Fix various linting issues

libcontainer/apparmor/apparmor.go

@@ -0,0 +1,16 @@
+package apparmor
+
+import "errors"
+
+var (
+	// IsEnabled returns true if apparmor is enabled for the host.
+	IsEnabled = isEnabled
+
+	// ApplyProfile will apply the profile with the specified name to the process after
+	// the next exec. It is only supported on Linux and produces an ErrApparmorNotEnabled
+	// on other platforms.
+	ApplyProfile = applyProfile
+
+	// ErrApparmorNotEnabled indicates that AppArmor is not enabled or not supported.
+	ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
+)

libcontainer/apparmor/apparmor_linux.go

@@ -15,8 +15,8 @@ var (
 	checkAppArmor   sync.Once
 )
 
-// IsEnabled returns true if apparmor is enabled for the host.
-func IsEnabled() bool {
+// isEnabled returns true if apparmor is enabled for the host.
+func isEnabled() bool {
 	checkAppArmor.Do(func() {
 		if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
 			buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
@@ -57,9 +57,10 @@ func changeOnExec(name string) error {
 	return nil
 }
 
-// ApplyProfile will apply the profile with the specified name to the process after
-// the next exec.
-func ApplyProfile(name string) error {
+// applyProfile will apply the profile with the specified name to the process after
+// the next exec. It is only supported on Linux and produces an error on other
+// platforms.
+func applyProfile(name string) error {
 	if name == "" {
 		return nil
 	}

libcontainer/apparmor/apparmor_unsupported.go

@@ -2,17 +2,11 @@
 
 package apparmor
 
-import (
-	"errors"
-)
-
-var ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
-
-func IsEnabled() bool {
+func isEnabled() bool {
 	return false
 }
 
-func ApplyProfile(name string) error {
+func applyProfile(name string) error {
 	if name != "" {
 		return ErrApparmorNotEnabled
 	}

libcontainer/cgroups/devices/devices_emulator.go

@@ -258,9 +258,9 @@ func (e *Emulator) Apply(rule devices.Rule) error {
 
 	if rule.Allow {
 		return e.allow(innerRule)
-	} else {
-		return e.deny(innerRule)
 	}
+
+	return e.deny(innerRule)
 }
 
 // EmulatorFromList takes a reader to a "devices.list"-like source, and returns

libcontainer/configs/cgroup_linux.go

@@ -13,12 +13,12 @@ const (
 	Thawed    FreezerState = "THAWED"
 )
 
+// Cgroup holds properties of a cgroup on Linux.
 type Cgroup struct {
-	// Deprecated, use Path instead
+	// Name specifies the name of the cgroup
 	Name string `json:"name,omitempty"`
 
-	// name of parent of cgroup or slice
-	// Deprecated, use Path instead
+	// Parent specifies the name of parent of cgroup or slice
 	Parent string `json:"parent,omitempty"`
 
 	// Path specifies the path to cgroups that are created and/or joined by the container.

libcontainer/configs/cgroup_unsupported.go

@@ -2,6 +2,7 @@
 
 package configs
 
+// Cgroup holds properties of a cgroup on Linux
 // TODO Windows: This can ultimately be entirely factored out on Windows as
 // cgroups are a Unix-specific construct.
 type Cgroup struct{}

libcontainer/configs/mount.go

@@ -3,7 +3,7 @@ package configs
 const (
 	// EXT_COPYUP is a directive to copy up the contents of a directory when
 	// a tmpfs is mounted over it.
-	EXT_COPYUP = 1 << iota
+	EXT_COPYUP = 1 << iota //nolint:golint // ignore "don't use ALL_CAPS" warning
 )
 
 type Mount struct {

libcontainer/configs/network.go

@@ -50,23 +50,26 @@ type Network struct {
 	HairpinMode bool `json:"hairpin_mode"`
 }
 
-// Routes can be specified to create entries in the route table as the container is started
+// Route defines a routing table entry.
+//
+// Routes can be specified to create entries in the routing table as the container
+// is started.
 //
 // All of destination, source, and gateway should be either IPv4 or IPv6.
 // One of the three options must be present, and omitted entries will use their
 // IP family default for the route table.  For IPv4 for example, setting the
 // gateway to 1.2.3.4 and the interface to eth0 will set up a standard
 // destination of 0.0.0.0(or *) when viewed in the route table.
 type Route struct {
-	// Sets the destination and mask, should be a CIDR.  Accepts IPv4 and IPv6
+	// Destination specifies the destination IP address and mask in the CIDR form.
 	Destination string `json:"destination"`
 
-	// Sets the source and mask, should be a CIDR.  Accepts IPv4 and IPv6
+	// Source specifies the source IP address and mask in the CIDR form.
 	Source string `json:"source"`
 
-	// Sets the gateway.  Accepts IPv4 and IPv6
+	// Gateway specifies the gateway IP address.
 	Gateway string `json:"gateway"`
 
-	// The device to set this route up for, for example: eth0
+	// InterfaceName specifies the device to set this route up for, for example eth0.
 	InterfaceName string `json:"interface_name"`
 }

libcontainer/devices/device_unix.go

@@ -27,8 +27,9 @@ func mkDev(d *Rule) (uint64, error) {
 	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
 }
 
-// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the
-// information about a linux device and return that information as a Device struct.
+// DeviceFromPath takes the path to a device and its cgroup_permissions (which
+// cannot be easily queried) to look up the information about a linux device
+// and returns that information as a Device struct.
 func DeviceFromPath(path, permissions string) (*Device, error) {
 	var stat unix.Stat_t
 	err := unixLstat(path, &stat)

libcontainer/keys/keyctl.go

@@ -14,18 +14,18 @@ import (
 type KeySerial uint32
 
 func JoinSessionKeyring(name string) (KeySerial, error) {
-	sessKeyId, err := unix.KeyctlJoinSessionKeyring(name)
+	sessKeyID, err := unix.KeyctlJoinSessionKeyring(name)
 	if err != nil {
 		return 0, errors.Wrap(err, "create session key")
 	}
-	return KeySerial(sessKeyId), nil
+	return KeySerial(sessKeyID), nil
 }
 
 // ModKeyringPerm modifies permissions on a keyring by reading the current permissions,
 // anding the bits with the given mask (clearing permissions) and setting
 // additional permission bits
-func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error {
-	dest, err := unix.KeyctlString(unix.KEYCTL_DESCRIBE, int(ringId))
+func ModKeyringPerm(ringID KeySerial, mask, setbits uint32) error {
+	dest, err := unix.KeyctlString(unix.KEYCTL_DESCRIBE, int(ringID))
 	if err != nil {
 		return err
 	}
@@ -43,5 +43,5 @@ func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error {
 
 	perm := (uint32(perm64) & mask) | setbits
 
-	return unix.KeyctlSetperm(int(ringId), perm)
+	return unix.KeyctlSetperm(int(ringID), perm)
 }

libcontainer/nsenter/test/escape.go

@@ -14,7 +14,7 @@ import (
 	"unsafe"
 )
 
-func testEscapeJsonString(t *testing.T, input, want string) {
+func testEscapeJSONString(t *testing.T, input, want string) {
 	in := C.CString(input)
 	out := C.escape_json_string(in)
 	got := C.GoString(out)
@@ -25,7 +25,7 @@ func testEscapeJsonString(t *testing.T, input, want string) {
 	}
 }
 
-func testEscapeJson(t *testing.T) {
+func testEscapeJSON(t *testing.T) {
 	testCases := []struct {
 		input, output string
 	}{
@@ -48,6 +48,6 @@ func testEscapeJson(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		testEscapeJsonString(t, tc.input, tc.output)
+		testEscapeJSONString(t, tc.input, tc.output)
 	}
 }

libcontainer/nsenter/test/escape_test.go

@@ -6,6 +6,6 @@ import "testing"
 // so that it can use cgo (import "C").
 // This wrapper is here for gotest to find.
 
-func TestEscapeJson(t *testing.T) {
-	testEscapeJson(t)
+func TestEscapeJSON(t *testing.T) {
+	testEscapeJSON(t)
 }

libcontainer/system/userns_deprecated.go

@@ -2,4 +2,6 @@ package system
 
 import "github.com/opencontainers/runc/libcontainer/userns"
 
+// RunningInUserNS detects whether we are currently running in a user namespace.
+// Deprecated: use github.com/opencontainers/runc/libcontainer/userns.RunningInUserNS instead
 var RunningInUserNS = userns.RunningInUserNS

libcontainer/user/user.go

@@ -11,19 +11,17 @@ import (
 )
 
 const (
-	minId = 0
-	maxId = 1<<31 - 1 // for 32-bit systems compatibility
+	minID = 0
+	maxID = 1<<31 - 1 // for 32-bit systems compatibility
 )
 
 var (
-	// The current operating system does not provide the required data for user lookups.
-	ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
-
-	// No matching entries found in file.
+	// ErrNoPasswdEntries is returned if no matching entries were found in /etc/group.
 	ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
-	ErrNoGroupEntries  = errors.New("no matching entries in group file")
-
-	ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
+	// ErrNoGroupEntries is returned if no matching entries were found in /etc/passwd.
+	ErrNoGroupEntries = errors.New("no matching entries in group file")
+	// ErrRange is returned if a UID or GID is outside of the valid range.
+	ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minID, maxID)
 )
 
 type User struct {
@@ -328,7 +326,7 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (
 		user.Uid = uidArg
 
 		// Must be inside valid uid range.
-		if user.Uid < minId || user.Uid > maxId {
+		if user.Uid < minID || user.Uid > maxID {
 			return nil, ErrRange
 		}
 
@@ -377,7 +375,7 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (
 				user.Gid = gidArg
 
 				// Must be inside valid gid range.
-				if user.Gid < minId || user.Gid > maxId {
+				if user.Gid < minID || user.Gid > maxID {
 					return nil, ErrRange
 				}
 
@@ -439,7 +437,7 @@ func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, err
 				return nil, fmt.Errorf("Unable to find group %s", ag)
 			}
 			// Ensure gid is inside gid range.
-			if gid < minId || gid > maxId {
+			if gid < minID || gid > maxID {
 				return nil, ErrRange
 			}
 			gidMap[int(gid)] = struct{}{}