Bump the major-dependencies group across 1 directory with 3 updates #439

Open
wants to merge 1 commit into
base: master

dependabot[bot] (Contributor) commented on behalf of github on Jan 27, 2025

Bumps the major-dependencies group with 3 updates in the / directory: github.com/docker/docker, github.com/opencontainers/runc and github.com/opencontainers/selinux.

Updates github.com/docker/docker from 27.0.2+incompatible to 27.5.1+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v27.5.1

27.5.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bug fixes and enhancements

  • Fixed an issue that could persistently prevent daemon startup after failure to initialize the default bridge. moby/moby#49307
  • Add a DOCKER_IGNORE_BR_NETFILTER_ERROR environment variable. Setting it to 1 allows running on hosts that cannot load br_netfilter. Some things won't work, including disabling inter-container communication in a bridge network. With the userland proxy disabled, it won't be possible to access one container's published ports from another container on the same network. moby/moby#49306

Packaging updates

v27.5.0

27.5.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

Bugfixes and enhancements

  • containerd image store: Fix passing a build context via tarball to the /build endpoint. moby/moby#49194
  • Builder garbage collection policies without a keepStorage value now inherit the defaultKeepStorage limit as intended. moby/moby#49137
  • Preserve network labels during daemon startup. moby/moby#49200
  • Fix a potential race condition error when deleting a container. moby/moby#49239

Go SDK

  • pkg/sysinfo: deprecate NumCPU. This utility has the same behavior as runtime.NumCPU. moby/moby#49247
  • pkg/fileutils: deprecate GetTotalUsedFds: this function is only used internally and will be removed in the next release. moby/moby#49209
  • pkg/ioutils: deprecate BytesPipe, NewBytesPipe, ErrClosed, WriteCounter, NewWriteCounter, NewReaderErrWrapper, NopFlusher, NopWriter, NopWriteCloser. They were only used internally and will be removed in the next release. moby/moby#49246, moby/moby#49255
  • pkg/reexec: This package is deprecated and moved to a separate module. Use github.com/moby/sys/reexec instead. moby/moby#49135

Packaging updates

v27.5.0-rc.2

... (truncated)

Commits
  • 4c9b3b0 Merge pull request #49317 from thaJeztah/27.x_backport_bump_dev_tools
  • 0da7a26 Dockerfile: update compose to v2.32.4
  • 4c8ec29 Dockerfile: update buildx to v0.20.0
  • fbc854d Dockerfile: update docker CLI to v27.5.0
  • 36c72d4 Merge pull request #49322 from thaJeztah/27.x_backport_bake-v6
  • e85906c ci(bin-image): fix bake build
  • 542e33c ci: update bake-action to v6
  • c0df678 Merge pull request #49314 from vvoland/49313-27.x
  • 95d1819 gha: Adjust release branches
  • 13eca88 Merge pull request #49312 from thaJeztah/27.x_bump_golang_1.22.11
  • Additional commits viewable in compare view

Updates github.com/opencontainers/runc from 1.1.12 to 1.2.4

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.4 -- "Христос се роди!"

This is the fourth patch release of the 1.2.z release branch of runc. It includes a fix for a regression introduced in 1.2.0 related to the default device list.

  • Re-add tun/tap devices to built-in allowed devices lists.

    In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers (#3468). At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change.

    Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users that do not need these devices are recommended to explicitly disable them by adding deny rules in their container configuration. (#4555, #4556)

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.2.4] - 2025-01-07

Христос се роди!

Fixed

  • Re-add tun/tap devices to built-in allowed devices lists.

    In runc 1.2.0 we removed these devices from the default allow-list (which were added seemingly by accident early in Docker's history) as a precaution in order to try to reduce the attack surface of device inodes available to most containers (#3468). At the time we thought that the vast majority of users using tun/tap would already be specifying what devices they need (such as by using --device with Docker/Podman) as opposed to doing the mknod manually, and thus there would've been no user-visible change.

    Unfortunately, it seems that this regressed a noticeable number of users (and not all higher-level tools provide easy ways to specify devices to allow) and so this change needed to be reverted. Users that do not need these devices are recommended to explicitly disable them by adding deny rules in their container configuration. (#4555, #4556)

[1.2.3] - 2024-12-12

Winter is not a season, it's a celebration.

Fixed

  • Fixed a regression in use of securejoin.MkdirAll, where multiple runc processes racing to create the same mountpoint in a shared rootfs would result in spurious EEXIST errors. In particular, this regression caused issues with BuildKit. (#4543, #4550)
  • Fixed a regression in eBPF support for pre-5.6 kernels after upgrading Cilium's eBPF library version to 0.16 in runc. (#3008, #4551)

[1.2.2] - 2024-11-15

Specialization is for insects.

Fixed

  • Fixed the failure of runc delete on a rootless container with no dedicated cgroup on a system with read-only /sys/fs/cgroup mount. This is a regression in runc 1.2.0, causing a failure when using rootless buildkit. (#4518, #4531)
  • Using runc on a system where /run/runc and /usr/bin are on different filesystems no longer results in harmless but annoying messages ("overlayfs: "xino" feature enabled using 3 upper inode bits") appearing in the kernel log. (#4508, #4530)

Changed

  • Better memfd-bind documentation. (#4530)
  • CI: bump Fedora 40 -> 41. (#4528)

... (truncated)

Commits

Updates github.com/opencontainers/selinux from 1.11.0 to 1.11.1

Release notes

Sourced from github.com/opencontainers/selinux's releases.

v1.11.1

What's Changed

New Contributors

Full Changelog: opencontainers/selinux@v1.11.0...v1.11.1

Commits
  • 44b3337 Merge pull request #216 from rhatdan/main
  • 5bdefc7 Show SELinux label on failure
  • bb1ec25 Merge pull request #213 from opencontainers/dependabot/github_actions/golangc...
  • 13c8f76 build(deps): bump golangci/golangci-lint-action from 4 to 6
  • 9dee859 Merge pull request #211 from opencontainers/dependabot/github_actions/tim-act...
  • 5f5e8c2 build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1
  • a11dd36 Merge pull request #210 from kolyshkin/add-dep
  • 2d0d092 Add dependabot config
  • 7535250 Merge pull request #208 from austinvazquez/update-github-actions-packages
  • 76d8f98 Merge pull request #209 from austinvazquez/update-go-matrix-in-ci
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps the major-dependencies group with 3 updates in the / directory: [github.com/docker/docker](https://github.com/docker/docker), [github.com/opencontainers/runc](https://github.com/opencontainers/runc) and [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux).


Updates `github.com/docker/docker` from 27.0.2+incompatible to 27.5.1+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v27.0.2...v27.5.1)

Updates `github.com/opencontainers/runc` from 1.1.12 to 1.2.4
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/v1.2.4/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.1.12...v1.2.4)

Updates `github.com/opencontainers/selinux` from 1.11.0 to 1.11.1
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](opencontainers/selinux@v1.11.0...v1.11.1)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-dependencies
- dependency-name: github.com/opencontainers/runc
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-dependencies
- dependency-name: github.com/opencontainers/selinux
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: major-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
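
The runc 1.2.4 release note quoted above recommends explicit deny rules for containers that do not need tun/tap. The following Go check is an added example, not part of this PR or of runc's code: it reads an OCI `config.json` and reports whether the config's own `linux.resources.devices` list ends by denying `/dev/net/tun`. The device number 10:200, the function names and the sample config are assumptions of the example, and the runtime's built-in rule list is not modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// deviceRule is the subset of an OCI linux.resources.devices entry used here
// (encoding/json matches the lower-case JSON keys case-insensitively).
type deviceRule struct {
	Allow        bool
	Type, Access string
	Major, Minor *int64
}

// Constructed sample: deny-all, allow tun, then an explicit tun deny as the last rule.
const sample = `{"linux":{"resources":{"devices":[{"allow":false,"access":"rwm"},
 {"allow":true,"type":"c","major":10,"minor":200,"access":"rwm"},
 {"allow":false,"type":"c","major":10,"minor":200,"access":"rwm"}]}}}`

// covers treats an unset or -1 major/minor as a wildcard.
func covers(field *int64, want int64) bool {
	return field == nil || *field == -1 || *field == want
}

// tunDenied reports whether the config's own rules, read in order with later rules
// winning, end up denying r, w and m on char device 10:200 (assumed /dev/net/tun).
func tunDenied(raw []byte) (bool, error) {
	var cfg struct {
		Linux struct {
			Resources struct{ Devices []deviceRule }
		}
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return false, err
	}
	denied := map[rune]bool{}
	for _, r := range cfg.Linux.Resources.Devices {
		if (r.Type != "" && r.Type != "a" && r.Type != "c") || !covers(r.Major, 10) || !covers(r.Minor, 200) {
			continue // rule is for block devices or for another device number
		}
		for _, bit := range r.Access {
			denied[bit] = !r.Allow // each of r/w/m takes the latest matching rule
		}
	}
	return denied['r'] && denied['w'] && denied['m'], nil
}

func main() {
	fmt.Println(tunDenied([]byte(sample)))
}
```

A `false` result means at least one of read, write or mknod on 10:200 is not denied by the config itself, so the container relies on whatever the runtime allows by default.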