Bump github.com/opencontainers/runc from 1.3.3 to 1.4.0

[dependabot]

Bumps github.com/opencontainers/runc from 1.3.3 to 1.4.0.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.4.0 -- "路漫漫其修远兮，吾将上下而求索！"

This is the first release of the 1.4.z release branch of runc. It contains a few fixes for issues found in 1.4.0-rc.3. This version of runc supports runtime-spec v1.3 (see [docs/spec-conformance.md][] for the few features that are still missing).

This is the second release of runc following our new release and support policy (see [RELEASES.md][] for more details). This means that, as of this release:

• The runc 1.2.z release branch will now only receive high severity CVE fixes, and will no longer be supported in less than 6 months (end of April 2026).
• The runc 1.3.z release branch will now only receive security and "significant" bugfixes.
• Users are encouraged to plan migrating to runc 1.4.0 as soon as possible.
• Despite this release being delayed by a month, users should still expect a runc 1.5.0 release in late April 2026.

Deprecated

• Deprecate cgroup v1. (#4956)
• Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from libcontainer/utils. (#4985)

Breaking

• The handling of pids.limit has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value of 0 will be treated as an actual limit (due to limitations with systemd, it will be treated the same as a limit value of 1). We only expect users that explicitly set pids.limit to 0 will see a behaviour change. opencontainers/cgroups#48#4949)

Fixed

• opencontainers/cgroups#43
• cgroups: retry DBus connection when it fails with EAGAIN. opencontainers/cgroups#45
• cgroups: improve cpuacct.usage_all resilience when parsing data from opencontainers/cgroups#46 opencontainers/cgroups#50)
• libct: close child fds on prepareCgroupFD error. (#4936)
• libct: fix mips compilation. (#4962, #4967)
• When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our [CVE-2025-52881][] mitigation patches. (#4971, #4976)
• Fix various file descriptor leaks and add additional tests to detect them as comprehensively as possible. (#5007, #5021, #5034)
• The "hallucination" helpers added as part of the [CVE-2025-52881][] mitigation have been made more generic and now apply to all of our pathrs helper functions, which should ensure we will not regress dangling symlink

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

Changelog

This file documents all notable changes made to this project since runc 1.0.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

libcontainer API

• The deprecated libcontainer/userns package has been removed; use github.com/moby/sys/userns instead.

Breaking

• The handling of pids.limit has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value of 0 will be treated as an actual limit (due to limitations with systemd, it will be treated the same as a limit value of 1). We only expect users that explicitly set pids.limit to 0 will see a behaviour change. opencontainers/cgroups#48#4949)

Fixed

• opencontainers/cgroups#43
• cgroups: retry DBus connection when it fails with EAGAIN. opencontainers/cgroups#45
• cgroups: improve cpuacct.usage_all resilience when parsing data from opencontainers/cgroups#46 opencontainers/cgroups#50)

[1.4.0-rc.1] - 2025-09-05

おめェもボスになったんだろぉ？

This version of runc requires Go 1.24 to build.

libcontainer API

• The deprecated libcontainer/user package has been removed; use github.com/moby/sys/user instead. (#3999, #4617)
• libcontainer/apparmor variables containing public functions have been switched to wrapper functions. (#4725)

Breaking

• runc update no longer allows --l3-cache-schema or --mem-bw-schema if linux.intelRdt was not present in the container’s original config.json.

  Without linux.intelRdt no CLOS (resctrl group) is created at container creation, so it is not possible to apply the updated options with runc update.

  Previously, this scenario did not work as expected. The runc update would create a new CLOS but fail to apply the schema, move only the init process

... (truncated)

Commits

• 8bd78a9 VERSION: release 1.4.0
• 7d84a12 Merge pull request #5005 from cyphar/1.4-hallucinated-paths
• c362d6b Merge pull request #5040 from cyphar/1.4-better-init-errors-4928
• f1d0dd8 runc create/run/exec: show fatal errors from init
• 4615662 libct/nsenter: better read/write errors
• c4a61c0 libct/nsenter: sprinkle missing sane_kill
• 493f1b1 libct/nsenter: add and use bailx
• 7f9fc53 libct/nsenter: save errno in sane_kill
• e18c06b Merge pull request #5041 from lifubang/backport-5014-fd-leaks-flake-1.4
• 5bb8987 libct/int: TestFdLeaks: deflake
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[elezar]

/ok-to-test 6e26bac

[coveralls]

Pull Request Test Coverage Report for Build 20752563786

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 36.927%

---

Totals
Change from base Build 20752209082:	0.0%
Covered Lines:	5203
Relevant Lines:	14090

---

💛 - Coveralls

[ArangoGutierrez]

/ok to test

[copy-pr-bot]

/ok to test

@ArangoGutierrez, there was an error processing your request: E1

See the following link for more information: https://docs.gha-runners.nvidia.com/cpr/e/1/

[ArangoGutierrez]

/ok to test 3a34c1a

[ArangoGutierrez]

/ok to test 7e69031

[ArangoGutierrez]

/ok to test 241edc9

[elezar]

Here we are copying code from the runc repo without properly attributing it.

What is the "correct" way to do this? While I agree that this is a valid way to handle breaking dependency changes in a patch release, I would like to consider what the scalable way to do this is for the next minor release.

[elezar]

Also, looking at the changes here, this is not actually required. Yes, I understand that this function is deprecated with the v1.4 release, but it is not being removed until v1.5. Why is it that we can't just add a //nolint check?

For reference: https://github.com/NVIDIA/nvidia-container-toolkit/actions/runs/19817146909/job/56770852753

Error: cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go:40:9: SA1019: utils.WithProcfd is deprecated: This function is an internal implementation detail of runc and is no longer used. It will be removed in runc 1.5. (staticcheck)
  	err := utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {
  	       ^
  Error: cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go:52:8: SA1019: utils.WithProcfd is deprecated: This function is an internal implementation detail of runc and is no longer used. It will be removed in runc 1.5. (staticcheck)
  	err = utils.WithProcfd(containerRootDirPath, modifiedParamsFilePath, func(modifiedParamsFileFdPath string) error {
  	      ^
  Error: cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go:63:9: SA1019: utils.WithProcfd is deprecated: This function is an internal implementation detail of runc and is no longer used. It will be removed in runc 1.5. (staticcheck)
  		err = utils.WithProcfd(containerRootDirPath, nvidiaDriverParamsPath, func(nvidiaDriverParamsFdPath string) error {
  		      ^

[ArangoGutierrez]

What is the "correct" way to do this? While I agree that this is a valid way to handle breaking dependency changes in a patch release, I would like to consider what the scalable way to do this is for the next minor release.

Ack, will look into a better way

[elezar]

As mentioned in the comment, I don't think duplicating the runc functionality is something that we should do before we investigate other options.

[elezar]

Also, looking at the changes here, this is not actually required. Yes, I understand that this function is deprecated with the v1.4 release, but it is not being removed until v1.5. Why is it that we can't just add a //nolint check?

For reference: https://github.com/NVIDIA/nvidia-container-toolkit/actions/runs/19817146909/job/56770852753

Error: cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go:40:9: SA1019: utils.WithProcfd is deprecated: This function is an internal implementation detail of runc and is no longer used. It will be removed in runc 1.5. (staticcheck)
  	err := utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {
  	       ^
  Error: cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go:52:8: SA1019: utils.WithProcfd is deprecated: This function is an internal implementation detail of runc and is no longer used. It will be removed in runc 1.5. (staticcheck)
  	err = utils.WithProcfd(containerRootDirPath, modifiedParamsFilePath, func(modifiedParamsFileFdPath string) error {
  	      ^
  Error: cmd/nvidia-cdi-hook/disable-device-node-modification/params_linux.go:63:9: SA1019: utils.WithProcfd is deprecated: This function is an internal implementation detail of runc and is no longer used. It will be removed in runc 1.5. (staticcheck)
  		err = utils.WithProcfd(containerRootDirPath, nvidiaDriverParamsPath, func(nvidiaDriverParamsFdPath string) error {
  		      ^

[ArangoGutierrez]

As mentioned in the comment, I don't think duplicating the runc functionality is something that we should do before we investigate other options.

I have edited this PR to for now only ignore the deprecation lint, adding a TODO to work on it on our side

[ArangoGutierrez]

/ok to test c33efe8

[ArangoGutierrez]

/ok to test 3705397

now we simply do a //nolint and add a TODO note

[elezar]

Instead of modifying two lines. Let's just have a single on that includes the nolint flag and the TODO.

Suggested change

	// TODO (ArangoGutierrez): Remove the nolint:staticcheck and properly fix the deprecation warning.
	err := utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error { //nolint:staticcheck
	//nolint:staticcheck // TODO (ArangoGutierrez): Remove the nolint:staticcheck and properly fix the deprecation warning.
	err := utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {

[ArangoGutierrez]

Done

[elezar]

Suggested change

	err := utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error { //nolint:staticcheck // TODO (ArangoGutierrez): Remove the nolint:staticcheck and properly fix the deprecation warning.
	//nolint:staticcheck // TODO (ArangoGutierrez): Remove the nolint:staticcheck and properly fix the deprecation warning.
	err := utils.WithProcfd(containerRootDirPath, hookScratchDirPath, func(hookScratchDirFdPath string) error {

[elezar]

The trailing comment is not as visible -- especially since we have a TODO there too.

[ArangoGutierrez]

Done

[elezar]

This should not be in the change set. You need to ensure that you don't have a local libnvidia-container change when adding the changes to the pr.