Merge pull request #7254 from mxpv/go

Switch to Go 1.19

.github/workflows/build-test-images.yml

@@ -39,7 +39,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.5'
+          go-version: '1.19'
 
       - uses: actions/checkout@v2
         with:

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ on:
 env:
   # Go version we currently use to build containerd across all CI.
   # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
-  GO_VERSION: '1.18.5'
+  GO_VERSION: '1.19'
 
 jobs:
   #
@@ -35,7 +35,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.46.2
+          version: v1.48.0
           skip-cache: true
           args: --timeout=5m
 
@@ -219,7 +219,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-18.04, macos-12, windows-2019, windows-2022]
-        go-version: ['1.17.13', '1.18.5']
+        go-version: ['1.19', '1.18.5']
     steps:
       - uses: actions/setup-go@v2
         with:
@@ -415,13 +415,13 @@ jobs:
       - name: Install containerd dependencies
         env:
           RUNC_FLAVOR: ${{ matrix.runc }}
-          GOFLAGS: -modcacherw
         run: |
           sudo apt-get install -y gperf
-          sudo -E PATH=$PATH script/setup/install-seccomp
+          script/setup/install-seccomp
-          sudo -E PATH=$PATH script/setup/install-runc
+          script/setup/install-runc
-          sudo -E PATH=$PATH script/setup/install-cni $(grep containernetworking/plugins go.mod | awk '{print $2}')
+          script/setup/install-cni $(grep containernetworking/plugins go.mod | awk '{print $2}')
-          sudo -E PATH=$PATH script/setup/install-critools
+          script/setup/install-critools
+          script/setup/install-failpoint-binaries
 
       - name: Install criu
         run: |
@@ -429,10 +429,6 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y criu
 
-      - name: Install failpoint binaries
-        run: |
-          script/setup/install-failpoint-binaries
-
       - name: Install containerd
         env:
           CGO_ENABLED: 1
@@ -440,7 +436,7 @@ jobs:
           make binaries GO_BUILD_FLAGS="-mod=vendor"
           sudo -E PATH=$PATH make install
 
-      - run: sudo -E PATH=$PATH script/setup/install-gotestsum
+      - run: script/setup/install-gotestsum
       - name: Tests
         env:
           GOPROXY: direct
@@ -540,7 +536,7 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
       - uses: actions/checkout@v2
-      - run: sudo -E PATH=$PATH script/setup/install-gotestsum
+      - run: script/setup/install-gotestsum
       - name: Tests
         env:
           GOPROXY: direct

.github/workflows/codeql.yml

@@ -26,7 +26,7 @@ jobs:
 
     - uses: actions/setup-go@v2
       with:
-        go-version: 1.18.5
+        go-version: 1.19
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/images.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.18.5'
+          go-version: '1.19'
 
       - uses: actions/checkout@v2
         with:

.github/workflows/nightly.yml

@@ -7,7 +7,7 @@ on:
       - '.github/workflows/nightly.yml'
 
 env:
-  GO_VERSION: '1.18.5'
+  GO_VERSION: '1.19'
 
 jobs:
   linux:

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
 name: Containerd Release
 
 env:
-  GO_VERSION: '1.18.5'
+  GO_VERSION: '1.19'
 
 jobs:
   check:

.zuul/playbooks/containerd-build/integration-test.yaml

@@ -2,7 +2,7 @@
   become: yes
   roles:
   - role: config-golang
-    go_version: '1.18.5'
+    go_version: '1.19'
     arch: arm64
   tasks:
   - name: Install pre-requisites

.zuul/playbooks/containerd-build/run.yaml

@@ -2,7 +2,7 @@
   become: yes
   roles:
   - role: config-golang
-    go_version: '1.18.5'
+    go_version: '1.19'
     arch: arm64
   tasks:
   - name: Build containerd

.zuul/playbooks/containerd-build/unit-test.yaml

@@ -2,7 +2,7 @@
   become: yes
   roles:
   - role: config-golang
-    go_version: '1.18.5'
+    go_version: '1.19'
     arch: arm64
   tasks:
   - name: Build and test containerd

Vagrantfile

@@ -97,7 +97,7 @@ EOF
   config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
     sh.upload_path = "/tmp/vagrant-install-golang"
     sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.18.5",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.19",
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash

api/services/containers/v1/containers.pb.go

@@ -310,7 +310,7 @@ type ListContainersRequest struct {
 	// filters. Expanded, containers that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"`

api/services/containers/v1/containers.proto

@@ -134,7 +134,7 @@ message ListContainersRequest {
 	// filters. Expanded, containers that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	repeated string filters = 1;

api/services/content/v1/content.pb.go

@@ -403,7 +403,7 @@ type ListContentRequest struct {
 	// filters. Expanded, containers that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"`

api/services/content/v1/content.proto

@@ -140,7 +140,7 @@ message ListContentRequest {
 	// filters. Expanded, containers that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	repeated string filters = 1;

api/services/images/v1/images.pb.go

@@ -436,7 +436,7 @@ type ListImagesRequest struct {
 	// filters. Expanded, images that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"`

api/services/images/v1/images.proto

@@ -118,7 +118,7 @@ message ListImagesRequest {
 	// filters. Expanded, images that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	repeated string filters = 1;

api/services/introspection/v1/introspection.pb.go

@@ -175,7 +175,7 @@ type PluginsRequest struct {
 	// filters. Expanded, plugins that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	Filters []string `protobuf:"bytes,1,rep,name=filters,proto3" json:"filters,omitempty"`

api/services/introspection/v1/introspection.proto

@@ -88,7 +88,7 @@ message PluginsRequest {
 	// filters. Expanded, plugins that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	repeated string filters = 1;

api/services/snapshots/v1/snapshots.pb.go

@@ -887,7 +887,7 @@ type ListSnapshotsRequest struct {
 	// filters. Expanded, images that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	Filters []string `protobuf:"bytes,2,rep,name=filters,proto3" json:"filters,omitempty"`

api/services/snapshots/v1/snapshots.proto

@@ -154,7 +154,7 @@ message ListSnapshotsRequest{
 	// filters. Expanded, images that match the following will be
 	// returned:
 	//
-	//   filters[0] or filters[1] or ... or filters[n-1] or filters[n]
+	//	filters[0] or filters[1] or ... or filters[n-1] or filters[n]
 	//
 	// If filters is zero-length or nil, all items will be returned.
 	repeated string filters = 2;

cmd/ctr/commands/cni.go

@@ -36,7 +36,7 @@ const (
 	CtrCniMetadataExtension = "ctr.cni-containerd.metadata"
 )
 
-//ctr pass cni network metadata to containerd if ctr run use option of --cni
+// ctr pass cni network metadata to containerd if ctr run use option of --cni
 type NetworkMetaData struct {
 	EnableCni bool
 }

content/local/store.go

@@ -34,7 +34,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/sirupsen/logrus"
 
-	digest "github.com/opencontainers/go-digest"
+	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
@@ -643,7 +643,6 @@ func (s *store) ingestRoot(ref string) string {
 // - root: entire ingest directory
 // - ref: name of the starting ref, must be unique
 // - data: file where data is written
-//
 func (s *store) ingestPaths(ref string) (string, string, string) {
 	var (
 		fp = s.ingestRoot(ref)

contrib/Dockerfile.test

@@ -10,7 +10,7 @@
 #
 # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc94 -f Dockerfile.test ../
 
-ARG GOLANG_VERSION=1.18.5
+ARG GOLANG_VERSION=1.19
 ARG GOLANG_IMAGE=golang
 
 FROM ${GOLANG_IMAGE}:${GOLANG_VERSION} AS golang

contrib/fuzz/daemon.go

@@ -13,6 +13,7 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 */
+
 package fuzz
 
 import (

contrib/fuzz/oss_fuzz_build.sh

@@ -40,11 +40,11 @@ compile_fuzzers() {
 
 apt-get update && apt-get install -y wget
 cd $SRC
-wget --quiet https://go.dev/dl/go1.18.5.linux-amd64.tar.gz
+wget --quiet https://go.dev/dl/go1.19.linux-amd64.tar.gz
 
 mkdir temp-go
 rm -rf /root/.go/*
-tar -C temp-go/ -xzf go1.18.5.linux-amd64.tar.gz
+tar -C temp-go/ -xzf go1.19.linux-amd64.tar.gz
 mv temp-go/go/* /root/.go/
 cd $SRC/containerd
 

filters/filter.go

@@ -65,7 +65,6 @@
 // ```
 // name==foo,labels.bar
 // ```
-//
 package filters
 
 import (

filters/parser.go

@@ -45,7 +45,6 @@ field     := quoted | [A-Za-z] [A-Za-z0-9_]+
 operator  := "==" | "!=" | "~="
 value     := quoted | [^\s,]+
 quoted    := <go string syntax>
-
 */
 func Parse(s string) (Filter, error) {
 	// special case empty to match all

filters/quote.go

@@ -31,10 +31,10 @@ var errQuoteSyntax = errors.New("quote syntax error")
 // or character literal represented by the string s.
 // It returns four values:
 //
-//	1) value, the decoded Unicode code point or byte value;
+//  1. value, the decoded Unicode code point or byte value;
-//	2) multibyte, a boolean indicating whether the decoded character requires a multibyte UTF-8 representation;
+//  2. multibyte, a boolean indicating whether the decoded character requires a multibyte UTF-8 representation;
-//	3) tail, the remainder of the string after the character; and
+//  3. tail, the remainder of the string after the character; and
-//	4) an error that will be nil if the character is syntactically valid.
+//  4. an error that will be nil if the character is syntactically valid.
 //
 // The second argument, quote, specifies the type of literal being parsed
 // and therefore which escaped quote character is permitted.

images/archive/importer.go

@@ -55,12 +55,12 @@ func WithImportCompression() ImportOpt {
 }
 
 // ImportIndex imports an index from a tar archive image bundle
-// - implements Docker v1.1, v1.2 and OCI v1.
+//   - implements Docker v1.1, v1.2 and OCI v1.
-// - prefers OCI v1 when provided
+//   - prefers OCI v1 when provided
-// - creates OCI index for Docker formats
+//   - creates OCI index for Docker formats
-// - normalizes Docker references and adds as OCI ref name
+//   - normalizes Docker references and adds as OCI ref name
-//      e.g. alpine:latest -> docker.io/library/alpine:latest
+//     e.g. alpine:latest -> docker.io/library/alpine:latest
-// - existing OCI reference names are untouched
+//   - existing OCI reference names are untouched
 func ImportIndex(ctx context.Context, store content.Store, reader io.Reader, opts ...ImportOpt) (ocispec.Descriptor, error) {
 	var (
 		tr = tar.NewReader(reader)

integration/failpoint/cmd/cni-bridge-fp/main_linux.go

@@ -20,7 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path/filepath"
 	"syscall"
@@ -168,7 +168,7 @@ func (c *failpointControl) updateTx(updateFn func(conf *failpointConf) error) er
 	}
 	defer unflock(f.Fd())
 
-	data, err := ioutil.ReadAll(f)
+	data, err := io.ReadAll(f)
 	if err != nil {
 		return fmt.Errorf("failed to read failpoint setting %s: %w", c.confPath, err)
 	}

integration/image_pull_timeout_test.go

@@ -64,7 +64,7 @@ func TestCRIImagePullTimeout(t *testing.T) {
 
 // testCRIImagePullTimeoutByHoldingContentOpenWriter tests that
 //
-//  It should not cancel if there is no active http requests.
+//	It should not cancel if there is no active http requests.
 //
 // When there are several pulling requests for the same blob content, there
 // will only one active http request. It is singleflight. For the waiting pulling
@@ -197,7 +197,7 @@ func testCRIImagePullTimeoutByHoldingContentOpenWriter(t *testing.T) {
 
 // testCRIImagePullTimeoutByNoDataTransferred tests that
 //
-//   It should fail because there is no data transferred in open http request.
+//	It should fail because there is no data transferred in open http request.
 //
 // The case uses the local mirror registry to forward request with circuit
 // breaker. If the local registry has transferred a certain amount of data in

metadata/buckets.go

@@ -26,7 +26,7 @@
 //
 // Generically, we try to do the following:
 //
-// 	<version>/<namespace>/<object>/<key> -> <field>
+//	<version>/<namespace>/<object>/<key> -> <field>
 //
 // version: Currently, this is "v1". Additions can be made to v1 in a backwards
 // compatible way. If the layout changes, a new version must be made, along
@@ -46,77 +46,80 @@
 // the structure is changed in addition to adding a migration and incrementing
 // the database version.
 // Notes:
-//  * `╘══*...*` refers to maps with arbitrary keys
-//  * `version` is a key to a numeric value identifying the minor revisions
-//    of schema version
-//  * a namespace in a schema bucket cannot be named "version"
 //
-//  └──v1                                        - Schema version bucket
+//   - `╘══*...*` refers to maps with arbitrary keys
+//
+//   - `version` is a key to a numeric value identifying the minor revisions
+//     of schema version
+//
+//   - a namespace in a schema bucket cannot be named "version"
+//
+//     └──v1                                        - Schema version bucket
 //     ├──version : <varint>                     - Latest version, see migrations
 //     ╘══*namespace*
-//        ├──labels
+//     ├──labels
-//        │  ╘══*key* : <string>                 - Label value
+//     │  ╘══*key* : <string>                 - Label value
-//        ├──image
+//     ├──image
-//        │  ╘══*image name*
+//     │  ╘══*image name*
-//        │     ├──createdat : <binary time>     - Created at
+//     │     ├──createdat : <binary time>     - Created at
-//        │     ├──updatedat : <binary time>     - Updated at
+//     │     ├──updatedat : <binary time>     - Updated at
-//        │     ├──target
+//     │     ├──target
-//        │     │  ├──digest : <digest>          - Descriptor digest
+//     │     │  ├──digest : <digest>          - Descriptor digest
-//        │     │  ├──mediatype : <string>       - Descriptor media type
+//     │     │  ├──mediatype : <string>       - Descriptor media type
-//        │     │  └──size : <varint>            - Descriptor size
+//     │     │  └──size : <varint>            - Descriptor size
-//        │     └──labels
+//     │     └──labels
-//        │        ╘══*key* : <string>           - Label value
+//     │        ╘══*key* : <string>           - Label value
-//        ├──containers
+//     ├──containers
-//        │  ╘══*container id*
+//     │  ╘══*container id*
-//        │     ├──createdat : <binary time>     - Created at
+//     │     ├──createdat : <binary time>     - Created at
-//        │     ├──updatedat : <binary time>     - Updated at
+//     │     ├──updatedat : <binary time>     - Updated at
-//        │     ├──spec : <binary>               - Proto marshaled spec
+//     │     ├──spec : <binary>               - Proto marshaled spec
-//        │     ├──image : <string>              - Image name
+//     │     ├──image : <string>              - Image name
-//        │     ├──snapshotter : <string>        - Snapshotter name
+//     │     ├──snapshotter : <string>        - Snapshotter name
-//        │     ├──snapshotKey : <string>        - Snapshot key
+//     │     ├──snapshotKey : <string>        - Snapshot key
-//        │     ├──runtime
+//     │     ├──runtime
-//        │     │  ├──name : <string>            - Runtime name
+//     │     │  ├──name : <string>            - Runtime name
-//        │     │  ├──extensions
+//     │     │  ├──extensions
-//        │     │  │  ╘══*name* : <binary>       - Proto marshaled extension
+//     │     │  │  ╘══*name* : <binary>       - Proto marshaled extension
-//        │     │  └──options : <binary>         - Proto marshaled options
+//     │     │  └──options : <binary>         - Proto marshaled options
-//        │     └──labels
+//     │     └──labels
-//        │        ╘══*key* : <string>           - Label value
+//     │        ╘══*key* : <string>           - Label value
-//        ├──snapshots
+//     ├──snapshots
-//        │  ╘══*snapshotter*
+//     │  ╘══*snapshotter*
-//        │     ╘══*snapshot key*
+//     │     ╘══*snapshot key*
-//        │        ├──name : <string>            - Snapshot name in backend
+//     │        ├──name : <string>            - Snapshot name in backend
-//        │        ├──createdat : <binary time>  - Created at
+//     │        ├──createdat : <binary time>  - Created at
-//        │        ├──updatedat : <binary time>  - Updated at
+//     │        ├──updatedat : <binary time>  - Updated at
-//        │        ├──parent : <string>          - Parent snapshot name
+//     │        ├──parent : <string>          - Parent snapshot name
-//        │        ├──children
+//     │        ├──children
-//        │        │  ╘══*snapshot key* : <nil>  - Child snapshot reference
+//     │        │  ╘══*snapshot key* : <nil>  - Child snapshot reference
-//        │        └──labels
+//     │        └──labels
-//        │           ╘══*key* : <string>        - Label value
+//     │           ╘══*key* : <string>        - Label value
-//        ├──content
+//     ├──content
-//        │  ├──blob
+//     │  ├──blob
-//        │  │  ╘══*blob digest*
+//     │  │  ╘══*blob digest*
-//        │  │     ├──createdat : <binary time>  - Created at
+//     │  │     ├──createdat : <binary time>  - Created at
-//        │  │     ├──updatedat : <binary time>  - Updated at
+//     │  │     ├──updatedat : <binary time>  - Updated at
-//        │  │     ├──size : <varint>            - Blob size
+//     │  │     ├──size : <varint>            - Blob size
-//        │  │     └──labels
+//     │  │     └──labels
-//        │  │        ╘══*key* : <string>        - Label value
+//     │  │        ╘══*key* : <string>        - Label value
-//        │  └──ingests
+//     │  └──ingests
-//        │     ╘══*ingest reference*
+//     │     ╘══*ingest reference*
-//        │        ├──ref : <string>             - Ingest reference in backend
+//     │        ├──ref : <string>             - Ingest reference in backend
-//        │        ├──expireat : <binary time>   - Time to expire ingest
+//     │        ├──expireat : <binary time>   - Time to expire ingest
-//        │        └──expected : <digest>        - Expected commit digest
+//     │        └──expected : <digest>        - Expected commit digest
-//        └──leases
+//     └──leases
-//           ╘══*lease id*
+//     ╘══*lease id*
-//              ├──createdat : <binary time>     - Created at
+//     ├──createdat : <binary time>     - Created at
-//              ├──labels
+//     ├──labels
-//              │  ╘══*key* : <string>           - Label value
+//     │  ╘══*key* : <string>           - Label value
-//              ├──snapshots
+//     ├──snapshots
-//              │  ╘══*snapshotter*
+//     │  ╘══*snapshotter*
-//              │     ╘══*snapshot key* : <nil>  - Snapshot reference
+//     │     ╘══*snapshot key* : <nil>  - Snapshot reference
-//              ├──content
+//     ├──content
-//              │  ╘══*blob digest* : <nil>      - Content blob reference
+//     │  ╘══*blob digest* : <nil>      - Content blob reference
-//              └──ingests
+//     └──ingests
-//                 ╘══*ingest reference* : <nil> - Content ingest reference
+//     ╘══*ingest reference* : <nil> - Content ingest reference
 package metadata
 
 import (

metadata/db.go

@@ -274,11 +274,11 @@ func (m *DB) RegisterMutationCallback(fn func(bool)) {
 // to be tracked by go away after reboot or process restart.
 //
 // A few limitations to consider:
-// - Collectible Resources cannot reference other resources.
+//   - Collectible Resources cannot reference other resources.
-// - A failure to complete collection will not fail the garbage collection,
+//   - A failure to complete collection will not fail the garbage collection,
-//   however, the resources can be collected in a later run.
+//     however, the resources can be collected in a later run.
-// - Collectible Resources must track whether the resource is active and/or
+//   - Collectible Resources must track whether the resource is active and/or
-//   lease membership.
+//     lease membership.
 func (m *DB) RegisterCollectibleResource(t gc.ResourceType, c Collector) {
 	if t < resourceEnd {
 		panic("cannot re-register metadata resource")

namespaces/store.go

@@ -24,8 +24,6 @@ import "context"
 // oriented. A namespace is really just a name and a set of labels. Objects
 // that belong to a namespace are returned when the namespace is assigned to a
 // given context.
-//
-//
 type Store interface {
 	Create(ctx context.Context, namespace string, labels map[string]string) error
 	Labels(ctx context.Context, namespace string) (map[string]string, error)

oci/spec_opts.go

@@ -591,7 +591,8 @@ func WithNamespacedCgroup() SpecOpts {
 
 // WithUser sets the user to be used within the container.
 // It accepts a valid user string in OCI Image Spec v1.0.0:
-//   user, uid, user:group, uid:gid, uid:group, user:gid
+//
+//	user, uid, user:group, uid:gid, uid:group, user:gid
 func WithUser(userstr string) SpecOpts {
 	return func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
 		setProcess(s)

oci/spec_opts_nonlinux.go

@@ -28,19 +28,19 @@ import (
 
 // WithAllCurrentCapabilities propagates the effective capabilities of the caller process to the container process.
 // The capability set may differ from WithAllKnownCapabilities when running in a container.
-//nolint: deadcode, unused
+// nolint: deadcode, unused
 var WithAllCurrentCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
 	return WithCapabilities(nil)(ctx, client, c, s)
 }
 
 // WithAllKnownCapabilities sets all the the known linux capabilities for the container process
-//nolint: deadcode, unused
+// nolint: deadcode, unused
 var WithAllKnownCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
 	return WithCapabilities(nil)(ctx, client, c, s)
 }
 
 // WithBlockIO sets the container's blkio parameters
-//nolint: deadcode, unused
+// nolint: deadcode, unused
 func WithBlockIO(blockio interface{}) SpecOpts {
 	return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error {
 		return errors.New("blkio not supported")
@@ -48,7 +48,7 @@ func WithBlockIO(blockio interface{}) SpecOpts {
 }
 
 // WithCPUShares sets the container's cpu shares
-//nolint: deadcode, unused
+// nolint: deadcode, unused
 func WithCPUShares(shares uint64) SpecOpts {
 	return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error {
 		return nil

pkg/apparmor/apparmor.go

@@ -18,10 +18,11 @@ package apparmor
 
 // HostSupports returns true if apparmor is enabled for the host, // On non-Linux returns false
 // On Linux returns true if apparmor_parser is enabled, and if we
-//  are not running docker-in-docker.
 //
-//  It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
+//	are not running docker-in-docker.
-//  check for apparmor_parser to be present, or if we're running docker-in-docker.
+//
+//	It is a modified version of libcontainer/apparmor.IsEnabled(), which does not
+//	check for apparmor_parser to be present, or if we're running docker-in-docker.
 func HostSupports() bool {
 	return hostSupports()
 }

pkg/cri/opts/spec.go

@@ -77,7 +77,8 @@ func WithProcessArgs(config *runtime.ContainerConfig, image *imagespec.ImageConf
 
 // mounts defines how to sort runtime.Mount.
 // This is the same with the Docker implementation:
-//   https://github.com/moby/moby/blob/17.05.x/daemon/volumes.go#L26
+//
+//	https://github.com/moby/moby/blob/17.05.x/daemon/volumes.go#L26
 type orderedMounts []*runtime.Mount
 
 // Len returns the number of mounts. Used in sorting.

pkg/cri/sbserver/events.go

@@ -234,11 +234,11 @@ func convertEvent(e typeurl.Any) (string, interface{}, error) {
 // event monitor.
 //
 // NOTE:
-// 1. start must be called after subscribe.
+//  1. start must be called after subscribe.
-// 2. The task exit event has been handled in individual startSandboxExitMonitor
+//  2. The task exit event has been handled in individual startSandboxExitMonitor
-//    or startContainerExitMonitor goroutine at the first. If the goroutine fails,
+//     or startContainerExitMonitor goroutine at the first. If the goroutine fails,
-//    it puts the event into backoff retry queue and event monitor will handle
+//     it puts the event into backoff retry queue and event monitor will handle
-//    it later.
+//     it later.
 func (em *eventMonitor) start() <-chan error {
 	errCh := make(chan error)
 	if em.ch == nil || em.errCh == nil {

pkg/cri/server/events.go

@@ -234,11 +234,11 @@ func convertEvent(e typeurl.Any) (string, interface{}, error) {
 // event monitor.
 //
 // NOTE:
-// 1. start must be called after subscribe.
+//  1. start must be called after subscribe.
-// 2. The task exit event has been handled in individual startSandboxExitMonitor
+//  2. The task exit event has been handled in individual startSandboxExitMonitor
-//    or startContainerExitMonitor goroutine at the first. If the goroutine fails,
+//     or startContainerExitMonitor goroutine at the first. If the goroutine fails,
-//    it puts the event into backoff retry queue and event monitor will handle
+//     it puts the event into backoff retry queue and event monitor will handle
-//    it later.
+//     it later.
 func (em *eventMonitor) start() <-chan error {
 	errCh := make(chan error)
 	if em.ch == nil || em.errCh == nil {

pkg/cri/streaming/server.go

@@ -45,7 +45,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
-	restful "github.com/emicklei/go-restful/v3"
+	"github.com/emicklei/go-restful/v3"
 
 	"k8s.io/apimachinery/pkg/types"
 	remotecommandconsts "k8s.io/apimachinery/pkg/util/remotecommand"
@@ -162,9 +162,10 @@ func NewServer(config Config, runtime Runtime) (Server, error) {
 	handler.Add(ws)
 	s.handler = handler
 	s.server = &http.Server{
-		Addr:      s.config.Addr,
+		Addr:              s.config.Addr,
-		Handler:   s.handler,
+		Handler:           s.handler,
-		TLSConfig: s.config.TLSConfig,
+		TLSConfig:         s.config.TLSConfig,
+		ReadHeaderTimeout: 3 * time.Second, // Fix linter G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server
 	}
 
 	return s, nil

pkg/failpoint/fail.go

@@ -68,7 +68,7 @@ func (t Type) String() string {
 // user. The user controlled variable will be parsed for how the error injected
 // code should fire. There is the way to set the rule for failpoint.
 //
-// 	<count>*<type>[(arg)][-><more terms>]
+//	<count>*<type>[(arg)][-><more terms>]
 //
 // The <type> argument specifies which action to take; it can be one of:
 //

pkg/ioutil/write_closer.go

@@ -73,10 +73,10 @@ func (n *nopWriteCloser) Close() error {
 // serialWriteCloser wraps a write closer and makes sure all writes
 // are done in serial.
 // Parallel write won't intersect with each other. Use case:
-// 1) Pipe: Write content longer than PIPE_BUF.
+//  1. Pipe: Write content longer than PIPE_BUF.
-//    See http://man7.org/linux/man-pages/man7/pipe.7.html
+//     See http://man7.org/linux/man-pages/man7/pipe.7.html
-// 2) <3.14 Linux Kernel: write is not atomic
+//  2. <3.14 Linux Kernel: write is not atomic
-//    See http://man7.org/linux/man-pages/man2/write.2.html
+//     See http://man7.org/linux/man-pages/man2/write.2.html
 type serialWriteCloser struct {
 	mu sync.Mutex
 	wc io.WriteCloser

pkg/os/os_windows.go

@@ -29,9 +29,10 @@ import (
 // It works for both file and directory paths.
 //
 // We are not able to use builtin Go functionality for opening a directory path:
-// - os.Open on a directory returns a os.File where Fd() is a search handle from FindFirstFile.
+//   - os.Open on a directory returns a os.File where Fd() is a search handle from FindFirstFile.
-// - syscall.Open does not provide a way to specify FILE_FLAG_BACKUP_SEMANTICS, which is needed to
+//   - syscall.Open does not provide a way to specify FILE_FLAG_BACKUP_SEMANTICS, which is needed to
-//   open a directory.
+//     open a directory.
+//
 // We could use os.Open if the path is a file, but it's easier to just use the same code for both.
 // Therefore, we call windows.CreateFile directly.
 func openPath(path string) (windows.Handle, error) {
@@ -58,6 +59,7 @@ func openPath(path string) (windows.Handle, error) {
 }
 
 // GetFinalPathNameByHandle flags.
+//
 //nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
 const (
 	cFILE_NAME_OPENED = 0x8

platforms/platforms.go

@@ -27,40 +27,40 @@
 // The vast majority of use cases should simply use the match function with
 // user input. The first step is to parse a specifier into a matcher:
 //
-//   m, err := Parse("linux")
+//	m, err := Parse("linux")
-//   if err != nil { ... }
+//	if err != nil { ... }
 //
 // Once you have a matcher, use it to match against the platform declared by a
 // component, typically from an image or runtime. Since extracting an images
 // platform is a little more involved, we'll use an example against the
 // platform default:
 //
-//   if ok := m.Match(Default()); !ok { /* doesn't match */ }
+//	if ok := m.Match(Default()); !ok { /* doesn't match */ }
 //
 // This can be composed in loops for resolving runtimes or used as a filter for
 // fetch and select images.
 //
 // More details of the specifier syntax and platform spec follow.
 //
-// Declaring Platform Support
+// # Declaring Platform Support
 //
 // Components that have strict platform requirements should use the OCI
 // platform specification to declare their support. Typically, this will be
 // images and runtimes that should make these declaring which platform they
 // support specifically. This looks roughly as follows:
 //
-//   type Platform struct {
+//	  type Platform struct {
-//	   Architecture string
+//		   Architecture string
-//	   OS           string
+//		   OS           string
-//	   Variant      string
+//		   Variant      string
-//   }
+//	  }
 //
 // Most images and runtimes should at least set Architecture and OS, according
 // to their GOARCH and GOOS values, respectively (follow the OCI image
 // specification when in doubt). ARM should set variant under certain
 // discussions, which are outlined below.
 //
-// Platform Specifiers
+// # Platform Specifiers
 //
 // While the OCI platform specifications provide a tool for components to
 // specify structured information, user input typically doesn't need the full
@@ -77,7 +77,7 @@
 // where the architecture may be known but a runtime may support images from
 // different operating systems.
 //
-// Normalization
+// # Normalization
 //
 // Because not all users are familiar with the way the Go runtime represents
 // platforms, several normalizations have been provided to make this package
@@ -85,17 +85,17 @@
 //
 // The following are performed for architectures:
 //
-//   Value    Normalized
+//	Value    Normalized
-//   aarch64  arm64
+//	aarch64  arm64
-//   armhf    arm
+//	armhf    arm
-//   armel    arm/v6
+//	armel    arm/v6
-//   i386     386
+//	i386     386
-//   x86_64   amd64
+//	x86_64   amd64
-//   x86-64   amd64
+//	x86-64   amd64
 //
 // We also normalize the operating system `macos` to `darwin`.
 //
-// ARM Support
+// # ARM Support
 //
 // To qualify ARM architecture, the Variant field is used to qualify the arm
 // version. The most common arm version, v7, is represented without the variant

process.go

@@ -72,8 +72,10 @@ type ExitStatus struct {
 
 // Result returns the exit code and time of the exit status.
 // An error may be returned here to which indicates there was an error
-//   at some point while waiting for the exit status. It does not signify
+//
-//   an error with the process itself.
+//	at some point while waiting for the exit status. It does not signify
+//	an error with the process itself.
+//
 // If an error is returned, the process may still be running.
 func (s ExitStatus) Result() (uint32, time.Time, error) {
 	return s.code, s.exitedAt, s.err

reference/docker/reference.go

@@ -19,13 +19,13 @@
 //
 // Grammar
 //
-// 	reference                       := name [ ":" tag ] [ "@" digest ]
+//	reference                       := name [ ":" tag ] [ "@" digest ]
 //	name                            := [domain '/'] path-component ['/' path-component]*
 //	domain                          := domain-component ['.' domain-component]* [':' port-number]
 //	domain-component                := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/
 //	port-number                     := /[0-9]+/
 //	path-component                  := alpha-numeric [separator alpha-numeric]*
-// 	alpha-numeric                   := /[a-z0-9]+/
+//	alpha-numeric                   := /[a-z0-9]+/
 //	separator                       := /[_.]|__|[-]*/
 //
 //	tag                             := /[\w][\w.-]{0,127}/

remotes/docker/config/hosts.go

@@ -530,13 +530,13 @@ func makeAbsPath(p string, base string) string {
 
 // loadCertsDir loads certs from certsDir like "/etc/docker/certs.d" .
 // Compatible with Docker file layout
-// - files ending with ".crt" are treated as CA certificate files
+//   - files ending with ".crt" are treated as CA certificate files
-// - files ending with ".cert" are treated as client certificates, and
+//   - files ending with ".cert" are treated as client certificates, and
-//   files with the same name but ending with ".key" are treated as the
+//     files with the same name but ending with ".key" are treated as the
-//   corresponding private key.
+//     corresponding private key.
-//   NOTE: If a ".key" file is missing, this function will just return
+//     NOTE: If a ".key" file is missing, this function will just return
-//   the ".cert", which may contain the private key. If the ".cert" file
+//     the ".cert", which may contain the private key. If the ".cert" file
-//   does not contain the private key, the caller should detect and error.
+//     does not contain the private key, the caller should detect and error.
 func loadCertFiles(ctx context.Context, certsDir string) ([]hostConfig, error) {
 	fs, err := os.ReadDir(certsDir)
 	if err != nil && !os.IsNotExist(err) {

remotes/handlers.go

@@ -257,8 +257,8 @@ func PushContent(ctx context.Context, pusher Pusher, desc ocispec.Descriptor, st
 // An example of this kind of content would be a Windows base layer, which is not supposed to be redistributed.
 //
 // This is based on the media type of the content:
-// 	- application/vnd.oci.image.layer.nondistributable
+//   - application/vnd.oci.image.layer.nondistributable
-// 	- application/vnd.docker.image.rootfs.foreign
+//   - application/vnd.docker.image.rootfs.foreign
 func SkipNonDistributableBlobs(f images.HandlerFunc) images.HandlerFunc {
 	return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
 		if images.IsNonDistributable(desc.MediaType) {

script/setup/install-cni

@@ -25,6 +25,12 @@ CNI_COMMIT=${1:-$(grep containernetworking/plugins "$GOPATH"/src/github.com/cont
 CNI_DIR=${DESTDIR:=''}/opt/cni
 CNI_CONFIG_DIR=${DESTDIR}/etc/cni/net.d
 
+# e2e and Cirrus will fail with "sudo: command not found"
+SUDO=''
+if (( $EUID != 0 )); then
+    SUDO='sudo'
+fi
+
 TMPROOT=$(mktemp -d)
 git clone https://github.com/containernetworking/plugins.git "${TMPROOT}"/plugins
 pushd "${TMPROOT}"/plugins
@@ -32,8 +38,8 @@ git checkout "$CNI_COMMIT"
 ./build_linux.sh
 mkdir -p $CNI_DIR
 cp -r ./bin $CNI_DIR
-mkdir -p $CNI_CONFIG_DIR
+$SUDO mkdir -p $CNI_CONFIG_DIR
-cat << EOF | tee $CNI_CONFIG_DIR/10-containerd-net.conflist
+$SUDO cat << EOF | $SUDO tee $CNI_CONFIG_DIR/10-containerd-net.conflist
 {
   "cniVersion": "1.0.0",
   "name": "containerd-net",

script/setup/install-critools

@@ -22,6 +22,12 @@ set -eu -o pipefail
 
 script_dir="$(cd -- "$(dirname -- "$0")" > /dev/null 2>&1; pwd -P)"
 
+# e2e will fail with "sudo: command not found"
+SUDO=''
+if (( $EUID != 0 )); then
+    SUDO='sudo'
+fi
+
 cd "$(go env GOPATH)"
 go install github.com/onsi/ginkgo/v2/ginkgo@v2.1.4
 
@@ -33,10 +39,10 @@ git clone https://github.com/kubernetes-sigs/cri-tools.git "${TMPROOT}/cri-tools
 pushd "${TMPROOT}"/cri-tools
 git checkout "$CRITEST_COMMIT"
 make
-make install -e DESTDIR="${DESTDIR}" BINDIR=/usr/local/bin
+$SUDO make install -e DESTDIR="${DESTDIR}" BINDIR=/usr/local/bin
 
 mkdir -p "${DESTDIR}/etc/"
-cat << EOF | tee "${DESTDIR}/etc/crictl.yaml"
+$SUDO cat << EOF | $SUDO tee "${DESTDIR}/etc/crictl.yaml"
 runtime-endpoint: unix:///run/containerd/containerd.sock
 EOF
 

script/setup/install-dev-tools

@@ -24,7 +24,7 @@ set -eu -o pipefail
 go install github.com/containerd/protobuild@v0.2.0
 go install github.com/containerd/protobuild/cmd/go-fix-acronym@v0.2.0
 go install github.com/cpuguy83/go-md2man/v2@v2.0.1
-go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.2
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.48.0
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28
 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2
 go install github.com/containerd/ttrpc/cmd/protoc-gen-go-ttrpc@944ef4a40df3446714a823207972b7d9858ffac5

script/setup/install-runc

@@ -22,6 +22,12 @@ set -eu -o pipefail
 
 script_dir="$(cd -- "$(dirname -- "$0")" > /dev/null 2>&1; pwd -P)"
 
+# e2e and Cirrus will fail with "sudo: command not found"
+SUDO=''
+if (( $EUID != 0 )); then
+    SUDO='sudo'
+fi
+
 function install_runc() {
 	# When updating runc-version, consider updating the runc module in go.mod as well
 	: "${RUNC_VERSION:=$(cat "${script_dir}/runc-version")}"
@@ -31,15 +37,15 @@ function install_runc() {
 	pushd "${TMPROOT}"/runc
 	git checkout "${RUNC_VERSION}"
 	make BUILDTAGS='seccomp' runc
-	make install
+	$SUDO make install
 	popd
 	rm -fR "${TMPROOT}"
 }
 
 function install_crun() {
 	: "${CRUN_VERSION:=$(cat "${script_dir}/crun-version")}"
-	curl -S -o /usr/local/sbin/runc -L https://github.com/containers/crun/releases/download/"${CRUN_VERSION}"/crun-"${CRUN_VERSION}"-linux-"$(go env GOARCH)"
+	$SUDO curl -S -o /usr/local/sbin/runc -L https://github.com/containers/crun/releases/download/"${CRUN_VERSION}"/crun-"${CRUN_VERSION}"-linux-"$(go env GOARCH)"
-	chmod +x /usr/local/sbin/runc
+	$SUDO chmod +x /usr/local/sbin/runc
 }
 
 : "${RUNC_FLAVOR:=runc}"

script/setup/install-seccomp

@@ -30,8 +30,8 @@ curl -fsSL "https://github.com/seccomp/libseccomp/releases/download/v${SECCOMP_V
 	cd "$SECCOMP_PATH"
 	./configure --prefix=/usr/local
 	make
-	make install
+	sudo make install
-	ldconfig
+	sudo ldconfig
 )
 
 rm -rf "$SECCOMP_PATH"

script/setup/prepare_env_windows.ps1

@@ -5,7 +5,7 @@
 # lived test environment.
 Set-MpPreference -DisableRealtimeMonitoring:$true
 
-$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.18.5"; make = ""; nssm = "" }
+$PACKAGES= @{ mingw = "10.2.0"; git = ""; golang = "1.19"; make = ""; nssm = "" }
 
 Write-Host "Downloading chocolatey package"
 curl.exe -L "https://packages.chocolatey.org/chocolatey.0.10.15.nupkg" -o 'c:\choco.zip'

snapshots/devmapper/dmsetup/dmsetup.go

@@ -353,7 +353,8 @@ func BlockDeviceSize(path string) (int64, error) {
 }
 
 // DiscardBlocks discards all blocks for the given thin device
-//  ported from https://github.com/moby/moby/blob/7b9275c0da707b030e62c96b679a976f31f929d3/pkg/devicemapper/devmapper.go#L416
+//
+//	ported from https://github.com/moby/moby/blob/7b9275c0da707b030e62c96b679a976f31f929d3/pkg/devicemapper/devmapper.go#L416
 func DiscardBlocks(deviceName string) error {
 	inUse, err := isInUse(deviceName)
 	if err != nil {
@@ -402,8 +403,10 @@ func tryGetUnixError(output string) (unix.Errno, bool) {
 }
 
 // dmsetup returns error messages in format:
-// 	device-mapper: message ioctl on <name> failed: File exists\n
+//
-// 	Command failed\n
+//	device-mapper: message ioctl on <name> failed: File exists\n
+//	Command failed\n
+//
 // parseDmsetupError extracts text between "failed: " and "\n"
 func parseDmsetupError(output string) string {
 	lines := strings.SplitN(output, "\n", 2)

snapshots/devmapper/pool_device.go

@@ -484,7 +484,9 @@ func (p *PoolDevice) IsLoaded(deviceName string) bool {
 // GetUsage reports total size in bytes consumed by a thin-device.
 // It relies on the number of used blocks reported by 'dmsetup status'.
 // The output looks like:
-//  device2: 0 204800 thin 17280 204799
+//
+//	device2: 0 204800 thin 17280 204799
+//
 // Where 17280 is the number of used sectors
 func (p *PoolDevice) GetUsage(deviceName string) (int64, error) {
 	status, err := dmsetup.Status(deviceName)

snapshots/snapshotter.go

@@ -153,10 +153,10 @@ type WalkFunc func(context.Context, Info) error
 // For consistency, we define the following terms to be used throughout this
 // interface for snapshotter implementations:
 //
-// 	`ctx` - refers to a context.Context
+//	`ctx` - refers to a context.Context
-// 	`key` - refers to an active snapshot
+//	`key` - refers to an active snapshot
-// 	`name` - refers to a committed snapshot
+//	`name` - refers to a committed snapshot
-// 	`parent` - refers to the parent in relation
+//	`parent` - refers to the parent in relation
 //
 // Most methods take various combinations of these identifiers. Typically,
 // `name` and `parent` will be used in cases where a method *only* takes
@@ -167,7 +167,7 @@ type WalkFunc func(context.Context, Info) error
 //
 // We cover several examples below to demonstrate the utility of the snapshotter.
 //
-// Importing a Layer
+// # Importing a Layer
 //
 // To import a layer, we simply have the snapshotter provide a list of
 // mounts to be applied such that our dst will capture a changeset. We start
@@ -184,7 +184,7 @@ type WalkFunc func(context.Context, Info) error
 //		"containerd.io/gc.root": time.Now().UTC().Format(time.RFC3339),
 //	})
 //	mounts, err := snapshotter.Prepare(ctx, key, "", noGcOpt)
-// 	if err != nil { ... }
+//	if err != nil { ... }
 //
 // We get back a list of mounts from snapshotter.Prepare(), with the key identifying
 // the active snapshot. Mount this to the temporary location with the
@@ -201,8 +201,8 @@ type WalkFunc func(context.Context, Info) error
 //
 //	layer, err := os.Open(layerPath)
 //	if err != nil { ... }
-// 	digest, err := unpackLayer(tmpLocation, layer) // unpack into layer location
+//	digest, err := unpackLayer(tmpLocation, layer) // unpack into layer location
-// 	if err != nil { ... }
+//	if err != nil { ... }
 //
 // When the above completes, we should have a filesystem that represents the
 // contents of the layer. Careful implementations should verify that digest
@@ -220,30 +220,30 @@ type WalkFunc func(context.Context, Info) error
 // Now, we have a layer in the snapshotter that can be accessed with the digest
 // provided during commit.
 //
-// Importing the Next Layer
+// # Importing the Next Layer
 //
 // Making a layer depend on the above is identical to the process described
 // above except that the parent is provided as parent when calling
 // snapshotter.Prepare(), assuming a clean, unique key identifier:
 //
-// 	mounts, err := snapshotter.Prepare(ctx, key, parentDigest, noGcOpt)
+//	mounts, err := snapshotter.Prepare(ctx, key, parentDigest, noGcOpt)
 //
 // We then mount, apply and commit, as we did above. The new snapshot will be
 // based on the content of the previous one.
 //
-// Running a Container
+// # Running a Container
 //
 // To run a container, we simply provide snapshotter.Prepare() the committed image
 // snapshot as the parent. After mounting, the prepared path can
 // be used directly as the container's filesystem:
 //
-// 	mounts, err := snapshotter.Prepare(ctx, containerKey, imageRootFSChainID)
+//	mounts, err := snapshotter.Prepare(ctx, containerKey, imageRootFSChainID)
 //
 // The returned mounts can then be passed directly to the container runtime. If
 // one would like to create a new image from the filesystem, snapshotter.Commit() is
 // called:
 //
-// 	if err := snapshotter.Commit(ctx, newImageSnapshot, containerKey); err != nil { ... }
+//	if err := snapshotter.Commit(ctx, newImageSnapshot, containerKey); err != nil { ... }
 //
 // Alternatively, for most container runs, snapshotter.Remove() will be called to
 // signal the snapshotter to abandon the changes.

snapshots/testsuite/testsuite.go

@@ -505,7 +505,7 @@ func checkDeletedFilesInChildSnapshot(ctx context.Context, t *testing.T, snapsho
 
 }
 
-//Create three layers. Deleting intermediate layer must fail.
+// Create three layers. Deleting intermediate layer must fail.
 func checkRemoveIntermediateSnapshot(ctx context.Context, t *testing.T, snapshotter snapshots.Snapshotter, work string) {
 
 	base, err := snapshotterPrepareMount(ctx, snapshotter, "base", "", work)
@@ -559,12 +559,13 @@ func checkRemoveIntermediateSnapshot(ctx context.Context, t *testing.T, snapshot
 
 // baseTestSnapshots creates a base set of snapshots for tests, each snapshot is empty
 // Tests snapshots:
-//  c1 - committed snapshot, no parent
+//
-//  c2 - committed snapshot, c1 is parent
+//	c1 - committed snapshot, no parent
-//  a1 - active snapshot, c2 is parent
+//	c2 - committed snapshot, c1 is parent
-//  a1 - active snapshot, no parent
+//	a1 - active snapshot, c2 is parent
-//  v1 - view snapshot, v1 is parent
+//	a1 - active snapshot, no parent
-//  v2 - view snapshot, no parent
+//	v1 - view snapshot, v1 is parent
+//	v2 - view snapshot, no parent
 func baseTestSnapshots(ctx context.Context, snapshotter snapshots.Snapshotter) error {
 	if _, err := snapshotter.Prepare(ctx, "c1-a", "", opt); err != nil {
 		return err