Description
Issue Description
I cannot reliably assign static IP addresses, or even force the container to use the custom network in the first place. I've tried multiple ways to specify the network and the static IP addresses, and this method seems to fully comply with the (confusing) instructions in the podman create docs.
Steps to reproduce the issue
Create a container that matches this inspect dump:
[
{
"Id": "46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82",
"Created": "2024-06-28T13:48:56.228665411+02:00",
"Path": "/sbin/init",
"Args": [
"/sbin/init"
],
"State": {
"OciVersion": "1.1.0",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 43915,
"ConmonPid": 43913,
"ExitCode": 0,
"Error": "",
"StartedAt": "2024-06-28T13:48:58.517884723+02:00",
"FinishedAt": "0001-01-01T00:00:00Z",
"Health": {
"Status": "",
"FailingStreak": 0,
"Log": null
},
"CgroupPath": "/machine.slice/libpod-46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82.scope",
"CheckpointedAt": "0001-01-01T00:00:00Z",
"RestoredAt": "0001-01-01T00:00:00Z"
},
"Image": "b661cbe9df82e3da9b4b59169838199513318e72413d9a57150e77ff1859b254",
"ImageDigest": "sha256:9ccc4a764a4c04a5a7ab891188168b50fa16f1d86b16ceab45b25d5fd8a0ba13",
"ImageName": "ghcr.io/siderolabs/talos:v1.7.5",
"Rootfs": "",
"Pod": "",
"ResolvConfPath": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/resolv.conf",
"HostnamePath": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/hostname",
"HostsPath": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/hosts",
"StaticDir": "/var/lib/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata",
"OCIConfigPath": "/var/lib/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/config.json",
"OCIRuntime": "crun",
"ConmonPidFile": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/conmon.pid",
"PidFile": "/run/taloslinux-projectplatform-src/controlplane-0.pid",
"Name": "controlplane-0",
"RestartCount": 0,
"Driver": "overlay",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"EffectiveCaps": [
"CAP_AUDIT_CONTROL",
"CAP_AUDIT_READ",
"CAP_AUDIT_WRITE",
"CAP_BLOCK_SUSPEND",
"CAP_BPF",
"CAP_CHECKPOINT_RESTORE",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_DAC_READ_SEARCH",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_IPC_LOCK",
"CAP_IPC_OWNER",
"CAP_KILL",
"CAP_LEASE",
"CAP_LINUX_IMMUTABLE",
"CAP_MAC_ADMIN",
"CAP_MAC_OVERRIDE",
"CAP_MKNOD",
"CAP_NET_ADMIN",
"CAP_NET_BIND_SERVICE",
"CAP_NET_BROADCAST",
"CAP_NET_RAW",
"CAP_PERFMON",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYSLOG",
"CAP_SYS_ADMIN",
"CAP_SYS_BOOT",
"CAP_SYS_CHROOT",
"CAP_SYS_MODULE",
"CAP_SYS_NICE",
"CAP_SYS_PACCT",
"CAP_SYS_PTRACE",
"CAP_SYS_RAWIO",
"CAP_SYS_RESOURCE",
"CAP_SYS_TIME",
"CAP_SYS_TTY_CONFIG",
"CAP_WAKE_ALARM"
],
"BoundingCaps": [
"CAP_AUDIT_CONTROL",
"CAP_AUDIT_READ",
"CAP_AUDIT_WRITE",
"CAP_BLOCK_SUSPEND",
"CAP_BPF",
"CAP_CHECKPOINT_RESTORE",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_DAC_READ_SEARCH",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_IPC_LOCK",
"CAP_IPC_OWNER",
"CAP_KILL",
"CAP_LEASE",
"CAP_LINUX_IMMUTABLE",
"CAP_MAC_ADMIN",
"CAP_MAC_OVERRIDE",
"CAP_MKNOD",
"CAP_NET_ADMIN",
"CAP_NET_BIND_SERVICE",
"CAP_NET_BROADCAST",
"CAP_NET_RAW",
"CAP_PERFMON",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYSLOG",
"CAP_SYS_ADMIN",
"CAP_SYS_BOOT",
"CAP_SYS_CHROOT",
"CAP_SYS_MODULE",
"CAP_SYS_NICE",
"CAP_SYS_PACCT",
"CAP_SYS_PTRACE",
"CAP_SYS_RAWIO",
"CAP_SYS_RESOURCE",
"CAP_SYS_TIME",
"CAP_SYS_TTY_CONFIG",
"CAP_WAKE_ALARM"
],
"ExecIDs": [],
"GraphDriver": {
"Name": "overlay",
"Data": {
"LowerDir": "/var/lib/containers/storage/overlay/323e4f85e1289b6242ddf124be9dbbc6631bd1f601709d67e7bc5b61fd25fed5/diff",
"MergedDir": "/var/lib/containers/storage/overlay/6c21924a40d40a3b0c1486398e5397759f587abd7ec3dc1c27ee3c7e04307ce7/merged",
"UpperDir": "/var/lib/containers/storage/overlay/6c21924a40d40a3b0c1486398e5397759f587abd7ec3dc1c27ee3c7e04307ce7/diff",
"WorkDir": "/var/lib/containers/storage/overlay/6c21924a40d40a3b0c1486398e5397759f587abd7ec3dc1c27ee3c7e04307ce7/work"
}
},
"Mounts": [
{
"Type": "volume",
"Name": "c8fa46fbe818e8d1faa1e1cd508fcc4038cae161e3e4583dc5a5feea3634cfb9",
"Source": "/var/lib/containers/storage/volumes/c8fa46fbe818e8d1faa1e1cd508fcc4038cae161e3e4583dc5a5feea3634cfb9/_data",
"Destination": "/etc/cni",
"Driver": "local",
"Mode": "",
"Options": [
"nosuid",
"nodev",
"rbind"
],
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "volume",
"Name": "45b50b36c0e8c2a05294f7f0af11b9d4b93d6dc89080b0deedc1f59c08aec8e5",
"Source": "/var/lib/containers/storage/volumes/45b50b36c0e8c2a05294f7f0af11b9d4b93d6dc89080b0deedc1f59c08aec8e5/_data",
"Destination": "/etc/kubernetes",
"Driver": "local",
"Mode": "",
"Options": [
"nosuid",
"nodev",
"rbind"
],
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "volume",
"Name": "100d8c290bcf1866a41e003ea248da5c735d90b5121bc1d2ba844406662248eb",
"Source": "/var/lib/containers/storage/volumes/100d8c290bcf1866a41e003ea248da5c735d90b5121bc1d2ba844406662248eb/_data",
"Destination": "/opt",
"Driver": "local",
"Mode": "",
"Options": [
"nosuid",
"nodev",
"rbind"
],
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "volume",
"Name": "12bf6066792df2e0fbc93ddacafb34511e209a39d344ff4bed7e4797b8939962",
"Source": "/var/lib/containers/storage/volumes/12bf6066792df2e0fbc93ddacafb34511e209a39d344ff4bed7e4797b8939962/_data",
"Destination": "/system/state",
"Driver": "local",
"Mode": "",
"Options": [
"nosuid",
"nodev",
"rbind"
],
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "volume",
"Name": "fed7c8c6e0e65438f093e125f66aa39b817ca3a3e1fa5a1017b84cb1b780df90",
"Source": "/var/lib/containers/storage/volumes/fed7c8c6e0e65438f093e125f66aa39b817ca3a3e1fa5a1017b84cb1b780df90/_data",
"Destination": "/usr/etc/udev",
"Driver": "local",
"Mode": "",
"Options": [
"nosuid",
"nodev",
"rbind"
],
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "volume",
"Name": "2f9c669639dc2cb546ac1875b7b416a328a18ac97cacc66d2e5ae20b3392f6e6",
"Source": "/var/lib/containers/storage/volumes/2f9c669639dc2cb546ac1875b7b416a328a18ac97cacc66d2e5ae20b3392f6e6/_data",
"Destination": "/usr/libexec/kubernetes",
"Driver": "local",
"Mode": "",
"Options": [
"nosuid",
"nodev",
"rbind"
],
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "volume",
"Name": "1e9aa8273f6be9ea07ff4e9a084de69e5a99f5fb439f7577728619ae7bebb840",
"Source": "/var/lib/containers/storage/volumes/1e9aa8273f6be9ea07ff4e9a084de69e5a99f5fb439f7577728619ae7bebb840/_data",
"Destination": "/var",
"Driver": "local",
"Mode": "",
"Options": [
"nosuid",
"nodev",
"rbind"
],
"RW": true,
"Propagation": "rprivate"
}
],
"Dependencies": [],
"NetworkSettings": {
"EndpointID": "",
"Gateway": "10.88.0.1",
"IPAddress": "10.88.0.17",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "c2:8b:8b:0a:9c:c6",
"Bridge": "",
"SandboxID": "",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {},
"SandboxKey": "/run/netns/netns-2a246366-2a05-8781-3520-57fa82e9987f",
"Networks": {
"podman": {
"EndpointID": "",
"Gateway": "10.88.0.1",
"IPAddress": "10.88.0.17",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "c2:8b:8b:0a:9c:c6",
"NetworkID": "podman",
"DriverOpts": null,
"IPAMConfig": null,
"Links": null,
"Aliases": [
"46e9d4d6bb16",
"controlplane-0"
]
}
}
},
"Namespace": "",
"IsInfra": false,
"IsService": false,
"KubeExitCodePropagation": "invalid",
"lockNumber": 0,
"Config": {
"Hostname": "controlplane-0",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PLATFORM=container",
"USERDATA=CENSORED",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"container=podman",
"HOSTNAME=controlplane-0",
"HOME=",
"container_uuid=46e9d4d6bb1668a720024a2af14fc884"
],
"Cmd": null,
"Image": "ghcr.io/siderolabs/talos:v1.7.5",
"Volumes": null,
"WorkingDir": "/",
"Entrypoint": "/sbin/init",
"OnBuild": null,
"Labels": {
"app": "taloslinux-projectplatform-src",
"org.opencontainers.image.source": "https://github.com/siderolabs/talos"
},
"Annotations": {
"io.container.manager": "libpod",
"io.podman.annotations.privileged": "TRUE",
"io.podman.annotations.seccomp": "unconfined",
"org.opencontainers.image.stopSignal": "37"
},
"StopSignal": 37,
"HealthcheckOnFailureAction": "none",
"CreateCommand": [
"podman",
"container",
"create",
"--env=PLATFORM=container",
"--env=USERDATA=CENSORED",
"--device",
"--network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955:ip=172.16.128.2,ip6=fde5:c139:5e49:5ad6::2",
"--name",
"controlplane-0",
"--hostname",
"controlplane-0",
"--label=app=taloslinux-projectplatform-src",
"--pidfile=/run/taloslinux-projectplatform-src/controlplane-0.pid",
"--mount=type=tmpfs,destination=/run",
"--mount=type=tmpfs,destination=/system",
"--mount=type=tmpfs,destination=/tmp",
"--mount=type=volume,destination=/etc/cni",
"--mount=type=volume,destination=/etc/kubernetes",
"--mount=type=volume,destination=/opt",
"--mount=type=volume,destination=/system/state",
"--mount=type=volume,destination=/usr/etc/udev",
"--mount=type=volume,destination=/usr/libexec/kubernetes",
"--mount=type=volume,destination=/var",
"--privileged",
"--read-only",
"--security-opt",
"seccomp=unconfined",
"--",
"ghcr.io/siderolabs/talos:v1.7.5"
],
"SystemdMode": true,
"Umask": "0022",
"Timeout": 0,
"StopTimeout": 10,
"Passwd": true,
"sdNotifyMode": "container"
},
"HostConfig": {
"Binds": [
"c8fa46fbe818e8d1faa1e1cd508fcc4038cae161e3e4583dc5a5feea3634cfb9:/etc/cni:rw,rprivate,nosuid,nodev,rbind",
"45b50b36c0e8c2a05294f7f0af11b9d4b93d6dc89080b0deedc1f59c08aec8e5:/etc/kubernetes:rw,rprivate,nosuid,nodev,rbind",
"100d8c290bcf1866a41e003ea248da5c735d90b5121bc1d2ba844406662248eb:/opt:rw,rprivate,nosuid,nodev,rbind",
"12bf6066792df2e0fbc93ddacafb34511e209a39d344ff4bed7e4797b8939962:/system/state:rw,rprivate,nosuid,nodev,rbind",
"fed7c8c6e0e65438f093e125f66aa39b817ca3a3e1fa5a1017b84cb1b780df90:/usr/etc/udev:rw,rprivate,nosuid,nodev,rbind",
"2f9c669639dc2cb546ac1875b7b416a328a18ac97cacc66d2e5ae20b3392f6e6:/usr/libexec/kubernetes:rw,rprivate,nosuid,nodev,rbind",
"1e9aa8273f6be9ea07ff4e9a084de69e5a99f5fb439f7577728619ae7bebb840:/var:rw,rprivate,nosuid,nodev,rbind"
],
"CgroupManager": "systemd",
"CgroupMode": "private",
"ContainerIDFile": "",
"LogConfig": {
"Type": "journald",
"Config": null,
"Path": "",
"Tag": "",
"Size": "0B"
},
"NetworkMode": "bridge",
"PortBindings": {},
"RestartPolicy": {
"Name": "",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": [],
"CapDrop": [],
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": [],
"GroupAdd": [],
"IpcMode": "shareable",
"Cgroup": "",
"Cgroups": "default",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "private",
"Privileged": true,
"PublishAllPorts": false,
"ReadonlyRootfs": true,
"SecurityOpt": [
"seccomp=unconfined",
"unmask=all"
],
"Tmpfs": {
"/run": "rw,rprivate,nosuid,nodev,tmpcopyup",
"/system": "rw,rprivate,nosuid,nodev,tmpcopyup",
"/tmp": "rw,rprivate,nosuid,nodev,tmpcopyup"
},
"UTSMode": "private",
"UsernsMode": "",
"ShmSize": 65536000,
"Runtime": "oci",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": 0,
"OomKillDisable": false,
"PidsLimit": 2048,
"Ulimits": [
{
"Name": "RLIMIT_NPROC",
"Soft": 262144,
"Hard": 262144
}
],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"CgroupConf": null
}
}
]
And a network that matches this network inspect dump:
[
{
"name": "taloslinux-projectplatform-src",
"id": "bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955",
"driver": "ipvlan",
"network_interface": "ens3",
"created": "2024-06-28T13:48:55.009641169+02:00",
"subnets": [
{
"subnet": "172.16.128.0/24",
"gateway": "172.16.128.1"
},
{
"subnet": "fde5:c139:5e49:5ad6::/63",
"gateway": "fde5:c139:5e49:5ad6::1"
}
],
"ipv6_enabled": true,
"internal": false,
"dns_enabled": false,
"labels": {
"app": "taloslinux-projectplatform-src"
},
"options": {
"mode": "l3s"
},
"ipam_options": {
"driver": "host-local"
}
}
]
Describe the results you received
Sometimes (not always, even with the same invocation) a different IP address from the custom network's subnet is assigned than the one requested. Sometimes the custom network isn't selected at all; the default network podman is used instead, and the container gets an IP address from its subnet.
Describe the results you expected
I expect any fault condition, such as specifying a custom network that cannot be found or used for some reason, to cause a fatal error rather than a silent fallback to the default network, which leaves the container attached to a network the operator did not choose. I also expect that custom networks can be specified including IP address assignment.
podman info output
host:
arch: amd64
buildahVersion: 1.33.5
cgroupControllers:
- cpuset
- cpu
- io
- memory
- hugetlb
- pids
- rdma
- misc
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon_2.1.10+ds1-1build2_amd64
path: /usr/bin/conmon
version: 'conmon version 2.1.10, commit: unknown'
cpuUtilization:
idlePercent: 99.07
systemPercent: 0.41
userPercent: 0.51
cpus: 8
databaseBackend: sqlite
distribution:
codename: noble
distribution: ubuntu
version: "24.04"
eventLogger: journald
freeLocks: 2008
hostname: projectplatform.u-shapedassembl.src.surf-hosted.nl
idMappings:
gidmap: null
uidmap: null
kernel: 6.8.0-36-generic
linkmode: dynamic
logDriver: journald
memFree: 28175257600
memTotal: 33655078912
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns_1.4.0-5_amd64
path: /usr/lib/podman/aardvark-dns
version: aardvark-dns 1.4.0
package: netavark_1.4.0-4_amd64
path: /usr/lib/podman/netavark
version: netavark 1.11.0
ociRuntime:
name: crun
package: crun_1.14.1-1_amd64
path: /usr/bin/crun
version: |-
crun version 1.14.1
commit: de537a7965bfbe9992e2cfae0baeb56a08128171
rundir: /run/user/0/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt_0.0~git20240220.1e6f92b-1_amd64
version: |
pasta unknown version
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/podman/podman.sock
security:
apparmorEnabled: true
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns_1.2.1-1build2_amd64
version: |-
slirp4netns version 1.2.1
commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.5
swapFree: 0
swapTotal: 0
uptime: 1h 40m 52.00s (Approximately 0.04 days)
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries: {}
store:
configFile: /usr/share/containers/storage.conf
containerStore:
number: 5
paused: 0
running: 5
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /var/lib/containers/storage
graphRootAllocated: 20617822208
graphRootUsed: 9570705408
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "true"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 2
runRoot: /run/containers/storage
transientStore: false
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 4.9.3
Built: 0
BuiltTime: Thu Jan 1 01:00:00 1970
GitCommit: ""
GoVersion: go1.22.1
Os: linux
OsArch: linux/amd64
Version: 4.9.3
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
No
Additional environment details
Additional environment details
Additional information
Client: Podman Engine
Version: 4.9.3
API Version: 4.9.3
Go Version: go1.22.1
Built: Thu Jan 1 01:00:00 1970
OS/Arch: linux/amd64