build(deps): bump github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc93 #814


dependabot-preview[bot]

Bumps github.com/opencontainers/runc from 1.0.0-rc91 to 1.0.0-rc93.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc 1.0-rc93 -- "I never could get the hang of Thursdays."

This is the last feature-rich RC release and we are in a feature-freeze until 1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only, and 1.0.0 will be released soon afterwards.

  • runc's cgroupv2 support is no longer considered experimental. It is now believed to be fully ready for production deployments. In addition, runc's cgroup code has been improved:

    • The systemd cgroup driver has been improved to be more resilient and handle more systemd properties correctly.
    • We now make use of openat2(2) when possible to improve the security of cgroup operations (in future runc will be wholesale ported to libpathrs to get this protection in all codepaths).
  • runc's mountinfo parsing code has been reworked significantly, making container startup times significantly faster and less wasteful in general.

  • runc now has special handling for seccomp profiles to avoid making new syscalls unusable for glibc. This is done by installing a custom prefix to all seccomp filters which returns -ENOSYS for syscalls that are newer than any syscall in the profile (meaning they have a larger syscall number).

    This should not cause any regressions (because previously users would simply get -EPERM rather than -ENOSYS, and the rule applied above is the most conservative rule possible) but please report any regressions you find as a result of this change -- in particular, programs which have special fallback code that is only run in the case of -EPERM.

  • runc now supports the following new runtime-spec features:

    • The umask of a container can now be specified.
    • The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE) are now supported.
    • The "unified" cgroup configuration option, which allows users to explicitly specify the limits based on the cgroup file names rather than abstracting them through OCI configuration. This is currently limited in scope to cgroupv2.
  • Various rootless containers improvements:

    • runc will no longer cause conflicts if a user specifies a custom device which conflicts with a user-configured device -- the user device takes precedence.
    • runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
  • runc --root is now always treated as local to the current working directory.

  • The --no-pivot-root hardening was improved to handle nested mounts properly (please note that we still strongly recommend that users do not use --no-pivot-root -- it is still an insecure option).

  • A large number of code cleanliness and other various cleanups, including

... (truncated)

Commits
  • 12644e6 VERSION: release 1.0.0~rc93
  • 7e3c3e8 merge branch 'pr-2780'
  • cc988c1 merge branch 'pr-2774'
  • 76ae1f5 libct/cg/fs/freezer: fix freezing race
  • c4bc3b0 Remove "PatchAndLoad" stub as it's not used without seccomp enabled
  • 6c85f63 Merge pull request #2775 from cyphar/fix-build
  • 4074b47 merge branch 'pr-2636'
  • 2046f26 Merge pull request #2755 from kolyshkin/numa-stat
  • 6ddfaa5 cgroupfs: cpuset: fix broken build
  • 091dd32 merge branch 'pr-2607'
  • Additional commits viewable in compare view


@dependabot-preview dependabot-preview bot added the dependencies label Feb 4, 2021
Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.0.0-rc91 to 1.0.0-rc93.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Commits](opencontainers/runc@v1.0.0-rc91...v1.0.0-rc93)

Signed-off-by: dependabot-preview[bot] <[email protected]>
Signed-off-by: Daniel J Walsh <[email protected]>
@rhatdan rhatdan force-pushed the dependabot/go_modules/github.com/opencontainers/runc-1.0.0-rc93 branch from 0494175 to bacfa03 Compare February 4, 2021 20:17
@rhatdan rhatdan merged commit 906249f into master Feb 4, 2021
@dependabot-preview dependabot-preview bot deleted the dependabot/go_modules/github.com/opencontainers/runc-1.0.0-rc93 branch February 4, 2021 20:29
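
The seccomp change in the rc93 release notes quoted above (return -ENOSYS for any syscall numbered higher than every syscall in the profile) can be modelled in a few lines. This is an added example, not runc's code: runc emits a BPF prefix, while `Profile`, `Decide` and `OpenWithFallback` are hypothetical names, the syscall numbers are x86_64, and the profile's default action is assumed to be EPERM.

```go
package main

import "fmt"

// Outcomes of the modelled filter for one syscall.
const Allow, EPERM, ENOSYS = "ALLOW", "EPERM", "ENOSYS"

// Profile is a simplified allow-list; unlisted syscalls get the default EPERM.
type Profile struct {
	Allowed      map[int]bool // x86_64 syscall numbers named in the profile
	EnosysPrefix bool         // true: rc93 behaviour; false: earlier behaviour
}

// Decide runs the -ENOSYS prefix first, then the profile's own rules.
func (p Profile) Decide(nr int) string {
	highest := -1
	for n := range p.Allowed {
		if n > highest {
			highest = n
		}
	}
	if p.EnosysPrefix && nr > highest {
		return ENOSYS // newer than any syscall the profile mentions
	}
	if p.Allowed[nr] {
		return Allow
	}
	return EPERM
}

// OpenWithFallback mimics a libc-style wrapper: openat2 (437), then openat (257) on ENOSYS.
func OpenWithFallback(p Profile) string {
	switch p.Decide(437) {
	case Allow:
		return "openat2"
	case ENOSYS:
		if p.Decide(257) == Allow {
			return "openat"
		}
	}
	return "" // EPERM: the wrapper treats the failure as final
}

func main() {
	// Constructed profile: read, write, close, execve, openat.
	nrs := map[int]bool{0: true, 1: true, 3: true, 59: true, 257: true}
	for _, prefix := range []bool{false, true} {
		p := Profile{Allowed: nrs, EnosysPrefix: prefix}
		fmt.Println(prefix, p.Decide(437), p.Decide(56), OpenWithFallback(p))
	}
}
```

Syscalls numbered below the profile's highest entry but not listed in it (clone, 56, in the sample) still get EPERM in both modes, which is why the release notes call the rule conservative.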