build(deps): bump github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc94 #51

Closed
dependabot-preview[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/opencontainers/runc-1.0.0-rc94

@dependabot-preview

Bumps github.com/opencontainers/runc from 1.0.0-rc9 to 1.0.0-rc94.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc 1.0-rc93 -- "I never could get the hang of Thursdays."

This is the last feature-rich RC release and we are in a feature-freeze until 1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only, and 1.0.0 will be released soon afterwards.

  • runc's cgroupv2 support is no longer considered experimental. It is now believed to be fully ready for production deployments. In addition, runc's cgroup code has been improved:

    • The systemd cgroup driver has been improved to be more resilient and handle more systemd properties correctly.
    • We now make use of openat2(2) when possible to improve the security of cgroup operations (in future runc will be wholesale ported to libpathrs to get this protection in all codepaths).
  • runc's mountinfo parsing code has been reworked significantly, making container startup times significantly faster and less wasteful in general.

  • runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc. This is done by installing a custom prefix to all seccomp filters which returns -ENOSYS for syscalls that are newer than any syscall in the profile (meaning they have a larger syscall number).

    This should not cause any regressions (because previously users would simply get -EPERM rather than -ENOSYS, and the rule applied above is the most conservative rule possible) but please report any regressions you find as a result of this change -- in particular, programs which have special fallback code that is only run in the case of -EPERM.

  • runc now supports the following new runtime-spec features:

    • The umask of a container can now be specified.
    • The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE) are now supported.
    • The "unified" cgroup configuration option, which allows users to explicitly specify the limits based on the cgroup file names rather than abstracting them through OCI configuration. This is currently limited in scope to cgroupv2.
  • Various rootless containers improvements:

    • runc will no longer cause conflicts if a user specifies a custom device which conflicts with a user-configured device -- the user device takes precedence.
    • runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
  • runc --root is now always treated as local to the current working directory.

  • The --no-pivot-root hardening was improved to handle nested mounts properly (please note that we still strongly recommend that users do not use --no-pivot-root -- it is still an insecure option).

  • A large number of code cleanliness and other various cleanups, including

... (truncated)

Commits
  • 2c7861b VERSION: release v1.0.0-rc94
  • 62250c1 merge branch 'pr-2944'
  • 12e9cac Vagrantfile.fedora: set Delegate=yes
  • ac70a9a tests/int: run rootless_cgroup tests for v2+systemd
  • 601cf58 tests/int/cgroups: don't check for hugetlb
  • 40b9791 tests/int: enable/use requires cgroups_<ctrl>
  • 44fcbfd tests/int/helpers: generalize require cgroups_freezer
  • 353f2ad tests/int/update.bats: don't set cpuset in setup
  • 4f8ccc5 libct/cg/sd/v2: call initPath from Path
  • 0ed1f80 tests/int/helpers: rm old code
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
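
The seccomp `-ENOSYS` rule described in the rc93 release notes above, modelled as an added example (not code from runc or from this PR). The `Profile` type, its `Decide` method and the sample allow-list are hypothetical; the real filter is BPF, and this only models which errno a syscall number receives, using x86_64 syscall numbers.

```go
package main

import (
	"fmt"
	"syscall"
)

// x86_64 syscall numbers for a few syscalls (sample table for this example).
var syscallNr = map[string]int{
	"read": 0, "write": 1, "clone": 56, "openat": 257,
	"faccessat": 269, "clone3": 435, "openat2": 437, "faccessat2": 439,
}

// Profile is a hypothetical, simplified allow-list seccomp profile.
type Profile struct {
	Allowed      []string      // syscalls the profile permits
	DefaultErrno syscall.Errno // errno for everything else (e.g. EPERM)
}

// highestNr returns the largest syscall number the profile names.
func (p Profile) highestNr() int {
	highest := -1
	for _, name := range p.Allowed {
		if nr, ok := syscallNr[name]; ok && nr > highest {
			highest = nr
		}
	}
	return highest
}

// Decide models the prefixed filter: 0 means the syscall is allowed.
func (p Profile) Decide(nr int) syscall.Errno {
	if nr > p.highestNr() {
		return syscall.ENOSYS // newer than anything in the profile
	}
	for _, name := range p.Allowed {
		if n, ok := syscallNr[name]; ok && n == nr {
			return 0
		}
	}
	return p.DefaultErrno // older syscall the profile chose not to allow
}

func main() {
	// Constructed profile written before clone3/openat2/faccessat2 existed.
	p := Profile{Allowed: []string{"read", "write", "openat", "faccessat"}, DefaultErrno: syscall.EPERM}
	for _, name := range []string{"openat", "clone", "clone3", "faccessat2"} {
		fmt.Printf("%-10s -> %v\n", name, p.Decide(syscallNr[name]))
	}
}
```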

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc9 to 1.0.0-rc94.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Commits](opencontainers/runc@v1.0.0-rc9...v1.0.0-rc94)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview
Author

Superseded by #54.

@dependabot-preview dependabot-preview bot deleted the dependabot/go_modules/github.com/opencontainers/runc-1.0.0-rc94 branch May 20, 2021 04:45

Labels

dependencies Pull requests that update a dependency file
