Stop using math/rand.Read and rand.Seed (deprecated in Go 1.20)

From golangci-lint: > SA1019: rand.Read has been deprecated since Go 1.20 because it >shouldn't be used: For almost all use cases, crypto/rand.Read is more >appropriate. (staticcheck) > SA1019: rand.Seed has been deprecated since Go 1.20 and an alternative >has been available since Go 1.0: Programs that call Seed and then expect >a specific sequence of results from the global random source (using >functions such as Int) can be broken when a dependency changes how >much it consumes from the global random source. To avoid such breakages, >programs that need a specific result sequence should use >NewRand(NewSource(seed)) to obtain a random generator that other >packages cannot access. (staticcheck) See also: - https://pkg.go.dev/math/rand@go1.20#Read - https://pkg.go.dev/math/rand@go1.20#Seed Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-02-14 15:32:14 +09:00 · 2023-02-14 15:32:14 +09:00 · d8b68e3ccc
commit d8b68e3ccc
parent a9ac5f9cb5
17 changed files with 80 additions and 29 deletions
--- a/archive/compression/compression_test.go
+++ b/archive/compression/compression_test.go
@ -20,8 +20,8 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
+	"crypto/rand"
 	"io"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"runtime"
--- a/cmd/containerd/main.go
+++ b/cmd/containerd/main.go
@ -23,12 +23,13 @@ import (

 	"github.com/containerd/containerd/cmd/containerd/command"
 	"github.com/containerd/containerd/pkg/hasher"
-	"github.com/containerd/containerd/pkg/seed"
+	"github.com/containerd/containerd/pkg/seed" //nolint:staticcheck // Global math/rand seed is deprecated, but still used by external dependencies

 	_ "github.com/containerd/containerd/cmd/containerd/builtins"
 )

 func init() {
+	//nolint:staticcheck // Global math/rand seed is deprecated, but still used by external dependencies
 	seed.WithTimeAndRand()
 	crypto.RegisterHash(crypto.SHA256, hasher.NewSHA256)
 }
--- a/cmd/ctr/main.go
+++ b/cmd/ctr/main.go
@ -23,13 +23,14 @@ import (

 	"github.com/containerd/containerd/cmd/ctr/app"
 	"github.com/containerd/containerd/pkg/hasher"
-	"github.com/containerd/containerd/pkg/seed"
+	"github.com/containerd/containerd/pkg/seed" //nolint:staticcheck // Global math/rand seed is deprecated, but still used by external dependencies
 	"github.com/urfave/cli"
 )

 var pluginCmds = []cli.Command{}

 func init() {
+	//nolint:staticcheck // Global math/rand seed is deprecated, but still used by external dependencies
 	seed.WithTimeAndRand()
 	crypto.RegisterHash(crypto.SHA256, hasher.NewSHA256)
 }
--- a/content/helpers.go
+++ b/content/helpers.go
@ -21,12 +21,12 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"math/rand"
 	"sync"
 	"time"

 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/pkg/randutil"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
@ -123,7 +123,7 @@ func OpenWriter(ctx context.Context, cs Ingester, opts ...WriterOpt) (Writer, er
 			// error or abort. Requires asserting for an ingest manager

 			select {
-			case <-time.After(time.Millisecond * time.Duration(rand.Intn(retry))):
+			case <-time.After(time.Millisecond * time.Duration(randutil.Intn(retry))):
 				if retry < 2048 {
 					retry = retry << 1
 				}
--- a/content/local/store.go
+++ b/content/local/store.go
@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"strconv"
@ -32,6 +31,7 @@ import (
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/filters"
 	"github.com/containerd/containerd/log"
+	"github.com/containerd/containerd/pkg/randutil"
 	"github.com/sirupsen/logrus"

 	"github.com/opencontainers/go-digest"
@ -473,7 +473,7 @@ func (s *store) Writer(ctx context.Context, opts ...content.WriterOpt) (content.
 			lockErr = nil
 			break
 		}
-		time.Sleep(time.Millisecond * time.Duration(rand.Intn(1<<count)))
+		time.Sleep(time.Millisecond * time.Duration(randutil.Intn(1<<count)))
 	}

 	if lockErr != nil {
--- a/content/local/store_test.go
+++ b/content/local/store_test.go
@ -20,10 +20,10 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"crypto/rand"
 	_ "crypto/sha256" // required for digest package
 	"fmt"
 	"io"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"reflect"
@ -35,6 +35,7 @@ import (
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/content/testsuite"
 	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/pkg/randutil"
 	"github.com/containerd/containerd/pkg/testutil"

 	"github.com/opencontainers/go-digest"
@ -268,7 +269,7 @@ func generateBlobs(t checker, nblobs, maxsize int64) map[digest.Digest][]byte {
 	blobs := map[digest.Digest][]byte{}

 	for i := int64(0); i < nblobs; i++ {
-		p := make([]byte, rand.Int63n(maxsize))
+		p := make([]byte, randutil.Int63n(maxsize))

 		if _, err := rand.Read(p); err != nil {
 			t.Fatal(err)
--- a/diff/walking/differ.go
+++ b/diff/walking/differ.go
@ -18,11 +18,11 @@ package walking

 import (
 	"context"
+	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
-	"math/rand"
 	"time"

 	"github.com/containerd/containerd/archive"
--- a/leases/id.go
+++ b/leases/id.go
@ -17,9 +17,9 @@
 package leases

 import (
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
-	"math/rand"
 	"time"
 )

--- a/mount/losetup_linux.go
+++ b/mount/losetup_linux.go
@ -19,11 +19,11 @@ package mount
 import (
 	"errors"
 	"fmt"
-	"math/rand"
 	"os"
 	"strings"
 	"time"

+	"github.com/containerd/containerd/pkg/randutil"
 	"golang.org/x/sys/unix"
 )

@ -152,7 +152,7 @@ func setupLoop(backingFile string, param LoopParams) (*os.File, error) {
 			// with EBUSY when trying to set it up.
 			if strings.Contains(err.Error(), ebusyString) {
 				// Fallback a bit to avoid live lock
-				time.Sleep(time.Millisecond * time.Duration(rand.Intn(retry*10)))
+				time.Sleep(time.Millisecond * time.Duration(randutil.Intn(retry*10)))
 				continue
 			}
 			return nil, err
--- a/pkg/cri/util/id.go
+++ b/pkg/cri/util/id.go
@ -17,8 +17,8 @@
 package util

 import (
+	"crypto/rand"
 	"encoding/hex"
-	"math/rand"
 )

 // GenerateID generates a random unique id.
--- a/pkg/kmutex/kmutex_test.go
+++ b/pkg/kmutex/kmutex_test.go
@ -18,21 +18,16 @@ package kmutex

 import (
 	"context"
-	"math/rand"
 	"runtime"
 	"strconv"
 	"sync"
 	"testing"
 	"time"

-	"github.com/containerd/containerd/pkg/seed"
+	"github.com/containerd/containerd/pkg/randutil"
 	"github.com/stretchr/testify/assert"
 )

-func init() {
-	seed.WithTimeAndRand()
-}
-
 func TestBasic(t *testing.T) {
 	t.Parallel()

@ -60,7 +55,7 @@ func TestBasic(t *testing.T) {
 				waitLock = true
 				break
 			}
-			time.Sleep(time.Duration(rand.Int63n(100)) * time.Millisecond)
+			time.Sleep(time.Duration(randutil.Int63n(100)) * time.Millisecond)
 		}
 		assert.Equal(t, waitLock, true)
 	}
@ -130,7 +125,7 @@ func TestMultileAcquireOnKeys(t *testing.T) {
 			for i := 0; i < nloops; i++ {
 				km.Lock(ctx, key)

-				time.Sleep(time.Duration(rand.Int63n(100)) * time.Nanosecond)
+				time.Sleep(time.Duration(randutil.Int63n(100)) * time.Nanosecond)

 				km.Unlock(key)
 			}
@ -161,7 +156,7 @@ func TestMultiAcquireOnSameKey(t *testing.T) {
 			for i := 0; i < nloops; i++ {
 				km.Lock(ctx, key)

-				time.Sleep(time.Duration(rand.Int63n(100)) * time.Nanosecond)
+				time.Sleep(time.Duration(randutil.Int63n(100)) * time.Nanosecond)

 				km.Unlock(key)
 			}
--- a/pkg/randutil/randutil.go
+++ b/pkg/randutil/randutil.go
@ -0,0 +1,48 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package randutil provides utilities for [cyrpto/rand].
+package randutil
+
+import (
+	"crypto/rand"
+	"math"
+	"math/big"
+)
+
+// Int63n is similar to [math/rand.Int63n] but uses [crypto/rand.Reader] under the hood.
+func Int63n(n int64) int64 {
+	b, err := rand.Int(rand.Reader, big.NewInt(n))
+	if err != nil {
+		panic(err)
+	}
+	return b.Int64()
+}
+
+// Int63 is similar to [math/rand.Int63] but uses [crypto/rand.Reader] under the hood.
+func Int63() int64 {
+	return Int63n(math.MaxInt64)
+}
+
+// Intn is similar to [math/rand.Intn] but uses [crypto/rand.Reader] under the hood.
+func Intn(n int) int {
+	return int(Int63n(int64(n)))
+}
+
+// Int is similar to [math/rand.Int] but uses [crypto/rand.Reader] under the hood.
+func Int() int {
+	return int(Int63())
+}
--- a/pkg/seed/seed.go
+++ b/pkg/seed/seed.go
@ -14,6 +14,9 @@
   limitations under the License.
 */

+// Package seed provides an initializer for the global [math/rand] seed.
+//
+// Deprecated: Do not rely on the global seed.
 package seed

 import (
@ -23,6 +26,8 @@ import (

 // WithTimeAndRand seeds the global math rand generator with nanoseconds
 // XOR'ed with a crypto component if available for uniqueness.
+//
+// Deprecated: Do not rely on the global seed.
 func WithTimeAndRand() {
 	var (
 		b [4]byte
--- a/pkg/unpack/unpacker.go
+++ b/pkg/unpack/unpacker.go
@ -18,11 +18,11 @@ package unpack

 import (
 	"context"
+	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"math/rand"
 	"strconv"
 	"sync"
 	"sync/atomic"
--- a/rootfs/apply.go
+++ b/rootfs/apply.go
@ -18,9 +18,9 @@ package rootfs

 import (
 	"context"
+	"crypto/rand"
 	"encoding/base64"
 	"fmt"
-	"math/rand"
 	"time"

 	"github.com/containerd/containerd/diff"
--- a/snapshots/testsuite/helpers.go
+++ b/snapshots/testsuite/helpers.go
@ -19,10 +19,10 @@ package testsuite
 import (
 	"context"
 	"fmt"
-	"math/rand"
 	"os"

 	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/pkg/randutil"
 	"github.com/containerd/containerd/snapshots"
 	"github.com/containerd/continuity/fs/fstest"
 )
@ -49,7 +49,7 @@ func applyToMounts(m []mount.Mount, work string, a fstest.Applier) (err error) {
 // createSnapshot creates a new snapshot in the snapshotter
 // given an applier to run on top of the given parent.
 func createSnapshot(ctx context.Context, sn snapshots.Snapshotter, parent, work string, a fstest.Applier) (string, error) {
-	n := fmt.Sprintf("%p-%d", a, rand.Int())
+	n := fmt.Sprintf("%p-%d", a, randutil.Int())
 	prepare := fmt.Sprintf("%s-prepare", n)

 	m, err := sn.Prepare(ctx, prepare, parent, opt)
--- a/snapshots/testsuite/testsuite.go
+++ b/snapshots/testsuite/testsuite.go
@ -21,7 +21,6 @@ import (
 	//nolint:revive // go-digest needs the blank import. See https://github.com/opencontainers/go-digest#usage.
 	_ "crypto/sha256"
 	"fmt"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"sort"
@ -32,6 +31,7 @@ import (
 	"github.com/containerd/containerd/log/logtest"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/pkg/randutil"
 	"github.com/containerd/containerd/pkg/testutil"
 	"github.com/containerd/containerd/snapshots"
 	"github.com/containerd/continuity/fs/fstest"
@ -847,7 +847,7 @@ func checkFileFromLowerLayer(ctx context.Context, t *testing.T, snapshotter snap
 }

 func closeTwice(ctx context.Context, t *testing.T, snapshotter snapshots.Snapshotter, work string) {
-	n := fmt.Sprintf("closeTwice-%d", rand.Int())
+	n := fmt.Sprintf("closeTwice-%d", randutil.Int())
 	prepare := fmt.Sprintf("%s-prepare", n)

 	// do some dummy ops to modify the snapshotter internal state