zlayer-hcs 0.11.23

Safe Rust wrapper for the Windows Host Compute Service (HCS)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

# zlayer-hcs

Safe Rust wrapper for the Windows Host Compute Service (HCS).

## Overview

HCS is the OS-level API powering Windows containers and Hyper-V-isolated
workloads. The underlying surface lives in `vmcompute.dll`. This crate is
the authoritative HCS FFI boundary for ZLayer: it wraps the raw entry points
behind RAII handle types, async helpers that translate HCS's native
completion-callback model into Rust futures, and `serde` JSON schema types
that match the current `hcsshim` schema v2.

It is the foundation that `zlayer-agent`'s `HcsRuntime` is built on — the
runtime ZLayer uses to start, stop, and inspect Windows containers natively
without Docker Desktop.

## Platform

Windows only. The crate root is gated with `#![cfg(windows)]`, so on every
other platform it compiles to an empty stub. Callers can depend on it
unconditionally.

The crate carries `#![allow(unsafe_code)]` because it is the single allowed
location in the workspace for `vmcompute.dll` FFI. Every `unsafe` site has a
`SAFETY:` comment.

## Public API

The crate exposes one module per HCS concern:

- `zlayer_hcs::system::ComputeSystem` — RAII handle for an HCS compute system
  (a Windows container or VM). Create / open and drive lifecycle: `create`,
  `open`, `start`, `shutdown`, `terminate`, `pause`, `resume`, `save`,
  `properties`, `modify`.
- `zlayer_hcs::process::ComputeProcess` — RAII handle for a process running
  inside an HCS system: `create`, `spawn`, `open`, `signal`, `terminate`,
  `modify`, `resize_console`, `properties`.
- `zlayer_hcs::operation::run_operation` — Bridges HCS's asynchronous
  `HcsCreateOperation` / completion-callback model into a Rust future
  resolving to the result JSON.
- `zlayer_hcs::events::{EventSubscription, HcsEvent, HcsEventKind, subscribe}`
  — Subscribe to system events (state changes, exits) as a stream.
- `zlayer_hcs::enumerate::{EnumeratedSystem, EnumerateQuery, list, list_by_owner}`
  — Enumerate live compute systems on the host.
- `zlayer_hcs::error::{HcsError, HcsResult}``thiserror`-based error type
  classifying HCS HRESULT codes (`NotFound`, `AccessDenied`, `InvalidSchema`,
  `Other`, ...).
- `zlayer_hcs::handle::{SendHandle, OwnedSystem, OwnedProcess, OwnedOperation}`
  — Raw HCS handle wrappers with `Drop` impls. `SendHandle<T>` is re-exported
  from the crate root for callers that need to move handles across threads.
- `zlayer_hcs::schema``serde`-driven schema v2 types: `ComputeSystem`,
  `Container`, `VirtualMachine`, `Topology`, `Statistics`, `ProcessParameters`,
  `ProcessStatus`, etc. PascalCase wire format matches HCS expectations.
- `zlayer_hcs::stats` — Helpers around the `Statistics` schema for
  observability scrapes.

## Use from ZLayer

Consumed by `zlayer-agent`:

- `crates/zlayer-agent/src/runtimes/hcs.rs` exposes `HcsRuntime`,
  `HcsConfig`, and `IsolationMode`. `HcsRuntime` is selected as the primary
  Windows runtime in `crates/zlayer-agent/src/lib.rs`, with
  `Wsl2DelegateRuntime` (from `zlayer-wsl`) handling Linux-image workloads.
- `crates/zlayer-agent/src/overlay_manager.rs` coordinates DNS / endpoint
  plumbing with the HCS runtime so overlay networks attach correctly at
  container start.

This is an internal ZLayer crate. The workspace `version = "0.0.0-dev"` is
unpublished; consume it via the workspace path dependency, not crates.io.

## Tests

Integration tests live in `tests/integration.rs` and are also
`#[cfg(windows)]`-gated. They include:

- `schema_round_trip` and `parse_statistics_fixture` — schema-only, no HCS.
- `empty_vm_create_and_terminate``#[ignore]` end-to-end lifecycle test
  that requires a host with the Hyper-V role enabled and an elevated token.
- `enumerate_self_empty` — calls `list_by_owner` against a synthetic owner
  string.
- `open_nonexistent_process_errors_cleanly` — ensures `ComputeProcess::open`
  on a null `HCS_SYSTEM` returns a classified `HcsError` instead of
  panicking. Skipped automatically when running in Windows services
  session 0 (e.g. as the Forgejo runner service account), where HCS's
  null-handle behavior diverges from interactive sessions.

The test helpers gate live HCS calls behind elevation and session-zero
probes so the suite stays green on unprivileged developer machines and
non-Hyper-V CI runners.

## When to edit this crate

Edit `zlayer-hcs` when you need to:

- Wrap a new `vmcompute.dll` entry point (always behind a safe API + a
  `SAFETY:` comment).
- Extend the schema v2 types to match a newer `hcsshim` schema.
- Adjust how an HCS HRESULT classifies into `HcsError`.
- Add a new event kind to `HcsEventKind` or change subscription wiring.

Container-runtime policy (image pull, mount layout, isolation defaults)
lives in `zlayer-agent/src/runtimes/hcs.rs`, not here.

Repository: <https://github.com/BlackLeafDigital/ZLayer>