Bump the major-dependencies group with 2 updates

[dependabot]

Bumps the major-dependencies group with 2 updates: github.com/docker/docker and github.com/opencontainers/runc.

Updates github.com/docker/docker from 25.0.6+incompatible to 25.0.7+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v25.0.7

25.0.7

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.7 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• [25.0 backport] api: adjust health start interval on swarm update by @​austinvazquez in moby/moby#48253
• [25.0 backport] Move dockerd man page back from docker/cli by @​corhere in moby/moby#48379
• [25.0 backport] seccomp: add riscv64 mapping to seccomp_linux.go by @​gdams in moby/moby#48465
• [25.0 backport] Explicitly disable nvidia device injection for --gpus=0 by @​austinvazquez in moby/moby#48493
• [25.0 backport] man: dockerd: add description for --log-format option by @​thaJeztah in moby/moby#48507
• [25.0 backport] cmd/dockerd: Add workaround for OTEL meter leak by @​austinvazquez in moby/moby#48711
• [25.0 backport] Fix: setup user chains during libnetwork controller initialization by @​pendo324 in moby/moby#48717

Packaging updates

• [25.0 backport] bump containerd v1.7.22 by @​dperny in moby/moby#48548
• [25.0 backport] update to go1.22.8 by @​austinvazquez in moby/moby#48582

Full Changelog: moby/moby@v25.0.6...v25.0.7

Commits

• 7de3a1f Merge pull request #48717 from pendo324/25.x-backport/48560-setup-user-chains
• 60eece3 Fix: setup user chains even if there are running containers
• 9dc7e0b Merge pull request #48711 from austinvazquez/cherry-pick-cca708546415fd3f2baa...
• 54ac8bb cmd/dockerd: Add workaround for OTEL meter leak
• f8383fa Merge pull request #48648 from austinvazquez/cherry-pick-c68c9aed8cb3916669de...
• 6e1af3d gha: remove stray double empty line
• 0eae085 gha: restrict cross and bin-image to 20 minutes
• e6a2c9b gha: add guardrails timeouts on all jobs
• 5ff6cef Merge pull request #48626 from thaJeztah/25.0_backport_fix_buildkit_go_version
• 4b98bfd gha: buildkit: make sure expected Go version is installed
• Additional commits viewable in compare view

Updates github.com/opencontainers/runc from 1.1.14 to 1.2.4

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.4 -- "Христос се роди!"

This is the fourth patch release of the 1.2.z release branch of runc. It includes a fix for a regression introduced in 1.2.0 related to the default device list.

• Re-add tun/tap devices to built-in allowed devices lists.

  In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers (#3468). At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change.

  Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users that do not need these devices are recommended to explicitly disable them by adding deny rules in their container configuration. (#4555, #4556)

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.4] - 2025-01-07

Христос се роди!

Fixed

• Re-add tun/tap devices to built-in allowed devices lists.

  In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers (#3468). At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change.

  Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users that do not need these devices are recommended to explicitly disable them by adding deny rules in their container configuration. (#4555, #4556)

[1.2.3] - 2024-12-12

Winter is not a season, it's a celebration.

Fixed

• Fixed a regression in use of securejoin.MkdirAll, where multiple runc processes racing to create the same mountpoint in a shared rootfs would result in spurious EEXIST errors. In particular, this regression caused issues with BuildKit. (#4543, #4550)
• Fixed a regression in eBPF support for pre-5.6 kernels after upgrading Cilium's eBPF library version to 0.16 in runc. (#3008, #4551)

[1.2.2] - 2024-11-15

Specialization is for insects.

Fixed

• Fixed the failure of runc delete on a rootless container with no dedicated cgroup on a system with read-only /sys/fs/cgroup mount. This is a regression in runc 1.2.0, causing a failure when using rootless buildkit. (#4518, #4531)
• Using runc on a system where /run/runc and /usr/bin are on different filesystems no longer results in harmless but annoying messages ("overlayfs: "xino" feature enabled using 3 upper inode bits") appearing in the kernel log. (#4508, #4530)

Changed

• Better memfd-bind documentation. (#4530)
• CI: bump Fedora 40 -> 41. (#4528)

... (truncated)

Commits

• 6c52b3f VERSION: release v1.2.4
• 5243eba Merge pull request #4556 from cyphar/1.2-readd-tuntap
• 33ed43b [1.2] Re-add tun/tap to default device rules
• 2dec17d Merge pull request #4554 from kolyshkin/1.2-4553
• e9c9dad keyring: update @​kolyshkin key expiry
• d4534b2 merge #4552 into opencontainers/runc:release-1.2
• b01ffa0 VERSION: back to development
• 0d37cfd VERSION: release v1.2.3
• a640df5 Merge pull request #4550 from cyphar/1.2-racing-mkdirall
• fceb5ef Merge pull request #4551 from cyphar/1.2-ebf-enotsup
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions