There's no specific need mentioned at the points it was added, and it
makes the Windows-hosted test run setup slightly weird.

Signed-off-by: Paul "TBBle" Hampson <[email protected]>
(cherry picked from commit 5b78a9a)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

The directory created by `T.TempDir` is automatically removed when the
test and all its subtests complete.

Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <[email protected]>
(cherry picked from commit 18ec276)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Eng Zer Jun <[email protected]>
(cherry picked from commit 52d307a)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

`gosec` linter is able to identify issues described in containerd#6584

e.g.

$ git revert 54e95e6
[gosec dfc8ca1ec] Revert "fix Implicit memory aliasing in for loop"
 2 files changed, 2 deletions(-)

$ make check
+ proto-fmt
+ check
GOGC=75 golangci-lint run
containerstore.go:192:54: G601: Implicit memory aliasing in for loop. (gosec)
		containers = append(containers, containerFromProto(&container))
		                                                   ^
image_store.go:132:42: G601: Implicit memory aliasing in for loop. (gosec)
		images = append(images, imageFromProto(&image))
		                                       ^
make: *** [check] Error 1

I also disabled following two settings which prevent the linter to show a complete list of issues.

* max-issues-per-linter (default 50)
* max-same-issues (default 3)

Furthermore enabling gosec revealed many other issues. For now I blacklisted the ones except G601.

Will create separate tasks to address them one by one moving next.

Signed-off-by: Henry Wang <[email protected]>
(cherry picked from commit b8bf504)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

This change disables Windows Defender real-time monitoring on the test
workers, and increases the test timeout to 20 minutes (default is 10).

The Windows Defender real time monitoring feature scans any newly
created files for malitious contents. This takes up a lot of CPU when
expanding image archives, which contain lots of files. The CI has been
timing out due to the fact that tests take longer than 10 minutes. This
change should address that issue.

Signed-off-by: Gabriel Adrian Samfira <[email protected]>
(cherry picked from commit c7bdcdf)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Maksym Pavlenko <[email protected]>
(cherry picked from commit 2d59a39)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Maksym Pavlenko <[email protected]>
(cherry picked from commit 62c846b)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Kang.Zhang <[email protected]>
(cherry picked from commit fceab7f)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Maksym Pavlenko <[email protected]>
(cherry picked from commit ea66130)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Maksym Pavlenko <[email protected]>
(cherry picked from commit ca3b9b5)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Maksym Pavlenko <[email protected]>
(cherry picked from commit 68bae25)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

It is follow-up of containerd#7254. This commit will increase ReadHeaderTimeout
from 3s to 30m, which prevent from unexpected timeout when the node is
running with high-load. 30 Minutes is longer enough to get close to
before what containerd#7254 changes.

And ideally, we should allow user to configure the streaming server if
the users want this feature.

Signed-off-by: Wei Fu <[email protected]>
(cherry picked from commit 460b053)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Abirdcfly Fu <[email protected]>
(cherry picked from commit dcfaa30)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

    GOGC=75 golangci-lint run
    services/server/server.go:320:27: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        return trapClosedConnErr(http.Serve(l, m))
                                 ^
    services/server/server.go:340:27: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        return trapClosedConnErr(http.Serve(l, m))
                                 ^
    cmd/containerd-stress/main.go:238:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.ListenAndServe(c.Metrics, metrics.Handler()); err != nil {
                      ^

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 3ebeb6d)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

THis makes it easier to find which linters are enabled when going through
the list.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 0eaace3)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

…fy nolint

This `//nolint`  was added in containerd/cri@f5c7ac9
to suppress warnings about the `NameToCertificate` function being deprecated:

    // Deprecated: NameToCertificate only allows associating a single certificate
    // with a given name. Leave that field nil to let the library select the first
    // compatible chain from Certificates.

Looking at that, it was deprecated in Go 1.14 through
golang/go@eb93c68
(https://go-review.googlesource.com/c/go/+/205059), which describes:

    crypto/tls: select only compatible chains from Certificates

    Now that we have a full implementation of the logic to check certificate
    compatibility, we can let applications just list multiple chains in
    Certificates (for example, an RSA and an ECDSA one) and choose the most
    appropriate automatically.

    NameToCertificate only maps each name to one chain, so simply deprecate
    it, and while at it simplify its implementation by not stripping
    trailing dots from the SNI (which is specified not to have any, see RFC
    6066, Section 3) and by not supporting multi-level wildcards, which are
    not a thing in the WebPKI (and in crypto/x509).

We should at least have a comment describing why we are ignoring this, but preferably
review whether we should still use it.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit d215725)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

- fix "nolint" comments to be in the correct format (`//nolint:<linters>[,<linter>`
  no leading space, required colon (`:`) and linters.
- remove "nolint" comments for errcheck, which is disabled in our config.
- remove "nolint" comments that were no longer needed (nolintlint).
- where known, add a comment describing why a "nolint" was applied.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 29c7fc9)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Some changes to account for 91800c4
and 894af07

    runtime/v2/shim/shim.go:178:18: directive `//nolint:staticcheck // Ignore SA4023 as some platforms always return error` is unused for linter "staticcheck" (nolintlint)
        if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
                        ^
    runtime/v2/shim/shim.go:264:18: directive `//nolint:staticcheck // Ignore SA4023 as some platforms always return error` is unused for linter "staticcheck" (nolintlint)
        if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
                        ^
    runtime/v2/shim/shim.go:269:39: directive `//nolint:staticcheck // Ignore SA4023 as some platforms always return error` is unused for linter "staticcheck" (nolintlint)
            if err := subreaper(); err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
                                                ^
    runtime/v2/shim/shim.go:448:67: directive `//nolint:staticcheck // Ignore SA4023 as some platforms always return error` is unused for linter "staticcheck" (nolintlint)
        if err := serve(ctx, server, signals, sd.Shutdown); err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
                                                                         ^
    runtime/v2/shim/shim.go:480:18: directive `//nolint:staticcheck // Ignore SA4023 as some platforms always return error` is unused for linter "staticcheck" (nolintlint)
        if err != nil { //nolint:staticcheck // Ignore SA4023 as some platforms always return error
                        ^
    integration/main_test.go:446:31: directive `//nolint:unused` is unused for linter "unused" (nolintlint)
    func KillPid(pid int) error { //nolint:unused

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Remove nolint-comments that weren't hit by linters, and remove the "structcheck"
and "varcheck" linters, as they have been deprecated:

    WARN [runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [runner] The linter 'varcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [linters context] structcheck is disabled because of generics. You can track the evolution of the generics support by following the golangci/golangci-lint#2649.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit f9c80be)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Also remove "nolint" comments for deadcode, which is deprecated, and removed
from the defaults.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 8b5df7d)
Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Maksym Pavlenko <[email protected]>
(cherry picked from commit 06bfcd6)
Signed-off-by: Sebastiaan van Stijn <[email protected]>