Open
Labels: Good First Issue, bugweek, kind/bug, triaged
Description
Issue Description
When creating a container with --mount type=artifact, validation of the artifact (checking if it exists and is accessible) occurs during container start rather than container creation. This allows users to create containers that can never be started, resulting in orphaned, unusable containers.
Steps to reproduce the issue
podman create --name test --mount type=artifact,source=nonexistent-artifact,destination=/data alpine echo hello
podman start test
Or
podman run --name test --mount type=artifact,source=nonexistent-artifact,destination=/data alpine echo hello
podman ps -a
Describe the results you received
- podman create succeeds even with invalid/non-existent artifacts
- podman start fails with artifact-related errors
- podman run fails with artifact-related errors but creates container
- Container exists in "created" state but can never transition to "running"
Describe the results you expected
- podman create/run should validate artifacts exist and are accessible before start of container
- Prevent creation of containers that can never start
- Consistent with validation behavior of other mount types (bind mounts, volumes)
podman info output
host:
  arch: arm64
  buildahVersion: 1.42.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.13-1.20251202104442456352.main.122.gb0ee2e4.fc41.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: '
  cpuUtilization:
    idlePercent: 98.52
    systemPercent: 0.54
    userPercent: 0.94
  cpus: 6
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "41"
  emulatedArchitectures:
  - linux/386
  - linux/amd64
  - linux/arm64be
  - linux/loong64
  - linux/mips
  - linux/mips64
  - linux/ppc
  - linux/ppc64
  - linux/ppc64le
  - linux/riscv32
  - linux/riscv64
  - linux/s390x
  eventLogger: journald
  freeLocks: 2045
  hostname: fedora-mac-vm
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.17.10-100.fc41.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 9982431232
  memTotal: 16719392768
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    defaultNetwork: podman
    dns:
      package: aardvark-dns-2.0.0~dev-1.20251203121042890811.main.10.g0976393.fc41.aarch64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 2.0.0-dev
    package: netavark-2.0.0~dev-1.20251205174917558827.main.22.g6f77f76.fc41.aarch64
    path: /usr/libexec/podman/netavark
    version: netavark 2.0.0-dev
  ociRuntime:
    name: crun
    package: crun-1.25.1-1.20251209091027568508.main.7.g357d650f.fc41.aarch64
    path: /usr/bin/crun
    version: |-
      crun version UNKNOWN
      commit: 38f1a12cd9fd9e444420c39365c02d2cbe71eb19
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250919.g623dbf6-1.fc41.aarch64
    version: |
      pasta 0^20250919.g623dbf6-1.fc41.aarch64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 0h 56m 14.00s
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/jrodak/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 0
    stopped: 3
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/jrodak/.local/share/containers/storage
  graphRootAllocated: 67014492160
  graphRootUsed: 26597588992
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 22
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/jrodak/.local/share/containers/storage/volumes
version:
  APIVersion: 6.0.0-dev
  BuildOrigin: 'Copr: rhcontainerbot/podman-next'
  Built: 1765238400
  BuiltTime: Tue Dec 9 01:00:00 2025
  GitCommit: f8e0b700638a407bab45c5a411f934e7005ff38d
  GoVersion: go1.24.10
  Os: linux
  OsArch: linux/arm64
  Version: 6.0.0-dev
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
Additional information
Artifact validation happens in libpod/container_internal_common.go:generateSpec() (called at start time) also in pkg/specgen/generate/storage.go:finalizeMounts() (called at creation time).
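A pre-flight check that refuses to create a container whose artifact mounts cannot be resolved, as an added example (not part of the original issue and not Podman's own code). It assumes `podman artifact inspect NAME` exits non-zero when the artifact is missing from the local store and that `src=` is accepted as an alias of `source=`; `artifact_source`, `check_artifact_mounts` and `safe_create` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: validate --mount type=artifact sources before `podman create`.
# Assumption: `podman artifact inspect NAME` fails for a missing artifact.
PODMAN="${PODMAN:-podman}"

# Print the source of a --mount spec if it is type=artifact, else print nothing.
artifact_source() {
    spec=$1
    case ",$spec," in
        *,type=artifact,*) ;;
        *) return 0 ;;
    esac
    old_ifs=$IFS; IFS=,
    for kv in $spec; do
        case $kv in
            source=*|src=*) printf '%s\n' "${kv#*=}" ;;  # src= alias is an assumption
        esac
    done
    IFS=$old_ifs
}

# Scan arguments for "--mount SPEC" and "--mount=SPEC"; return 1 if any
# artifact source cannot be inspected, 0 otherwise.
check_artifact_mounts() {
    rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            --mount)   shift; spec=${1-} ;;
            --mount=*) spec=${1#--mount=} ;;
            *)         shift; continue ;;
        esac
        [ $# -gt 0 ] && shift
        src=$(artifact_source "$spec")
        [ -n "$src" ] || continue
        if ! "$PODMAN" artifact inspect "$src" >/dev/null 2>&1; then
            echo "artifact not found or not accessible: $src" >&2
            rc=1
        fi
    done
    return $rc
}

# Create the container only when every artifact mount resolves, so no
# container is left in the "created" state that can never start.
safe_create() {
    check_artifact_mounts "$@" || return 1
    "$PODMAN" create "$@"
}
```

Source the file and call `safe_create` with the same arguments that would be passed to `podman create`.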