vendor: github.com/opencontainers/runc v1.2.0-rc.1

[thaJeztah]

• depends on / stacked on vendor: golang.org/x/net v0.23.0 #47673
• depends on / stacked on vendor: github.com/cilium/ebpf v0.12.3 #47739

vendor: github.com/opencontainers/runtime-spec v1.2.0

• deprecate Prestart hook
• deprecate kernel memory limits

Additions

• config: add idmap and ridmap mount options
• config.md: allow empty mappings for [r]idmap
• features-linux: Expose idmap information
• mount: Allow relative mount destinations on Linux
• features: add potentiallyUnsafeConfigAnnotations
• config: add support for org.opencontainers.image annotations

Minor fixes:

• config: improve bind mount and propagation doc

full diff: opencontainers/runtime-spec@v1.1.0...v1.2.0

vendor: github.com/cilium/ebpf v0.12.3

full diff: cilium/ebpf@v0.11.0...v0.12.3

vendor: github.com/opencontainers/runc v1.2.0-rc.1

full diff: opencontainers/runc@v1.1.12...v1.2.0-rc.1

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

OK, looks like some changes are needed;

0.345 + go build -mod=vendor -modfile=vendor.mod -o /tmp/bundles/dynbinary-daemon/dockerd -tags ' journald' -buildmode=pie -ldflags '-w -X "github.com/docker/docker/dockerversion.Version=dev" -X "github.com/docker/docker/dockerversion.GitCommit=HEAD" -X "github.com/docker/docker/dockerversion.BuildTime=2024-04-03T12:29:20.000000000+00:00" -X "github.com/docker/docker/dockerversion.PlatformName=" -X "github.com/docker/docker/dockerversion.ProductName=" -X "github.com/docker/docker/dockerversion.DefaultProductLicense="   ' -gcflags= github.com/docker/docker/cmd/dockerd
57.03 # github.com/docker/docker/daemon
57.03 daemon/oci_linux.go:828:29: undefined: cgroups.GetInitCgroup

[thaJeztah]

Relates to opencontainers/runc@fd5debf

• libct/cg: rm GetInitCgroup[Path] opencontainers/runc#3810

Trying to figure out what the replacement would be; it looks like we're currently checking both a parent path and "own";

moby/daemon/oci_linux.go

Lines 826 to 837 in b7c0598

	p := cgroupsPath
	if useSystemd {
	initPath, err := cgroups.GetInitCgroup("cpu")
	if err != nil {
	return errors.Wrap(err, "unable to init CPU RT controller")
	}
	_, err = cgroups.GetOwnCgroup("cpu")
	if err != nil {
	return errors.Wrap(err, "unable to init CPU RT controller")
	}
	p = filepath.Join(initPath, s.Linux.CgroupsPath)
	}

This commit / comment may be related as well; opencontainers/runc@54e2021

libctr/cgroups: don't take init's cgroup into account

Sometimes, the init process is not in the root cgroup.
This can be noted by GetInitPath, which already scrubs the path of init.scope.

This was encountered when trying to patch the Kubelet to handle systemd being in a separate cpuset
from root (to allow load balance disabling for containers). At present, there's no way to have libcontainer or runc
manage cgroups in a hierarchy outside of the one init is in (unless the path contains init.scope, which is limiting)