Merge pull request #7349 from thaJeztah/gofmt_119

clean-up "nolint" comments, remove unused ones, update golangci-lint

.github/workflows/ci.yml

@@ -41,7 +41,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.48.0
+          version: v1.49.0
           skip-cache: true
           args: --timeout=8m
 

.golangci.yml

@@ -1,19 +1,18 @@
 linters:
   enable:
-    - structcheck
+    - exportloopref # Checks for pointers to enclosing loop variables
-    - varcheck
-    - staticcheck
-    - unconvert
     - gofmt
     - goimports
-    - revive
-    - ineffassign
-    - vet
-    - unused
-    - misspell
     - gosec
-    - exportloopref # Checks for pointers to enclosing loop variables
+    - ineffassign
+    - misspell
+    - nolintlint
+    - revive
+    - staticcheck
     - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17
+    - unconvert
+    - unused
+    - vet
   disable:
     - errcheck
 

archive/tar_unix.go

@@ -58,8 +58,7 @@ func setHeaderForSpecialDevice(hdr *tar.Header, name string, fi os.FileInfo) err
 		return errors.New("unsupported stat type")
 	}
 
-	// Rdev is int32 on darwin/bsd, int64 on linux/solaris
+	rdev := uint64(s.Rdev) //nolint:nolintlint,unconvert // rdev is int32 on darwin/bsd, int64 on linux/solaris
-	rdev := uint64(s.Rdev) // nolint: unconvert
 
 	// Currently go does not fill in the major/minors
 	if s.Mode&syscall.S_IFBLK != 0 ||

cmd/containerd-stress/main.go

@@ -235,7 +235,12 @@ func (c config) newClient() (*containerd.Client, error) {
 
 func serve(c config) error {
 	go func() {
-		if err := http.ListenAndServe(c.Metrics, metrics.Handler()); err != nil {
+		srv := &http.Server{
+			Addr:              c.Metrics,
+			Handler:           metrics.Handler(),
+			ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
+		}
+		if err := srv.ListenAndServe(); err != nil {
 			logrus.WithError(err).Error("listen and serve")
 		}
 	}()

contrib/fuzz/content_fuzzer.go

@@ -14,7 +14,7 @@
    limitations under the License.
 */
 
-// nolint: golint
+//nolint:golint
 package fuzz
 
 import (

integration/client/restart_monitor_test.go

@@ -40,8 +40,7 @@ import (
 	exec "golang.org/x/sys/execabs"
 )
 
-// the following nolint is for shutting up gometalinter on non-linux.
+//nolint:unused // Ignore on non-Linux
-// nolint: unused
 func newDaemonWithConfig(t *testing.T, configTOML string) (*Client, *daemon, func()) {
 	if testing.Short() {
 		t.Skip()

integration/main_test.go

@@ -210,7 +210,7 @@ func PodSandboxConfigWithCleanup(t *testing.T, name, ns string, opts ...PodSandb
 }
 
 // Set Windows HostProcess on the pod.
-func WithWindowsHostProcessPod(p *runtime.PodSandboxConfig) { //nolint:unused
+func WithWindowsHostProcessPod(p *runtime.PodSandboxConfig) {
 	if p.Windows == nil {
 		p.Windows = &runtime.WindowsPodSandboxConfig{}
 	}
@@ -237,7 +237,7 @@ func WithTestAnnotations() ContainerOpts {
 }
 
 // Add container resource limits.
-func WithResources(r *runtime.LinuxContainerResources) ContainerOpts { //nolint:unused
+func WithResources(r *runtime.LinuxContainerResources) ContainerOpts {
 	return func(c *runtime.ContainerConfig) {
 		if c.Linux == nil {
 			c.Linux = &runtime.LinuxContainerConfig{}
@@ -247,7 +247,7 @@ func WithResources(r *runtime.LinuxContainerResources) ContainerOpts { //nolint:
 }
 
 // Adds Windows container resource limits.
-func WithWindowsResources(r *runtime.WindowsContainerResources) ContainerOpts { //nolint:unused
+func WithWindowsResources(r *runtime.WindowsContainerResources) ContainerOpts {
 	return func(c *runtime.ContainerConfig) {
 		if c.Windows == nil {
 			c.Windows = &runtime.WindowsContainerConfig{}
@@ -265,7 +265,7 @@ func WithVolumeMount(hostPath, containerPath string) ContainerOpts {
 	}
 }
 
-func WithWindowsUsername(username string) ContainerOpts { //nolint:unused
+func WithWindowsUsername(username string) ContainerOpts {
 	return func(c *runtime.ContainerConfig) {
 		if c.Windows == nil {
 			c.Windows = &runtime.WindowsContainerConfig{}
@@ -277,7 +277,7 @@ func WithWindowsUsername(username string) ContainerOpts { //nolint:unused
 	}
 }
 
-func WithWindowsHostProcessContainer() ContainerOpts { //nolint:unused
+func WithWindowsHostProcessContainer() ContainerOpts {
 	return func(c *runtime.ContainerConfig) {
 		if c.Windows == nil {
 			c.Windows = &runtime.WindowsContainerConfig{}
@@ -322,7 +322,7 @@ func WithLogPath(path string) ContainerOpts {
 }
 
 // WithSupplementalGroups adds supplemental groups.
-func WithSupplementalGroups(gids []int64) ContainerOpts { //nolint:unused
+func WithSupplementalGroups(gids []int64) ContainerOpts {
 	return func(c *runtime.ContainerConfig) {
 		if c.Linux == nil {
 			c.Linux = &runtime.LinuxContainerConfig{}
@@ -335,7 +335,7 @@ func WithSupplementalGroups(gids []int64) ContainerOpts { //nolint:unused
 }
 
 // WithDevice adds a device mount.
-func WithDevice(containerPath, hostPath, permissions string) ContainerOpts { //nolint:unused
+func WithDevice(containerPath, hostPath, permissions string) ContainerOpts {
 	return func(c *runtime.ContainerConfig) {
 		c.Devices = append(c.Devices, &runtime.Device{
 			ContainerPath: containerPath, HostPath: hostPath, Permissions: permissions,
@@ -558,7 +558,7 @@ func CRIConfig() (*criconfig.Config, error) {
 }
 
 // SandboxInfo gets sandbox info.
-func SandboxInfo(id string) (*runtime.PodSandboxStatus, *server.SandboxInfo, error) { //nolint:unused
+func SandboxInfo(id string) (*runtime.PodSandboxStatus, *server.SandboxInfo, error) {
 	client, err := RawRuntimeClient()
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to get raw runtime client: %w", err)

oci/spec_opts.go

@@ -76,7 +76,6 @@ func setLinux(s *Spec) {
 	}
 }
 
-// nolint
 func setResources(s *Spec) {
 	if s.Linux != nil {
 		if s.Linux.Resources == nil {
@@ -85,7 +84,7 @@ func setResources(s *Spec) {
 	}
 }
 
-// nolint
+//nolint:nolintlint,unused // not used on all platforms
 func setResourcesWindows(s *Spec) {
 	if s.Windows != nil {
 		if s.Windows.Resources == nil {
@@ -94,7 +93,7 @@ func setResourcesWindows(s *Spec) {
 	}
 }
 
-// nolint
+//nolint:nolintlint,unused // not used on all platforms
 func setCPU(s *Spec) {
 	setResources(s)
 	if s.Linux != nil {
@@ -104,7 +103,7 @@ func setCPU(s *Spec) {
 	}
 }
 
-// nolint
+//nolint:nolintlint,unused // not used on all platforms
 func setCPUWindows(s *Spec) {
 	setResourcesWindows(s)
 	if s.Windows != nil {

oci/spec_opts_linux_test.go

@@ -31,7 +31,7 @@ import (
 	"golang.org/x/sys/unix"
 )
 
-// nolint:gosec
+//nolint:gosec
 func TestWithUserID(t *testing.T) {
 	t.Parallel()
 
@@ -86,7 +86,7 @@ guest:x:405:100:guest:/dev/null:/sbin/nologin
 	}
 }
 
-// nolint:gosec
+//nolint:gosec
 func TestWithUsername(t *testing.T) {
 	t.Parallel()
 
@@ -148,7 +148,7 @@ guest:x:405:100:guest:/dev/null:/sbin/nologin
 
 }
 
-// nolint:gosec
+//nolint:gosec
 func TestWithAdditionalGIDs(t *testing.T) {
 	t.Parallel()
 	expectedPasswd := `root:x:0:0:root:/root:/bin/ash

oci/spec_opts_nonlinux.go

@@ -28,19 +28,16 @@ import (
 
 // WithAllCurrentCapabilities propagates the effective capabilities of the caller process to the container process.
 // The capability set may differ from WithAllKnownCapabilities when running in a container.
-// nolint: deadcode, unused
 var WithAllCurrentCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
 	return WithCapabilities(nil)(ctx, client, c, s)
 }
 
 // WithAllKnownCapabilities sets all the known linux capabilities for the container process
-// nolint: deadcode, unused
 var WithAllKnownCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
 	return WithCapabilities(nil)(ctx, client, c, s)
 }
 
 // WithBlockIO sets the container's blkio parameters
-// nolint: deadcode, unused
 func WithBlockIO(blockio interface{}) SpecOpts {
 	return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error {
 		return errors.New("blkio not supported")
@@ -48,7 +45,6 @@ func WithBlockIO(blockio interface{}) SpecOpts {
 }
 
 // WithCPUShares sets the container's cpu shares
-// nolint: deadcode, unused
 func WithCPUShares(shares uint64) SpecOpts {
 	return func(ctx context.Context, _ Client, c *containers.Container, s *Spec) error {
 		return nil

oci/utils_unix.go

@@ -127,7 +127,7 @@ func getDevices(path, containerPath string) ([]specs.LinuxDevice, error) {
 
 // TODO consider adding these consts to the OCI runtime-spec.
 const (
-	wildcardDevice = "a" //nolint // currently unused, but should be included when upstreaming to OCI runtime-spec.
+	wildcardDevice = "a" //nolint:nolintlint,unused,varcheck // currently unused, but should be included when upstreaming to OCI runtime-spec.
 	blockDevice    = "b"
 	charDevice     = "c" // or "u"
 	fifoDevice     = "p"
@@ -148,7 +148,7 @@ func DeviceFromPath(path string) (*specs.LinuxDevice, error) {
 	}
 
 	var (
-		devNumber = uint64(stat.Rdev) //nolint: unconvert // the type is 32bit on mips.
+		devNumber = uint64(stat.Rdev) //nolint:nolintlint,unconvert // the type is 32bit on mips.
 		major     = unix.Major(devNumber)
 		minor     = unix.Minor(devNumber)
 	)

pkg/cri/opts/container.go

@@ -83,7 +83,7 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
 		// if it fails but not RM snapshot data.
 		// refer to https://github.com/containerd/containerd/pull/1868
 		// https://github.com/containerd/containerd/pull/1785
-		defer os.Remove(root) // nolint: errcheck
+		defer os.Remove(root)
 
 		unmounter := func(mountPath string) {
 			if uerr := mount.Unmount(mountPath, 0); uerr != nil {

pkg/cri/sbserver/container_stats.go

@@ -41,7 +41,7 @@ func (c *criService) ContainerStats(ctx context.Context, in *runtime.ContainerSt
 	}
 
 	cs, err := c.containerMetrics(cntr.Metadata, resp.Metrics[0])
-	if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (stats unimplemented)
+	if err != nil {
 		return nil, fmt.Errorf("failed to decode container metrics: %w", err)
 	}
 	return &runtime.ContainerStatsResponse{Stats: cs}, nil

pkg/cri/sbserver/container_stats_list.go

@@ -58,7 +58,7 @@ func (c *criService) toCRIContainerStats(
 	containerStats := new(runtime.ListContainerStatsResponse)
 	for _, cntr := range containers {
 		cs, err := c.containerMetrics(cntr.Metadata, statsMap[cntr.ID])
-		if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (metrics unimplemented)
+		if err != nil {
 			return nil, fmt.Errorf("failed to decode container metrics for %q: %w", cntr.ID, err)
 		}
 		containerStats.Stats = append(containerStats.Stats, cs)

pkg/cri/sbserver/image_pull.go

@@ -318,7 +318,7 @@ func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.C
 		if len(cert.Certificate) != 0 {
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
-		tlsConfig.BuildNameToCertificate() // nolint:staticcheck
+		tlsConfig.BuildNameToCertificate() //nolint:staticcheck // TODO(thaJeztah): verify if we should ignore the deprecation; see https://github.com/containerd/containerd/pull/7349/files#r990644833
 	}
 
 	if registryTLSConfig.CAFile != "" {

pkg/cri/sbserver/sandbox_stats.go

@@ -34,12 +34,12 @@ func (c *criService) PodSandboxStats(
 	}
 
 	metrics, err := metricsForSandbox(sandbox)
-	if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+	if err != nil {
 		return nil, fmt.Errorf("failed getting metrics for sandbox %s: %w", r.GetPodSandboxId(), err)
 	}
 
 	podSandboxStats, err := c.podSandboxStats(ctx, sandbox, metrics)
-	if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+	if err != nil {
 		return nil, fmt.Errorf("failed to decode pod sandbox metrics %s: %w", r.GetPodSandboxId(), err)
 	}
 

pkg/cri/sbserver/sandbox_stats_list.go

@@ -34,12 +34,12 @@ func (c *criService) ListPodSandboxStats(
 	podSandboxStats := new(runtime.ListPodSandboxStatsResponse)
 	for _, sandbox := range sandboxes {
 		metrics, err := metricsForSandbox(sandbox)
-		if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+		if err != nil {
 			return nil, fmt.Errorf("failed to obtain metrics for sandbox %q: %w", sandbox.ID, err)
 		}
 
 		sandboxStats, err := c.podSandboxStats(ctx, sandbox, metrics)
-		if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+		if err != nil {
 			return nil, fmt.Errorf("failed to decode sandbox container metrics for sandbox %q: %w", sandbox.ID, err)
 		}
 		podSandboxStats.Stats = append(podSandboxStats.Stats, sandboxStats)

pkg/cri/sbserver/service.go

@@ -117,7 +117,7 @@ type criService struct {
 	baseOCISpecs map[string]*oci.Spec
 	// allCaps is the list of the capabilities.
 	// When nil, parsed from CapEff of /proc/self/status.
-	allCaps []string // nolint
+	allCaps []string //nolint:nolintlint,unused // Ignore on non-Linux
 	// unpackDuplicationSuppressor is used to make sure that there is only
 	// one in-flight fetch request or unpack handler for a given descriptor's
 	// or chain ID.

pkg/cri/server/container_stats.go

@@ -41,7 +41,7 @@ func (c *criService) ContainerStats(ctx context.Context, in *runtime.ContainerSt
 	}
 
 	cs, err := c.containerMetrics(cntr.Metadata, resp.Metrics[0])
-	if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (stats unimplemented)
+	if err != nil {
 		return nil, fmt.Errorf("failed to decode container metrics: %w", err)
 	}
 	return &runtime.ContainerStatsResponse{Stats: cs}, nil

pkg/cri/server/container_stats_list.go

@@ -61,7 +61,7 @@ func (c *criService) toCRIContainerStats(
 	containerStats := new(runtime.ListContainerStatsResponse)
 	for _, cntr := range containers {
 		cs, err := c.containerMetrics(cntr.Metadata, statsMap[cntr.ID])
-		if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (metrics unimplemented)
+		if err != nil {
 			return nil, fmt.Errorf("failed to decode container metrics for %q: %w", cntr.ID, err)
 		}
 

pkg/cri/server/image_pull.go

@@ -318,7 +318,7 @@ func (c *criService) getTLSConfig(registryTLSConfig criconfig.TLSConfig) (*tls.C
 		if len(cert.Certificate) != 0 {
 			tlsConfig.Certificates = []tls.Certificate{cert}
 		}
-		tlsConfig.BuildNameToCertificate() // nolint:staticcheck
+		tlsConfig.BuildNameToCertificate() //nolint:staticcheck // TODO(thaJeztah): verify if we should ignore the deprecation; see https://github.com/containerd/containerd/pull/7349/files#r990644833
 	}
 
 	if registryTLSConfig.CAFile != "" {

pkg/cri/server/sandbox_stats.go

@@ -34,12 +34,12 @@ func (c *criService) PodSandboxStats(
 	}
 
 	metrics, err := metricsForSandbox(sandbox)
-	if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+	if err != nil {
 		return nil, fmt.Errorf("failed getting metrics for sandbox %s: %w", r.GetPodSandboxId(), err)
 	}
 
 	podSandboxStats, err := c.podSandboxStats(ctx, sandbox, metrics)
-	if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+	if err != nil {
 		return nil, fmt.Errorf("failed to decode pod sandbox metrics %s: %w", r.GetPodSandboxId(), err)
 	}
 

pkg/cri/server/sandbox_stats_list.go

@@ -34,12 +34,12 @@ func (c *criService) ListPodSandboxStats(
 	podSandboxStats := new(runtime.ListPodSandboxStatsResponse)
 	for _, sandbox := range sandboxes {
 		metrics, err := metricsForSandbox(sandbox)
-		if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+		if err != nil {
 			return nil, fmt.Errorf("failed to obtain metrics for sandbox %q: %w", sandbox.ID, err)
 		}
 
 		sandboxStats, err := c.podSandboxStats(ctx, sandbox, metrics)
-		if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return nil (unimplemented metrics)
+		if err != nil {
 			return nil, fmt.Errorf("failed to decode sandbox container metrics for sandbox %q: %w", sandbox.ID, err)
 		}
 		podSandboxStats.Stats = append(podSandboxStats.Stats, sandboxStats)

pkg/cri/server/service.go

@@ -113,7 +113,7 @@ type criService struct {
 	baseOCISpecs map[string]*oci.Spec
 	// allCaps is the list of the capabilities.
 	// When nil, parsed from CapEff of /proc/self/status.
-	allCaps []string // nolint
+	allCaps []string //nolint:nolintlint,unused // Ignore on non-Linux
 	// unpackDuplicationSuppressor is used to make sure that there is only
 	// one in-flight fetch request or unpack handler for a given descriptor's
 	// or chain ID.

pkg/cri/store/container/container.go

@@ -208,6 +208,6 @@ func (s *Store) Delete(id string) {
 		c.IO.Close()
 	}
 	s.labels.Release(c.ProcessLabel)
-	s.idIndex.Delete(id) // nolint: errcheck
+	s.idIndex.Delete(id)
 	delete(s.containers, id)
 }

pkg/cri/store/container/metadata.go

@@ -28,10 +28,9 @@ import (
 // 2) Metadata is checkpointed as containerd container label.
 
 // metadataVersion is current version of container metadata.
-const metadataVersion = "v1" // nolint
+const metadataVersion = "v1"
 
 // versionedMetadata is the internal versioned container metadata.
-// nolint
 type versionedMetadata struct {
 	// Version indicates the version of the versioned container metadata.
 	Version string

pkg/cri/store/container/status.go

@@ -61,10 +61,9 @@ import (
 //                      DELETED
 
 // statusVersion is current version of container status.
-const statusVersion = "v1" // nolint
+const statusVersion = "v1"
 
 // versionedStatus is the internal used versioned container status.
-// nolint
 type versionedStatus struct {
 	// Version indicates the version of the versioned container status.
 	Version string

pkg/cri/store/image/image.go

@@ -246,6 +246,6 @@ func (s *store) delete(id, ref string) {
 		return
 	}
 	// Remove the image if it is not referenced any more.
-	s.digestSet.Remove(digest) // nolint: errcheck
+	s.digestSet.Remove(digest)
 	delete(s.images, digest.String())
 }

pkg/cri/store/sandbox/metadata.go

@@ -29,10 +29,9 @@ import (
 // 2) Metadata is checkpointed as containerd container label.
 
 // metadataVersion is current version of sandbox metadata.
-const metadataVersion = "v1" // nolint
+const metadataVersion = "v1"
 
 // versionedMetadata is the internal versioned sandbox metadata.
-// nolint
 type versionedMetadata struct {
 	// Version indicates the version of the versioned sandbox metadata.
 	Version string

pkg/cri/store/sandbox/sandbox.go

@@ -160,6 +160,6 @@ func (s *Store) Delete(id string) {
 		return
 	}
 	s.labels.Release(s.sandboxes[id].ProcessLabel)
-	s.idIndex.Delete(id) // nolint: errcheck
+	s.idIndex.Delete(id)
 	delete(s.sandboxes, id)
 }

pkg/netns/netns_linux.go

@@ -77,7 +77,7 @@ func newNS(baseDir string) (nsPath string, err error) {
 	defer func() {
 		// Ensure the mount point is cleaned up on errors
 		if err != nil {
-			os.RemoveAll(nsPath) // nolint: errcheck
+			os.RemoveAll(nsPath)
 		}
 	}()
 
@@ -107,7 +107,7 @@ func newNS(baseDir string) (nsPath string, err error) {
 		}
 
 		// Put this thread back to the orig ns, since it might get reused (pre go1.10)
-		defer origNS.Set() // nolint: errcheck
+		defer origNS.Set()
 
 		// bind mount the netns from the current thread (from /proc) onto the
 		// mount point. This causes the namespace to persist, even when there
@@ -214,6 +214,6 @@ func (n *NetNS) Do(f func(cnins.NetNS) error) error {
 	if err != nil {
 		return fmt.Errorf("get netns fd: %w", err)
 	}
-	defer ns.Close() // nolint: errcheck
+	defer ns.Close()
 	return ns.Do(f)
 }

pkg/progress/escape.go

@@ -19,6 +19,6 @@ package progress
 const (
 	escape = "\x1b"
 	reset  = escape + "[0m"
-	red    = escape + "[31m" // nolint: deadcode, varcheck, unused
+	red    = escape + "[31m" //nolint:nolintlint,unused,varcheck
 	green  = escape + "[32m"
 )

pkg/runtimeoptions/v1/doc.go

@@ -14,4 +14,4 @@
    limitations under the License.
 */
 
-package runtimeoptions_v1 //nolint
+package runtimeoptions_v1 //nolint:revive // Ignore var-naming: don't use an underscore in package name (revive)

script/setup/install-dev-tools

@@ -24,7 +24,7 @@ set -eu -o pipefail
 go install github.com/containerd/protobuild@v0.2.0
 go install github.com/containerd/protobuild/cmd/go-fix-acronym@v0.2.0
 go install github.com/cpuguy83/go-md2man/v2@v2.0.1
-go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.48.0
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.49.0
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28
 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2
 go install github.com/containerd/ttrpc/cmd/protoc-gen-go-ttrpc@944ef4a40df3446714a823207972b7d9858ffac5

services/server/server.go

@@ -317,7 +317,11 @@ func (s *Server) ServeTTRPC(l net.Listener) error {
 func (s *Server) ServeMetrics(l net.Listener) error {
 	m := http.NewServeMux()
 	m.Handle("/v1/metrics", metrics.Handler())
-	return trapClosedConnErr(http.Serve(l, m))
+	srv := &http.Server{
+		Handler:           m,
+		ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
+	}
+	return trapClosedConnErr(srv.Serve(l))
 }
 
 // ServeTCP allows services to serve over tcp
@@ -337,7 +341,11 @@ func (s *Server) ServeDebug(l net.Listener) error {
 	m.Handle("/debug/pprof/profile", http.HandlerFunc(pprof.Profile))
 	m.Handle("/debug/pprof/symbol", http.HandlerFunc(pprof.Symbol))
 	m.Handle("/debug/pprof/trace", http.HandlerFunc(pprof.Trace))
-	return trapClosedConnErr(http.Serve(l, m))
+	srv := &http.Server{
+		Handler:           m,
+		ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
+	}
+	return trapClosedConnErr(srv.Serve(l))
 }
 
 // Stop the containerd server canceling any open connections