Implement artifact validation during container creation and add validation utility

Signed-off-by: MayorFaj <[email protected]>

Author: MayorFaj

libpod/container_internal_common.go

@@ -544,6 +544,19 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 	}
 
 	if len(c.config.ArtifactVolumes) > 0 {
+		// Validate all artifacts exist before attempting to mount
+		mounts := make([]ArtifactMountValidation, len(c.config.ArtifactVolumes))
+		for i, av := range c.config.ArtifactVolumes {
+			mounts[i] = ArtifactMountValidation{
+				Source: av.Source,
+				Title:  av.Title,
+				Digest: av.Digest,
+			}
+		}
+		if err := c.runtime.ValidateArtifactMounts(ctx, mounts); err != nil {
+			return nil, nil, err
+		}
+
 		artStore, err := c.runtime.ArtifactStore()
 		if err != nil {
 			return nil, nil, err
@@ -3167,3 +3180,37 @@ func maybeClampOOMScoreAdj(oomScoreValue int) (int, error) {
 	}
 	return oomScoreValue, nil
 }
+
+// ValidateArtifactMounts checks that all artifact mounts are valid by verifying
+// the artifacts exist and can be accessed. This is used during both container
+// creation and start to provide early validation.
+func (r *Runtime) ValidateArtifactMounts(ctx context.Context, mounts []ArtifactMountValidation) error {
+	if len(mounts) == 0 {
+		return nil
+	}
+
+	artStore, err := r.ArtifactStore()
+	if err != nil {
+		return fmt.Errorf("accessing artifact store: %w", err)
+	}
+
+	for _, mount := range mounts {
+		asr, err := store.NewArtifactStorageReference(mount.Source)
+		if err != nil {
+			return fmt.Errorf("invalid artifact reference %q: %w", mount.Source, err)
+		}
+
+		// Validate artifact exists by attempting to resolve its blob mount paths
+		_, err = artStore.BlobMountPaths(ctx, asr, &libartTypes.BlobMountPathOptions{
+			FilterBlobOptions: libartTypes.FilterBlobOptions{
+				Title:  mount.Title,
+				Digest: mount.Digest,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("validating artifact %q: %w", mount.Source, err)
+		}
+	}
+
+	return nil
+}

libpod/runtime.go

@@ -47,6 +47,15 @@ import (
 	"go.podman.io/storage/pkg/unshare"
 )
 
+// ArtifactMountValidation contains the minimal information needed to validate
+// an artifact mount without requiring the full ContainerArtifactVolume structure.
+// This type is used to pass validation data to Runtime.ValidateArtifactMounts.
+type ArtifactMountValidation struct {
+	Source string
+	Title  string
+	Digest string
+}
+
 // Set up the JSON library for all of Libpod
 var json = jsoniter.ConfigCompatibleWithStandardLibrary
 

pkg/specgen/generate/container_create.go

@@ -24,8 +24,6 @@ import (
 	"go.podman.io/common/libimage"
 	"go.podman.io/common/libnetwork/pasta"
 	"go.podman.io/common/libnetwork/slirp4netns"
-	"go.podman.io/common/pkg/libartifact/store"
-	libartTypes "go.podman.io/common/pkg/libartifact/types"
 	"tags.cncf.io/container-device-interface/pkg/parser"
 )
 
@@ -512,7 +510,15 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.
 
 	if len(s.ArtifactVolumes) != 0 {
 		// Validate artifacts exist before creating the container
-		if err := validateArtifactVolumes(ctx, rt, s.ArtifactVolumes); err != nil {
+		mounts := make([]libpod.ArtifactMountValidation, len(s.ArtifactVolumes))
+		for i, av := range s.ArtifactVolumes {
+			mounts[i] = libpod.ArtifactMountValidation{
+				Source: av.Source,
+				Title:  av.Title,
+				Digest: av.Digest,
+			}
+		}
+		if err := rt.ValidateArtifactMounts(ctx, mounts); err != nil {
 			return nil, err
 		}
 
@@ -762,39 +768,3 @@ func Inherit(infra *libpod.Container, s *specgen.SpecGenerator, rt *libpod.Runti
 	}
 	return options, infraSpec, compatibleOptions, nil
 }
-
-// validateArtifactVolumes checks that all artifacts exist and are accessible
-// at container creation time, preventing creation of containers that can never start.
-func validateArtifactVolumes(ctx context.Context, rt *libpod.Runtime, artifactVolumes []*specgen.ArtifactVolume) error {
-	if len(artifactVolumes) == 0 {
-		return nil
-	}
-
-	artStore, err := rt.ArtifactStore()
-	if err != nil {
-		return fmt.Errorf("accessing artifact store: %w", err)
-	}
-
-	for _, artifactMount := range artifactVolumes {
-		// Use the same artifact store resolution logic as at start time
-		// to ensure consistent validation behavior
-		asr, err := store.NewArtifactStorageReference(artifactMount.Source)
-		if err != nil {
-			return fmt.Errorf("invalid artifact reference %q: %w", artifactMount.Source, err)
-		}
-
-		// Validate artifact exists using the same logic as container start.
-		// This ensures consistent behavior between creation and start time.
-		_ /*paths*/, err = artStore.BlobMountPaths(ctx, asr, &libartTypes.BlobMountPathOptions{
-			FilterBlobOptions: libartTypes.FilterBlobOptions{
-				Title:  artifactMount.Title,
-				Digest: artifactMount.Digest,
-			},
-		})
-		if err != nil {
-			return fmt.Errorf("validating artifact %q: %w", artifactMount.Source, err)
-		}
-	}
-
-	return nil
-}