[release-1.29] Bump runc up to 1.2.9 for CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565

[cevich]

What type of PR is this?

/kind other

What this PR does / why we need it:

Backport PR #6484 & #6511

How to verify it

CI + Manual

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

The commits in this PR were created with the assistance of AI, based on the source #6520. When reviewing please pay special attention to the following:

1. Vendor directory consistency:

   • Vendor directory was completely regenerated using make vendor-in-container after each go.mod change
   • Never manually edited, ensuring consistency with go.mod and go.sum
   • Backport change: Same process as source branch - vendor directory was regenerated after dependency updates to ensure consistency.

2. All compilation verified:

   • Project compiles successfully with make after every commit
   • All compilation errors encountered during backport were resolved and ammended to the commit.

3. "Disable lint checking"

   • This check fails on the branch even w/o any changes.
   • In CI the problem is difficult to diagnose as no output is provided,
     rather the process is simply killed.
   • Backport change: This commit was manually created, it does not exist on the
     source PRs.

4. "Bump runc to v1.2.8 - CVE-2025-52881" and subsequent commits include extensive .Get() method calls:

   • run_common.go: Added .Get() calls for defaultConfig.Containers.DNSServers.Get(), DNSSearches.Get(), and DNSOptions.Get()
   • run_linux.go: Added .Get() call for defaultContainerConfig.Containers.DefaultUlimits.Get()
   • pkg/cli/common.go: Added .Get() calls for defaultContainerConfig.Containers.Volumes, Devices, DNSSearches, DNSServers, and DNSOptions
   • imagebuildah/executor.go: Added .Get() calls for defaultContainerConfig.Containers.Devices and Volumes
   • cmd/buildah/from.go: Added .Get() calls for defaultContainerConfig.Containers.DefaultUlimits and Devices
   • cmd/buildah/main.go: Added .Get() call for defaultContainerConfig.Engine.Env
   • Reason: The containers/common package changed attributedstring.Slice types to require explicit .Get() method calls to convert to []string before use.

5. "run: handle relabeling bind mounts ourselves" - SELinux relabeling changes:

   • Added relabel() function in run_common.go that wraps label.Relabel() with error handling for ENOTSUP cases
   • Modified run_linux.go to detect and handle z and Z mount flags before passing mounts to the runtime, removing these flags from mount options after relabeling
   • Backport change: The source branch had similar logic, but the relabel() function was added as a helper to centralize the relabeling logic.

6. "vendor: switch to moby/sys/capability" - Capability library migration:

   • Switched from github.com/syndtr/gocapability to github.com/moby/sys/capability in go.mod
   • Updated all imports and changed capability.List() to capability.ListKnown()
   • Backport change: Applied identically to the source branch. No adaptations were needed as the capability handling code structure is consistent between release-1.29 and release-1.33.

7. SELinux API updates - Direct selinux package usage:

   • Backport change: Applied identically to the source branch. The duplicate import removal was necessary to resolve compilation errors during the backport.

8. "Don't set ambient capabilities" - Ambient capability handling:

   • Modified chroot/run_linux.go to set ambient capabilities to empty array {} instead of using spec.Process.Capabilities.Ambient
   • Backport change: The source branch also modified cmd/buildah/unshare.go in the debugCapabilities function, but this was skipped during backport because the debugCapabilities function does not exist in the release-1.29 branch. Only the chroot/run_linux.go changes were applied.

9. "Integration tests: run git daemon on a random-but-bind()able port" and "Add a dummy 'runtime' that just dumps its config file" - New test infrastructure:

   • Backport change: Applied identically to the source branch. The test infrastructure additions were straightforward and required no adaptations.

10. "runUsingRuntime: use named constants for runtime states" - Runtime state constants:

    • Backport change: Applied identically to the source branch. The constants are available in the same specs package version used by release-1.29.

11. "Bump Buildah to v1.29.6" - Version and changelog updates:

    • Content manually generated using buildah_release 1.29.6 script.

Does this PR introduce a user-facing change?

None

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cevich
Once this PR has been reviewed and has the lgtm label, please assign rhatdan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[TomSweeneyRedHat]

@cevich I'm not sure where all these PRs came from when you put this together, regardless, it looks like a man page or two may need tweaking:

[+0017s] xref-helpmsgs-manpages: buildah login --help lists --compat-auth-file, but --compat-auth-file not in docs/buildah-login.1.md
[+0017s] xref-helpmsgs-manpages: buildah logout --help lists --compat-auth-file, but --compat-auth-file not in docs/buildah-logout.1.md

[cevich]

Actually the documentation is correct. My clanker helped identify the change as being caused by an update to Cobra w/ behavior changes, as part of the runc v1.2.8 update. So sadly, code changes are needed to fix this here and in #6540

[cevich]

@cevich I'm not sure where all these PRs

I've lost track days ago. With David out this week, I'm just going down my list of what needs updating and trying to make as much backport progress as I can (based on the next higher version). I'm hoping when the dust settles, it will all get worked out in the end.

[cevich]

Testing out a fix to the CLI options / Cobra update problem over in PR #6540

[cevich]

Added "Handle Cobra v1.5 -> v1.8 behavior changes" commit.

[cevich]

Suggestion from Tom/Nalin:

the commits on the tip of https://github.com/nalind/buildah/tree/ci-1.29, particularly bumping the version of golang.org/x/tools and the linter in the tests/tools subdirectory, should get that further along.

[cevich]

Backported:

• 2a3f3ef [release-1.29] Bump x/tools to v0.26.0
• 70b7314 [release-1.29] finish switching to moby/sys/capability

Note: I saw a few commits (6bf7400 and 56eadec) I may consider bringing here in place of disabling the lint-checking, but it's a low priority ATM.

[cevich]

Note to me: CI first turned green in becc9db

[cevich]

force-push: Injected backport of "Partially work around containers/common" commit.

[cevich]

Re-running about half the integration tests. All are networking flakes.

[TomSweeneyRedHat]

LGTM
once the tests are happy

[cevich]

Re-ran: "Integration fedora-40 using crun w/ vfs" - Another likely flake, this time some kind of "out of disk space" error 😞

[cevich]

Oof, re-ran again, different flakes this time 😢

[mheon]

LGTM, for reference...

[cevich]

Note: The "[Partially work around containers/common]" commit is missing from the changelog 😞