[1.4] Release 1.4.0

[lifubang]

[1.4.0] - 2025-11-27

路漫漫其修远兮，吾将上下而求索！

Deprecated

• Deprecate cgroup v1. (Deprecate cgroup v1 #4956)
• Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from
  libcontainer/utils. (pathrs: add "hallucination" helpers for SecureJoin magic #4985)

Breaking

• The handling of pids.limit has been updated to match the newer guidance
  from the OCI runtime specification. In particular, now a maximum limit value
  of 0 will be treated as an actual limit (due to limitations with systemd,
  it will be treated the same as a limit value of 1). We only expect users
  that explicitly set pids.limit to 0 will see a behaviour change.
  (config: switch PidsLimit to *int64 cgroups#48, runtime-spec: update pids.limit handling to match new guidance #4949)

Fixed

• cgroups: provide iocost statistics for cgroupv2. (fs2: add iocost statistics cgroups#43)
• cgroups: retry DBus connection when it fails with EAGAIN.
  (systemd: retry when the dbus connection returns EAGAIN cgroups#45)
• cgroups: improve cpuacct.usage_all resilience when parsing data from
  patched kernels (such as the Tencent kernels). (kubelet fails to start due to cgroups CPU stat parsing failed in k8s 1.34 cgroups#46,
  fs: fix/improve cpuacct.usage_all parsing cgroups#50)
• libct: close child fds on prepareCgroupFD error. ([1.4] libct: close child fds on prepareCgroupFD error #4936)
• libct: fix mips compilation. (Fails to build on mips64le #4962, [1.4] libct: fix mips compilation #4967)
• When configuring a tmpfs mount, only set the mode= argument if the target
  path already existed. This fixes a regression introduced in our
  CVE-2025-52881 mitigation patches. (Recent security update changed default permissions of tmpfs #4971, [1.4] rootfs: only set mode= for tmpfs mount if target already existed #4976)
• Fix various file descriptor leaks and add additional tests to detect them as
  comprehensively as possible. ([v1.3.3] Error response from daemon: failed to create task for container #5007, [1.2.8] runc appears to apply rlimits to itself prior to validating device nodes #5021, [1.4] fix fd leaks and detect them as comprehensively as possible #5034)
• The "hallucination" helpers added as part of the CVE-2025-52881
  mitigation have been made more generic and now apply to all of our pathrs
  helper functions, which should ensure we will not regress dangling symlink
  users. (pathrs: add "hallucination" helpers for SecureJoin magic #4985)

Changed

• libct: switch to (*CPUSet).Fill. ([1.4] libct: switch to (*CPUSet).Fill #4927)
• docs/spec-conformance.md: update for spec v1.3.0. (docs/spec-conformance.md: update for spec v1.3.0 #4948)

[lifubang]

Awaiting #5005

[rata]

LGTM, thanks!

[rata]

Awaiting #5005

Merged!

[cyphar]

Let me see if I can push to lifubang's repo...

(While I do appreciate other people dealing with the changelog "fun", doing releases from someone else's PR can be a little more annoying than doing it from a local branch I control. I had planned to open release PRs after we'd merged all of the outstanding backport PRs.)

[cyphar]

I'll prepare and publish the releases tomorrow.