microsoft · rawahars · May 5, 2026 · May 4, 2026 · May 4, 2026 · May 4, 2026
@@ -13,9 +13,6 @@ type SandboxOptions struct {
 	// EnableScratchEncryption enables encryption for scratch disks.
 	EnableScratchEncryption bool
 
-	// GuestDrivers lists guest drivers which need to be installed on the UVM.
-	GuestDrivers []string
-
 	// PolicyBasedRouting enables policy-based routing in the guest network stack.
 	PolicyBasedRouting bool
 
@@ -25,10 +22,6 @@ type SandboxOptions struct {
 	// FullyPhysicallyBacked indicates all memory allocations are backed by physical memory.
 	FullyPhysicallyBacked bool
 
-	// VPMEMMultiMapping indicates whether VPMem multi-mapping is enabled,
-	// which allows multiple VHDs to be mapped to a single VPMem device.
-	VPMEMMultiMapping bool
-
 	// ConfidentialConfig carries confidential computing fields that are not
 	// part of the HCS document but are needed for confidential VM setup.
 	ConfidentialConfig *ConfidentialConfig

@@ -17,7 +17,6 @@ import (
 	"github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/Microsoft/hcsshim/internal/schemaversion"
 	"github.com/Microsoft/hcsshim/internal/vm/vmutils"
-	"github.com/Microsoft/hcsshim/osversion"
 	shimannotations "github.com/Microsoft/hcsshim/pkg/annotations"
 	"github.com/Microsoft/hcsshim/sandbox-spec/vm/v2"
 
@@ -290,9 +289,20 @@ func processAnnotations(ctx context.Context, opts *runhcsoptions.Options, annota
 	}
 
 	// Check for explicitly unsupported annotations.
-	ncProxy := oci.ParseAnnotationsString(annotations, shimannotations.NetworkConfigProxy, "")
-	if ncProxy != "" {
-		return fmt.Errorf("%s annotation is not supported", shimannotations.NetworkConfigProxy)
+	//
+	// These annotations are only handled by the legacy uvm.CreateLCOW path
+	// (e.g. VirtualMachineKernelDrivers is still parsed in internal/hcsoci);
+	// the v2 shim builder has not implemented them yet. Returning an error
+	// here surfaces the gap so users can request the feature rather than
+	// silently having their annotation ignored.
+	for _, key := range []string{
+		shimannotations.NetworkConfigProxy,
+		shimannotations.VPMemNoMultiMapping,
+		shimannotations.VirtualMachineKernelDrivers,
+	} {
+		if v := oci.ParseAnnotationsString(annotations, key, ""); v != "" {
+			return fmt.Errorf("%s annotation is not supported", key)
+		}
 	}
 
 	log.G(ctx).Debug("processAnnotations completed successfully")
@@ -310,18 +320,7 @@ func parseSandboxOptions(ctx context.Context, platform string, annotations map[s
 		FullyPhysicallyBacked: oci.ParseAnnotationsBool(ctx, annotations, shimannotations.FullyPhysicallyBacked, false),
 		PolicyBasedRouting:    oci.ParseAnnotationsBool(ctx, annotations, iannotations.NetworkingPolicyBasedRouting, false),
 		NoWritableFileShares:  oci.ParseAnnotationsBool(ctx, annotations, shimannotations.DisableWritableFileShares, false),
-		// Multi-mapping is enabled by default on 19H1+, can be disabled via annotation.
-		VPMEMMultiMapping: !(oci.ParseAnnotationsBool(ctx, annotations, shimannotations.VPMemNoMultiMapping, osversion.Build() < osversion.V19H1)),
-	}
-
-	// Parse the list of additional kernel drivers to be injected into the VM.
-	drivers := oci.ParseAnnotationCommaSeparated(shimannotations.VirtualMachineKernelDrivers, annotations)
-	for _, driver := range drivers {
-		if _, err := os.Stat(driver); err != nil {
-			return nil, fmt.Errorf("failed to find path to drivers at %s: %w", driver, err)
-		}
 	}
-	sandboxOptions.GuestDrivers = drivers
 
 	// Determine if this is a confidential VM early, as it affects boot options parsing
 	securityPolicy := oci.ParseAnnotationsString(annotations, shimannotations.LCOWSecurityPolicy, "")

@@ -423,9 +423,8 @@ func TestBuildSandboxConfig(t *testing.T) {
 			},
 			spec: &vm.Spec{
 				Annotations: map[string]string{
-					shimannotations.VPMemCount:          "32",
-					shimannotations.VPMemSize:           "8589934592",
-					shimannotations.VPMemNoMultiMapping: "true",
+					shimannotations.VPMemCount: "32",
+					shimannotations.VPMemSize:  "8589934592",
 				},
 			},
 			wantErr:     true,
@@ -1243,6 +1242,26 @@ func TestBuildSandboxConfig_ErrorPaths(t *testing.T) {
 			wantErr:     true,
 			errContains: "annotation is not supported",
 		},
+		{
+			name: "processAnnotations error - unsupported VPMemNoMultiMapping annotation",
+			spec: &vm.Spec{
+				Annotations: map[string]string{
+					shimannotations.VPMemNoMultiMapping: "true",
+				},
+			},
+			wantErr:     true,
+			errContains: "annotation is not supported",
+		},
+		{
+			name: "processAnnotations error - unsupported VirtualMachineKernelDrivers annotation",
+			spec: &vm.Spec{
+				Annotations: map[string]string{
+					shimannotations.VirtualMachineKernelDrivers: "/some/driver/path",
+				},
+			},
+			wantErr:     true,
+			errContains: "annotation is not supported",
+		},
 		{
 			name: "kernel file not found in boot files path",
 			opts: &runhcsoptions.Options{

@@ -205,7 +205,6 @@ func checkSandboxOptionsParity(t *testing.T, legacyOpts *uvm.OptionsLCOW, sandbo
 		{"EnableScratchEncryption", legacyOpts.EnableScratchEncryption, sandboxOpts.EnableScratchEncryption},
 		{"PolicyBasedRouting", legacyOpts.PolicyBasedRouting, sandboxOpts.PolicyBasedRouting},
 		{"FullyPhysicallyBacked", legacyOpts.FullyPhysicallyBacked, sandboxOpts.FullyPhysicallyBacked},
-		{"VPMEMMultiMapping", !legacyOpts.VPMemNoMultiMapping, sandboxOpts.VPMEMMultiMapping},
 	}
 
 	for _, c := range checks {