Add artifact validation during container creation and enhance tests for non-existent artifacts

MayorFaj · MayorFaj · commit c9cce5f787b3 · 2025-12-17T19:21:04.000Z
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
@@ -24,6 +24,7 @@ import (
 	"go.podman.io/common/libimage"
 	"go.podman.io/common/libnetwork/pasta"
 	"go.podman.io/common/libnetwork/slirp4netns"
+	"go.podman.io/common/pkg/libartifact/store"
 	"tags.cncf.io/container-device-interface/pkg/parser"
 )
 
@@ -509,6 +510,11 @@ func createContainerOptions(rt *libpod.Runtime, s *specgen.SpecGenerator, pod *l
 	}
 
 	if len(s.ArtifactVolumes) != 0 {
+		// Validate artifacts exist before creating the container
+		if err := validateArtifactVolumes(ctx, rt, s.ArtifactVolumes); err != nil {
+			return nil, nil, nil, err
+		}
+
 		vols := make([]*libpod.ContainerArtifactVolume, 0, len(s.ArtifactVolumes))
 		for _, v := range s.ArtifactVolumes {
 			vols = append(vols, &libpod.ContainerArtifactVolume{
@@ -755,3 +761,39 @@ func Inherit(infra *libpod.Container, s *specgen.SpecGenerator, rt *libpod.Runti
 	}
 	return options, infraSpec, compatibleOptions, nil
 }
+
+// validateArtifactVolumes checks that all artifacts exist and are accessible
+// at container creation time, preventing creation of containers that can never start.
+func validateArtifactVolumes(ctx context.Context, rt *libpod.Runtime, artifactVolumes []*specgen.ArtifactVolume) error {
+	if len(artifactVolumes) == 0 {
+		return nil
+	}
+
+	artStore, err := rt.ArtifactStore()
+	if err != nil {
+		return fmt.Errorf("accessing artifact store: %w", err)
+	}
+
+	for _, artifactMount := range artifactVolumes {
+		// Use the same artifact store resolution logic as at start time
+		// to ensure consistent validation behavior
+		asr, err := artStore.NewArtifactStorageReference(artifactMount.Source)
+		if err != nil {
+			return fmt.Errorf("invalid artifact reference %q: %w", artifactMount.Source, err)
+		}
+
+		// Validate artifact exists using the same logic as container start.
+		// This ensures consistent behavior between creation and start time.
+		_ /*paths*/, err = artStore.BlobMountPaths(ctx, asr, &store.BlobMountPathOptions{
+			FilterBlobOptions: store.FilterBlobOptions{
+				Title:  artifactMount.Title,
+				Digest: artifactMount.Digest,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("validating artifact %q: %w", artifactMount.Source, err)
+		}
+	}
+
+	return nil
+}
diff --git a/test/e2e/artifact_mount_test.go b/test/e2e/artifact_mount_test.go
@@ -245,4 +245,54 @@ var _ = Describe("Podman artifact mount", func() {
 			Expect(session).To(ExitWithError(125, "/test: duplicate mount destination"))
 		}
 	})
+
+	It("podman create should fail with non-existent artifact", func() {
+		// Verify that creating a container with a non-existent artifact fails at creation time
+		cmd := []string{
+			"create",
+			"--name", "test-nonexistent",
+			"--mount", "type=artifact,source=nonexistent-artifact,destination=/data",
+			ALPINE,
+			"echo", "hello",
+		}
+		session := podmanTest.Podman(cmd)
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(125))
+		// Verify error comes from our validation code
+		Expect(session.ErrorToString()).To(SatisfyAll(
+			ContainSubstring("validating artifact"),
+			ContainSubstring("nonexistent-artifact"),
+		))
+
+		// Ensure container was not created
+		rmSession := podmanTest.Podman([]string{"rm", "test-nonexistent"})
+		rmSession.WaitWithDefaultTimeout()
+		Expect(rmSession).Should(Exit(1))
+		Expect(rmSession.ErrorToString()).To(ContainSubstring("no such container"))
+	})
+
+	It("podman run should fail with non-existent artifact", func() {
+		// Verify that running a container with a non-existent artifact fails at creation time
+		cmd := []string{
+			"run",
+			"--name", "test-run-nonexistent",
+			"--mount", "type=artifact,source=invalid-artifact-ref,destination=/test",
+			ALPINE,
+			"echo", "hello",
+		}
+		session := podmanTest.Podman(cmd)
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(125))
+		// Verify error comes from our validation code
+		Expect(session.ErrorToString()).To(SatisfyAll(
+			ContainSubstring("validating artifact"),
+			ContainSubstring("invalid-artifact-ref"),
+		))
+
+		// Ensure container was not created
+		psSession := podmanTest.Podman([]string{"ps", "-a", "--filter", "name=test-run-nonexistent"})
+		psSession.WaitWithDefaultTimeout()
+		Expect(psSession).Should(Exit(0))
+		Expect(psSession.OutputToString()).ToNot(ContainSubstring("test-run-nonexistent"))
+	})
 })
