@dependabot dependabot bot commented on behalf of github Sep 7, 2025

Bumps github.com/opencontainers/runc from 1.2.6 to 1.2.7.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.7 -- "さんをつけろよデコ助野郎!"

This is the seventh release of the 1.2.z release branch of runc. It contains some fixes for issues found in runc 1.3.z that were considered "significant" bugfixes (as per our new release and support policy) and thus worth backporting.

Fixed

  • Removed preemptive "full access to cgroups" warning when calling runc pause or runc unpause as an unprivileged user without --systemd-cgroups. Now the warning is only emitted if an actual permission error was encountered. (#4709, #4720)
  • Add time namespace to container config after checkpoint/restore. CRIU since version 3.14 uses a time namespace for checkpoint/restore, however it was not joining the time namespace in runc. (#4696, #4714)
  • Container processes will no longer inherit the CPU affinity of runc by default. Instead, the default CPU affinity of container processes will be the largest set of CPUs permitted by the container's cpuset cgroup and any other system restrictions (such as isolated CPUs). (#4041, #4815, #4858)
  • Close seccomp agent connection to prevent resource leaks. (#4796, #4800)
  • Several fixes to our CI, mainly related to AlmaLinux and CRIU. (#4670, #4728, #4736, #4742)
  • Setting linux.rootfsPropagation to shared or unbindable now functions properly. (#1755, #1815, #4724, #4791)
  • runc update will no longer clear intelRdt state information. (#4828, #4834)

Changed

  • In runc 1.2, we changed our mount behaviour to correctly handle clearing flags. However, the error messages we returned did not provide as much information to users about what clearing flags were conflicting with locked mount flags. We now provide more diagnostic information if there is an error when in the fallback path to handle locked mount flags. (#4734, #4740)
  • Ignore the dmem controller in our cgroup tests, as systemd does not yet support it. (#4806, #4811)
  • /proc/net/dev is no longer included in the permitted procfs overmount list. Its inclusion was almost certainly an error, and because /proc/net is a symlink to /proc/self/net, overmounting this was almost certainly never useful (and will be blocked by future kernel versions). (#4817, #4820)
  • CI: Switch to GitHub-hosted ARM runners. Thanks again to @​alexellis for supporting runc's ARM CI up until now. (#4844, #4856, #4867)
  • Simplify the prepareCriuRestoreMounts logic for checkpoint-restore. (#4765, #4872)

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.7] - 2025-09-05

さんをつけろよデコ助野郎!

Commits
  • 4774df3 VERSION: release v1.2.7
  • daa7a74 Merge pull request #4872 from kolyshkin/1.2-4765
  • 66888fb criu: simplify isOnTmpfs check in prepareCriuRestoreMounts
  • 8559d3e criu: inline makeCriuRestoreMountpoints
  • 83a3755 criu: ignore cgroup early in prepareCriuRestoreMounts
  • 881a781 criu: improve prepareCriuRestoreMounts
  • 2f9d7ae Merge pull request #4869 from cyphar/1.2-reset-cpu-affinity
  • 6983cc7 [1.2] libct: reset CPU affinity by default
  • a06ff08 [1.2] tests: add RUNC_CMDLINE for tests incompatible with functions
  • 197c7fc [1.2] tests: add sane_run helper
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.2.6 to 1.2.7.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.2.6...v1.2.7)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies and maintenance labels Sep 7, 2025

copy-pr-bot bot commented Sep 7, 2025

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@ArangoGutierrez
Collaborator

maintenance branch


dependabot bot commented on behalf of github Sep 8, 2025

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/go_modules/release-1.17/github.com/opencontainers/runc-1.2.7 branch September 8, 2025 10:03