From b01335e45fb3dfd3a8602c18c3efdbd7f1cf2107 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:10:13 -0800 Subject: [PATCH 01/12] Remove obsoleted +build tags Generated by go fix ./... Signed-off-by: Kir Kolyshkin --- generate/seccomp/seccomp_default_linux.go | 1 - generate/seccomp/seccomp_default_unsupported.go | 1 - validate/validate_linux.go | 1 - validate/validate_unsupported.go | 1 - 4 files changed, 4 deletions(-) diff --git a/generate/seccomp/seccomp_default_linux.go b/generate/seccomp/seccomp_default_linux.go index 5ca9a6da..aac5c2bb 100644 --- a/generate/seccomp/seccomp_default_linux.go +++ b/generate/seccomp/seccomp_default_linux.go @@ -1,5 +1,4 @@ //go:build linux -// +build linux package seccomp diff --git a/generate/seccomp/seccomp_default_unsupported.go b/generate/seccomp/seccomp_default_unsupported.go index b8c1bc26..a8d58267 100644 --- a/generate/seccomp/seccomp_default_unsupported.go +++ b/generate/seccomp/seccomp_default_unsupported.go @@ -1,5 +1,4 @@ //go:build !linux -// +build !linux package seccomp diff --git a/validate/validate_linux.go b/validate/validate_linux.go index 9aaff120..2c7cdb75 100644 --- a/validate/validate_linux.go +++ b/validate/validate_linux.go @@ -1,5 +1,4 @@ //go:build linux -// +build linux package validate diff --git a/validate/validate_unsupported.go b/validate/validate_unsupported.go index 2ffa8811..0d1836b4 100644 --- a/validate/validate_unsupported.go +++ b/validate/validate_unsupported.go @@ -1,5 +1,4 @@ //go:build !linux -// +build !linux package validate From bd70e019888131f2fbe6a5fbc7ea376e022854ef Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:12:23 -0800 Subject: [PATCH 02/12] Modernize the code 1. Replaces interface{} with any. 2. Use slices.Contains where appropriate. Generated by modernize -fix ./... 
Signed-off-by: Kir Kolyshkin --- cgroups/cgroups.go | 7 +++---- cmd/runtimetest/main.go | 28 ++++++++++++++-------------- generate/generate.go | 7 +++---- validate/validate.go | 15 ++++++--------- validation/misc_props/misc_props.go | 2 +- validation/util/test.go | 2 +- 6 files changed, 28 insertions(+), 33 deletions(-) diff --git a/cgroups/cgroups.go b/cgroups/cgroups.go index 2e03ddf6..48beba06 100644 --- a/cgroups/cgroups.go +++ b/cgroups/cgroups.go @@ -5,6 +5,7 @@ import ( "fmt" "os" "path/filepath" + "slices" "strings" rspec "github.com/opencontainers/runtime-spec/specs-go" @@ -89,10 +90,8 @@ func GetSubsystemPath(pid int, subsystem string) (string, error) { continue } subelems := strings.Split(elem[1], ",") - for _, subelem := range subelems { - if subelem == subsystem { - return elem[2], nil - } + if slices.Contains(subelems, subsystem) { + return elem[2], nil } } diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go index eba21324..c344744e 100644 --- a/cmd/runtimetest/main.go +++ b/cmd/runtimetest/main.go @@ -236,13 +236,13 @@ func (c *complianceTester) validateLinuxProcess(spec *rspec.Spec) error { args := bytes.Split(bytes.Trim(cmdlineBytes, "\x00"), []byte("\x00")) c.harness.Ok(len(args) == len(spec.Process.Args), "has expected number of process arguments") - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "expected": spec.Process.Args, "actual": args, }) for i, a := range args { c.harness.Ok(string(a) == spec.Process.Args[i], fmt.Sprintf("has expected process argument %d", i)) - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "index": i, "expected": spec.Process.Args[i], "actual": string(a), @@ -362,7 +362,7 @@ func (c *complianceTester) validateRlimits(spec *rspec.Spec) error { if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "type": r.Type, 
@@ -374,7 +374,7 @@ func (c *complianceTester) validateRlimits(spec *rspec.Spec) error { if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "type": r.Type, @@ -727,7 +727,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "path": device.Path, @@ -738,7 +738,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "path": device.Path, @@ -756,7 +756,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "path": device.Path, @@ -777,7 +777,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "path": device.Path, @@ -793,7 +793,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "path": device.Path, 
@@ -838,7 +838,7 @@ func (c *complianceTester) validateDefaultSymlinks(spec *rspec.Spec) error { if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "path": symlink, @@ -991,7 +991,7 @@ func (c *complianceTester) validateOOMScoreAdj(spec *rspec.Spec) error { if err != nil { return err } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "expected": expected, @@ -1052,7 +1052,7 @@ func (c *complianceTester) validateIDMappings(mappings []rspec.LinuxIDMapping, p return err } c.harness.Ok(len(idMaps) == len(mappings), fmt.Sprintf("%s has expected number of mappings", path)) - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "expected": mappings, "actual": idMaps, }) @@ -1185,13 +1185,13 @@ func (c *complianceTester) validatePosixMounts(spec *rspec.Spec) error { } else { rfcError, err = c.Ok(foundInOrder, specerror.MountsInOrder, spec.Version, fmt.Sprintf("mounts[%d] (%s) found in order", i, configMount.Destination)) } - _ = c.harness.YAML(map[string]interface{}{ + _ = c.harness.YAML(map[string]any{ "level": rfcError.Level.String(), "reference": rfcError.Reference, "config": configMount, "indexConfig": i, "indexSystem": configSys[i], - "earlier": map[string]interface{}{ + "earlier": map[string]any{ "config": spec.Mounts[highestMatchedConfig], "indexConfig": highestMatchedConfig, "indexSystem": configSys[highestMatchedConfig], diff --git a/generate/generate.go b/generate/generate.go index ae5a9984..ea6357c2 100644 --- a/generate/generate.go +++ b/generate/generate.go @@ -6,6 +6,7 @@ import ( "fmt" "io" "os" + "slices" "strings" "github.com/moby/sys/capability" 
@@ -595,10 +596,8 @@ func (g *Generator) ClearProcessAdditionalGids() { // AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids. func (g *Generator) AddProcessAdditionalGid(gid uint32) { g.initConfigProcess() - for _, group := range g.Config.Process.User.AdditionalGids { - if group == gid { - return - } + if slices.Contains(g.Config.Process.User.AdditionalGids, gid) { + return } g.Config.Process.User.AdditionalGids = append(g.Config.Process.User.AdditionalGids, gid) } diff --git a/validate/validate.go b/validate/validate.go index fdb3916a..0e85e135 100644 --- a/validate/validate.go +++ b/validate/validate.go @@ -11,6 +11,7 @@ import ( "reflect" "regexp" "runtime" + "slices" "strings" "unicode" "unicode/utf8" @@ -719,17 +720,13 @@ func (v *Validator) rlimitValid(rlimit rspec.POSIXRlimit) (errs error) { } if v.platform == "linux" { - for _, val := range linuxRlimits { - if val == rlimit.Type { - return - } + if slices.Contains(linuxRlimits, rlimit.Type) { + return } errs = multierror.Append(errs, specerror.NewError(specerror.PosixProcRlimitsTypeValueError, fmt.Errorf("rlimit type %q may not be valid", rlimit.Type), v.spec.Version)) } else if v.platform == "solaris" { - for _, val := range posixRlimits { - if val == rlimit.Type { - return - } + if slices.Contains(posixRlimits, rlimit.Type) { + return } errs = multierror.Append(errs, specerror.NewError(specerror.PosixProcRlimitsTypeValueError, fmt.Errorf("rlimit type %q may not be valid", rlimit.Type), v.spec.Version)) } else { @@ -787,7 +784,7 @@ func checkMandatoryUnit(field reflect.Value, tagField reflect.StructField, paren return } -func checkMandatory(obj interface{}) (errs error) { +func checkMandatory(obj any) (errs error) { objT := reflect.TypeOf(obj) objV := reflect.ValueOf(obj) if isStructPtr(objT) { diff --git a/validation/misc_props/misc_props.go b/validation/misc_props/misc_props.go index d4640427..6524f5e6 100644 --- a/validation/misc_props/misc_props.go 
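Review bot: The doc comment on AddProcessAdditionalGid names `g.Config.Process.AdditionalGids`, but the body reads and appends to `g.Config.Process.User.AdditionalGids`. Since this hunk already rewrites the body, the comment could be corrected to `// AddProcessAdditionalGid adds an additional gid into g.Config.Process.User.AdditionalGids.` and could also say that a gid already present is not added again. The same comment line appears unchanged in the later hunk that adds the `//nolint:staticcheck` annotation to this method.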
+++ b/validation/misc_props/misc_props.go @@ -14,7 +14,7 @@ import ( "github.com/opencontainers/runtime-tools/validation/util" ) -func saveConfig(path string, v interface{}) error { +func saveConfig(path string, v any) error { data, err := json.Marshal(v) if err != nil { return err diff --git a/validation/util/test.go b/validation/util/test.go index 626499e6..bdfcdf29 100644 --- a/validation/util/test.go +++ b/validation/util/test.go @@ -92,7 +92,7 @@ func Fatal(err error) { } // Skip skips a full TAP suite. -func Skip(message string, diagnostic interface{}) { +func Skip(message string, diagnostic any) { t := tap.New() t.Header(1) t.Skip(1, message) From 59d9b891153baa1bbc580400da9f9118a7510db3 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:19:57 -0800 Subject: [PATCH 03/12] cmd/runtimetest: use strings.ReplaceAll Signed-off-by: Kir Kolyshkin --- cmd/runtimetest/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go index c344744e..010bbe0e 100644 --- a/cmd/runtimetest/main.go +++ b/cmd/runtimetest/main.go @@ -392,7 +392,7 @@ func (c *complianceTester) validateSysctls(spec *rspec.Spec) error { } for k, v := range spec.Linux.Sysctl { - keyPath := filepath.Join("/proc/sys", strings.Replace(k, ".", "/", -1)) + keyPath := filepath.Join("/proc/sys", strings.ReplaceAll(k, ".", "/")) vBytes, err := os.ReadFile(keyPath) if err != nil { return err From 5bae0b9ca3fb3ea28602b1853ba4a1347f501822 Mon Sep 17 00:00:00 2001 
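Review bot: The path conversion in validateSysctls replaces every dot in the key, so it only works for keys in the dot-separated form. If a config gives a key in the slash-separated form with a dot inside a component (for example an interface name such as `eth0.100`), that dot becomes a path separator, and the `os.ReadFile` error is returned as if the runtime had misapplied the sysctl. Whether such keys reach this tool is not visible from the hunk. If they can, convert only the dot form: `rel := k` followed by `if !strings.Contains(k, "/") { rel = strings.ReplaceAll(k, ".", "/") }`, then join `rel`. If they cannot, a comment stating the assumption would do. The loop body continues outside the hunk.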
From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:20:32 -0800 Subject: [PATCH 04/12] generate/seccomp: remove double package import The same package is imported twice for no reason. Reported by staticcheck: > generate/seccomp/seccomp_default.go:6:2: ST1019: package "github.com/opencontainers/runtime-spec/specs-go" is being imported more than once (staticcheck) > "github.com/opencontainers/runtime-spec/specs-go" > ^ >generate/seccomp/seccomp_default.go:7:2: ST1019(related information): other import of "github.com/opencontainers/runtime-spec/specs-go" (staticcheck) > rspec "github.com/opencontainers/runtime-spec/specs-go" Signed-off-by: Kir Kolyshkin --- generate/seccomp/seccomp_default.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/generate/seccomp/seccomp_default.go b/generate/seccomp/seccomp_default.go index 12aa482c..64ec8a1f 100644 --- a/generate/seccomp/seccomp_default.go +++ b/generate/seccomp/seccomp_default.go @@ -3,7 +3,6 @@ package seccomp import ( "runtime" - "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go" ) @@ -31,7 +30,7 @@ func arches() []rspec.Arch { } // DefaultProfile defines the whitelist for the default seccomp profile. -func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp { +func DefaultProfile(rs *rspec.Spec) *rspec.LinuxSeccomp { syscalls := []rspec.LinuxSyscall{ { Names: []string{ From b00213a76ad49955732c384c2bbea31ca6d7b959 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:25:41 -0800 Subject: [PATCH 05/12] Fix staticcheck QF1003 warnings Use switch instead of if/else where appropriate. Signed-off-by: Kir Kolyshkin --- cmd/runtimetest/main.go | 10 ++++++---- generate/generate.go | 5 +++-- validate/validate.go | 7 ++++--- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go index 010bbe0e..b46536ea 100644 --- a/cmd/runtimetest/main.go +++ b/cmd/runtimetest/main.go 
@@ -454,9 +454,10 @@ func testFileReadAccess(path string) (readable bool, err error) { defer f.Close() b := make([]byte, 1) _, err = f.Read(b) - if err == nil { + switch err { + case nil: return true, nil - } else if err == io.EOF { + case io.EOF: // Our validation/ tests only use non-empty files for read-access // tests. So if we get an EOF on the first read, the runtime did // successfully block readability. @@ -1310,10 +1311,11 @@ func run(context *cli.Context) error { } validations := defaultValidations - if platform == "linux" { + switch platform { + case "linux": validations = append(validations, posixValidations...) validations = append(validations, linuxValidations...) - } else if platform == "solaris" { + case "solaris": validations = append(validations, posixValidations...) } diff --git a/generate/generate.go b/generate/generate.go index ea6357c2..35ca48ee 100644 --- a/generate/generate.go +++ b/generate/generate.go @@ -89,7 +89,8 @@ func New(os string) (generator Generator, err error) { } } - if os == "linux" { + switch os { + case "linux": config.Process.Capabilities = &rspec.LinuxCapabilities{ Bounding: []string{ "CAP_CHOWN", @@ -238,7 +239,7 @@ func New(os string) (generator Generator, err error) { }, Seccomp: seccomp.DefaultProfile(&config), } - } else if os == "freebsd" { + case "freebsd": config.Mounts = []rspec.Mount{ { Destination: "/dev", diff --git a/validate/validate.go b/validate/validate.go index 0e85e135..35bd8092 100644 --- a/validate/validate.go +++ b/validate/validate.go 
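Review bot: In testFileReadAccess, `switch err { case io.EOF: ... }` compares the error by identity. That matches today because `(*os.File).Read` returns a bare `io.EOF`, but a wrapped EOF would skip the branch that treats EOF as "read was blocked". A tagless switch keeps the staticcheck-friendly shape and tolerates wrapping: `switch { case err == nil: ... case errors.Is(err, io.EOF): ... }`. This needs the `errors` import, which is not visible in this hunk. The function begins before the hunk and its remaining branches are cut off after it.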
@@ -719,17 +719,18 @@ func (v *Validator) rlimitValid(rlimit rspec.POSIXRlimit) (errs error) { errs = multierror.Append(errs, fmt.Errorf("hard limit of rlimit %s should not be less than soft limit", rlimit.Type)) } - if v.platform == "linux" { + switch v.platform { + case "linux": if slices.Contains(linuxRlimits, rlimit.Type) { return } errs = multierror.Append(errs, specerror.NewError(specerror.PosixProcRlimitsTypeValueError, fmt.Errorf("rlimit type %q may not be valid", rlimit.Type), v.spec.Version)) - } else if v.platform == "solaris" { + case "solaris": if slices.Contains(posixRlimits, rlimit.Type) { return } errs = multierror.Append(errs, specerror.NewError(specerror.PosixProcRlimitsTypeValueError, fmt.Errorf("rlimit type %q may not be valid", rlimit.Type), v.spec.Version)) - } else { + default: logrus.Warnf("process.rlimits validation not yet implemented for platform %q", v.platform) } From 9e878689fd4727845e6e6e0c58a5490329f36082 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:29:36 -0800 Subject: [PATCH 06/12] Add annotations to ignore some staticcheck warnings These are the ones we don't want to fix. Signed-off-by: Kir Kolyshkin --- generate/generate.go | 2 +- validate/validate.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/generate/generate.go b/generate/generate.go index 35ca48ee..17ea6f4c 100644 --- a/generate/generate.go +++ b/generate/generate.go @@ -595,7 +595,7 @@ func (g *Generator) ClearProcessAdditionalGids() { } // AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids. -func (g *Generator) AddProcessAdditionalGid(gid uint32) { +func (g *Generator) AddProcessAdditionalGid(gid uint32) { //nolint:staticcheck // Ignore ST1003: method AddProcessAdditionalGid should be AddProcessAdditionalGID g.initConfigProcess() if slices.Contains(g.Config.Process.User.AdditionalGids, gid) { return diff --git a/validate/validate.go b/validate/validate.go index 35bd8092..48fb52ca 100644 
--- a/validate/validate.go +++ b/validate/validate.go @@ -441,7 +441,7 @@ func (v *Validator) CheckCapabilities() (errs error) { if effective && !permitted { errs = multierror.Append(errs, fmt.Errorf("effective capability %q is not allowed, as it's not permitted", capability)) } - if ambient && !(permitted && inheritable) { + if ambient && !(permitted && inheritable) { //nolint:staticcheck // Ignore QF1001: could apply De Morgan's law. errs = multierror.Append(errs, fmt.Errorf("ambient capability %q is not allowed, as it's not permitted and inheribate", capability)) } } From 827638e3a50739aa6c08dd29e5f5b5f9d0436418 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:35:45 -0800 Subject: [PATCH 07/12] validation/linux_cgroups_relative_cpus: fix staticcheck warning Staticcheck complains: > validation/linux_cgroups_relative_cpus/linux_cgroups_relative_cpus.go:14:17: ST1023: should omit type string from declaration; it will be inferred from the right-hand side (staticcheck) > var cpus, mems string = "0-1", "0" > ^ Fix this, and while at it, use constants. Signed-off-by: Kir Kolyshkin --- .../linux_cgroups_relative_cpus.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/validation/linux_cgroups_relative_cpus/linux_cgroups_relative_cpus.go b/validation/linux_cgroups_relative_cpus/linux_cgroups_relative_cpus.go index 29086075..b0dff504 100644 --- a/validation/linux_cgroups_relative_cpus/linux_cgroups_relative_cpus.go +++ b/validation/linux_cgroups_relative_cpus/linux_cgroups_relative_cpus.go @@ -8,10 +8,12 @@ import ( ) func main() { - var shares uint64 = 1024 - var period uint64 = 100000 - var quota int64 = 50000 - var cpus, mems string = "0-1", "0" + const ( + shares uint64 = 1024 + period uint64 = 100000 + quota int64 = 50000 + cpus, mems = "0-1", "0" + ) t := tap.New() t.Header(0) From 80497fb4204caaba3f491daaf8a2f5833cf746ff Mon Sep 17 00:00:00 2001 
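Review bot: The error string on the line after the annotated condition in CheckCapabilities misspells "inheritable" as "inheribate", and its wording suggests both properties are missing, while the condition rejects an ambient capability when either one is. While touching this check, the message could become `fmt.Errorf("ambient capability %q is not allowed, as it's not both permitted and inheritable", capability)`. Separately, `//nolint:staticcheck` suppresses every staticcheck finding on that line, not only QF1001, so it is worth confirming that this breadth is intended. The function starts and ends outside the hunk.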
From: Kir Kolyshkin Date: Wed, 5 Nov 2025 18:48:55 -0800 Subject: [PATCH 08/12] validation: fix ST1017: don't use Yoda conditions Or, in other words, un-Yoda-fy. Signed-off-by: Kir Kolyshkin --- validation/hostname/hostname.go | 2 +- validation/linux_cgroups_blkio/linux_cgroups_blkio.go | 2 +- validation/linux_cgroups_cpus/linux_cgroups_cpus.go | 2 +- validation/linux_cgroups_hugetlb/linux_cgroups_hugetlb.go | 2 +- validation/linux_cgroups_memory/linux_cgroups_memory.go | 2 +- validation/linux_cgroups_network/linux_cgroups_network.go | 2 +- validation/linux_ns_itype/linux_ns_itype.go | 2 +- validation/linux_ns_nopath/linux_ns_nopath.go | 2 +- validation/linux_ns_path/linux_ns_path.go | 2 +- validation/linux_ns_path_type/linux_ns_path_type.go | 2 +- validation/process_capabilities/process_capabilities.go | 2 +- .../process_capabilities_fail/process_capabilities_fail.go | 2 +- validation/process_rlimits/process_rlimits.go | 2 +- validation/process_rlimits_fail/process_rlimits_fail.go | 2 +- validation/root_readonly_true/root_readonly_true.go | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/validation/hostname/hostname.go b/validation/hostname/hostname.go index 02e01754..670afed0 100644 --- a/validation/hostname/hostname.go +++ b/validation/hostname/hostname.go @@ -30,7 +30,7 @@ func main() { t.Header(0) defer t.AutoPlan() - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { t.Skip(1, "linux-specific namespace test") } diff --git a/validation/linux_cgroups_blkio/linux_cgroups_blkio.go b/validation/linux_cgroups_blkio/linux_cgroups_blkio.go index 5b335f50..0004613a 100644 --- a/validation/linux_cgroups_blkio/linux_cgroups_blkio.go +++ b/validation/linux_cgroups_blkio/linux_cgroups_blkio.go @@ -50,7 +50,7 @@ func testBlkioCgroups(rate uint64, isEmpty bool) error { } func main() { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { util.Fatal(fmt.Errorf("linux-specific cgroup test")) } 
diff --git a/validation/linux_cgroups_cpus/linux_cgroups_cpus.go b/validation/linux_cgroups_cpus/linux_cgroups_cpus.go index a1370758..ca92d450 100644 --- a/validation/linux_cgroups_cpus/linux_cgroups_cpus.go +++ b/validation/linux_cgroups_cpus/linux_cgroups_cpus.go @@ -119,7 +119,7 @@ func testEmptyCPU() error { } func main() { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { util.Fatal(fmt.Errorf("linux-specific cgroup test")) } diff --git a/validation/linux_cgroups_hugetlb/linux_cgroups_hugetlb.go b/validation/linux_cgroups_hugetlb/linux_cgroups_hugetlb.go index 154b8736..5aa2a078 100644 --- a/validation/linux_cgroups_hugetlb/linux_cgroups_hugetlb.go +++ b/validation/linux_cgroups_hugetlb/linux_cgroups_hugetlb.go @@ -88,7 +88,7 @@ func testWrongHugetlb() error { } func main() { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { util.Fatal(fmt.Errorf("linux-specific cgroup test")) } diff --git a/validation/linux_cgroups_memory/linux_cgroups_memory.go b/validation/linux_cgroups_memory/linux_cgroups_memory.go index 89e88bd7..e83be675 100644 --- a/validation/linux_cgroups_memory/linux_cgroups_memory.go +++ b/validation/linux_cgroups_memory/linux_cgroups_memory.go @@ -10,7 +10,7 @@ import ( ) func main() { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { util.Fatal(fmt.Errorf("linux-specific cgroup test")) } diff --git a/validation/linux_cgroups_network/linux_cgroups_network.go b/validation/linux_cgroups_network/linux_cgroups_network.go index f91cf986..6208cd7c 100644 --- a/validation/linux_cgroups_network/linux_cgroups_network.go +++ b/validation/linux_cgroups_network/linux_cgroups_network.go @@ -98,7 +98,7 @@ func testNetworkCgroups() error { } func main() { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { util.Fatal(fmt.Errorf("linux-specific cgroup test")) } diff --git a/validation/linux_ns_itype/linux_ns_itype.go b/validation/linux_ns_itype/linux_ns_itype.go index 1b08b458..662d2aec 100644 
--- a/validation/linux_ns_itype/linux_ns_itype.go +++ b/validation/linux_ns_itype/linux_ns_itype.go @@ -118,7 +118,7 @@ func main() { t := tap.New() t.Header(0) - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { t.Skip(1, "linux-specific namespace test") } diff --git a/validation/linux_ns_nopath/linux_ns_nopath.go b/validation/linux_ns_nopath/linux_ns_nopath.go index 7aea78d0..9e1fbc81 100644 --- a/validation/linux_ns_nopath/linux_ns_nopath.go +++ b/validation/linux_ns_nopath/linux_ns_nopath.go @@ -119,7 +119,7 @@ func main() { t := tap.New() t.Header(0) - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { t.Skip(1, "linux-specific namespace test") } diff --git a/validation/linux_ns_path/linux_ns_path.go b/validation/linux_ns_path/linux_ns_path.go index 8744fb59..9e4d2f04 100644 --- a/validation/linux_ns_path/linux_ns_path.go +++ b/validation/linux_ns_path/linux_ns_path.go @@ -148,7 +148,7 @@ func main() { } for _, c := range cases { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { t.Skip(1, fmt.Sprintf("linux-specific namespace test: %s", c)) } diff --git a/validation/linux_ns_path_type/linux_ns_path_type.go b/validation/linux_ns_path_type/linux_ns_path_type.go index 82846831..99b18b20 100644 --- a/validation/linux_ns_path_type/linux_ns_path_type.go +++ b/validation/linux_ns_path_type/linux_ns_path_type.go @@ -93,7 +93,7 @@ func main() { } for _, c := range cases { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { t.Skip(1, fmt.Sprintf("linux-specific namespace test: %s", c)) } diff --git a/validation/process_capabilities/process_capabilities.go b/validation/process_capabilities/process_capabilities.go index 5e71cd13..4be5b7c8 100644 --- a/validation/process_capabilities/process_capabilities.go +++ b/validation/process_capabilities/process_capabilities.go 
@@ -8,7 +8,7 @@ import ( ) func main() { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { util.Skip("linux-specific process.capabilities test", map[string]string{"OS": runtime.GOOS}) os.Exit(0) } diff --git a/validation/process_capabilities_fail/process_capabilities_fail.go b/validation/process_capabilities_fail/process_capabilities_fail.go index 21c94f32..a1a524bb 100644 --- a/validation/process_capabilities_fail/process_capabilities_fail.go +++ b/validation/process_capabilities_fail/process_capabilities_fail.go @@ -11,7 +11,7 @@ import ( ) func main() { - if "linux" != runtime.GOOS { + if runtime.GOOS != "linux" { util.Skip("linux-specific process.capabilities test", map[string]string{"OS": runtime.GOOS}) os.Exit(0) } diff --git a/validation/process_rlimits/process_rlimits.go b/validation/process_rlimits/process_rlimits.go index 9f22382c..21e8d4cb 100644 --- a/validation/process_rlimits/process_rlimits.go +++ b/validation/process_rlimits/process_rlimits.go @@ -8,7 +8,7 @@ import ( ) func main() { - if "linux" != runtime.GOOS && "solaris" != runtime.GOOS { + if runtime.GOOS != "linux" && runtime.GOOS != "solaris" { util.Skip("POSIX-specific process.rlimits test", map[string]string{"OS": runtime.GOOS}) os.Exit(0) } diff --git a/validation/process_rlimits_fail/process_rlimits_fail.go b/validation/process_rlimits_fail/process_rlimits_fail.go index bf1584b6..772557ce 100644 --- a/validation/process_rlimits_fail/process_rlimits_fail.go +++ b/validation/process_rlimits_fail/process_rlimits_fail.go @@ -11,7 +11,7 @@ import ( ) func main() { - if "linux" != runtime.GOOS && "solaris" != runtime.GOOS { + if runtime.GOOS != "linux" && runtime.GOOS != "solaris" { util.Skip("POSIX-specific process.rlimits test", map[string]string{"OS": runtime.GOOS}) os.Exit(0) } diff --git a/validation/root_readonly_true/root_readonly_true.go b/validation/root_readonly_true/root_readonly_true.go index 74229d32..881e32ae 100644 
--- a/validation/root_readonly_true/root_readonly_true.go +++ b/validation/root_readonly_true/root_readonly_true.go @@ -8,7 +8,7 @@ import ( ) func main() { - if "windows" == runtime.GOOS { + if runtime.GOOS == "windows" { util.Skip("non-Windows root.readonly test", map[string]string{"OS": runtime.GOOS}) os.Exit(0) } From 2734868096560514a9385b75715bf3c484b9ed70 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 19:20:01 -0800 Subject: [PATCH 09/12] generate: fix a comment Signed-off-by: Kir Kolyshkin --- generate/generate.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generate/generate.go b/generate/generate.go index 17ea6f4c..16e8f5cd 100644 --- a/generate/generate.go +++ b/generate/generate.go @@ -868,7 +868,7 @@ func (g *Generator) DropLinuxResourcesHugepageLimit(pageSize string) { } } -// AddLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified +// SetLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified. func (g *Generator) SetLinuxResourcesUnified(unified map[string]string) { g.initConfigLinuxResourcesUnified() for k, v := range unified { From 12164660168ad0ab7ac53db251e442f249e05e60 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 19:25:18 -0800 Subject: [PATCH 10/12] golangci-lint: switch to v2 While at it, bump lint job actions to latest versions. Signed-off-by: Kir Kolyshkin --- .github/workflows/test.yml | 10 +++++----- .golangci.yml | 12 +++++++++++- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 01b8f7c1..1352bac0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -11,15 +11,15 @@ on: jobs: lint: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - - uses: actions/setup-go@v5 + - uses: actions/setup-go@v6 with: go-version: 1.x # latest - - uses: actions/checkout@v4 - - uses: golangci/golangci-lint-action@v6 + - uses: actions/checkout@v5 + - uses: golangci/golangci-lint-action@v8 with: - version: v1.61 + version: v2.6 commit: runs-on: ubuntu-22.04 diff --git a/.golangci.yml b/.golangci.yml index 3ee5b4bc..aa8bba11 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,5 +1,15 @@ -# For documentation, see https://golangci-lint.run/usage/configuration/ +version: "2" + +formatters: + enable: + - gofmt linters: disable: - errcheck + settings: + staticcheck: + checks: + - all # Enable all checks, except... + - -ST1005 # https://staticcheck.dev/docs/checks/#ST1005 Incorrectly formatted error string. + - -ST1000 # https://staticcheck.dev/docs/checks/#ST1000 Incorrect or missing package comment. From 4da4e5ed9e90d0b60e5222bfcda7baf86a4f271d Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 19:32:37 -0800 Subject: [PATCH 11/12] ci: bump actions etc. to latest versions Signed-off-by: Kir Kolyshkin --- .github/workflows/test.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1352bac0..87ed2e8f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -22,25 +22,25 @@ jobs: version: v2.6 commit: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 # Only check commits on pull requests. if: github.event_name == 'pull_request' steps: - name: get pr commits id: 'get-pr-commits' - uses: tim-actions/get-pr-commits@v1.1.0 + uses: tim-actions/get-pr-commits@v1.3.1 with: token: ${{ secrets.GITHUB_TOKEN }} - name: check subject line length - uses: tim-actions/commit-message-checker-with-regex@v0.3.1 + uses: tim-actions/commit-message-checker-with-regex@v0.3.2 with: commits: ${{ steps.get-pr-commits.outputs.commits }} pattern: '^.{0,72}(\n.*)*$' error: 'Subject too long (max 72)' test: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: @@ -49,9 +49,9 @@ jobs: steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: install go ${{ matrix.go-version }} - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version: ${{ matrix.go-version }} - name: build From 79a3f0f83c828942ed7de38fcefb377c1e8498b2 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 5 Nov 2025 19:43:07 -0800 Subject: [PATCH 12/12] ci: use "oldstable" and "stable" Go versions In addition to the one from go.mod (currently 1.21). Signed-off-by: Kir Kolyshkin --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 87ed2e8f..0385ebc9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ jobs: steps: - uses: actions/setup-go@v6 with: - go-version: 1.x # latest + go-version: stable - uses: actions/checkout@v5 - uses: golangci/golangci-lint-action@v8 with: @@ -44,7 +44,7 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.21.x, 1.22.x, 1.23.x] + go-version: [1.21.x, oldstable, stable] race: ["-race", ""] steps:
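Review bot: In the `commit` job, the two third-party actions are still referenced by mutable tags (`tim-actions/get-pr-commits@v1.3.1`, `tim-actions/commit-message-checker-with-regex@v0.3.2`), and the first one is handed `secrets.GITHUB_TOKEN`. A retagged release would then run with that token. Pinning to a full commit SHA with the tag kept as a comment avoids this, e.g. `uses: tim-actions/get-pr-commits@<full-commit-sha> # v1.3.1`. No `permissions:` key appears in the visible hunks; if the workflow has none, adding `permissions: { contents: read, pull-requests: read }` to this job would limit what the token can do.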