.GetByte()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetUint(uint64(b))
+		}
+	}
+	return nil
+}
+
+func (f *ConsumeFuzzer) GetStringArray() (reflect.Value, error) {
+	// The max size of the array:
+	const max uint32 = 20
+
+	arraySize := f.position
+	if arraySize > max {
+		arraySize = max
+	}
+	stringArray := reflect.MakeSlice(reflect.SliceOf(reflect.TypeOf("string")), int(arraySize), int(arraySize))
+	if f.position+arraySize >= f.dataTotal {
+		return stringArray, errors.New("could not make string array")
+	}
+
+	for i := 0; i < int(arraySize); i++ {
+		stringSize := uint32(f.data[f.position])
+		if f.position+stringSize >= f.dataTotal {
+			return stringArray, nil
+		}
+		stringToAppend := string(f.data[f.position : f.position+stringSize])
+		strVal := reflect.ValueOf(stringToAppend)
+		stringArray = reflect.Append(stringArray, strVal)
+		f.position += stringSize
+	}
+	return stringArray, nil
+}
+
+func (f *ConsumeFuzzer) GetInt() (int, error) {
+	if f.position >= f.dataTotal {
+		return 0, errors.New("not enough bytes to create int")
+	}
+	returnInt := int(f.data[f.position])
+	f.position++
+	return returnInt, nil
+}
+
+func (f *ConsumeFuzzer) GetByte() (byte, error) {
+	if f.position >= f.dataTotal {
+		return 0x00, errors.New("not enough bytes to get byte")
+	}
+	returnByte := f.data[f.position]
+	f.position++
+	return returnByte, nil
+}
+
+func (f *ConsumeFuzzer) GetNBytes(numberOfBytes int) ([]byte, error) {
+	if f.position >= f.dataTotal {
+		return nil, errors.New("not enough bytes to get byte")
+	}
+	returnBytes := make([]byte, 0, numberOfBytes)
+	for i := 0; i < numberOfBytes; i++ {
+		newByte, err := f.GetByte()
+		if err != nil {
+			return nil, err
+		}
+		returnBytes = append(returnBytes, newByte)
+	}
+	return returnBytes, nil
+}
+
+func (f *ConsumeFuzzer) GetUint16() (uint16, error) {
+	u16, err := f.GetNBytes(2)
+	if err != nil {
+		return 0, err
+	}
+	littleEndian, err := f.GetBool()
+	if err != nil {
+		return 0, err
+	}
+	if littleEndian {
+		return binary.LittleEndian.Uint16(u16), nil
+	}
+	return binary.BigEndian.Uint16(u16), nil
+}
+
+func (f *ConsumeFuzzer) GetUint32() (uint32, error) {
+	i, err := f.GetInt()
+	if err != nil {
+		return uint32(0), err
+	}
+	return uint32(i), nil
+}
+
+func (f *ConsumeFuzzer) GetUint64() (uint64, error) {
+	u64, err := f.GetNBytes(8)
+	if err != nil {
+		return 0, err
+	}
+	littleEndian, err := f.GetBool()
+	if err != nil {
+		return 0, err
+	}
+	if littleEndian {
+		return binary.LittleEndian.Uint64(u64), nil
+	}
+	return binary.BigEndian.Uint64(u64), nil
+}
+
+func (f *ConsumeFuzzer) GetBytes() ([]byte, error) {
+	if f.position >= f.dataTotal {
+		return nil, errors.New("not enough bytes to create byte array")
+	}
+	length, err := f.GetUint32()
+	if err != nil {
+		return nil, errors.New("not enough bytes to create byte array")
+	}
+	if f.position+length > MaxTotalLen {
+		return nil, errors.New("created too large a string")
+	}
+	byteBegin := f.position - 1
+	if byteBegin >= f.dataTotal {
+		return nil, errors.New("not enough bytes to create byte array")
+	}
+	if length == 0 {
+		return nil, errors.New("zero-length is not supported")
+	}
+	if byteBegin+length >= f.dataTotal {
+		return nil, errors.New("not enough bytes to create byte array")
+	}
+	if byteBegin+length < byteBegin {
+		return nil, errors.New("numbers overflow")
+	}
+	f.position = byteBegin + length
+	return f.data[byteBegin:f.position], nil
+}
+
+func (f *ConsumeFuzzer) GetString() (string, error) {
+	if f.position >= f.dataTotal {
+		return "nil", errors.New("not enough bytes to create string")
+	}
+	length, err := f.GetUint32()
+	if err != nil {
+		return "nil", errors.New("not enough bytes to create string")
+	}
+	if f.position > MaxTotalLen {
+		return "nil", errors.New("created too large a string")
+	}
+	byteBegin := f.position
+	if byteBegin >= f.dataTotal {
+		return "nil", errors.New("not enough bytes to create string")
+	}
+	if byteBegin+length > f.dataTotal {
+		return "nil", errors.New("not enough bytes to create string")
+	}
+	if byteBegin > byteBegin+length {
+		return "nil", errors.New("numbers overflow")
+	}
+	f.position = byteBegin + length
+	return string(f.data[byteBegin:f.position]), nil
+}
+
+func (f *ConsumeFuzzer) GetBool() (bool, error) {
+	if f.position >= f.dataTotal {
+		return false, errors.New("not enough bytes to create bool")
+	}
+	if IsDivisibleBy(int(f.data[f.position]), 2) {
+		f.position++
+		return true, nil
+	} else {
+		f.position++
+		return false, nil
+	}
+}
+
+func (f *ConsumeFuzzer) FuzzMap(m interface{}) error {
+	return f.GenerateStruct(m)
+}
+
+func returnTarBytes(buf []byte) ([]byte, error) {
+	// Count files
+	var fileCounter int
+	tr := tar.NewReader(bytes.NewReader(buf))
+	for {
+		_, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		fileCounter++
+	}
+	if fileCounter >= 1 {
+		return buf, nil
+	}
+	return nil, fmt.Errorf("not enough files were created\n")
+}
+
+func setTarHeaderFormat(hdr *tar.Header, f *ConsumeFuzzer) error {
+	ind, err := f.GetInt()
+	if err != nil {
+		return err
+	}
+	switch ind % 4 {
+	case 0:
+		hdr.Format = tar.FormatUnknown
+	case 1:
+		hdr.Format = tar.FormatUSTAR
+	case 2:
+		hdr.Format = tar.FormatPAX
+	case 3:
+		hdr.Format = tar.FormatGNU
+	}
+	return nil
+}
+
+func setTarHeaderTypeflag(hdr *tar.Header, f *ConsumeFuzzer) error {
+	ind, err := f.GetInt()
+	if err != nil {
+		return err
+	}
+	switch ind % 13 {
+	case 0:
+		hdr.Typeflag = tar.TypeReg
+	case 1:
+		hdr.Typeflag = tar.TypeLink
+		linkname, err := f.GetString()
+		if err != nil {
+			return err
+		}
+		hdr.Linkname = linkname
+	case 2:
+		hdr.Typeflag = tar.TypeSymlink
+		linkname, err := f.GetString()
+		if err != nil {
+			return err
+		}
+		hdr.Linkname = linkname
+	case 3:
+		hdr.Typeflag = tar.TypeChar
+	case 4:
+		hdr.Typeflag = tar.TypeBlock
+	case 5:
+		hdr.Typeflag = tar.TypeDir
+	case 6:
+		hdr.Typeflag = tar.TypeFifo
+	case 7:
+		hdr.Typeflag = tar.TypeCont
+	case 8:
+		hdr.Typeflag = tar.TypeXHeader
+	case 9:
+		hdr.Typeflag = tar.TypeXGlobalHeader
+	case 10:
+		hdr.Typeflag = tar.TypeGNUSparse
+	case 11:
+		hdr.Typeflag = tar.TypeGNULongName
+	case 12:
+		hdr.Typeflag = tar.TypeGNULongLink
+	}
+	return nil
+}
+
+func tooSmallFileBody(length uint32) bool {
+	if length < 2 {
+		return true
+	}
+	if length < 4 {
+		return true
+	}
+	if length < 10 {
+		return true
+	}
+	if length < 100 {
+		return true
+	}
+	if length < 500 {
+		return true
+	}
+	if length < 1000 {
+		return true
+	}
+	if length < 2000 {
+		return true
+	}
+	if length < 4000 {
+		return true
+	}
+	if length < 8000 {
+		return true
+	}
+	if length < 16000 {
+		return true
+	}
+	if length < 32000 {
+		return true
+	}
+	if length < 64000 {
+		return true
+	}
+	if length < 128000 {
+		return true
+	}
+	if length < 264000 {
+		return true
+	}
+	return false
+}
+
+func (f *ConsumeFuzzer) createTarFileBody() ([]byte, error) {
+	length, err := f.GetUint32()
+	if err != nil {
+		return nil, errors.New("not enough bytes to create byte array")
+	}
+
+	shouldUseLargeFileBody, err := f.GetBool()
+	if err != nil {
+		return nil, errors.New("not enough bytes to check long file body")
+	}
+
+	if shouldUseLargeFileBody && tooSmallFileBody(length) {
+		return nil, errors.New("File body was too small")
+	}
+
+	// A bit of optimization to attempt to create a file body
+	// when we don't have as many bytes left as "length"
+	remainingBytes := f.dataTotal - f.position
+	if remainingBytes == 0 {
+		return nil, errors.New("created too large a string")
+	}
+	if f.position+length > MaxTotalLen {
+		return nil, errors.New("created too large a string")
+	}
+	byteBegin := f.position
+	if byteBegin >= f.dataTotal {
+		return nil, errors.New("not enough bytes to create byte array")
+	}
+	if length == 0 {
+		return nil, errors.New("zero-length is not supported")
+	}
+	if byteBegin+length >= f.dataTotal {
+		return nil, errors.New("not enough bytes to create byte array")
+	}
+	if byteBegin+length < byteBegin {
+		return nil, errors.New("numbers overflow")
+	}
+	f.position = byteBegin + length
+	return f.data[byteBegin:f.position], nil
+}
+
+// getTarFileName is similar to GetString(), but creates string based
+// on the length of f.data to reduce the likelihood of overflowing
+// f.data.
+func (f *ConsumeFuzzer) getTarFilename() (string, error) {
+	length, err := f.GetUint32()
+	if err != nil {
+		return "nil", errors.New("not enough bytes to create string")
+	}
+
+	// A bit of optimization to attempt to create a file name
+	// when we don't have as many bytes left as "length"
+	remainingBytes := f.dataTotal - f.position
+	if remainingBytes == 0 {
+		return "nil", errors.New("created too large a string")
+	}
+	if remainingBytes < 50 {
+		length = length % remainingBytes
+	} else if f.dataTotal < 500 {
+		length = length % f.dataTotal
+	}
+	if f.position > MaxTotalLen {
+		return "nil", errors.New("created too large a string")
+	}
+	byteBegin := f.position
+	if byteBegin >= f.dataTotal {
+		return "nil", errors.New("not enough bytes to create string")
+	}
+	if byteBegin+length > f.dataTotal {
+		return "nil", errors.New("not enough bytes to create string")
+	}
+	if byteBegin > byteBegin+length {
+		return "nil", errors.New("numbers overflow")
+	}
+	f.position = byteBegin + length
+	return string(f.data[byteBegin:f.position]), nil
+}
+
+// TarBytes returns valid bytes for a tar archive
+func (f *ConsumeFuzzer) TarBytes() ([]byte, error) {
+	numberOfFiles, err := f.GetInt()
+	if err != nil {
+		return nil, err
+	}
+
+	var buf bytes.Buffer
+	tw := tar.NewWriter(&buf)
+	defer tw.Close()
+
+	const maxNoOfFiles = 1000
+	for i := 0; i < numberOfFiles%maxNoOfFiles; i++ {
+		filename, err := f.getTarFilename()
+		if err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+		filebody, err := f.createTarFileBody()
+		if err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+		sec, err := f.GetInt()
+		if err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+		nsec, err := f.GetInt()
+		if err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+
+		hdr := &tar.Header{
+			Name:    filename,
+			Size:    int64(len(filebody)),
+			Mode:    0o600,
+			ModTime: time.Unix(int64(sec), int64(nsec)),
+		}
+		if err := setTarHeaderTypeflag(hdr, f); err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+		if err := setTarHeaderFormat(hdr, f); err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+		if err := tw.WriteHeader(hdr); err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+		if _, err := tw.Write(filebody); err != nil {
+			return returnTarBytes(buf.Bytes())
+		}
+	}
+	return buf.Bytes(), nil
+}
+
+// CreateFiles creates pseudo-random files in rootDir.
+// It creates subdirs and places the files there.
+// It is the callers responsibility to ensure that
+// rootDir exists.
+func (f *ConsumeFuzzer) CreateFiles(rootDir string) error {
+	numberOfFiles, err := f.GetInt()
+	if err != nil {
+		return err
+	}
+	maxNumberOfFiles := numberOfFiles % 4000 // This is completely arbitrary
+	if maxNumberOfFiles == 0 {
+		return errors.New("maxNumberOfFiles is nil")
+	}
+
+	var noOfCreatedFiles int
+	for i := 0; i < maxNumberOfFiles; i++ {
+		// The file to create:
+		fileName, err := f.GetString()
+		if err != nil {
+			if noOfCreatedFiles > 0 {
+				// If files have been created, we don't return an error.
+				break
+			} else {
+				return errors.New("could not get fileName")
+			}
+		}
+		fullFilePath, err := securejoin.SecureJoin(rootDir, fileName)
+		if err != nil {
+			return err
+		}
+
+		// Find the subdirectory of the file
+		if subDir := filepath.Dir(fileName); subDir != "" && subDir != "." {
+			// create the dir first; avoid going outside the root dir
+			if strings.Contains(subDir, "../") || (len(subDir) > 0 && subDir[0] == 47) || strings.Contains(subDir, "\\") {
+				continue
+			}
+			dirPath, err := securejoin.SecureJoin(rootDir, subDir)
+			if err != nil {
+				continue
+			}
+			if _, err := os.Stat(dirPath); os.IsNotExist(err) {
+				err2 := os.MkdirAll(dirPath, 0o777)
+				if err2 != nil {
+					continue
+				}
+			}
+			fullFilePath, err = securejoin.SecureJoin(dirPath, fileName)
+			if err != nil {
+				continue
+			}
+		} else {
+			// Create symlink
+			createSymlink, err := f.GetBool()
+			if err != nil {
+				if noOfCreatedFiles > 0 {
+					break
+				} else {
+					return errors.New("could not create the symlink")
+				}
+			}
+			if createSymlink {
+				symlinkTarget, err := f.GetString()
+				if err != nil {
+					return err
+				}
+				err = os.Symlink(symlinkTarget, fullFilePath)
+				if err != nil {
+					return err
+				}
+				// stop loop here, since a symlink needs no further action
+				noOfCreatedFiles++
+				continue
+			}
+			// We create a normal file
+			fileContents, err := f.GetBytes()
+			if err != nil {
+				if noOfCreatedFiles > 0 {
+					break
+				} else {
+					return errors.New("could not create the file")
+				}
+			}
+			err = os.WriteFile(fullFilePath, fileContents, 0o666)
+			if err != nil {
+				continue
+			}
+			noOfCreatedFiles++
+		}
+	}
+	return nil
+}
+
+// GetStringFrom returns a string that can only consist of characters
+// included in possibleChars. It returns an error if the created string
+// does not have the specified length.
+func (f *ConsumeFuzzer) GetStringFrom(possibleChars string, length int) (string, error) {
+	if (f.dataTotal - f.position) < uint32(length) {
+		return "", errors.New("not enough bytes to create a string")
+	}
+	output := make([]byte, 0, length)
+	for i := 0; i < length; i++ {
+		charIndex, err := f.GetInt()
+		if err != nil {
+			return string(output), err
+		}
+		output = append(output, possibleChars[charIndex%len(possibleChars)])
+	}
+	return string(output), nil
+}
+
+func (f *ConsumeFuzzer) GetRune() ([]rune, error) {
+	stringToConvert, err := f.GetString()
+	if err != nil {
+		return []rune("nil"), err
+	}
+	return []rune(stringToConvert), nil
+}
+
+func (f *ConsumeFuzzer) GetFloat32() (float32, error) {
+	u32, err := f.GetNBytes(4)
+	if err != nil {
+		return 0, err
+	}
+	littleEndian, err := f.GetBool()
+	if err != nil {
+		return 0, err
+	}
+	if littleEndian {
+		u32LE := binary.LittleEndian.Uint32(u32)
+		return math.Float32frombits(u32LE), nil
+	}
+	u32BE := binary.BigEndian.Uint32(u32)
+	return math.Float32frombits(u32BE), nil
+}
+
+func (f *ConsumeFuzzer) GetFloat64() (float64, error) {
+	u64, err := f.GetNBytes(8)
+	if err != nil {
+		return 0, err
+	}
+	littleEndian, err := f.GetBool()
+	if err != nil {
+		return 0, err
+	}
+	if littleEndian {
+		u64LE := binary.LittleEndian.Uint64(u64)
+		return math.Float64frombits(u64LE), nil
+	}
+	u64BE := binary.BigEndian.Uint64(u64)
+	return math.Float64frombits(u64BE), nil
+}
+
+func (f *ConsumeFuzzer) CreateSlice(targetSlice interface{}) error {
+	return f.GenerateStruct(targetSlice)
+}
--- a/vendor/github.com/AdaLogics/go-fuzz-headers/funcs.go
+++ b/vendor/github.com/AdaLogics/go-fuzz-headers/funcs.go
@ -0,0 +1,62 @@
+// Copyright 2023 The go-fuzz-headers Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gofuzzheaders
+
+import (
+	"fmt"
+	"reflect"
+)
+
+type Continue struct {
+	F *ConsumeFuzzer
+}
+
+func (f *ConsumeFuzzer) AddFuncs(fuzzFuncs []interface{}) {
+	for i := range fuzzFuncs {
+		v := reflect.ValueOf(fuzzFuncs[i])
+		if v.Kind() != reflect.Func {
+			panic("Need only funcs!")
+		}
+		t := v.Type()
+		if t.NumIn() != 2 || t.NumOut() != 1 {
+			fmt.Println(t.NumIn(), t.NumOut())
+
+			panic("Need 2 in and 1 out params. In must be the type. Out must be an error")
+		}
+		argT := t.In(0)
+		switch argT.Kind() {
+		case reflect.Ptr, reflect.Map:
+		default:
+			panic("fuzzFunc must take pointer or map type")
+		}
+		if t.In(1) != reflect.TypeOf(Continue{}) {
+			panic("fuzzFunc's second parameter must be type Continue")
+		}
+		f.Funcs[argT] = v
+	}
+}
+
+func (f *ConsumeFuzzer) GenerateWithCustom(targetStruct interface{}) error {
+	e := reflect.ValueOf(targetStruct).Elem()
+	return f.fuzzStruct(e, true)
+}
+
+func (c Continue) GenerateStruct(targetStruct interface{}) error {
+	return c.F.GenerateStruct(targetStruct)
+}
+
+func (c Continue) GenerateStructWithCustom(targetStruct interface{}) error {
+	return c.F.GenerateWithCustom(targetStruct)
+}
--- a/vendor/github.com/AdaLogics/go-fuzz-headers/sql.go
+++ b/vendor/github.com/AdaLogics/go-fuzz-headers/sql.go
@ -0,0 +1,556 @@
+// Copyright 2023 The go-fuzz-headers Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gofuzzheaders
+
+import (
+	"fmt"
+	"strings"
+)
+
+// returns a keyword by index
+func getKeyword(f *ConsumeFuzzer) (string, error) {
+	index, err := f.GetInt()
+	if err != nil {
+		return keywords[0], err
+	}
+	for i, k := range keywords {
+		if i == index {
+			return k, nil
+		}
+	}
+	return keywords[0], fmt.Errorf("could not get a kw")
+}
+
+// Simple utility function to check if a string
+// slice contains a string.
+func containsString(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}
+
+// These keywords are used specifically for fuzzing Vitess
+var keywords = []string{
+	"accessible", "action", "add", "after", "against", "algorithm",
+	"all", "alter", "always", "analyze", "and", "as", "asc", "asensitive",
+	"auto_increment", "avg_row_length", "before", "begin", "between",
+	"bigint", "binary", "_binary", "_utf8mb4", "_utf8", "_latin1", "bit",
+	"blob", "bool", "boolean", "both", "by", "call", "cancel", "cascade",
+	"cascaded", "case", "cast", "channel", "change", "char", "character",
+	"charset", "check", "checksum", "coalesce", "code", "collate", "collation",
+	"column", "columns", "comment", "committed", "commit", "compact", "complete",
+	"compressed", "compression", "condition", "connection", "constraint", "continue",
+	"convert", "copy", "cume_dist", "substr", "substring", "create", "cross",
+	"csv", "current_date", "current_time", "current_timestamp", "current_user",
+	"cursor", "data", "database", "databases", "day", "day_hour", "day_microsecond",
+	"day_minute", "day_second", "date", "datetime", "dec", "decimal", "declare",
+	"default", "definer", "delay_key_write", "delayed", "delete", "dense_rank",
+	"desc", "describe", "deterministic", "directory", "disable", "discard",
+	"disk", "distinct", "distinctrow", "div", "double", "do", "drop", "dumpfile",
+	"duplicate", "dynamic", "each", "else", "elseif", "empty", "enable",
+	"enclosed", "encryption", "end", "enforced", "engine", "engines", "enum",
+	"error", "escape", "escaped", "event", "exchange", "exclusive", "exists",
+	"exit", "explain", "expansion", "export", "extended", "extract", "false",
+	"fetch", "fields", "first", "first_value", "fixed", "float", "float4",
+	"float8", "flush", "for", "force", "foreign", "format", "from", "full",
+	"fulltext", "function", "general", "generated", "geometry", "geometrycollection",
+	"get", "global", "gtid_executed", "grant", "group", "grouping", "groups",
+	"group_concat", "having", "header", "high_priority", "hosts", "hour", "hour_microsecond",
+	"hour_minute", "hour_second", "if", "ignore", "import", "in", "index", "indexes",
+	"infile", "inout", "inner", "inplace", "insensitive", "insert", "insert_method",
+	"int", "int1", "int2", "int3", "int4", "int8", "integer", "interval",
+	"into", "io_after_gtids", "is", "isolation", "iterate", "invoker", "join",
+	"json", "json_table", "key", "keys", "keyspaces", "key_block_size", "kill", "lag",
+	"language", "last", "last_value", "last_insert_id", "lateral", "lead", "leading",
+	"leave", "left", "less", "level", "like", "limit", "linear", "lines",
+	"linestring", "load", "local", "localtime", "localtimestamp", "lock", "logs",
+	"long", "longblob", "longtext", "loop", "low_priority", "manifest",
+	"master_bind", "match", "max_rows", "maxvalue", "mediumblob", "mediumint",
+	"mediumtext", "memory", "merge", "microsecond", "middleint", "min_rows", "minute",
+	"minute_microsecond", "minute_second", "mod", "mode", "modify", "modifies",
+	"multilinestring", "multipoint", "multipolygon", "month", "name",
+	"names", "natural", "nchar", "next", "no", "none", "not", "no_write_to_binlog",
+	"nth_value", "ntile", "null", "numeric", "of", "off", "offset", "on",
+	"only", "open", "optimize", "optimizer_costs", "option", "optionally",
+	"or", "order", "out", "outer", "outfile", "over", "overwrite", "pack_keys",
+	"parser", "partition", "partitioning", "password", "percent_rank", "plugins",
+	"point", "polygon", "precision", "primary", "privileges", "processlist",
+	"procedure", "query", "quarter", "range", "rank", "read", "reads", "read_write",
+	"real", "rebuild", "recursive", "redundant", "references", "regexp", "relay",
+	"release", "remove", "rename", "reorganize", "repair", "repeat", "repeatable",
+	"replace", "require", "resignal", "restrict", "return", "retry", "revert",
+	"revoke", "right", "rlike", "rollback", "row", "row_format", "row_number",
+	"rows", "s3", "savepoint", "schema", "schemas", "second", "second_microsecond",
+	"security", "select", "sensitive", "separator", "sequence", "serializable",
+	"session", "set", "share", "shared", "show", "signal", "signed", "slow",
+	"smallint", "spatial", "specific", "sql", "sqlexception", "sqlstate",
+	"sqlwarning", "sql_big_result", "sql_cache", "sql_calc_found_rows",
+	"sql_no_cache", "sql_small_result", "ssl", "start", "starting",
+	"stats_auto_recalc", "stats_persistent", "stats_sample_pages", "status",
+	"storage", "stored", "straight_join", "stream", "system", "vstream",
+	"table", "tables", "tablespace", "temporary", "temptable", "terminated",
+	"text", "than", "then", "time", "timestamp", "timestampadd", "timestampdiff",
+	"tinyblob", "tinyint", "tinytext", "to", "trailing", "transaction", "tree",
+	"traditional", "trigger", "triggers", "true", "truncate", "uncommitted",
+	"undefined", "undo", "union", "unique", "unlock", "unsigned", "update",
+	"upgrade", "usage", "use", "user", "user_resources", "using", "utc_date",
+	"utc_time", "utc_timestamp", "validation", "values", "variables", "varbinary",
+	"varchar", "varcharacter", "varying", "vgtid_executed", "virtual", "vindex",
+	"vindexes", "view", "vitess", "vitess_keyspaces", "vitess_metadata",
+	"vitess_migration", "vitess_migrations", "vitess_replication_status",
+	"vitess_shards", "vitess_tablets", "vschema", "warnings", "when",
+	"where", "while", "window", "with", "without", "work", "write", "xor",
+	"year", "year_month", "zerofill",
+}
+
+// Keywords that could get an additional keyword
+var needCustomString = []string{
+	"DISTINCTROW", "FROM", // Select keywords:
+	"GROUP BY", "HAVING", "WINDOW",
+	"FOR",
+	"ORDER BY", "LIMIT",
+	"INTO", "PARTITION", "AS", // Insert Keywords:
+	"ON DUPLICATE KEY UPDATE",
+	"WHERE", "LIMIT", // Delete keywords
+	"INFILE", "INTO TABLE", "CHARACTER SET", // Load keywords
+	"TERMINATED BY", "ENCLOSED BY",
+	"ESCAPED BY", "STARTING BY",
+	"TERMINATED BY", "STARTING BY",
+	"IGNORE",
+	"VALUE", "VALUES", // Replace tokens
+	"SET",                                   // Update tokens
+	"ENGINE =",                              // Drop tokens
+	"DEFINER =", "ON SCHEDULE", "RENAME TO", // Alter tokens
+	"COMMENT", "DO", "INITIAL_SIZE = ", "OPTIONS",
+}
+
+var alterTableTokens = [][]string{
+	{"CUSTOM_FUZZ_STRING"},
+	{"CUSTOM_ALTTER_TABLE_OPTIONS"},
+	{"PARTITION_OPTIONS_FOR_ALTER_TABLE"},
+}
+
+var alterTokens = [][]string{
+	{
+		"DATABASE", "SCHEMA", "DEFINER = ", "EVENT", "FUNCTION", "INSTANCE",
+		"LOGFILE GROUP", "PROCEDURE", "SERVER",
+	},
+	{"CUSTOM_FUZZ_STRING"},
+	{
+		"ON SCHEDULE", "ON COMPLETION PRESERVE", "ON COMPLETION NOT PRESERVE",
+		"ADD UNDOFILE", "OPTIONS",
+	},
+	{"RENAME TO", "INITIAL_SIZE = "},
+	{"ENABLE", "DISABLE", "DISABLE ON SLAVE", "ENGINE"},
+	{"COMMENT"},
+	{"DO"},
+}
+
+var setTokens = [][]string{
+	{"CHARACTER SET", "CHARSET", "CUSTOM_FUZZ_STRING", "NAMES"},
+	{"CUSTOM_FUZZ_STRING", "DEFAULT", "="},
+	{"CUSTOM_FUZZ_STRING"},
+}
+
+var dropTokens = [][]string{
+	{"TEMPORARY", "UNDO"},
+	{
+		"DATABASE", "SCHEMA", "EVENT", "INDEX", "LOGFILE GROUP",
+		"PROCEDURE", "FUNCTION", "SERVER", "SPATIAL REFERENCE SYSTEM",
+		"TABLE", "TABLESPACE", "TRIGGER", "VIEW",
+	},
+	{"IF EXISTS"},
+	{"CUSTOM_FUZZ_STRING"},
+	{"ON", "ENGINE = ", "RESTRICT", "CASCADE"},
+}
+
+var renameTokens = [][]string{
+	{"TABLE"},
+	{"CUSTOM_FUZZ_STRING"},
+	{"TO"},
+	{"CUSTOM_FUZZ_STRING"},
+}
+
+var truncateTokens = [][]string{
+	{"TABLE"},
+	{"CUSTOM_FUZZ_STRING"},
+}
+
+var createTokens = [][]string{
+	{"OR REPLACE", "TEMPORARY", "UNDO"}, // For create spatial reference system
+	{
+		"UNIQUE", "FULLTEXT", "SPATIAL", "ALGORITHM = UNDEFINED", "ALGORITHM = MERGE",
+		"ALGORITHM = TEMPTABLE",
+	},
+	{
+		"DATABASE", "SCHEMA", "EVENT", "FUNCTION", "INDEX", "LOGFILE GROUP",
+		"PROCEDURE", "SERVER", "SPATIAL REFERENCE SYSTEM", "TABLE", "TABLESPACE",
+		"TRIGGER", "VIEW",
+	},
+	{"IF NOT EXISTS"},
+	{"CUSTOM_FUZZ_STRING"},
+}
+
+/*
+// For future use.
+var updateTokens = [][]string{
+	{"LOW_PRIORITY"},
+	{"IGNORE"},
+	{"SET"},
+	{"WHERE"},
+	{"ORDER BY"},
+	{"LIMIT"},
+}
+*/
+
+var replaceTokens = [][]string{
+	{"LOW_PRIORITY", "DELAYED"},
+	{"INTO"},
+	{"PARTITION"},
+	{"CUSTOM_FUZZ_STRING"},
+	{"VALUES", "VALUE"},
+}
+
+var loadTokens = [][]string{
+	{"DATA"},
+	{"LOW_PRIORITY", "CONCURRENT", "LOCAL"},
+	{"INFILE"},
+	{"REPLACE", "IGNORE"},
+	{"INTO TABLE"},
+	{"PARTITION"},
+	{"CHARACTER SET"},
+	{"FIELDS", "COLUMNS"},
+	{"TERMINATED BY"},
+	{"OPTIONALLY"},
+	{"ENCLOSED BY"},
+	{"ESCAPED BY"},
+	{"LINES"},
+	{"STARTING BY"},
+	{"TERMINATED BY"},
+	{"IGNORE"},
+	{"LINES", "ROWS"},
+	{"CUSTOM_FUZZ_STRING"},
+}
+
+// These Are everything that comes after "INSERT"
+var insertTokens = [][]string{
+	{"LOW_PRIORITY", "DELAYED", "HIGH_PRIORITY", "IGNORE"},
+	{"INTO"},
+	{"PARTITION"},
+	{"CUSTOM_FUZZ_STRING"},
+	{"AS"},
+	{"ON DUPLICATE KEY UPDATE"},
+}
+
+// These are everything that comes after "SELECT"
+var selectTokens = [][]string{
+	{"*", "CUSTOM_FUZZ_STRING", "DISTINCTROW"},
+	{"HIGH_PRIORITY"},
+	{"STRAIGHT_JOIN"},
+	{"SQL_SMALL_RESULT", "SQL_BIG_RESULT", "SQL_BUFFER_RESULT"},
+	{"SQL_NO_CACHE", "SQL_CALC_FOUND_ROWS"},
+	{"CUSTOM_FUZZ_STRING"},
+	{"FROM"},
+	{"WHERE"},
+	{"GROUP BY"},
+	{"HAVING"},
+	{"WINDOW"},
+	{"ORDER BY"},
+	{"LIMIT"},
+	{"CUSTOM_FUZZ_STRING"},
+	{"FOR"},
+}
+
+// These are everything that comes after "DELETE"
+var deleteTokens = [][]string{
+	{"LOW_PRIORITY", "QUICK", "IGNORE", "FROM", "AS"},
+	{"PARTITION"},
+	{"WHERE"},
+	{"ORDER BY"},
+	{"LIMIT"},
+}
+
+var alter_table_options = []string{
+	"ADD", "COLUMN", "FIRST", "AFTER", "INDEX", "KEY", "FULLTEXT", "SPATIAL",
+	"CONSTRAINT", "UNIQUE", "FOREIGN KEY", "CHECK", "ENFORCED", "DROP", "ALTER",
+	"NOT", "INPLACE", "COPY", "SET", "VISIBLE", "INVISIBLE", "DEFAULT", "CHANGE",
+	"CHARACTER SET", "COLLATE", "DISABLE", "ENABLE", "KEYS", "TABLESPACE", "LOCK",
+	"FORCE", "MODIFY", "SHARED", "EXCLUSIVE", "NONE", "ORDER BY", "RENAME COLUMN",
+	"AS", "=", "ASC", "DESC", "WITH", "WITHOUT", "VALIDATION", "ADD PARTITION",
+	"DROP PARTITION", "DISCARD PARTITION", "IMPORT PARTITION", "TRUNCATE PARTITION",
+	"COALESCE PARTITION", "REORGANIZE PARTITION", "EXCHANGE PARTITION",
+	"ANALYZE PARTITION", "CHECK PARTITION", "OPTIMIZE PARTITION", "REBUILD PARTITION",
+	"REPAIR PARTITION", "REMOVE PARTITIONING", "USING", "BTREE", "HASH", "COMMENT",
+	"KEY_BLOCK_SIZE", "WITH PARSER", "AUTOEXTEND_SIZE", "AUTO_INCREMENT", "AVG_ROW_LENGTH",
+	"CHECKSUM", "INSERT_METHOD", "ROW_FORMAT", "DYNAMIC", "FIXED", "COMPRESSED", "REDUNDANT",
+	"COMPACT", "SECONDARY_ENGINE_ATTRIBUTE", "STATS_AUTO_RECALC", "STATS_PERSISTENT",
+	"STATS_SAMPLE_PAGES", "ZLIB", "LZ4", "ENGINE_ATTRIBUTE", "KEY_BLOCK_SIZE", "MAX_ROWS",
+	"MIN_ROWS", "PACK_KEYS", "PASSWORD", "COMPRESSION", "CONNECTION", "DIRECTORY",
+	"DELAY_KEY_WRITE", "ENCRYPTION", "STORAGE", "DISK", "MEMORY", "UNION",
+}
+
+// Creates an 'alter table' statement. 'alter table' is an exception
+// in that it has its own function. The majority of statements
+// are created by 'createStmt()'.
+func createAlterTableStmt(f *ConsumeFuzzer) (string, error) {
+	maxArgs, err := f.GetInt()
+	if err != nil {
+		return "", err
+	}
+	maxArgs = maxArgs % 30
+	if maxArgs == 0 {
+		return "", fmt.Errorf("could not create alter table stmt")
+	}
+
+	var stmt strings.Builder
+	stmt.WriteString("ALTER TABLE ")
+	for i := 0; i < maxArgs; i++ {
+		// Calculate if we get existing token or custom string
+		tokenType, err := f.GetInt()
+		if err != nil {
+			return "", err
+		}
+		if tokenType%4 == 1 {
+			customString, err := f.GetString()
+			if err != nil {
+				return "", err
+			}
+			stmt.WriteString(" " + customString)
+		} else {
+			tokenIndex, err := f.GetInt()
+			if err != nil {
+				return "", err
+			}
+			stmt.WriteString(" " + alter_table_options[tokenIndex%len(alter_table_options)])
+		}
+	}
+	return stmt.String(), nil
+}
+
+func chooseToken(tokens []string, f *ConsumeFuzzer) (string, error) {
+	index, err := f.GetInt()
+	if err != nil {
+		return "", err
+	}
+	var token strings.Builder
+	token.WriteString(tokens[index%len(tokens)])
+	if token.String() == "CUSTOM_FUZZ_STRING" {
+		customFuzzString, err := f.GetString()
+		if err != nil {
+			return "", err
+		}
+		return customFuzzString, nil
+	}
+
+	// Check if token requires an argument
+	if containsString(needCustomString, token.String()) {
+		customFuzzString, err := f.GetString()
+		if err != nil {
+			return "", err
+		}
+		token.WriteString(" " + customFuzzString)
+	}
+	return token.String(), nil
+}
+
+var stmtTypes = map[string][][]string{
+	"DELETE":      deleteTokens,
+	"INSERT":      insertTokens,
+	"SELECT":      selectTokens,
+	"LOAD":        loadTokens,
+	"REPLACE":     replaceTokens,
+	"CREATE":      createTokens,
+	"DROP":        dropTokens,
+	"RENAME":      renameTokens,
+	"TRUNCATE":    truncateTokens,
+	"SET":         setTokens,
+	"ALTER":       alterTokens,
+	"ALTER TABLE": alterTableTokens, // ALTER TABLE has its own set of tokens
+}
+
+var stmtTypeEnum = map[int]string{
+	0:  "DELETE",
+	1:  "INSERT",
+	2:  "SELECT",
+	3:  "LOAD",
+	4:  "REPLACE",
+	5:  "CREATE",
+	6:  "DROP",
+	7:  "RENAME",
+	8:  "TRUNCATE",
+	9:  "SET",
+	10: "ALTER",
+	11: "ALTER TABLE",
+}
+
+func createStmt(f *ConsumeFuzzer) (string, error) {
+	stmtIndex, err := f.GetInt()
+	if err != nil {
+		return "", err
+	}
+	stmtIndex = stmtIndex % len(stmtTypes)
+
+	queryType := stmtTypeEnum[stmtIndex]
+	tokens := stmtTypes[queryType]
+
+	// We have custom creator for ALTER TABLE
+	if queryType == "ALTER TABLE" {
+		query, err := createAlterTableStmt(f)
+		if err != nil {
+			return "", err
+		}
+		return query, nil
+	}
+
+	// Here we are creating a query that is not
+	// an 'alter table' query. For available
+	// queries, see "stmtTypes"
+
+	// First specify the first query keyword:
+	var query strings.Builder
+	query.WriteString(queryType)
+
+	// Next create the args for the
+	queryArgs, err := createStmtArgs(tokens, f)
+	if err != nil {
+		return "", err
+	}
+	query.WriteString(" " + queryArgs)
+	return query.String(), nil
+}
+
+// Creates the arguments of a statements. In a select statement
+// that would be everything after "select".
+func createStmtArgs(tokenslice [][]string, f *ConsumeFuzzer) (string, error) {
+	var query, token strings.Builder
+
+	// We go through the tokens in the tokenslice,
+	// create the respective token and add it to
+	// "query"
+	for _, tokens := range tokenslice {
+		// For extra randomization, the fuzzer can
+		// choose to not include this token.
+		includeThisToken, err := f.GetBool()
+		if err != nil {
+			return "", err
+		}
+		if !includeThisToken {
+			continue
+		}
+
+		// There may be several tokens to choose from:
+		if len(tokens) > 1 {
+			chosenToken, err := chooseToken(tokens, f)
+			if err != nil {
+				return "", err
+			}
+			query.WriteString(" " + chosenToken)
+		} else {
+			token.WriteString(tokens[0])
+
+			// In case the token is "CUSTOM_FUZZ_STRING"
+			// we will then create a non-structured string
+			if token.String() == "CUSTOM_FUZZ_STRING" {
+				customFuzzString, err := f.GetString()
+				if err != nil {
+					return "", err
+				}
+				query.WriteString(" " + customFuzzString)
+				continue
+			}
+
+			// Check if token requires an argument.
+			// Tokens that take an argument can be found
+			// in 'needCustomString'. If so, we add a
+			// non-structured string to the token.
+			if containsString(needCustomString, token.String()) {
+				customFuzzString, err := f.GetString()
+				if err != nil {
+					return "", err
+				}
+				token.WriteString(fmt.Sprintf(" %s", customFuzzString))
+			}
+			query.WriteString(fmt.Sprintf(" %s", token.String()))
+		}
+	}
+	return query.String(), nil
+}
+
+// Creates a semi-structured query. It creates a string
+// that is a combination of the keywords and random strings.
+func createQuery(f *ConsumeFuzzer) (string, error) {
+	queryLen, err := f.GetInt()
+	if err != nil {
+		return "", err
+	}
+	maxLen := queryLen % 60
+	if maxLen == 0 {
+		return "", fmt.Errorf("could not create a query")
+	}
+	var query strings.Builder
+	for i := 0; i < maxLen; i++ {
+		// Get a new token:
+		useKeyword, err := f.GetBool()
+		if err != nil {
+			return "", err
+		}
+		if useKeyword {
+			keyword, err := getKeyword(f)
+			if err != nil {
+				return "", err
+			}
+			query.WriteString(" " + keyword)
+		} else {
+			customString, err := f.GetString()
+			if err != nil {
+				return "", err
+			}
+			query.WriteString(" " + customString)
+		}
+	}
+	if query.String() == "" {
+		return "", fmt.Errorf("could not create a query")
+	}
+	return query.String(), nil
+}
+
+// GetSQLString is the API that users interact with.
+//
+// Usage:
+//
+//	f := NewConsumer(data)
+//	sqlString, err := f.GetSQLString()
+func (f *ConsumeFuzzer) GetSQLString() (string, error) {
+	var query string
+	veryStructured, err := f.GetBool()
+	if err != nil {
+		return "", err
+	}
+	if veryStructured {
+		query, err = createStmt(f)
+		if err != nil {
+			return "", err
+		}
+	} else {
+		query, err = createQuery(f)
+		if err != nil {
+			return "", err
+		}
+	}
+	return query, nil
+}
--- a/vendor/github.com/AdamKorcz/go-118-fuzz-build/LICENSE
+++ b/vendor/github.com/AdamKorcz/go-118-fuzz-build/LICENSE
--- a/vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/f.go
+++ b/vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/f.go
@ -0,0 +1,207 @@
+package testing
+
+import (
+	"fmt"
+	fuzz "github.com/AdaLogics/go-fuzz-headers"
+	"os"
+	"reflect"
+)
+
+type F struct {
+	Data     []byte
+	T        *T
+	FuzzFunc func(*T, any)
+}
+
+func (f *F) CleanupTempDirs() {
+	f.T.CleanupTempDirs()
+}
+
+func (f *F) Add(args ...any)                   {}
+func (c *F) Cleanup(f func())                  {}
+func (c *F) Error(args ...any)                 {}
+func (c *F) Errorf(format string, args ...any) {}
+func (f *F) Fail()                             {}
+func (c *F) FailNow()                          {}
+func (c *F) Failed() bool                      { return false }
+func (c *F) Fatal(args ...any)                 {}
+func (c *F) Fatalf(format string, args ...any) {}
+func (f *F) Fuzz(ff any) {
+	// we are assuming that ff is a func.
+	// TODO: Add a check for UX purposes
+
+	fn := reflect.ValueOf(ff)
+	fnType := fn.Type()
+	var types []reflect.Type
+	for i := 1; i < fnType.NumIn(); i++ {
+		t := fnType.In(i)
+
+		types = append(types, t)
+	}
+	args := []reflect.Value{reflect.ValueOf(f.T)}
+	fuzzConsumer := fuzz.NewConsumer(f.Data)
+	for _, v := range types {
+		switch v.String() {
+		case "[]uint8":
+			b, err := fuzzConsumer.GetBytes()
+			if err != nil {
+				return
+			}
+			newBytes := reflect.New(v)
+			newBytes.Elem().SetBytes(b)
+			args = append(args, newBytes.Elem())
+		case "string":
+			s, err := fuzzConsumer.GetString()
+			if err != nil {
+				return
+			}
+			newString := reflect.New(v)
+			newString.Elem().SetString(s)
+			args = append(args, newString.Elem())
+		case "int":
+			randInt, err := fuzzConsumer.GetInt()
+			if err != nil {
+				return
+			}
+			newInt := reflect.New(v)
+			newInt.Elem().SetInt(int64(randInt))
+			args = append(args, newInt.Elem())
+		case "int8":
+			randInt, err := fuzzConsumer.GetInt()
+			if err != nil {
+				return
+			}
+			newInt := reflect.New(v)
+			newInt.Elem().SetInt(int64(randInt))
+			args = append(args, newInt.Elem())
+		case "int16":
+			randInt, err := fuzzConsumer.GetInt()
+			if err != nil {
+				return
+			}
+			newInt := reflect.New(v)
+			newInt.Elem().SetInt(int64(randInt))
+			args = append(args, newInt.Elem())
+		case "int32":
+			randInt, err := fuzzConsumer.GetInt()
+			if err != nil {
+				return
+			}
+			newInt := reflect.New(v)
+			newInt.Elem().SetInt(int64(randInt))
+			args = append(args, newInt.Elem())
+		case "int64":
+			randInt, err := fuzzConsumer.GetInt()
+			if err != nil {
+				return
+			}
+			newInt := reflect.New(v)
+			newInt.Elem().SetInt(int64(randInt))
+			args = append(args, newInt.Elem())
+		case "uint":
+			randInt, err := fuzzConsumer.GetInt()
+			if err != nil {
+				return
+			}
+			newUint := reflect.New(v)
+			newUint.Elem().SetUint(uint64(randInt))
+			args = append(args, newUint.Elem())
+		case "uint8":
+			randInt, err := fuzzConsumer.GetInt()
+			if err != nil {
+				return
+			}
+			newUint := reflect.New(v)
+			newUint.Elem().SetUint(uint64(randInt))
+			args = append(args, newUint.Elem())
+		case "uint16":
+			randInt, err := fuzzConsumer.GetUint16()
+			if err != nil {
+				return
+			}
+			newUint16 := reflect.New(v)
+			newUint16.Elem().SetUint(uint64(randInt))
+			args = append(args, newUint16.Elem())
+		case "uint32":
+			randInt, err := fuzzConsumer.GetUint32()
+			if err != nil {
+				return
+			}
+			newUint32 := reflect.New(v)
+			newUint32.Elem().SetUint(uint64(randInt))
+			args = append(args, newUint32.Elem())
+		case "uint64":
+			randInt, err := fuzzConsumer.GetUint64()
+			if err != nil {
+				return
+			}
+			newUint64 := reflect.New(v)
+			newUint64.Elem().SetUint(uint64(randInt))
+			args = append(args, newUint64.Elem())
+		case "rune":
+			randRune, err := fuzzConsumer.GetRune()
+			if err != nil {
+				return
+			}
+			newRune := reflect.New(v)
+			newRune.Elem().Set(reflect.ValueOf(randRune))
+			args = append(args, newRune.Elem())
+		case "float32":
+			randFloat, err := fuzzConsumer.GetFloat32()
+			if err != nil {
+				return
+			}
+			newFloat := reflect.New(v)
+			newFloat.Elem().Set(reflect.ValueOf(randFloat))
+			args = append(args, newFloat.Elem())
+		case "float64":
+			randFloat, err := fuzzConsumer.GetFloat64()
+			if err != nil {
+				return
+			}
+			newFloat := reflect.New(v)
+			newFloat.Elem().Set(reflect.ValueOf(randFloat))
+			args = append(args, newFloat.Elem())
+		case "bool":
+			randBool, err := fuzzConsumer.GetBool()
+			if err != nil {
+				return
+			}
+			newBool := reflect.New(v)
+			newBool.Elem().Set(reflect.ValueOf(randBool))
+			args = append(args, newBool.Elem())
+		default:
+			fmt.Println(v.String())
+		}
+	}
+	fn.Call(args)
+}
+func (f *F) Helper() {}
+func (c *F) Log(args ...any) {
+	fmt.Println(args...)
+}
+func (c *F) Logf(format string, args ...any) {
+	fmt.Println(format, args)
+}
+func (c *F) Name() string             { return "libFuzzer" }
+func (c *F) Setenv(key, value string) {}
+func (c *F) Skip(args ...any) {
+	panic("GO-FUZZ-BUILD-PANIC")
+}
+func (c *F) SkipNow() {
+	panic("GO-FUZZ-BUILD-PANIC")
+}
+func (c *F) Skipf(format string, args ...any) {
+	panic("GO-FUZZ-BUILD-PANIC")
+}
+func (f *F) Skipped() bool { return false }
+
+func (f *F) TempDir() string {
+	dir, err := os.MkdirTemp("", "fuzzdir-")
+	if err != nil {
+		panic(err)
+	}
+	f.T.TempDirs = append(f.T.TempDirs, dir)
+
+	return dir
+}
--- a/vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/t.go
+++ b/vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/t.go
@ -0,0 +1,129 @@
+package testing
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+)
+
+// T can be used to terminate the current fuzz iteration
+// without terminating the whole fuzz run. To do so, simply
+// panic with the text "GO-FUZZ-BUILD-PANIC" and the fuzzer
+// will recover.
+type T struct {
+	TempDirs []string
+}
+
+func NewT() *T {
+	tempDirs := make([]string, 0)
+	return &T{TempDirs: tempDirs}
+}
+
+func unsupportedApi(name string) string {
+	plsOpenIss := "Please open an issue https://github.com/AdamKorcz/go-118-fuzz-build if you need this feature."
+	var b strings.Builder
+	b.WriteString(fmt.Sprintf("%s is not supported when fuzzing in libFuzzer mode\n.", name))
+	b.WriteString(plsOpenIss)
+	return b.String()
+}
+
+func (t *T) Cleanup(f func()) {
+	f()
+}
+
+func (t *T) Deadline() (deadline time.Time, ok bool) {
+	panic(unsupportedApi("t.Deadline()"))
+}
+
+func (t *T) Error(args ...any) {
+	fmt.Println(args...)
+	panic("error")
+}
+
+func (t *T) Errorf(format string, args ...any) {
+	fmt.Printf(format+"\n", args...)
+	panic("errorf")
+}
+
+func (t *T) Fail() {
+	panic("Called T.Fail()")
+}
+
+func (t *T) FailNow() {
+	panic("Called T.Fail()")
+	panic(unsupportedApi("t.FailNow()"))
+}
+
+func (t *T) Failed() bool {
+	panic(unsupportedApi("t.Failed()"))
+}
+
+func (t *T) Fatal(args ...any) {
+	fmt.Println(args...)
+	panic("fatal")
+}
+func (t *T) Fatalf(format string, args ...any) {
+	fmt.Printf(format+"\n", args...)
+	panic("fatal")
+}
+func (t *T) Helper() {
+	// We can't support it, but it also just impacts how failures are reported, so we can ignore it
+}
+func (t *T) Log(args ...any) {
+	fmt.Println(args...)
+}
+
+func (t *T) Logf(format string, args ...any) {
+	fmt.Println(format)
+	fmt.Println(args...)
+}
+
+func (t *T) Name() string {
+	return "libFuzzer"
+}
+
+func (t *T) Parallel() {
+	panic(unsupportedApi("t.Parallel()"))
+}
+func (t *T) Run(name string, f func(t *T)) bool {
+	panic(unsupportedApi("t.Run()"))
+}
+
+func (t *T) Setenv(key, value string) {
+
+}
+
+func (t *T) Skip(args ...any) {
+	panic("GO-FUZZ-BUILD-PANIC")
+}
+func (t *T) SkipNow() {
+	panic("GO-FUZZ-BUILD-PANIC")
+}
+
+// Is not really supported. We just skip instead
+// of printing any message. A log message can be
+// added if need be.
+func (t *T) Skipf(format string, args ...any) {
+	panic("GO-FUZZ-BUILD-PANIC")
+}
+func (t *T) Skipped() bool {
+	panic(unsupportedApi("t.Skipped()"))
+}
+func (t *T) TempDir() string {
+	dir, err := os.MkdirTemp("", "fuzzdir-")
+	if err != nil {
+		panic(err)
+	}
+	t.TempDirs = append(t.TempDirs, dir)
+
+	return dir
+}
+
+func (t *T) CleanupTempDirs() {
+	if len(t.TempDirs) > 0 {
+		for _, tempDir := range t.TempDirs {
+			os.RemoveAll(tempDir)
+		}
+	}
+}
--- a/vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/unsupported_funcs.go
+++ b/vendor/github.com/AdamKorcz/go-118-fuzz-build/testing/unsupported_funcs.go
@ -0,0 +1,42 @@
+package testing
+
+import (
+	"testing"
+)
+
+func AllocsPerRun(runs int, f func()) (avg float64) {
+	panic(unsupportedApi("testing.AllocsPerRun"))
+}
+func CoverMode() string {
+	panic(unsupportedApi("testing.CoverMode"))
+}
+func Coverage() float64 {
+	panic(unsupportedApi("testing.Coverage"))	
+}
+func Init() {
+	panic(unsupportedApi("testing.Init"))
+
+}
+func RegisterCover(c testing.Cover) {
+	panic(unsupportedApi("testing.RegisterCover"))
+}
+func RunExamples(matchString func(pat, str string) (bool, error), examples []testing.InternalExample) (ok bool) {
+	panic(unsupportedApi("testing.RunExamples"))
+}
+
+func RunTests(matchString func(pat, str string) (bool, error), tests []testing.InternalTest) (ok bool) {
+	panic(unsupportedApi("testing.RunTests"))
+}
+
+func Short() bool {
+	return false
+}
+
+func Verbose() bool {
+	panic(unsupportedApi("testing.Verbose"))
+}
+
+type M struct {}
+func (m *M) Run() (code int) {
+	panic("testing.M is not support in libFuzzer Mode")
+}
--- a/vendor/github.com/Microsoft/go-winio/.gitattributes
+++ b/vendor/github.com/Microsoft/go-winio/.gitattributes
@ -0,0 +1 @@
+* text=auto eol=lf
--- a/vendor/github.com/Microsoft/go-winio/.gitignore
+++ b/vendor/github.com/Microsoft/go-winio/.gitignore
@ -1 +1,10 @@
+.vscode/
+
 *.exe
+
+# testing
+testdata
+
+# go workspaces
+go.work
+go.work.sum
--- a/vendor/github.com/Microsoft/go-winio/.golangci.yml
+++ b/vendor/github.com/Microsoft/go-winio/.golangci.yml
@ -0,0 +1,149 @@
+run:
+  skip-dirs:
+    - pkg/etw/sample
+
+linters:
+  enable:
+    # style
+    - containedctx # struct contains a context
+    - dupl # duplicate code
+    - errname # erorrs are named correctly
+    - nolintlint # "//nolint" directives are properly explained
+    - revive # golint replacement
+    - unconvert # unnecessary conversions
+    - wastedassign
+
+    # bugs, performance, unused, etc ...
+    - contextcheck # function uses a non-inherited context
+    - errorlint # errors not wrapped for 1.13
+    - exhaustive # check exhaustiveness of enum switch statements
+    - gofmt # files are gofmt'ed
+    - gosec # security
+    - nilerr # returns nil even with non-nil error
+    - unparam # unused function params
+
+issues:
+  exclude-rules:
+    # err is very often shadowed in nested scopes
+    - linters:
+        - govet
+      text: '^shadow: declaration of "err" shadows declaration'
+
+    # ignore long lines for skip autogen directives
+    - linters:
+        - revive
+      text: "^line-length-limit: "
+      source: "^//(go:generate|sys) "
+
+    #TODO: remove after upgrading to go1.18
+    # ignore comment spacing for nolint and sys directives
+    - linters:
+        - revive
+      text: "^comment-spacings: no space between comment delimiter and comment text"
+      source: "//(cspell:|nolint:|sys |todo)"
+
+    # not on go 1.18 yet, so no any
+    - linters:
+        - revive
+      text: "^use-any: since GO 1.18 'interface{}' can be replaced by 'any'"
+
+    # allow unjustified ignores of error checks in defer statements
+    - linters:
+        - nolintlint
+      text: "^directive `//nolint:errcheck` should provide explanation"
+      source: '^\s*defer '
+
+    # allow unjustified ignores of error lints for io.EOF
+    - linters:
+        - nolintlint
+      text: "^directive `//nolint:errorlint` should provide explanation"
+      source: '[=|!]= io.EOF'
+
+
+linters-settings:
+  exhaustive:
+    default-signifies-exhaustive: true
+  govet:
+    enable-all: true
+    disable:
+      # struct order is often for Win32 compat
+      # also, ignore pointer bytes/GC issues for now until performance becomes an issue
+      - fieldalignment
+    check-shadowing: true
+  nolintlint:
+    allow-leading-space: false
+    require-explanation: true
+    require-specific: true
+  revive:
+    # revive is more configurable than static check, so likely the preferred alternative to static-check
+    # (once the perf issue is solved: https://github.com/golangci/golangci-lint/issues/2997)
+    enable-all-rules:
+      true
+      # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md
+    rules:
+      # rules with required arguments
+      - name: argument-limit
+        disabled: true
+      - name: banned-characters
+        disabled: true
+      - name: cognitive-complexity
+        disabled: true
+      - name: cyclomatic
+        disabled: true
+      - name: file-header
+        disabled: true
+      - name: function-length
+        disabled: true
+      - name: function-result-limit
+        disabled: true
+      - name: max-public-structs
+        disabled: true
+      # geneally annoying rules
+      - name: add-constant # complains about any and all strings and integers
+        disabled: true
+      - name: confusing-naming # we frequently use "Foo()" and "foo()" together
+        disabled: true
+      - name: flag-parameter # excessive, and a common idiom we use
+        disabled: true
+      - name: unhandled-error # warns over common fmt.Print* and io.Close; rely on errcheck instead
+        disabled: true
+      # general config
+      - name: line-length-limit
+        arguments:
+          - 140
+      - name: var-naming
+        arguments:
+          - []
+          - - CID
+            - CRI
+            - CTRD
+            - DACL
+            - DLL
+            - DOS
+            - ETW
+            - FSCTL
+            - GCS
+            - GMSA
+            - HCS
+            - HV
+            - IO
+            - LCOW
+            - LDAP
+            - LPAC
+            - LTSC
+            - MMIO
+            - NT
+            - OCI
+            - PMEM
+            - PWSH
+            - RX
+            - SACl
+            - SID
+            - SMB
+            - TX
+            - VHD
+            - VHDX
+            - VMID
+            - VPCI
+            - WCOW
+            - WIM
--- a/vendor/github.com/Microsoft/go-winio/CODEOWNERS
+++ b/vendor/github.com/Microsoft/go-winio/CODEOWNERS
@ -0,0 +1 @@
+  * @microsoft/containerplat
--- a/vendor/github.com/Microsoft/go-winio/README.md
+++ b/vendor/github.com/Microsoft/go-winio/README.md
@ -1,4 +1,4 @@
-# go-winio
+# go-winio [![Build Status](https://github.com/microsoft/go-winio/actions/workflows/ci.yml/badge.svg)](https://github.com/microsoft/go-winio/actions/workflows/ci.yml)

 This repository contains utilities for efficiently performing Win32 IO operations in
 Go. Currently, this is focused on accessing named pipes and other file handles, and
@ -11,12 +11,79 @@ package.

 Please see the LICENSE file for licensing information.

-This project has adopted the [Microsoft Open Source Code of
-Conduct](https://opensource.microsoft.com/codeofconduct/). For more information
-see the [Code of Conduct
-FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact
-[opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional
-questions or comments.
+## Contributing

-Thanks to natefinch for the inspiration for this library. See https://github.com/natefinch/npipe
-for another named pipe implementation.
+This project welcomes contributions and suggestions.
+Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that
+you have the right to, and actually do, grant us the rights to use your contribution.
+For details, visit [Microsoft CLA](https://cla.microsoft.com).
+
+When you submit a pull request, a CLA-bot will automatically determine whether you need to
+provide a CLA and decorate the PR appropriately (e.g., label, comment).
+Simply follow the instructions provided by the bot.
+You will only need to do this once across all repos using our CLA.
+
+Additionally, the pull request pipeline requires the following steps to be performed before
+mergining.
+
+### Code Sign-Off
+
+We require that contributors sign their commits using [`git commit --signoff`][git-commit-s]
+to certify they either authored the work themselves or otherwise have permission to use it in this project.
+
+A range of commits can be signed off using [`git rebase --signoff`][git-rebase-s].
+
+Please see [the developer certificate](https://developercertificate.org) for more info,
+as well as to make sure that you can attest to the rules listed.
+Our CI uses the DCO Github app to ensure that all commits in a given PR are signed-off.
+
+### Linting
+
+Code must pass a linting stage, which uses [`golangci-lint`][lint].
+The linting settings are stored in [`.golangci.yaml`](./.golangci.yaml), and can be run
+automatically with VSCode by adding the following to your workspace or folder settings:
+
+```json
+    "go.lintTool": "golangci-lint",
+    "go.lintOnSave": "package",
+```
+
+Additional editor [integrations options are also available][lint-ide].
+
+Alternatively, `golangci-lint` can be [installed locally][lint-install] and run from the repo root:
+
+```shell
+# use . or specify a path to only lint a package
+# to show all lint errors, use flags "--max-issues-per-linter=0 --max-same-issues=0"
+> golangci-lint run ./...
+```
+
+### Go Generate
+
+The pipeline checks that auto-generated code, via `go generate`, are up to date.
+
+This can be done for the entire repo:
+
+```shell
+> go generate ./...
+```
+
+## Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+
+## Special Thanks
+
+Thanks to [natefinch][natefinch] for the inspiration for this library.
+See [npipe](https://github.com/natefinch/npipe) for another named pipe implementation.
+
+[lint]: https://golangci-lint.run/
+[lint-ide]: https://golangci-lint.run/usage/integrations/#editor-integration
+[lint-install]: https://golangci-lint.run/usage/install/#local-installation
+
+[git-commit-s]: https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s
+[git-rebase-s]: https://git-scm.com/docs/git-rebase#Documentation/git-rebase.txt---signoff
+
+[natefinch]: https://github.com/natefinch
--- a/vendor/github.com/Microsoft/go-winio/SECURITY.md
+++ b/vendor/github.com/Microsoft/go-winio/SECURITY.md
@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.7 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
--- a/vendor/github.com/Microsoft/go-winio/backup.go
+++ b/vendor/github.com/Microsoft/go-winio/backup.go
@ -1,3 +1,4 @@
+//go:build windows
 // +build windows

 package winio
@ -7,11 +8,12 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"runtime"
 	"syscall"
 	"unicode/utf16"
+
+	"golang.org/x/sys/windows"
 )

 //sys backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) = BackupRead
@ -24,7 +26,7 @@ const (
 	BackupAlternateData
 	BackupLink
 	BackupPropertyData
-	BackupObjectId
+	BackupObjectId //revive:disable-line:var-naming ID, not Id
 	BackupReparseData
 	BackupSparseBlock
 	BackupTxfsData
@ -34,14 +36,16 @@ const (
 	StreamSparseAttributes = uint32(8)
 )

+//nolint:revive // var-naming: ALL_CAPS
 const (
-	WRITE_DAC              = 0x40000
-	WRITE_OWNER            = 0x80000
-	ACCESS_SYSTEM_SECURITY = 0x1000000
+	WRITE_DAC              = windows.WRITE_DAC
+	WRITE_OWNER            = windows.WRITE_OWNER
+	ACCESS_SYSTEM_SECURITY = windows.ACCESS_SYSTEM_SECURITY
 )

 // BackupHeader represents a backup stream of a file.
 type BackupHeader struct {
+	//revive:disable-next-line:var-naming ID, not Id
 	Id         uint32 // The backup stream ID
 	Attributes uint32 // Stream attributes
 	Size       int64  // The size of the stream in bytes
@ -49,8 +53,8 @@ type BackupHeader struct {
 	Offset     int64  // The offset of the stream in the file (for BackupSparseBlock only).
 }

-type win32StreamId struct {
-	StreamId   uint32
+type win32StreamID struct {
+	StreamID   uint32
 	Attributes uint32
 	Size       uint64
 	NameSize   uint32
@ -71,7 +75,7 @@ func NewBackupStreamReader(r io.Reader) *BackupStreamReader {
 // Next returns the next backup stream and prepares for calls to Read(). It skips the remainder of the current stream if
 // it was not completely read.
 func (r *BackupStreamReader) Next() (*BackupHeader, error) {
-	if r.bytesLeft > 0 {
+	if r.bytesLeft > 0 { //nolint:nestif // todo: flatten this
 		if s, ok := r.r.(io.Seeker); ok {
 			// Make sure Seek on io.SeekCurrent sometimes succeeds
 			// before trying the actual seek.
@ -82,16 +86,16 @@ func (r *BackupStreamReader) Next() (*BackupHeader, error) {
 				r.bytesLeft = 0
 			}
 		}
-		if _, err := io.Copy(ioutil.Discard, r); err != nil {
+		if _, err := io.Copy(io.Discard, r); err != nil {
 			return nil, err
 		}
 	}
-	var wsi win32StreamId
+	var wsi win32StreamID
 	if err := binary.Read(r.r, binary.LittleEndian, &wsi); err != nil {
 		return nil, err
 	}
 	hdr := &BackupHeader{
-		Id:         wsi.StreamId,
+		Id:         wsi.StreamID,
 		Attributes: wsi.Attributes,
 		Size:       int64(wsi.Size),
 	}
@ -102,7 +106,7 @@ func (r *BackupStreamReader) Next() (*BackupHeader, error) {
 		}
 		hdr.Name = syscall.UTF16ToString(name)
 	}
-	if wsi.StreamId == BackupSparseBlock {
+	if wsi.StreamID == BackupSparseBlock {
 		if err := binary.Read(r.r, binary.LittleEndian, &hdr.Offset); err != nil {
 			return nil, err
 		}
@ -147,8 +151,8 @@ func (w *BackupStreamWriter) WriteHeader(hdr *BackupHeader) error {
 		return fmt.Errorf("missing %d bytes", w.bytesLeft)
 	}
 	name := utf16.Encode([]rune(hdr.Name))
-	wsi := win32StreamId{
-		StreamId:   hdr.Id,
+	wsi := win32StreamID{
+		StreamID:   hdr.Id,
 		Attributes: hdr.Attributes,
 		Size:       uint64(hdr.Size),
 		NameSize:   uint32(len(name) * 2),
@ -203,7 +207,7 @@ func (r *BackupFileReader) Read(b []byte) (int, error) {
 	var bytesRead uint32
 	err := backupRead(syscall.Handle(r.f.Fd()), b, &bytesRead, false, r.includeSecurity, &r.ctx)
 	if err != nil {
-		return 0, &os.PathError{"BackupRead", r.f.Name(), err}
+		return 0, &os.PathError{Op: "BackupRead", Path: r.f.Name(), Err: err}
 	}
 	runtime.KeepAlive(r.f)
 	if bytesRead == 0 {
@ -216,7 +220,7 @@ func (r *BackupFileReader) Read(b []byte) (int, error) {
 // the underlying file.
 func (r *BackupFileReader) Close() error {
 	if r.ctx != 0 {
-		backupRead(syscall.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
+		_ = backupRead(syscall.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
 		runtime.KeepAlive(r.f)
 		r.ctx = 0
 	}
@ -242,7 +246,7 @@ func (w *BackupFileWriter) Write(b []byte) (int, error) {
 	var bytesWritten uint32
 	err := backupWrite(syscall.Handle(w.f.Fd()), b, &bytesWritten, false, w.includeSecurity, &w.ctx)
 	if err != nil {
-		return 0, &os.PathError{"BackupWrite", w.f.Name(), err}
+		return 0, &os.PathError{Op: "BackupWrite", Path: w.f.Name(), Err: err}
 	}
 	runtime.KeepAlive(w.f)
 	if int(bytesWritten) != len(b) {
@ -255,7 +259,7 @@ func (w *BackupFileWriter) Write(b []byte) (int, error) {
 // close the underlying file.
 func (w *BackupFileWriter) Close() error {
 	if w.ctx != 0 {
-		backupWrite(syscall.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
+		_ = backupWrite(syscall.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
 		runtime.KeepAlive(w.f)
 		w.ctx = 0
 	}
@ -271,7 +275,13 @@ func OpenForBackup(path string, access uint32, share uint32, createmode uint32)
 	if err != nil {
 		return nil, err
 	}
-	h, err := syscall.CreateFile(&winPath[0], access, share, nil, createmode, syscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OPEN_REPARSE_POINT, 0)
+	h, err := syscall.CreateFile(&winPath[0],
+		access,
+		share,
+		nil,
+		createmode,
+		syscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OPEN_REPARSE_POINT,
+		0)
 	if err != nil {
 		err = &os.PathError{Op: "open", Path: path, Err: err}
 		return nil, err
--- a/vendor/github.com/Microsoft/go-winio/backuptar/doc.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/doc.go
@ -0,0 +1,3 @@
+// This file only exists to allow go get on non-Windows platforms.
+
+package backuptar
--- a/vendor/github.com/containerd/containerd/archive/strconv.go
+++ b/vendor/github.com/containerd/containerd/archive/strconv.go
@ -1,34 +1,18 @@
-// +build windows
+//go:build windows

-/*
-   Copyright The containerd Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package archive
+package backuptar

 import (
+	"archive/tar"
+	"fmt"
 	"strconv"
 	"strings"
 	"time"
-
-	"archive/tar"
 )

-// Forked from https://github.com/golang/go/blob/master/src/archive/tar/strconv.go
-// as archive/tar doesn't support CreationTime, but does handle PAX time parsing,
-// and there's no need to re-invent the wheel.
+// Functions copied from https://github.com/golang/go/blob/master/src/archive/tar/strconv.go
+// as we need to manage the LIBARCHIVE.creationtime PAXRecord manually.
+// Idea taken from containerd which did the same thing.

 // parsePAXTime takes a string of the form %d.%d as described in the PAX
 // specification. Note that this implementation allows for negative timestamps,
@ -62,7 +46,25 @@ func parsePAXTime(s string) (time.Time, error) {
 	}
 	nsecs, _ := strconv.ParseInt(sn, 10, 64) // Must succeed
 	if len(ss) > 0 && ss[0] == '-' {
-		return time.Unix(secs, -nsecs), nil // Negative correction
+		return time.Unix(secs, -1*nsecs), nil // Negative correction
 	}
 	return time.Unix(secs, nsecs), nil
 }
+
+// formatPAXTime converts ts into a time of the form %d.%d as described in the
+// PAX specification. This function is capable of negative timestamps.
+func formatPAXTime(ts time.Time) (s string) {
+	secs, nsecs := ts.Unix(), ts.Nanosecond()
+	if nsecs == 0 {
+		return strconv.FormatInt(secs, 10)
+	}
+
+	// If seconds is negative, then perform correction.
+	sign := ""
+	if secs < 0 {
+		sign = "-"             // Remember sign
+		secs = -(secs + 1)     // Add a second to secs
+		nsecs = -(nsecs - 1e9) // Take that second away from nsecs
+	}
+	return strings.TrimRight(fmt.Sprintf("%s%d.%09d", sign, secs, nsecs), "0")
+}
--- a/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
@ -0,0 +1,509 @@
+//go:build windows
+// +build windows
+
+package backuptar
+
+import (
+	"archive/tar"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/Microsoft/go-winio"
+	"golang.org/x/sys/windows"
+)
+
+//nolint:deadcode,varcheck // keep unused constants for potential future use
+const (
+	cISUID  = 0004000 // Set uid
+	cISGID  = 0002000 // Set gid
+	cISVTX  = 0001000 // Save text (sticky bit)
+	cISDIR  = 0040000 // Directory
+	cISFIFO = 0010000 // FIFO
+	cISREG  = 0100000 // Regular file
+	cISLNK  = 0120000 // Symbolic link
+	cISBLK  = 0060000 // Block special file
+	cISCHR  = 0020000 // Character special file
+	cISSOCK = 0140000 // Socket
+)
+
+const (
+	hdrFileAttributes        = "MSWINDOWS.fileattr"
+	hdrSecurityDescriptor    = "MSWINDOWS.sd"
+	hdrRawSecurityDescriptor = "MSWINDOWS.rawsd"
+	hdrMountPoint            = "MSWINDOWS.mountpoint"
+	hdrEaPrefix              = "MSWINDOWS.xattr."
+
+	hdrCreationTime = "LIBARCHIVE.creationtime"
+)
+
+// zeroReader is an io.Reader that always returns 0s.
+type zeroReader struct{}
+
+func (zeroReader) Read(b []byte) (int, error) {
+	for i := range b {
+		b[i] = 0
+	}
+	return len(b), nil
+}
+
+func copySparse(t *tar.Writer, br *winio.BackupStreamReader) error {
+	curOffset := int64(0)
+	for {
+		bhdr, err := br.Next()
+		if err == io.EOF { //nolint:errorlint
+			err = io.ErrUnexpectedEOF
+		}
+		if err != nil {
+			return err
+		}
+		if bhdr.Id != winio.BackupSparseBlock {
+			return fmt.Errorf("unexpected stream %d", bhdr.Id)
+		}
+
+		// We can't seek backwards, since we have already written that data to the tar.Writer.
+		if bhdr.Offset < curOffset {
+			return fmt.Errorf("cannot seek back from %d to %d", curOffset, bhdr.Offset)
+		}
+		// archive/tar does not support writing sparse files
+		// so just write zeroes to catch up to the current offset.
+		if _, err = io.CopyN(t, zeroReader{}, bhdr.Offset-curOffset); err != nil {
+			return fmt.Errorf("seek to offset %d: %w", bhdr.Offset, err)
+		}
+		if bhdr.Size == 0 {
+			// A sparse block with size = 0 is used to mark the end of the sparse blocks.
+			break
+		}
+		n, err := io.Copy(t, br)
+		if err != nil {
+			return err
+		}
+		if n != bhdr.Size {
+			return fmt.Errorf("copied %d bytes instead of %d at offset %d", n, bhdr.Size, bhdr.Offset)
+		}
+		curOffset = bhdr.Offset + n
+	}
+	return nil
+}
+
+// BasicInfoHeader creates a tar header from basic file information.
+func BasicInfoHeader(name string, size int64, fileInfo *winio.FileBasicInfo) *tar.Header {
+	hdr := &tar.Header{
+		Format:     tar.FormatPAX,
+		Name:       filepath.ToSlash(name),
+		Size:       size,
+		Typeflag:   tar.TypeReg,
+		ModTime:    time.Unix(0, fileInfo.LastWriteTime.Nanoseconds()),
+		ChangeTime: time.Unix(0, fileInfo.ChangeTime.Nanoseconds()),
+		AccessTime: time.Unix(0, fileInfo.LastAccessTime.Nanoseconds()),
+		PAXRecords: make(map[string]string),
+	}
+	hdr.PAXRecords[hdrFileAttributes] = fmt.Sprintf("%d", fileInfo.FileAttributes)
+	hdr.PAXRecords[hdrCreationTime] = formatPAXTime(time.Unix(0, fileInfo.CreationTime.Nanoseconds()))
+
+	if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
+		hdr.Mode |= cISDIR
+		hdr.Size = 0
+		hdr.Typeflag = tar.TypeDir
+	}
+	return hdr
+}
+
+// SecurityDescriptorFromTarHeader reads the SDDL associated with the header of the current file
+// from the tar header and returns the security descriptor into a byte slice.
+func SecurityDescriptorFromTarHeader(hdr *tar.Header) ([]byte, error) {
+	if sdraw, ok := hdr.PAXRecords[hdrRawSecurityDescriptor]; ok {
+		sd, err := base64.StdEncoding.DecodeString(sdraw)
+		if err != nil {
+			// Not returning sd as-is in the error-case, as base64.DecodeString
+			// may return partially decoded data (not nil or empty slice) in case
+			// of a failure: https://github.com/golang/go/blob/go1.17.7/src/encoding/base64/base64.go#L382-L387
+			return nil, err
+		}
+		return sd, nil
+	}
+	// Maintaining old SDDL-based behavior for backward compatibility. All new
+	// tar headers written by this library will have raw binary for the security
+	// descriptor.
+	if sddl, ok := hdr.PAXRecords[hdrSecurityDescriptor]; ok {
+		return winio.SddlToSecurityDescriptor(sddl)
+	}
+	return nil, nil
+}
+
+// ExtendedAttributesFromTarHeader reads the EAs associated with the header of the
+// current file from the tar header and returns it as a byte slice.
+func ExtendedAttributesFromTarHeader(hdr *tar.Header) ([]byte, error) {
+	var eas []winio.ExtendedAttribute //nolint:prealloc // len(eas) <= len(hdr.PAXRecords); prealloc is wasteful
+	for k, v := range hdr.PAXRecords {
+		if !strings.HasPrefix(k, hdrEaPrefix) {
+			continue
+		}
+		data, err := base64.StdEncoding.DecodeString(v)
+		if err != nil {
+			return nil, err
+		}
+		eas = append(eas, winio.ExtendedAttribute{
+			Name:  k[len(hdrEaPrefix):],
+			Value: data,
+		})
+	}
+	var eaData []byte
+	var err error
+	if len(eas) != 0 {
+		eaData, err = winio.EncodeExtendedAttributes(eas)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return eaData, nil
+}
+
+// EncodeReparsePointFromTarHeader reads the ReparsePoint structure from the tar header
+// and encodes it into a byte slice. The file for which this function is called must be a
+// symlink.
+func EncodeReparsePointFromTarHeader(hdr *tar.Header) []byte {
+	_, isMountPoint := hdr.PAXRecords[hdrMountPoint]
+	rp := winio.ReparsePoint{
+		Target:       filepath.FromSlash(hdr.Linkname),
+		IsMountPoint: isMountPoint,
+	}
+	return winio.EncodeReparsePoint(&rp)
+}
+
+// WriteTarFileFromBackupStream writes a file to a tar writer using data from a Win32 backup stream.
+//
+// This encodes Win32 metadata as tar pax vendor extensions starting with MSWINDOWS.
+//
+// The additional Win32 metadata is:
+//
+//   - MSWINDOWS.fileattr: The Win32 file attributes, as a decimal value
+//   - MSWINDOWS.rawsd: The Win32 security descriptor, in raw binary format
+//   - MSWINDOWS.mountpoint: If present, this is a mount point and not a symlink, even though the type is '2' (symlink)
+func WriteTarFileFromBackupStream(t *tar.Writer, r io.Reader, name string, size int64, fileInfo *winio.FileBasicInfo) error {
+	name = filepath.ToSlash(name)
+	hdr := BasicInfoHeader(name, size, fileInfo)
+
+	// If r can be seeked, then this function is two-pass: pass 1 collects the
+	// tar header data, and pass 2 copies the data stream. If r cannot be
+	// seeked, then some header data (in particular EAs) will be silently lost.
+	var (
+		restartPos int64
+		err        error
+	)
+	sr, readTwice := r.(io.Seeker)
+	if readTwice {
+		if restartPos, err = sr.Seek(0, io.SeekCurrent); err != nil {
+			readTwice = false
+		}
+	}
+
+	br := winio.NewBackupStreamReader(r)
+	var dataHdr *winio.BackupHeader
+	for dataHdr == nil {
+		bhdr, err := br.Next()
+		if err == io.EOF { //nolint:errorlint
+			break
+		}
+		if err != nil {
+			return err
+		}
+		switch bhdr.Id {
+		case winio.BackupData:
+			hdr.Mode |= cISREG
+			if !readTwice {
+				dataHdr = bhdr
+			}
+		case winio.BackupSecurity:
+			sd, err := io.ReadAll(br)
+			if err != nil {
+				return err
+			}
+			hdr.PAXRecords[hdrRawSecurityDescriptor] = base64.StdEncoding.EncodeToString(sd)
+
+		case winio.BackupReparseData:
+			hdr.Mode |= cISLNK
+			hdr.Typeflag = tar.TypeSymlink
+			reparseBuffer, _ := io.ReadAll(br)
+			rp, err := winio.DecodeReparsePoint(reparseBuffer)
+			if err != nil {
+				return err
+			}
+			if rp.IsMountPoint {
+				hdr.PAXRecords[hdrMountPoint] = "1"
+			}
+			hdr.Linkname = rp.Target
+
+		case winio.BackupEaData:
+			eab, err := io.ReadAll(br)
+			if err != nil {
+				return err
+			}
+			eas, err := winio.DecodeExtendedAttributes(eab)
+			if err != nil {
+				return err
+			}
+			for _, ea := range eas {
+				// Use base64 encoding for the binary value. Note that there
+				// is no way to encode the EA's flags, since their use doesn't
+				// make any sense for persisted EAs.
+				hdr.PAXRecords[hdrEaPrefix+ea.Name] = base64.StdEncoding.EncodeToString(ea.Value)
+			}
+
+		case winio.BackupAlternateData, winio.BackupLink, winio.BackupPropertyData, winio.BackupObjectId, winio.BackupTxfsData:
+			// ignore these streams
+		default:
+			return fmt.Errorf("%s: unknown stream ID %d", name, bhdr.Id)
+		}
+	}
+
+	err = t.WriteHeader(hdr)
+	if err != nil {
+		return err
+	}
+
+	if readTwice {
+		// Get back to the data stream.
+		if _, err = sr.Seek(restartPos, io.SeekStart); err != nil {
+			return err
+		}
+		for dataHdr == nil {
+			bhdr, err := br.Next()
+			if err == io.EOF { //nolint:errorlint
+				break
+			}
+			if err != nil {
+				return err
+			}
+			if bhdr.Id == winio.BackupData {
+				dataHdr = bhdr
+			}
+		}
+	}
+
+	// The logic for copying file contents is fairly complicated due to the need for handling sparse files,
+	// and the weird ways they are represented by BackupRead. A normal file will always either have a data stream
+	// with size and content, or no data stream at all (if empty). However, for a sparse file, the content can also
+	// be represented using a series of sparse block streams following the data stream. Additionally, the way sparse
+	// files are handled by BackupRead has changed in the OS recently. The specifics of the representation are described
+	// in the list at the bottom of this block comment.
+	//
+	// Sparse files can be represented in four different ways, based on the specifics of the file.
+	// - Size = 0:
+	//     Previously: BackupRead yields no data stream and no sparse block streams.
+	//     Recently: BackupRead yields a data stream with size = 0. There are no following sparse block streams.
+	// - Size > 0, no allocated ranges:
+	//     BackupRead yields a data stream with size = 0. Following is a single sparse block stream with
+	//     size = 0 and offset = <file size>.
+	// - Size > 0, one allocated range:
+	//     BackupRead yields a data stream with size = <file size> containing the file contents. There are no
+	//     sparse block streams. This is the case if you take a normal file with contents and simply set the
+	//     sparse flag on it.
+	// - Size > 0, multiple allocated ranges:
+	//     BackupRead yields a data stream with size = 0. Following are sparse block streams for each allocated
+	//     range of the file containing the range contents. Finally there is a sparse block stream with
+	//     size = 0 and offset = <file size>.
+
+	if dataHdr != nil { //nolint:nestif // todo: reduce nesting complexity
+		// A data stream was found. Copy the data.
+		// We assume that we will either have a data stream size > 0 XOR have sparse block streams.
+		if dataHdr.Size > 0 || (dataHdr.Attributes&winio.StreamSparseAttributes) == 0 {
+			if size != dataHdr.Size {
+				return fmt.Errorf("%s: mismatch between file size %d and header size %d", name, size, dataHdr.Size)
+			}
+			if _, err = io.Copy(t, br); err != nil {
+				return fmt.Errorf("%s: copying contents from data stream: %w", name, err)
+			}
+		} else if size > 0 {
+			// As of a recent OS change, BackupRead now returns a data stream for empty sparse files.
+			// These files have no sparse block streams, so skip the copySparse call if file size = 0.
+			if err = copySparse(t, br); err != nil {
+				return fmt.Errorf("%s: copying contents from sparse block stream: %w", name, err)
+			}
+		}
+	}
+
+	// Look for streams after the data stream. The only ones we handle are alternate data streams.
+	// Other streams may have metadata that could be serialized, but the tar header has already
+	// been written. In practice, this means that we don't get EA or TXF metadata.
+	for {
+		bhdr, err := br.Next()
+		if err == io.EOF { //nolint:errorlint
+			break
+		}
+		if err != nil {
+			return err
+		}
+		switch bhdr.Id {
+		case winio.BackupAlternateData:
+			if (bhdr.Attributes & winio.StreamSparseAttributes) != 0 {
+				// Unsupported for now, since the size of the alternate stream is not present
+				// in the backup stream until after the data has been read.
+				return fmt.Errorf("%s: tar of sparse alternate data streams is unsupported", name)
+			}
+			altName := strings.TrimSuffix(bhdr.Name, ":$DATA")
+			hdr = &tar.Header{
+				Format:     hdr.Format,
+				Name:       name + altName,
+				Mode:       hdr.Mode,
+				Typeflag:   tar.TypeReg,
+				Size:       bhdr.Size,
+				ModTime:    hdr.ModTime,
+				AccessTime: hdr.AccessTime,
+				ChangeTime: hdr.ChangeTime,
+			}
+			err = t.WriteHeader(hdr)
+			if err != nil {
+				return err
+			}
+			_, err = io.Copy(t, br)
+			if err != nil {
+				return err
+			}
+		case winio.BackupEaData, winio.BackupLink, winio.BackupPropertyData, winio.BackupObjectId, winio.BackupTxfsData:
+			// ignore these streams
+		default:
+			return fmt.Errorf("%s: unknown stream ID %d after data", name, bhdr.Id)
+		}
+	}
+	return nil
+}
+
+// FileInfoFromHeader retrieves basic Win32 file information from a tar header, using the additional metadata written by
+// WriteTarFileFromBackupStream.
+func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *winio.FileBasicInfo, err error) {
+	name = hdr.Name
+	if hdr.Typeflag == tar.TypeReg || hdr.Typeflag == tar.TypeRegA {
+		size = hdr.Size
+	}
+	fileInfo = &winio.FileBasicInfo{
+		LastAccessTime: windows.NsecToFiletime(hdr.AccessTime.UnixNano()),
+		LastWriteTime:  windows.NsecToFiletime(hdr.ModTime.UnixNano()),
+		ChangeTime:     windows.NsecToFiletime(hdr.ChangeTime.UnixNano()),
+		// Default to ModTime, we'll pull hdrCreationTime below if present
+		CreationTime: windows.NsecToFiletime(hdr.ModTime.UnixNano()),
+	}
+	if attrStr, ok := hdr.PAXRecords[hdrFileAttributes]; ok {
+		attr, err := strconv.ParseUint(attrStr, 10, 32)
+		if err != nil {
+			return "", 0, nil, err
+		}
+		fileInfo.FileAttributes = uint32(attr)
+	} else {
+		if hdr.Typeflag == tar.TypeDir {
+			fileInfo.FileAttributes |= syscall.FILE_ATTRIBUTE_DIRECTORY
+		}
+	}
+	if creationTimeStr, ok := hdr.PAXRecords[hdrCreationTime]; ok {
+		creationTime, err := parsePAXTime(creationTimeStr)
+		if err != nil {
+			return "", 0, nil, err
+		}
+		fileInfo.CreationTime = windows.NsecToFiletime(creationTime.UnixNano())
+	}
+	return name, size, fileInfo, err
+}
+
+// WriteBackupStreamFromTarFile writes a Win32 backup stream from the current tar file. Since this function may process multiple
+// tar file entries in order to collect all the alternate data streams for the file, it returns the next
+// tar file that was not processed, or io.EOF is there are no more.
+func WriteBackupStreamFromTarFile(w io.Writer, t *tar.Reader, hdr *tar.Header) (*tar.Header, error) {
+	bw := winio.NewBackupStreamWriter(w)
+
+	sd, err := SecurityDescriptorFromTarHeader(hdr)
+	if err != nil {
+		return nil, err
+	}
+	if len(sd) != 0 {
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupSecurity,
+			Size: int64(len(sd)),
+		}
+		err := bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = bw.Write(sd)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	eadata, err := ExtendedAttributesFromTarHeader(hdr)
+	if err != nil {
+		return nil, err
+	}
+	if len(eadata) != 0 {
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupEaData,
+			Size: int64(len(eadata)),
+		}
+		err = bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = bw.Write(eadata)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if hdr.Typeflag == tar.TypeSymlink {
+		reparse := EncodeReparsePointFromTarHeader(hdr)
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupReparseData,
+			Size: int64(len(reparse)),
+		}
+		err := bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = bw.Write(reparse)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if hdr.Typeflag == tar.TypeReg || hdr.Typeflag == tar.TypeRegA {
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupData,
+			Size: hdr.Size,
+		}
+		err := bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = io.Copy(bw, t)
+		if err != nil {
+			return nil, err
+		}
+	}
+	// Copy all the alternate data streams and return the next non-ADS header.
+	for {
+		ahdr, err := t.Next()
+		if err != nil {
+			return nil, err
+		}
+		if ahdr.Typeflag != tar.TypeReg || !strings.HasPrefix(ahdr.Name, hdr.Name+":") {
+			return ahdr, nil
+		}
+		bhdr := winio.BackupHeader{
+			Id:   winio.BackupAlternateData,
+			Size: ahdr.Size,
+			Name: ahdr.Name[len(hdr.Name):] + ":$DATA",
+		}
+		err = bw.WriteHeader(&bhdr)
+		if err != nil {
+			return nil, err
+		}
+		_, err = io.Copy(bw, t)
+		if err != nil {
+			return nil, err
+		}
+	}
+}
--- a/vendor/github.com/Microsoft/go-winio/doc.go
+++ b/vendor/github.com/Microsoft/go-winio/doc.go
@ -0,0 +1,22 @@
+// This package provides utilities for efficiently performing Win32 IO operations in Go.
+// Currently, this package is provides support for genreal IO and management of
+//   - named pipes
+//   - files
+//   - [Hyper-V sockets]
+//
+// This code is similar to Go's [net] package, and uses IO completion ports to avoid
+// blocking IO on system threads, allowing Go to reuse the thread to schedule other goroutines.
+//
+// This limits support to Windows Vista and newer operating systems.
+//
+// Additionally, this package provides support for:
+//   - creating and managing GUIDs
+//   - writing to [ETW]
+//   - opening and manageing VHDs
+//   - parsing [Windows Image files]
+//   - auto-generating Win32 API code
+//
+// [Hyper-V sockets]: https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service
+// [ETW]: https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/event-tracing-for-windows--etw-
+// [Windows Image files]: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/work-with-windows-images
+package winio
--- a/vendor/github.com/Microsoft/go-winio/ea.go
+++ b/vendor/github.com/Microsoft/go-winio/ea.go
@ -33,7 +33,7 @@ func parseEa(b []byte) (ea ExtendedAttribute, nb []byte, err error) {
 	err = binary.Read(bytes.NewReader(b), binary.LittleEndian, &info)
 	if err != nil {
 		err = errInvalidEaBuffer
-		return
+		return ea, nb, err
 	}

 	nameOffset := fileFullEaInformationSize
@ -43,7 +43,7 @@ func parseEa(b []byte) (ea ExtendedAttribute, nb []byte, err error) {
 	nextOffset := int(info.NextEntryOffset)
 	if valueLen+valueOffset > len(b) || nextOffset < 0 || nextOffset > len(b) {
 		err = errInvalidEaBuffer
-		return
+		return ea, nb, err
 	}

 	ea.Name = string(b[nameOffset : nameOffset+nameLen])
@ -52,7 +52,7 @@ func parseEa(b []byte) (ea ExtendedAttribute, nb []byte, err error) {
 	if info.NextEntryOffset != 0 {
 		nb = b[info.NextEntryOffset:]
 	}
-	return
+	return ea, nb, err
 }

 // DecodeExtendedAttributes decodes a list of EAs from a FILE_FULL_EA_INFORMATION
@ -67,7 +67,7 @@ func DecodeExtendedAttributes(b []byte) (eas []ExtendedAttribute, err error) {
 		eas = append(eas, ea)
 		b = nb
 	}
-	return
+	return eas, err
 }

 func writeEa(buf *bytes.Buffer, ea *ExtendedAttribute, last bool) error {
--- a/Show More
+++ b/Show More