Embedding ETW Name-GUID Mapping for Log Forward Service

internal/oci/uvm.go

@@ -418,12 +418,14 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		if err := handleWCOWSecurityPolicy(ctx, s.Annotations, wopts); err != nil {
 			return nil, err
 		}
-		// If security policy is enable, wopts.ForwardLogs default value should be false
+		// If security policy is enable, wopts.DisableLogForwarding default value should be true (CWCOW should not allow log forwarding by default)
 		if wopts.SecurityPolicyEnabled {
-			wopts.ForwardLogs = false
+			wopts.DisableLogForwarding = true
 		}
 		wopts.LogSources = ParseAnnotationsString(s.Annotations, annotations.LogSources, wopts.LogSources)
-		wopts.ForwardLogs = ParseAnnotationsBool(ctx, s.Annotations, annotations.ForwardLogs, wopts.ForwardLogs)
+		wopts.DisableLogForwarding = ParseAnnotationsBool(ctx, s.Annotations, annotations.DisableForwardLogs, wopts.DisableLogForwarding)
+		wopts.DisableDefaultLogSources = ParseAnnotationsBool(ctx, s.Annotations, annotations.DisableDefaultLogSources, wopts.DisableDefaultLogSources)
+
 		return wopts, nil
 	}
 	return nil, errors.New("cannot create UVM opts spec is not LCOW or WCOW")

internal/uvm/create_wcow.go

@@ -74,9 +74,10 @@ type OptionsWCOW struct {
 	// AdditionalRegistryKeys are Registry keys and their values to additionally add to the uVM.
 	AdditionalRegistryKeys []hcsschema.RegistryValue
 
-	OutputHandlerCreator OutputHandlerCreator // Creates an [OutputHandler] that controls how output received over HVSocket from the UVM is handled. Defaults to parsing output as ETW Log events
-	LogSources           string               // ETW providers to be set for the logging service
-	ForwardLogs          bool                 // Whether to forward logs to the host or not
+	OutputHandlerCreator     OutputHandlerCreator // Creates an [OutputHandler] that controls how output received over HVSocket from the UVM is handled. Defaults to parsing output as ETW Log events
+	LogSources               string               // ETW providers to be set for the logging service
+	DisableLogForwarding     bool                 // Whether to disable forwarding of logs to the host or not
+	DisableDefaultLogSources bool                 // Whether to disable using default log sources
 }
 
 func defaultConfidentialWCOWOSBootFilesPath() string {
@@ -113,9 +114,10 @@ func NewDefaultOptionsWCOW(id, owner string) *OptionsWCOW {
 		ConfidentialWCOWOptions: &ConfidentialWCOWOptions{
 			SecurityPolicyEnabled: false,
 		},
-		OutputHandlerCreator: parseLogrus,
-		ForwardLogs:          true, // Default to true for WCOW, and set to false for CWCOW in internal/oci/uvm.go SpecToUVMCreateOpts
-		LogSources:           "",
+		OutputHandlerCreator:     parseLogrus,
+		DisableLogForwarding:     false, // Default to true for WCOW, and set to false for CWCOW in internal/oci/uvm.go SpecToUVMCreateOpts
+		DisableDefaultLogSources: false,
+		LogSources:               "",
 	}
 }
 
@@ -286,7 +288,7 @@ func prepareCommonConfigDoc(ctx context.Context, uvm *UtilityVM, opts *OptionsWC
 	}
 
 	maps.Copy(doc.VirtualMachine.Devices.HvSocket.HvSocketConfig.ServiceTable, opts.AdditionalHyperVConfig)
-	if opts.ForwardLogs {
+	if !opts.DisableLogForwarding {
 		key := prot.WindowsLoggingHvsockServiceID.String()
 		doc.VirtualMachine.Devices.HvSocket.HvSocketConfig.ServiceTable[key] = hcsschema.HvSocketServiceConfig{
 			AllowWildcardBinds:        true,
@@ -533,22 +535,23 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 	log.G(ctx).WithField("options", log.Format(ctx, opts)).Debug("uvm::CreateWCOW options")
 
 	uvm := &UtilityVM{
-		id:                      opts.ID,
-		owner:                   opts.Owner,
-		operatingSystem:         "windows",
-		scsiControllerCount:     opts.SCSIControllerCount,
-		vsmbDirShares:           make(map[string]*VSMBShare),
-		vsmbFileShares:          make(map[string]*VSMBShare),
-		vpciDevices:             make(map[VPCIDeviceID]*VPCIDevice),
-		noInheritHostTimezone:   opts.NoInheritHostTimezone,
-		physicallyBacked:        !opts.AllowOvercommit,
-		devicesPhysicallyBacked: opts.FullyPhysicallyBacked,
-		vsmbNoDirectMap:         opts.NoDirectMap,
-		noWritableFileShares:    opts.NoWritableFileShares,
-		createOpts:              opts,
-		blockCIMMounts:          make(map[string]*UVMMountedBlockCIMs),
-		logSources:              opts.LogSources,
-		forwardLogs:             opts.ForwardLogs,
+		id:                       opts.ID,
+		owner:                    opts.Owner,
+		operatingSystem:          "windows",
+		scsiControllerCount:      opts.SCSIControllerCount,
+		vsmbDirShares:            make(map[string]*VSMBShare),
+		vsmbFileShares:           make(map[string]*VSMBShare),
+		vpciDevices:              make(map[VPCIDeviceID]*VPCIDevice),
+		noInheritHostTimezone:    opts.NoInheritHostTimezone,
+		physicallyBacked:         !opts.AllowOvercommit,
+		devicesPhysicallyBacked:  opts.FullyPhysicallyBacked,
+		vsmbNoDirectMap:          opts.NoDirectMap,
+		noWritableFileShares:     opts.NoWritableFileShares,
+		createOpts:               opts,
+		blockCIMMounts:           make(map[string]*UVMMountedBlockCIMs),
+		logSources:               opts.LogSources,
+		forwardLogs:              !opts.DisableLogForwarding,
+		disableDefaultLogSources: opts.DisableDefaultLogSources,
 	}
 
 	defer func() {
@@ -588,7 +591,7 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 		return nil, fmt.Errorf("error while creating the compute system: %w", err)
 	}
 
-	if opts.ForwardLogs {
+	if !opts.DisableLogForwarding {
 		// Create a socket that the executed program can send to. This is usually
 		// used by Log Forward Service to send log data.
 		uvm.outputHandler = opts.OutputHandlerCreator(opts.Options)

internal/uvm/etw/default-logsources.json

@@ -0,0 +1,63 @@
+{
+  "LogConfig": {
+    "sources": [
+      {
+        "type": "ETW",
+        "providers": [
+          {
+            "providerName": "Microsoft.Windows.HyperV.Compute",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft-Windows-Guest-Network-Service",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.FileSystem.CimFS",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.FileSystem.UnionFs",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft-Windows-BitLocker-Driver",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft-windows-bitlocker-api",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.Security.KeyGuard",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.Security.KeyGuard.Attestation.Verify",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.Containers.Setup",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.Containers.Storage",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.Containers.Library",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.Containers.DynamicImage",
+            "level": "Information"
+          },
+          {
+            "providerName": "Microsoft.Windows.LogForwardService.Provider",
+            "level": "Information"
+          }
+        ]
+      }
+    ]
+  }
+}