libpod: validate artifact volume on create

Fixes: #27747 Signed-off-by: Alessio Attilio <attilio.alessio@protonmail.com>
2026-02-19 07:26:18 -05:00 · 2026-02-12 18:24:16 +01:00
parent 1af4caf888
commit df0e3b6ec7
3 changed files with 30 additions and 2 deletions
--- a/libpod/container_validate.go
+++ b/libpod/container_validate.go
@@ -3,11 +3,13 @@
 package libpod

 import (
+	"context"
 	"fmt"
 	"strings"

 	"github.com/containers/podman/v6/libpod/define"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"go.podman.io/common/pkg/libartifact/store"
 	"go.podman.io/image/v5/docker"
 	"go.podman.io/image/v5/pkg/shortnames"
 	"go.podman.io/image/v5/transports/alltransports"
@@ -177,6 +179,23 @@ func (c *Container) validate() error {
 		return fmt.Errorf("default rootfs-based infra container is set for non-infra container")
 	}

+	if len(c.config.ArtifactVolumes) > 0 {
+		artStore, err := c.runtime.ArtifactStore()
+		if err != nil {
+			return err
+		}
+		for _, artifactMount := range c.config.ArtifactVolumes {
+			asr, err := store.NewArtifactStorageReference(artifactMount.Source)
+			if err != nil {
+				return err
+			}
+			_, err = artStore.Inspect(context.Background(), asr)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
 	return nil
 }

--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -306,6 +306,8 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 		ctr.config.Networks = normalizeNetworks
 	}

+	ctr.runtime = r
+
 	// Validate the container
 	if err := ctr.validate(); err != nil {
 		return nil, err
@@ -337,8 +339,6 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai

 	ctr.valid = true
 	ctr.state.State = define.ContainerStateConfigured
-	ctr.runtime = r
-
 	if ctr.config.OCIRuntime == "" {
 		ctr.ociRuntime = r.defaultOCIRuntime
 	} else {
--- a/test/system/702-artifact.bats
+++ b/test/system/702-artifact.bats
@@ -151,5 +151,14 @@ function teardown() {
    run_podman artifact rm "$artifact_name"
 }

+@test "podman artifact volume validation at creation" {
+    # Issue #27747: Artifact volume validation should fail at creation, not start
+    local artifact_name="localhost/test/nonexistent-artifact"
+
+    # Creation should fail if the artifact does not exist
+    run_podman 125 create --name test-artifact-fail --mount type=artifact,source=$artifact_name,target=/tmp $IMAGE
+    assert "$output" = "Error: $artifact_name:latest: artifact does not exist" "creation should fail for nonexistent artifact"
+}
+

 # vim: filetype=sh