chore(deps): bump github.com/opencontainers/runc from 1.2.6 to 1.3.0

[dependabot]

Bumps github.com/opencontainers/runc from 1.2.6 to 1.3.0.

Changelog

Sourced from github.com/opencontainers/runc's changelog.

Changelog

This file documents all notable changes made to this project since runc 1.0.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[1.3.0-rc.1] - 2025-03-04

No tengo miedo al invierno, con tu recuerdo lleno de sol.

libcontainer API

• configs.CommandHook struct has changed, Command is now a pointer. Also, configs.NewCommandHook now accepts a *Command. (#4325)
• The Process struct has User string field replaced with numeric UID and GID fields, and AdditionalGroups changed its type from []string to []int. Essentially, resolution of user and group names to IDs is no longer performed by libcontainer, so if a libcontainer user previously relied on this feature, now they have to convert names to IDs before calling libcontainer; it is recommended to use Go package github.com/moby/sys/user for that. (#3999)
• Move libcontainer/cgroups to a separate repository. (#4618)

Fixed

• runc exec -p no longer ignores specified ioPriority and scheduler settings. Similarly, libcontainer's Container.Start and Container.Run methods no longer ignore Process.IOPriority and Process.Scheduler settings. (#4585)
• We no longer use F_SEAL_FUTURE_WRITE when sealing the runc binary, as it turns out this had some unfortunate bugs in older kernel versions and was never necessary in the first place. (#4641, #4640)
• runc now uses a more flexible method of joining namespaces, which better matches the behaviour of nsenter(8). This is mainly useful for users that create a container with a runc-managed user namespace but want the container to join some externally-managed namespace as well. (#4492)
• runc now properly handles joining time namespaces (such as with runc exec). Previously we would attempt to set the time offsets when joining, which would fail. (#4635, #4636)
• Handle EINTR retries correctly for socket-related direct golang.org/x/sys/unix system calls. (#4637)
• Handle close_range(2) errors more gracefully. (#4596)
• Fix a stall issue that would happen if setting O_CLOEXEC with CloseExecFrom failed (#4599).
• Handle errors on older kernels when resetting ambient capabilities more gracefully. (#4597)

Changed

• runc now has an official release policy to help provide more consistency around our release schedules and better define our support policy for old

... (truncated)

Commits

• 4ca628d VERSION: release v1.3.0
• 889b4bd Merge pull request #4749 from rata/release-1.3
• 60e2125 go.mod: Delete exclude directives
• 8d2e095 Merge pull request #4744 from kolyshkin/1.3-4718
• 7031f31 runc: embed version from VERSION file
• 51b5267 runc --version: use a function
• 3ffa349 Merge pull request #4745 from lifubang/1.3-golangcilint-2.0
• 7b2b95d ci: bump to golangci-lint v2.0
• 6a39b49 libct/intelrdt: fix staticcheck ST1020 warnings
• 1ceca37 Fix staticcheck ST1020/ST1021 warnings
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #601.