[28.x backport] Dockerfile: update runc binary to v1.3.0

[vvoland]

• backport: Dockerfile: update runc binary to v1.3.0 #50644

• release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.0

• full diff: https://github.com/opencontainers/runc/compare/v1.2.6..v1.3.0

---

This is the first release of the 1.3.z release branch of runc. It contains a few minor fixes for issues found in 1.3.0-rc.2.

This is the first release of runc that will follow our new release and support policy (see RELEASES.md for more details). This means that, as of this release:

• As of this release, the runc 1.2.z release branch will now only receive security and "significant" bugfixes.
• Users are encouraged to plan migrating to runc 1.3.0 as soon as possible.
• Due to its particular situation, runc 1.1.z is officially no longer supported and will no longer receive any updates (not even for critical security issues). Users are urged (in the strongest possible terms) to upgrade to a supported version of runc.
• Barring any future changes to our release policy, users should expect a runc 1.4.0 release in late October 2025.

Fixed

• Removed pre-emptive "full access to cgroups" warning when calling runc pause or runc unpause as an unprivileged user without --systemd-cgroups. Now the warning is only emitted if an actual permission error was encountered.
• Several fixes to our CI, mainly related to AlmaLinux and CRIU.

Changed

• In runc 1.2, we changed our mount behaviour to correctly handle clearing flags. However, the error messages we returned did not provide as much information to users about what clearing flags were conflicting with locked mount flags. We now provide more diagnostic information if there is an error when in the fallback path to handle locked mount flags.
• Upgrade our CI to use golangci-lint v2.0.
• runc version information is now filled in using //go:embed rather than being set through Makefile. This allows go install or other non-make builds to contain the correct version information. Note that make EXTRA_VERSION=... still works.
• Remove exclude directives from our go.mod for broken cilium/ebpf versions. v0.17.3 resolved the issue we had, and exclude directives are incompatible with go install.

- What I did

- How I did it

- How to verify it

- Human readable description for the release notes

Update `runc` to [v1.3.0](https://github.com/opencontainers/runc/releases/tag/v1.3.0)

- A picture of a cute animal (not mandatory but encouraged)

[austinvazquez]

LGTM on green CI

[austinvazquez]

=== RUN TestLegacyLink/no_link
bridge_linux_test.go:706: assertion failed: string "Connecting to 172.18.0.2 (172.18.0.2:80)\nwget: server returned error: HTTP/1.0 404 Not Found\n" does not contain "download timed out"

Opened #50701 to investigate.

[austinvazquez]

=== FAIL: github.com/docker/docker/integration/container TestExecResize/success (0.01s)
exec_test.go:144: assertion failed: error is not nil: Error response from daemon: NotFound: exec: 'edfc163c54e07afe61672e106c5f61cca6a48eb1fd847538eb6181abfd073283' in task: '63b1edbec5e576be7fe9a89d1deaf1073730421504e525ae5c6a76428315c2c5' not found: not found

Known flaky on Windows. Already have #50402 to track and #50698 to log and skip the test failures on Windows. Rerunning.

[austinvazquez]

Let's go ahead and bring this in. The last remaining check is only failing for flaky test on Windows which there is another backport that has the log&skip.