containers · MayorFaj · Dec 17, 2025 · Dec 17, 2025 · Dec 22, 2025 · Honny1
diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go
@@ -24,6 +24,8 @@ import (
 	"go.podman.io/common/libimage"
 	"go.podman.io/common/libnetwork/pasta"
 	"go.podman.io/common/libnetwork/slirp4netns"
+	"go.podman.io/common/pkg/libartifact/store"
+	libartTypes "go.podman.io/common/pkg/libartifact/types"
 	"tags.cncf.io/container-device-interface/pkg/parser"
 )
 
@@ -233,7 +235,7 @@ func MakeContainer(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGener
 	command := makeCommand(s, imageData)
 
 	infraVol := len(compatibleOptions.Mounts) > 0 || len(compatibleOptions.Volumes) > 0 || len(compatibleOptions.ImageVolumes) > 0 || len(compatibleOptions.OverlayVolumes) > 0
-	opts, err := createContainerOptions(rt, s, pod, finalVolumes, finalOverlays, imageData, command, infraVol, *compatibleOptions)
+	opts, err := createContainerOptions(ctx, rt, s, pod, finalVolumes, finalOverlays, imageData, command, infraVol, *compatibleOptions)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -351,7 +353,7 @@ func isCDIDevice(device string) bool {
 	return parser.IsQualifiedName(device)
 }
 
-func createContainerOptions(rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, overlays []*specgen.OverlayVolume, imageData *libimage.ImageData, command []string, infraVolumes bool, compatibleOptions libpod.InfraInherit) ([]libpod.CtrCreateOption, error) {
+func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen.SpecGenerator, pod *libpod.Pod, volumes []*specgen.NamedVolume, overlays []*specgen.OverlayVolume, imageData *libimage.ImageData, command []string, infraVolumes bool, compatibleOptions libpod.InfraInherit) ([]libpod.CtrCreateOption, error) {
 	var options []libpod.CtrCreateOption
 	var err error
 
@@ -509,6 +511,11 @@ func createContainerOptions(rt *libpod.Runtime, s *specgen.SpecGenerator, pod *l
 	}
 
 	if len(s.ArtifactVolumes) != 0 {
+		// Validate artifacts exist before creating the container
+		if err := validateArtifactVolumes(ctx, rt, s.ArtifactVolumes); err != nil {
+			return nil, err
+		}
+
 		vols := make([]*libpod.ContainerArtifactVolume, 0, len(s.ArtifactVolumes))
 		for _, v := range s.ArtifactVolumes {
 			vols = append(vols, &libpod.ContainerArtifactVolume{
@@ -755,3 +762,39 @@ func Inherit(infra *libpod.Container, s *specgen.SpecGenerator, rt *libpod.Runti
 	}
 	return options, infraSpec, compatibleOptions, nil
 }
+
+// validateArtifactVolumes checks that all artifacts exist and are accessible
+// at container creation time, preventing creation of containers that can never start.
+func validateArtifactVolumes(ctx context.Context, rt *libpod.Runtime, artifactVolumes []*specgen.ArtifactVolume) error {
+	if len(artifactVolumes) == 0 {
+		return nil
+	}
+
+	artStore, err := rt.ArtifactStore()
+	if err != nil {
+		return fmt.Errorf("accessing artifact store: %w", err)
+	}
+
+	for _, artifactMount := range artifactVolumes {
+		// Use the same artifact store resolution logic as at start time
+		// to ensure consistent validation behavior
+		asr, err := store.NewArtifactStorageReference(artifactMount.Source)
+		if err != nil {
+			return fmt.Errorf("invalid artifact reference %q: %w", artifactMount.Source, err)
+		}
+
+		// Validate artifact exists using the same logic as container start.
+		// This ensures consistent behavior between creation and start time.
+		_ /*paths*/, err = artStore.BlobMountPaths(ctx, asr, &libartTypes.BlobMountPathOptions{
+			FilterBlobOptions: libartTypes.FilterBlobOptions{
+				Title:  artifactMount.Title,
+				Digest: artifactMount.Digest,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("validating artifact %q: %w", artifactMount.Source, err)
+		}
+	}
+
+	return nil
+}
diff --git a/test/e2e/artifact_mount_test.go b/test/e2e/artifact_mount_test.go
@@ -245,4 +245,45 @@ var _ = Describe("Podman artifact mount", func() {
 			Expect(session).To(ExitWithError(125, "/test: duplicate mount destination"))
 		}
 	})
+
+	It("podman create should fail with non-existent artifact", func() {
+		// Verify that creating a container with a non-existent artifact fails at creation time
+		cmd := []string{
+			"create",
+			"--name", "test-nonexistent",
+			"--mount", "type=artifact,source=nonexistent-artifact,destination=/data",
+			ALPINE,
+			"echo", "hello",
+		}
+		session := podmanTest.Podman(cmd)
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(ExitWithError(125, "validating artifact"))
+		Expect(session.ErrorToString()).To(ContainSubstring("nonexistent-artifact"))
+
+		// Ensure container was not created
+		rmSession := podmanTest.Podman([]string{"rm", "test-nonexistent"})
+		rmSession.WaitWithDefaultTimeout()
+		Expect(rmSession).To(ExitWithError(1, "no such container"))
+	})
+
+	It("podman run should fail with non-existent artifact", func() {
+		// Verify that running a container with a non-existent artifact fails at creation time
+		cmd := []string{
+			"run",
+			"--name", "test-run-nonexistent",
+			"--mount", "type=artifact,source=invalid-artifact-ref,destination=/test",
+			ALPINE,
+			"echo", "hello",
+		}
+		session := podmanTest.Podman(cmd)
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(ExitWithError(125, "validating artifact"))
+		Expect(session.ErrorToString()).To(ContainSubstring("invalid-artifact-ref"))
+
+		// Ensure container was not created
+		psSession := podmanTest.Podman([]string{"ps", "-a", "--filter", "name=test-run-nonexistent"})
+		psSession.WaitWithDefaultTimeout()
+		Expect(psSession).Should(ExitCleanly())
+		Expect(psSession.OutputToString()).ToNot(ContainSubstring("test-run-nonexistent"))
+	})
 })