@@ -81,7 +81,7 @@ require (

 	github.com/moby/sys/userns v0.1.0

 	github.com/moby/term v0.5.2

 	github.com/morikuni/aec v1.0.0

-	github.com/opencontainers/cgroups v0.0.1

+	github.com/opencontainers/cgroups v0.0.2

 	github.com/opencontainers/go-digest v1.0.0

 	github.com/opencontainers/image-spec v1.1.1

 	github.com/opencontainers/runtime-spec v1.2.1

@@ -441,8 +441,8 @@ github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C

 github.com/onsi/gomega v1.36.0 h1:Pb12RlruUtj4XUuPUqeEWc6j5DkVVVA49Uf6YLfC95Y=

 github.com/onsi/gomega v1.36.0/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=

 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=

-github.com/opencontainers/cgroups v0.0.1 h1:MXjMkkFpKv6kpuirUa4USFBas573sSAY082B4CiHEVA=

-github.com/opencontainers/cgroups v0.0.1/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=

+github.com/opencontainers/cgroups v0.0.2 h1:A+mAPPMfgKNCEZUUtibESFx06uvhAmvo8sSz3Abwk7o=

+github.com/opencontainers/cgroups v0.0.2/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=

 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=

 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=

new file mode 100644

@@ -0,0 +1,21 @@

+# This is golangci-lint config file which is used to check NEW code in

+# github PRs only (see lint-extra in .github/workflows/validate.yml).

+#

+# For the default linter config, see .golangci.yml. This config should

+# only enable additional linters and/or linter settings not enabled

+# in the default config.

+version: "2"

+

+linters:

+  default: none

+  enable:

+    - godot

+    - revive

+    - staticcheck

+  settings:

+    staticcheck:

+      checks:

+        - all

+        - -QF1008 # https://staticcheck.dev/docs/checks/#QF1008 Omit embedded fields from selector expression.

+  exclusions:

+    generated: strict

new file mode 100644

@@ -0,0 +1,31 @@

+# For documentation, see https://golangci-lint.run/usage/configuration/

+version: "2"

+

+formatters:

+  enable:

+    - gofumpt

+  exclusions:

+    generated: strict

+

+linters:

+  enable:

+    - errorlint

+    - nolintlint

+    - unconvert

+    - unparam

+  settings:

+    govet:

+      enable:

+        - nilness

+    staticcheck:

+      checks:

+        - all

+        - -ST1000 # https://staticcheck.dev/docs/checks/#ST1000 Incorrect or missing package comment.

+        - -ST1003 # https://staticcheck.dev/docs/checks/#ST1003 Poorly chosen identifier.

+        - -ST1005 # https://staticcheck.dev/docs/checks/#ST1005 Incorrectly formatted error string.

+        - -QF1008 # https://staticcheck.dev/docs/checks/#QF1008 Omit embedded fields from selector expression.

+  exclusions:

+    generated: strict

+    presets:

+      - comments

+      - std-error-handling

@@ -23,7 +23,7 @@ However, specification releases have special restrictions in the [OCI charter][c

 * They are the target of backwards compatibility (§7.g), and

 * They are subject to the OFWa patent grant (§8.d and e).

-To avoid unfortunate side effects (onerous backwards compatibity requirements or Member resignations), the following additional procedures apply to specification releases:

+To avoid unfortunate side effects (onerous backwards compatibility requirements or Member resignations), the following additional procedures apply to specification releases:

 ### Planning a release

@@ -23,16 +23,16 @@ type Cgroup struct {

 	// Path specifies the path to cgroups that are created and/or joined by the container.

 	// The path is assumed to be relative to the host system cgroup mountpoint.

-	Path string `json:"path"`

+	Path string `json:"path,omitempty"`

-	// ScopePrefix describes prefix for the scope name

-	ScopePrefix string `json:"scope_prefix"`

+	// ScopePrefix describes prefix for the scope name.

+	ScopePrefix string `json:"scope_prefix,omitempty"`

-	// Resources contains various cgroups settings to apply

-	*Resources

+	// Resources contains various cgroups settings to apply.

+	*Resources `json:"Resources,omitempty"`

 	// Systemd tells if systemd should be used to manage cgroups.

-	Systemd bool

+	Systemd bool `json:"Systemd,omitempty"`

 	// SystemdProps are any additional properties for systemd,

 	// derived from org.systemd.property.xxx annotations.

@@ -40,7 +40,7 @@ type Cgroup struct {

 	SystemdProps []systemdDbus.Property `json:"-"`

 	// Rootless tells if rootless cgroups should be used.

-	Rootless bool

+	Rootless bool `json:"Rootless,omitempty"`

 	// The host UID that should own the cgroup, or nil to accept

 	// the default ownership.  This should only be set when the

@@ -52,96 +52,96 @@ type Cgroup struct {

 type Resources struct {

 	// Devices is the set of access rules for devices in the container.

-	Devices []*devices.Rule `json:"devices"`

+	Devices []*devices.Rule `json:"devices,omitempty"`

-	// Memory limit (in bytes)

-	Memory int64 `json:"memory"`

+	// Memory limit (in bytes).

+	Memory int64 `json:"memory,omitempty"`

-	// Memory reservation or soft_limit (in bytes)

-	MemoryReservation int64 `json:"memory_reservation"`

+	// Memory reservation or soft_limit (in bytes).

+	MemoryReservation int64 `json:"memory_reservation,omitempty"`

-	// Total memory usage (memory + swap); set `-1` to enable unlimited swap

-	MemorySwap int64 `json:"memory_swap"`

+	// Total memory usage (memory+swap); use -1 for unlimited swap.

+	MemorySwap int64 `json:"memory_swap,omitempty"`

-	// CPU shares (relative weight vs. other containers)

-	CpuShares uint64 `json:"cpu_shares"`

+	// CPU shares (relative weight vs. other containers).

+	CpuShares uint64 `json:"cpu_shares,omitempty"` //nolint:revive // Suppress "var-naming: struct field CpuShares should be CPUShares".

 	// CPU hardcap limit (in usecs). Allowed cpu time in a given period.

-	CpuQuota int64 `json:"cpu_quota"`

+	CpuQuota int64 `json:"cpu_quota,omitempty"` //nolint:revive // Suppress "var-naming: struct field CpuQuota should be CPUQuota".

 	// CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a given period.

-	CpuBurst *uint64 `json:"cpu_burst"` //nolint:revive

+	CpuBurst *uint64 `json:"cpu_burst,omitempty"` //nolint:revive // Suppress "var-naming: struct field CpuBurst should be CPUBurst".

 	// CPU period to be used for hardcapping (in usecs). 0 to use system default.

-	CpuPeriod uint64 `json:"cpu_period"`

+	CpuPeriod uint64 `json:"cpu_period,omitempty"` //nolint:revive // Suppress "var-naming: struct field CpuPeriod should be CPUPeriod".

 	// How many time CPU will use in realtime scheduling (in usecs).

-	CpuRtRuntime int64 `json:"cpu_rt_quota"`

+	CpuRtRuntime int64 `json:"cpu_rt_quota,omitempty"` //nolint:revive // Suppress "var-naming: struct field CpuRtRuntime should be CPURtRuntime".

 	// CPU period to be used for realtime scheduling (in usecs).

-	CpuRtPeriod uint64 `json:"cpu_rt_period"`

+	CpuRtPeriod uint64 `json:"cpu_rt_period,omitempty"` //nolint:revive // Suppress "var-naming: struct field CpuQuota should be CPUQuota".

-	// CPU to use

-	CpusetCpus string `json:"cpuset_cpus"`

+	// Cpuset CPUs to use.

+	CpusetCpus string `json:"cpuset_cpus,omitempty"`

-	// MEM to use

-	CpusetMems string `json:"cpuset_mems"`

+	// Cpuset memory nodes to use.

+	CpusetMems string `json:"cpuset_mems,omitempty"`

-	// cgroup SCHED_IDLE

+	// Cgroup's SCHED_IDLE value.

 	CPUIdle *int64 `json:"cpu_idle,omitempty"`

 	// Process limit; set <= `0' to disable limit.

-	PidsLimit int64 `json:"pids_limit"`

+	PidsLimit int64 `json:"pids_limit,omitempty"`

 	// Specifies per cgroup weight, range is from 10 to 1000.

-	BlkioWeight uint16 `json:"blkio_weight"`

+	BlkioWeight uint16 `json:"blkio_weight,omitempty"`

-	// Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only

-	BlkioLeafWeight uint16 `json:"blkio_leaf_weight"`

+	// Tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only.

+	BlkioLeafWeight uint16 `json:"blkio_leaf_weight,omitempty"`

 	// Weight per cgroup per device, can override BlkioWeight.

-	BlkioWeightDevice []*WeightDevice `json:"blkio_weight_device"`

+	BlkioWeightDevice []*WeightDevice `json:"blkio_weight_device,omitempty"`

 	// IO read rate limit per cgroup per device, bytes per second.

-	BlkioThrottleReadBpsDevice []*ThrottleDevice `json:"blkio_throttle_read_bps_device"`

+	BlkioThrottleReadBpsDevice []*ThrottleDevice `json:"blkio_throttle_read_bps_device,omitempty"`

 	// IO write rate limit per cgroup per device, bytes per second.

-	BlkioThrottleWriteBpsDevice []*ThrottleDevice `json:"blkio_throttle_write_bps_device"`

+	BlkioThrottleWriteBpsDevice []*ThrottleDevice `json:"blkio_throttle_write_bps_device,omitempty"`

 	// IO read rate limit per cgroup per device, IO per second.

-	BlkioThrottleReadIOPSDevice []*ThrottleDevice `json:"blkio_throttle_read_iops_device"`

+	BlkioThrottleReadIOPSDevice []*ThrottleDevice `json:"blkio_throttle_read_iops_device,omitempty"`

 	// IO write rate limit per cgroup per device, IO per second.

-	BlkioThrottleWriteIOPSDevice []*ThrottleDevice `json:"blkio_throttle_write_iops_device"`

+	BlkioThrottleWriteIOPSDevice []*ThrottleDevice `json:"blkio_throttle_write_iops_device,omitempty"`

-	// set the freeze value for the process

-	Freezer FreezerState `json:"freezer"`

+	// Freeze value for the process.

+	Freezer FreezerState `json:"freezer,omitempty"`

-	// Hugetlb limit (in bytes)

-	HugetlbLimit []*HugepageLimit `json:"hugetlb_limit"`

+	// Hugetlb limit (in bytes).

+	HugetlbLimit []*HugepageLimit `json:"hugetlb_limit,omitempty"`

-	// Whether to disable OOM Killer

-	OomKillDisable bool `json:"oom_kill_disable"`

+	// Whether to disable OOM killer.

+	OomKillDisable bool `json:"oom_kill_disable,omitempty"`

-	// Tuning swappiness behaviour per cgroup

-	MemorySwappiness *uint64 `json:"memory_swappiness"`

+	// Tuning swappiness behaviour per cgroup.

+	MemorySwappiness *uint64 `json:"memory_swappiness,omitempty"`

-	// Set priority of network traffic for container

-	NetPrioIfpriomap []*IfPrioMap `json:"net_prio_ifpriomap"`

+	// Set priority of network traffic for container.

+	NetPrioIfpriomap []*IfPrioMap `json:"net_prio_ifpriomap,omitempty"`

-	// Set class identifier for container's network packets

-	NetClsClassid uint32 `json:"net_cls_classid_u"`

+	// Set class identifier for container's network packets.

+	NetClsClassid uint32 `json:"net_cls_classid_u,omitempty"`

-	// Rdma resource restriction configuration

-	Rdma map[string]LinuxRdma `json:"rdma"`

+	// Rdma resource restriction configuration.

+	Rdma map[string]LinuxRdma `json:"rdma,omitempty"`

 	// Used on cgroups v2:

 	// CpuWeight sets a proportional bandwidth limit.

-	CpuWeight uint64 `json:"cpu_weight"`

+	CpuWeight uint64 `json:"cpu_weight,omitempty"` //nolint:revive // Suppress "var-naming: struct field CpuWeight should be CPUWeight".

 	// Unified is cgroupv2-only key-value map.

-	Unified map[string]string `json:"unified"`

+	Unified map[string]string `json:"unified,omitempty"`

 	// SkipDevices allows to skip configuring device permissions.

 	// Used by e.g. kubelet while creating a parent cgroup (kubepods)

@@ -165,5 +165,5 @@ type Resources struct {

 	// MemoryCheckBeforeUpdate is a flag for cgroup v2 managers to check

 	// if the new memory limits (Memory and MemorySwap) being set are lower

 	// than the current memory usage, and reject if so.

-	MemoryCheckBeforeUpdate bool `json:"memory_check_before_update"`

+	MemoryCheckBeforeUpdate bool `json:"memory_check_before_update,omitempty"`

 }

@@ -20,10 +20,10 @@ type Device struct {

 	FileMode os.FileMode `json:"file_mode"`

 	// Uid of the device.

-	Uid uint32 `json:"uid"`

+	Uid uint32 `json:"uid,omitempty"` //nolint:revive // Suppress "var-naming: struct field Uid should be UID".

 	// Gid of the device.

-	Gid uint32 `json:"gid"`

+	Gid uint32 `json:"gid,omitempty"` //nolint:revive // Suppress "var-naming: struct field Gid should be GID".

 }

 // Permissions is a cgroupv1-style string to represent device access. It

@@ -9,6 +9,14 @@ type ThrottlingData struct {

 	ThrottledTime uint64 `json:"throttled_time,omitempty"`

 }

+type BurstData struct {

+	// Number of periods bandwidth burst occurs

+	BurstsPeriods uint64 `json:"bursts_periods,omitempty"`

+	// Cumulative wall-time that any cpus has used above quota in respective periods

+	// Units: nanoseconds.

+	BurstTime uint64 `json:"burst_time,omitempty"`

+}

+

 // CpuUsage denotes the usage of a CPU.

 // All CPU stats are aggregate since container inception.

 type CpuUsage struct {

@@ -48,6 +56,7 @@ type CpuStats struct {

 	CpuUsage       CpuUsage       `json:"cpu_usage,omitempty"`

 	ThrottlingData ThrottlingData `json:"throttling_data,omitempty"`

 	PSI            *PSIStats      `json:"psi,omitempty"`

+	BurstData      BurstData      `json:"burst_data,omitempty"`

 }

 type CPUSetStats struct {

@@ -231,7 +231,7 @@ func rmdir(path string, retry bool) error {

 again:

 	err := unix.Rmdir(path)

-	switch err { // nolint:errorlint // unix errors are bare

+	switch err {

 	case nil, unix.ENOENT:

 		return nil

 	case unix.EINTR:

@@ -395,7 +395,7 @@ func WriteCgroupProc(dir string, pid int) error {

 	}

 	defer file.Close()

-	for i := 0; i < 5; i++ {

+	for range 5 {

 		_, err = file.WriteString(strconv.Itoa(pid))

 		if err == nil {

 			return nil

@@ -5,6 +5,7 @@ import (

 	"fmt"

 	"os"

 	"path/filepath"

+	"slices"

 	"strings"

 	"sync"

 	"syscall"

@@ -144,10 +145,8 @@ func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string,

 func findCgroupMountpointAndRootFromMI(mounts []*mountinfo.Info, cgroupPath, subsystem string) (string, string, error) {

 	for _, mi := range mounts {

 		if strings.HasPrefix(mi.Mountpoint, cgroupPath) {

-			for _, opt := range strings.Split(mi.VFSOptions, ",") {

-				if opt == subsystem {

-					return mi.Mountpoint, mi.Root, nil

-				}

+			if slices.Contains(strings.Split(mi.VFSOptions, ","), subsystem) {

+				return mi.Mountpoint, mi.Root, nil

 			}

 		}

 	}

@@ -1060,7 +1060,7 @@ github.com/morikuni/aec

 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822

 ## explicit

 github.com/munnerz/goautoneg

-# github.com/opencontainers/cgroups v0.0.1

+# github.com/opencontainers/cgroups v0.0.2

 ## explicit; go 1.23.0

 github.com/opencontainers/cgroups

 github.com/opencontainers/cgroups/devices/config