
@dependabot dependabot bot (Contributor) commented on behalf of github Nov 28, 2025

Bumps the opencontainers group with 2 updates: github.com/opencontainers/runc and github.com/opencontainers/runtime-spec.

Updates github.com/opencontainers/runc from 1.3.3 to 1.4.0

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.4.0 -- "路漫漫其修远兮,吾将上下而求索!" ("The road ahead is long and far, yet I will search high and low!")

This is the first release of the 1.4.z release branch of runc. It contains a few fixes for issues found in 1.4.0-rc.3. This version of runc supports runtime-spec v1.3 (see [docs/spec-conformance.md][] for the few features that are still missing).

This is the second release of runc following our new release and support policy (see [RELEASES.md][] for more details). This means that, as of this release:

  • The runc 1.2.z release branch will now only receive high severity CVE fixes, and will no longer be supported in less than 6 months (end of April 2026).
  • The runc 1.3.z release branch will now only receive security and "significant" bugfixes.
  • Users are encouraged to plan migrating to runc 1.4.0 as soon as possible.
  • Despite this release being delayed by a month, users should still expect a runc 1.5.0 release in late April 2026.

Deprecated

  • Deprecate cgroup v1. (#4956)
  • Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from libcontainer/utils. (#4985)

Breaking

  • The handling of pids.limit has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value of 0 will be treated as an actual limit (due to limitations with systemd, it will be treated the same as a limit value of 1). We only expect users that explicitly set pids.limit to 0 will see a behaviour change. (opencontainers/cgroups#48, #4949)

Fixed

  • opencontainers/cgroups#43
  • cgroups: retry DBus connection when it fails with EAGAIN. opencontainers/cgroups#45
  • cgroups: improve cpuacct.usage_all resilience when parsing data from (opencontainers/cgroups#46, opencontainers/cgroups#50)
  • libct: close child fds on prepareCgroupFD error. (#4936)
  • libct: fix mips compilation. (#4962, #4967)
  • When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our [CVE-2025-52881][] mitigation patches. (#4971, #4976)
  • Fix various file descriptor leaks and add additional tests to detect them as comprehensively as possible. (#5007, #5021, #5034)
  • The "hallucination" helpers added as part of the [CVE-2025-52881][] mitigation have been made more generic and now apply to all of our pathrs helper functions, which should ensure we will not regress dangling symlink

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

Changelog

This file documents all notable changes made to this project since runc 1.0.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

libcontainer API

  • The deprecated libcontainer/userns package has been removed; use github.com/moby/sys/userns instead.

Breaking

  • The handling of pids.limit has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value of 0 will be treated as an actual limit (due to limitations with systemd, it will be treated the same as a limit value of 1). We only expect users that explicitly set pids.limit to 0 will see a behaviour change. (opencontainers/cgroups#48, #4949)

Fixed

  • opencontainers/cgroups#43
  • cgroups: retry DBus connection when it fails with EAGAIN. opencontainers/cgroups#45
  • cgroups: improve cpuacct.usage_all resilience when parsing data from (opencontainers/cgroups#46, opencontainers/cgroups#50)

[1.4.0-rc.1] - 2025-09-05

おめェもボスになったんだろぉ? ("You've become a boss too, haven't you?")

This version of runc requires Go 1.24 to build.

libcontainer API

  • The deprecated libcontainer/user package has been removed; use github.com/moby/sys/user instead. (#3999, #4617)
  • libcontainer/apparmor variables containing public functions have been switched to wrapper functions. (#4725)

Breaking

  • runc update no longer allows --l3-cache-schema or --mem-bw-schema if linux.intelRdt was not present in the container’s original config.json.

    Without linux.intelRdt no CLOS (resctrl group) is created at container creation, so it is not possible to apply the updated options with runc update.

    Previously, this scenario did not work as expected. The runc update would create a new CLOS but fail to apply the schema, move only the init process

... (truncated)

Commits
  • 8bd78a9 VERSION: release 1.4.0
  • 7d84a12 Merge pull request #5005 from cyphar/1.4-hallucinated-paths
  • c362d6b Merge pull request #5040 from cyphar/1.4-better-init-errors-4928
  • f1d0dd8 runc create/run/exec: show fatal errors from init
  • 4615662 libct/nsenter: better read/write errors
  • c4a61c0 libct/nsenter: sprinkle missing sane_kill
  • 493f1b1 libct/nsenter: add and use bailx
  • 7f9fc53 libct/nsenter: save errno in sane_kill
  • e18c06b Merge pull request #5041 from lifubang/backport-5014-fd-leaks-flake-1.4
  • 5bb8987 libct/int: TestFdLeaks: deflake
  • Additional commits viewable in compare view

Updates github.com/opencontainers/runtime-spec from 1.2.1 to 1.3.0

Release notes

Sourced from github.com/opencontainers/runtime-spec's releases.

v1.3.0

This is the fourth minor release of the v1 series of the Open Container Initiative Runtime Specification. This release features the addition of the specification for FreeBSD.

Additions

  • config-vm: add hwConfig object (#1209)
  • config-linux: add intelRdt.schemata field (#1230)
  • config-linux: add netDevices object (#1271)
  • config-linux: add memoryPolicy object (#1282)
  • config-freebsd: add the spec for FreeBSD (#1286)
  • config-linux: add intelRdt.enableMonitoring field (#1287)

Minor fixes

  • config-linux: clarify intelRdt configuration (#1196)
  • runtime: fail when a poststart hook fails (#1262)
  • config-linux: clarify pids cgroup settings (#1279)
  • config-linux: define default clos for intelRdt (#1289)
  • features-linux: add intelRdt.enableMonitoring field (#1290)
  • features-linux: add intelRdt.schemata field (#1291)
  • config-linux: fix and elaborate memoryPolicy.nodes field (#1294)
  • config-linux, schema: fix FileMode description (#1298)

Documentation, CI & Governance

  • add systemd-nspawn to implementations.md (#1272)
  • CI: add codespell, bump golangci-lint (#1281)
  • docs: add missing backticks for code formatting (#1284)
  • docs: fix typo (#1285)
  • principles: fix typo (#1288)
  • schema: fix json (#1297)
  • ci: use supported Go versions (#1300)
  • Add minimum supported Go version to CI (#1303)
  • Mention FreeBSD platform (#1304)

Thanks to the following contributors for making this release possible: @Artoria2e5 @Sharmaann @aojea @ariel-anieli @askervin @cyphar @dfr @gogolok @ipuustin @kolyshkin @marquiz @oleksiimoisieiev @tianon

Vote-Results: +9 -0 *2 (#1302) Signed-off-by: Akihiro Suda (@AkihiroSuda)

Changelog

Sourced from github.com/opencontainers/runtime-spec's changelog.

OpenContainers Specifications

Changes with v1.3.0:

Additions:

  • config-vm: add hwConfig object (#1209)
  • config-linux: add intelRdt.schemata field (#1230)
  • config-linux: add netDevices object (#1271)
  • config-linux: add memoryPolicy object (#1282)
  • config-freebsd: add the spec for FreeBSD (#1286)
  • config-linux: add intelRdt.enableMonitoring field (#1287)

Minor fixes:

  • config-linux: clarify intelRdt configuration (#1196)
  • runtime: fail when a poststart hook fails (#1262)
  • config-linux: clarify pids cgroup settings (#1279)
  • config-linux: define default clos for intelRdt (#1289)
  • features-linux: add intelRdt.enableMonitoring field (#1290)
  • features-linux: add intelRdt.schemata field (#1291)
  • config-linux: fix and elaborate memoryPolicy.nodes field (#1294)
  • config-linux, schema: fix FileMode description (#1298)

Documentation, CI & Governance:

  • add systemd-nspawn to implementations.md (#1272)
  • CI: add codespell, bump golangci-lint (#1281)
  • docs: add missing backticks for code formatting (#1284)
  • docs: fix typo (#1285)
  • principles: fix typo (#1288)
  • schema: fix json (#1297)
  • ci: use supported Go versions (#1300)
  • Add minimum supported Go version to CI (#1303)
  • Mention FreeBSD platform (#1304)

Changes with v1.2.1:

Additions:

  • zos updates (#1273)
  • Add support for windows CPU affinity (#1258)
  • specs-go: sync SCMP_ARCH_* constants with libseccomp main (#1229)
  • Add CPU affinity to executed processes (#1253, #1261)
  • config-linux: describe the format of cpus and mems (#1253)

Minor fixes:

  • Fix description of errnoRet in Seccomp (#1277)
  • config-linux: update for libseccomp v2.6.0 (#1276)

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name: github.com/opencontainers/runtime-spec
Ignore Conditions: [>= 1.3.a, < 1.4]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
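The two Breaking entries in the quoted runc notes (pids.limit in 1.4.0, and runc update refusing --l3-cache-schema / --mem-bw-schema when linux.intelRdt was absent, since 1.4.0-rc.1) are easiest to reason about as a check over a bundle's config.json. The Go program below is an added example, not code from runc, from the opencontainers/cgroups module, or from this repository. It models the "before" and "after" rendering of pids.limit into the cgroup's pids.max as the release note describes it (that 0 is written literally as "0" on the non-systemd driver is an assumption; the note only says it becomes an actual limit), reads only the spec fields it needs, and audits two sample bundles constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// ociConfig is the slice of the runtime-spec config.json layout the audit
// reads (field names as in the spec); the rest of the file is ignored.
type ociConfig struct {
	Linux *struct {
		Resources *struct {
			Pids *struct {
				Limit int64 `json:"limit"`
			} `json:"pids"`
		} `json:"resources"`
		// nil when the key is absent (or null), non-nil when present.
		IntelRdt map[string]any `json:"intelRdt"`
	} `json:"linux"`
}

// pidsMaxBefore is the pre-1.4.0 rendering of pids.limit into the cgroup's
// pids.max file: any value <= 0 was written as "max", i.e. no limit.
func pidsMaxBefore(limit int64) string {
	if limit > 0 {
		return strconv.FormatInt(limit, 10)
	}
	return "max"
}

// pidsMaxAfter follows the 1.4.0 release note: only a negative value means
// unlimited, 0 is a real limit, and with the systemd cgroup driver 0 is
// applied as 1. Writing 0 literally on the fs driver is an assumption.
func pidsMaxAfter(limit int64, systemd bool) string {
	switch {
	case limit < 0:
		return "max"
	case limit == 0 && systemd:
		return "1"
	}
	return strconv.FormatInt(limit, 10)
}

// Finding names one setting whose effect changes on runc 1.4.0.
type Finding struct {
	Path string // JSON path inside config.json
	Msg  string
}

// AuditConfig flags a pids.limit that runc 1.4.0 will apply differently.
// systemd says whether the host runs runc with the systemd cgroup driver.
func AuditConfig(raw []byte, systemd bool) ([]Finding, error) {
	var c ociConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	var out []Finding
	if c.Linux != nil && c.Linux.Resources != nil && c.Linux.Resources.Pids != nil {
		l := c.Linux.Resources.Pids.Limit
		if before, after := pidsMaxBefore(l), pidsMaxAfter(l, systemd); before != after {
			out = append(out, Finding{
				Path: "linux.resources.pids.limit",
				Msg:  fmt.Sprintf("limit %d: pids.max was %q, becomes %q", l, before, after),
			})
		}
	}
	return out, nil
}

// RdtUpdatable reports whether `runc update --l3-cache-schema` or
// `--mem-bw-schema` can still be used on a container from this bundle: since
// 1.4.0-rc.1 that needs linux.intelRdt in the original config.json, because
// the CLOS (resctrl group) is only created at container creation.
func RdtUpdatable(raw []byte) (bool, error) {
	var c ociConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, fmt.Errorf("parse config.json: %w", err)
	}
	return c.Linux != nil && c.Linux.IntelRdt != nil, nil
}

// Constructed sample bundles (not taken from any real project): the first
// sets pids.limit to 0 and has no intelRdt block, the second the reverse.
const (
	SampleZeroLimit = `{"ociVersion":"1.3.0","linux":{"resources":{"pids":{"limit":0}}}}`
	SampleRdt       = `{"ociVersion":"1.3.0","linux":{"resources":{"pids":{"limit":512}},"intelRdt":{"closID":"web","l3CacheSchema":"L3:0=ffff"}}}`
)

func main() {
	for _, s := range []string{SampleZeroLimit, SampleRdt} {
		findings, err := AuditConfig([]byte(s), true)
		if err != nil {
			panic(err)
		}
		rdt, _ := RdtUpdatable([]byte(s))
		fmt.Printf("findings=%v rdtUpdatable=%v\n", findings, rdt)
	}
}
```

Point AuditConfig at every config.json your tooling generates (or at the bundles of already-created containers) before the bump lands: a finding means a container that previously ran with no task limit will get pids.max 0 or 1 on 1.4.0, which is almost always an accidental configuration rather than an intended one.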

@dependabot dependabot bot added the labels "dependencies" (Pull requests that update a dependency file) and "go" (Pull requests that update go code) on Nov 28, 2025

@dtrudg dtrudg (Member) commented Nov 28, 2025

Need to review compatibility of 1.3.0 runtime specs across distro runc / crun versions.
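One way to start the compatibility review dtrudg asks for is to compare the ociVersionMin / ociVersionMax range that each distro runtime advertises (the runtime-spec "features" document, printed by `runc features`) with the ociVersion a bundle will now declare. The Go program below is an added example, not code from this repository, runc or crun; the two features documents it checks are constructed samples, and its version parser accepts only the MAJOR.MINOR.PATCH[-rc.N] form the OCI projects use, rejecting anything else rather than guessing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// runtimeFeatures is the slice of the `runc features` JSON (the runtime-spec
// "features" document) that a version-range check needs.
type runtimeFeatures struct {
	OCIVersionMin string `json:"ociVersionMin"`
	OCIVersionMax string `json:"ociVersionMax"`
}

// version is MAJOR.MINOR.PATCH plus a fourth slot for the pre-release: the N
// of an "-rc.N" tag, or math.MaxInt for a final release, so that
// 1.3.0-rc.1 < 1.3.0 falls out of a plain element-wise comparison.
type version [4]int

func parseVersion(s string) (version, error) {
	var v version
	core, pre, hasPre := strings.Cut(s, "-") // "1.3.0-rc.1" -> "1.3.0", "rc.1"
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q: bad component %q", s, p)
		}
		v[i] = n
	}
	v[3] = math.MaxInt
	if hasPre {
		rc, ok := strings.CutPrefix(pre, "rc.")
		n, err := strconv.Atoi(rc)
		if !ok || err != nil || n < 0 {
			return v, fmt.Errorf("version %q: unsupported pre-release %q", s, pre)
		}
		v[3] = n
	}
	return v, nil
}

// less reports a < b, comparing major, minor, patch, then the rc slot.
func less(a, b version) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Supported reports whether a bundle declaring ociVersion lies within the
// [ociVersionMin, ociVersionMax] range the runtime advertises.
func Supported(featuresJSON []byte, ociVersion string) (bool, error) {
	var f runtimeFeatures
	if err := json.Unmarshal(featuresJSON, &f); err != nil {
		return false, fmt.Errorf("parse features: %w", err)
	}
	var vs [3]version // min, candidate, max
	for i, s := range []string{f.OCIVersionMin, ociVersion, f.OCIVersionMax} {
		v, err := parseVersion(s)
		if err != nil {
			return false, err
		}
		vs[i] = v
	}
	return !less(vs[1], vs[0]) && !less(vs[2], vs[1]), nil
}

// Constructed sample outputs standing in for `runc features` on two hosts;
// the ranges are illustrative, not measured from any real runc or crun build.
const (
	NewRuntime = `{"ociVersionMin":"1.0.0","ociVersionMax":"1.3.0"}`
	OldRuntime = `{"ociVersionMin":"1.0.0","ociVersionMax":"1.1.0-rc.2"}`
)

func main() {
	for _, rt := range []string{NewRuntime, OldRuntime} {
		ok, err := Supported([]byte(rt), "1.3.0")
		fmt.Println(rt, "accepts ociVersion 1.3.0:", ok, err)
	}
}
```

Run `runc features` on each distro image you target and feed the JSON to Supported with the ociVersion your bundles will carry after this bump. A false result is the cheap first filter; a true one only says the runtime claims the range, so the individual 1.3.0 additions you actually emit (netDevices, memoryPolicy, the new intelRdt fields) still need checking against the rest of the features document, which lists them separately.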

@dependabot dependabot bot force-pushed the dependabot/go_modules/main/opencontainers-e686b754b4 branch from 55e575c to 4d93245 on November 28, 2025 09:35
Bumps the opencontainers group with 2 updates: [github.com/opencontainers/runc](https://github.com/opencontainers/runc) and [github.com/opencontainers/runtime-spec](https://github.com/opencontainers/runtime-spec).


Updates `github.com/opencontainers/runc` from 1.3.3 to 1.4.0
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.3.3...v1.4.0)

Updates `github.com/opencontainers/runtime-spec` from 1.2.1 to 1.3.0
- [Release notes](https://github.com/opencontainers/runtime-spec/releases)
- [Changelog](https://github.com/opencontainers/runtime-spec/blob/main/ChangeLog)
- [Commits](opencontainers/runtime-spec@v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: opencontainers
- dependency-name: github.com/opencontainers/runtime-spec
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: opencontainers
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/main/opencontainers-e686b754b4 branch from 4d93245 to 5f1ff04 on November 28, 2025 09:36