podman create --device invalid-device --privileged does not raise error

[sanmai-NL]

Issue Description

I cannot reliably assign static IP addresses, and force to use the custom network in the first place. I've tried multiple ways to specifcy the network and the static IP addresses, and this method seems to fully comply with the (confusing) instructions in the podman create docs.

Steps to reproduce the issue

Create a container that matches this inspect dump:

[
     {
          "Id": "46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82",
          "Created": "2024-06-28T13:48:56.228665411+02:00",
          "Path": "/sbin/init",
          "Args": [
               "/sbin/init"
          ],
          "State": {
               "OciVersion": "1.1.0",
               "Status": "running",
               "Running": true,
               "Paused": false,
               "Restarting": false,
               "OOMKilled": false,
               "Dead": false,
               "Pid": 43915,
               "ConmonPid": 43913,
               "ExitCode": 0,
               "Error": "",
               "StartedAt": "2024-06-28T13:48:58.517884723+02:00",
               "FinishedAt": "0001-01-01T00:00:00Z",
               "Health": {
                    "Status": "",
                    "FailingStreak": 0,
                    "Log": null
               },
               "CgroupPath": "/machine.slice/libpod-46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82.scope",
               "CheckpointedAt": "0001-01-01T00:00:00Z",
               "RestoredAt": "0001-01-01T00:00:00Z"
          },
          "Image": "b661cbe9df82e3da9b4b59169838199513318e72413d9a57150e77ff1859b254",
          "ImageDigest": "sha256:9ccc4a764a4c04a5a7ab891188168b50fa16f1d86b16ceab45b25d5fd8a0ba13",
          "ImageName": "ghcr.io/siderolabs/talos:v1.7.5",
          "Rootfs": "",
          "Pod": "",
          "ResolvConfPath": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/resolv.conf",
          "HostnamePath": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/hostname",
          "HostsPath": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/hosts",
          "StaticDir": "/var/lib/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata",
          "OCIConfigPath": "/var/lib/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/config.json",
          "OCIRuntime": "crun",
          "ConmonPidFile": "/run/containers/storage/overlay-containers/46e9d4d6bb1668a720024a2af14fc884e8bd7521cbae2d19ab2a10039d656a82/userdata/conmon.pid",
          "PidFile": "/run/taloslinux-projectplatform-src/controlplane-0.pid",
          "Name": "controlplane-0",
          "RestartCount": 0,
          "Driver": "overlay",
          "MountLabel": "",
          "ProcessLabel": "",
          "AppArmorProfile": "",
          "EffectiveCaps": [
               "CAP_AUDIT_CONTROL",
               "CAP_AUDIT_READ",
               "CAP_AUDIT_WRITE",
               "CAP_BLOCK_SUSPEND",
               "CAP_BPF",
               "CAP_CHECKPOINT_RESTORE",
               "CAP_CHOWN",
               "CAP_DAC_OVERRIDE",
               "CAP_DAC_READ_SEARCH",
               "CAP_FOWNER",
               "CAP_FSETID",
               "CAP_IPC_LOCK",
               "CAP_IPC_OWNER",
               "CAP_KILL",
               "CAP_LEASE",
               "CAP_LINUX_IMMUTABLE",
               "CAP_MAC_ADMIN",
               "CAP_MAC_OVERRIDE",
               "CAP_MKNOD",
               "CAP_NET_ADMIN",
               "CAP_NET_BIND_SERVICE",
               "CAP_NET_BROADCAST",
               "CAP_NET_RAW",
               "CAP_PERFMON",
               "CAP_SETFCAP",
               "CAP_SETGID",
               "CAP_SETPCAP",
               "CAP_SETUID",
               "CAP_SYSLOG",
               "CAP_SYS_ADMIN",
               "CAP_SYS_BOOT",
               "CAP_SYS_CHROOT",
               "CAP_SYS_MODULE",
               "CAP_SYS_NICE",
               "CAP_SYS_PACCT",
               "CAP_SYS_PTRACE",
               "CAP_SYS_RAWIO",
               "CAP_SYS_RESOURCE",
               "CAP_SYS_TIME",
               "CAP_SYS_TTY_CONFIG",
               "CAP_WAKE_ALARM"
          ],
          "BoundingCaps": [
               "CAP_AUDIT_CONTROL",
               "CAP_AUDIT_READ",
               "CAP_AUDIT_WRITE",
               "CAP_BLOCK_SUSPEND",
               "CAP_BPF",
               "CAP_CHECKPOINT_RESTORE",
               "CAP_CHOWN",
               "CAP_DAC_OVERRIDE",
               "CAP_DAC_READ_SEARCH",
               "CAP_FOWNER",
               "CAP_FSETID",
               "CAP_IPC_LOCK",
               "CAP_IPC_OWNER",
               "CAP_KILL",
               "CAP_LEASE",
               "CAP_LINUX_IMMUTABLE",
               "CAP_MAC_ADMIN",
               "CAP_MAC_OVERRIDE",
               "CAP_MKNOD",
               "CAP_NET_ADMIN",
               "CAP_NET_BIND_SERVICE",
               "CAP_NET_BROADCAST",
               "CAP_NET_RAW",
               "CAP_PERFMON",
               "CAP_SETFCAP",
               "CAP_SETGID",
               "CAP_SETPCAP",
               "CAP_SETUID",
               "CAP_SYSLOG",
               "CAP_SYS_ADMIN",
               "CAP_SYS_BOOT",
               "CAP_SYS_CHROOT",
               "CAP_SYS_MODULE",
               "CAP_SYS_NICE",
               "CAP_SYS_PACCT",
               "CAP_SYS_PTRACE",
               "CAP_SYS_RAWIO",
               "CAP_SYS_RESOURCE",
               "CAP_SYS_TIME",
               "CAP_SYS_TTY_CONFIG",
               "CAP_WAKE_ALARM"
          ],
          "ExecIDs": [],
          "GraphDriver": {
               "Name": "overlay",
               "Data": {
                    "LowerDir": "/var/lib/containers/storage/overlay/323e4f85e1289b6242ddf124be9dbbc6631bd1f601709d67e7bc5b61fd25fed5/diff",
                    "MergedDir": "/var/lib/containers/storage/overlay/6c21924a40d40a3b0c1486398e5397759f587abd7ec3dc1c27ee3c7e04307ce7/merged",
                    "UpperDir": "/var/lib/containers/storage/overlay/6c21924a40d40a3b0c1486398e5397759f587abd7ec3dc1c27ee3c7e04307ce7/diff",
                    "WorkDir": "/var/lib/containers/storage/overlay/6c21924a40d40a3b0c1486398e5397759f587abd7ec3dc1c27ee3c7e04307ce7/work"
               }
          },
          "Mounts": [
               {
                    "Type": "volume",
                    "Name": "c8fa46fbe818e8d1faa1e1cd508fcc4038cae161e3e4583dc5a5feea3634cfb9",
                    "Source": "/var/lib/containers/storage/volumes/c8fa46fbe818e8d1faa1e1cd508fcc4038cae161e3e4583dc5a5feea3634cfb9/_data",
                    "Destination": "/etc/cni",
                    "Driver": "local",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               },
               {
                    "Type": "volume",
                    "Name": "45b50b36c0e8c2a05294f7f0af11b9d4b93d6dc89080b0deedc1f59c08aec8e5",
                    "Source": "/var/lib/containers/storage/volumes/45b50b36c0e8c2a05294f7f0af11b9d4b93d6dc89080b0deedc1f59c08aec8e5/_data",
                    "Destination": "/etc/kubernetes",
                    "Driver": "local",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               },
               {
                    "Type": "volume",
                    "Name": "100d8c290bcf1866a41e003ea248da5c735d90b5121bc1d2ba844406662248eb",
                    "Source": "/var/lib/containers/storage/volumes/100d8c290bcf1866a41e003ea248da5c735d90b5121bc1d2ba844406662248eb/_data",
                    "Destination": "/opt",
                    "Driver": "local",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               },
               {
                    "Type": "volume",
                    "Name": "12bf6066792df2e0fbc93ddacafb34511e209a39d344ff4bed7e4797b8939962",
                    "Source": "/var/lib/containers/storage/volumes/12bf6066792df2e0fbc93ddacafb34511e209a39d344ff4bed7e4797b8939962/_data",
                    "Destination": "/system/state",
                    "Driver": "local",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               },
               {
                    "Type": "volume",
                    "Name": "fed7c8c6e0e65438f093e125f66aa39b817ca3a3e1fa5a1017b84cb1b780df90",
                    "Source": "/var/lib/containers/storage/volumes/fed7c8c6e0e65438f093e125f66aa39b817ca3a3e1fa5a1017b84cb1b780df90/_data",
                    "Destination": "/usr/etc/udev",
                    "Driver": "local",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               },
               {
                    "Type": "volume",
                    "Name": "2f9c669639dc2cb546ac1875b7b416a328a18ac97cacc66d2e5ae20b3392f6e6",
                    "Source": "/var/lib/containers/storage/volumes/2f9c669639dc2cb546ac1875b7b416a328a18ac97cacc66d2e5ae20b3392f6e6/_data",
                    "Destination": "/usr/libexec/kubernetes",
                    "Driver": "local",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               },
               {
                    "Type": "volume",
                    "Name": "1e9aa8273f6be9ea07ff4e9a084de69e5a99f5fb439f7577728619ae7bebb840",
                    "Source": "/var/lib/containers/storage/volumes/1e9aa8273f6be9ea07ff4e9a084de69e5a99f5fb439f7577728619ae7bebb840/_data",
                    "Destination": "/var",
                    "Driver": "local",
                    "Mode": "",
                    "Options": [
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               }
          ],
          "Dependencies": [],
          "NetworkSettings": {
               "EndpointID": "",
               "Gateway": "10.88.0.1",
               "IPAddress": "10.88.0.17",
               "IPPrefixLen": 16,
               "IPv6Gateway": "",
               "GlobalIPv6Address": "",
               "GlobalIPv6PrefixLen": 0,
               "MacAddress": "c2:8b:8b:0a:9c:c6",
               "Bridge": "",
               "SandboxID": "",
               "HairpinMode": false,
               "LinkLocalIPv6Address": "",
               "LinkLocalIPv6PrefixLen": 0,
               "Ports": {},
               "SandboxKey": "/run/netns/netns-2a246366-2a05-8781-3520-57fa82e9987f",
               "Networks": {
                    "podman": {
                         "EndpointID": "",
                         "Gateway": "10.88.0.1",
                         "IPAddress": "10.88.0.17",
                         "IPPrefixLen": 16,
                         "IPv6Gateway": "",
                         "GlobalIPv6Address": "",
                         "GlobalIPv6PrefixLen": 0,
                         "MacAddress": "c2:8b:8b:0a:9c:c6",
                         "NetworkID": "podman",
                         "DriverOpts": null,
                         "IPAMConfig": null,
                         "Links": null,
                         "Aliases": [
                              "46e9d4d6bb16",
                              "controlplane-0"
                         ]
                    }
               }
          },
          "Namespace": "",
          "IsInfra": false,
          "IsService": false,
          "KubeExitCodePropagation": "invalid",
          "lockNumber": 0,
          "Config": {
               "Hostname": "controlplane-0",
               "Domainname": "",
               "User": "",
               "AttachStdin": false,
               "AttachStdout": false,
               "AttachStderr": false,
               "Tty": false,
               "OpenStdin": false,
               "StdinOnce": false,
               "Env": [
                    "PLATFORM=container",
                    "USERDATA=CENSORED",
                    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "container=podman",
                    "HOSTNAME=controlplane-0",
                    "HOME=",
                    "container_uuid=46e9d4d6bb1668a720024a2af14fc884"
               ],
               "Cmd": null,
               "Image": "ghcr.io/siderolabs/talos:v1.7.5",
               "Volumes": null,
               "WorkingDir": "/",
               "Entrypoint": "/sbin/init",
               "OnBuild": null,
               "Labels": {
                    "app": "taloslinux-projectplatform-src",
                    "org.opencontainers.image.source": "https://github.com/siderolabs/talos"
               },
               "Annotations": {
                    "io.container.manager": "libpod",
                    "io.podman.annotations.privileged": "TRUE",
                    "io.podman.annotations.seccomp": "unconfined",
                    "org.opencontainers.image.stopSignal": "37"
               },
               "StopSignal": 37,
               "HealthcheckOnFailureAction": "none",
               "CreateCommand": [
                    "podman",
                    "container",
                    "create",
                    "--env=PLATFORM=container",
                    "--env=USERDATA=CENSORED",
                    "--device",
                    "--network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955:ip=172.16.128.2,ip6=fde5:c139:5e49:5ad6::2",
                    "--name",
                    "controlplane-0",
                    "--hostname",
                    "controlplane-0",
                    "--label=app=taloslinux-projectplatform-src",
                    "--pidfile=/run/taloslinux-projectplatform-src/controlplane-0.pid",
                    "--mount=type=tmpfs,destination=/run",
                    "--mount=type=tmpfs,destination=/system",
                    "--mount=type=tmpfs,destination=/tmp",
                    "--mount=type=volume,destination=/etc/cni",
                    "--mount=type=volume,destination=/etc/kubernetes",
                    "--mount=type=volume,destination=/opt",
                    "--mount=type=volume,destination=/system/state",
                    "--mount=type=volume,destination=/usr/etc/udev",
                    "--mount=type=volume,destination=/usr/libexec/kubernetes",
                    "--mount=type=volume,destination=/var",
                    "--privileged",
                    "--read-only",
                    "--security-opt",
                    "seccomp=unconfined",
                    "--",
                    "ghcr.io/siderolabs/talos:v1.7.5"
               ],
               "SystemdMode": true,
               "Umask": "0022",
               "Timeout": 0,
               "StopTimeout": 10,
               "Passwd": true,
               "sdNotifyMode": "container"
          },
          "HostConfig": {
               "Binds": [
                    "c8fa46fbe818e8d1faa1e1cd508fcc4038cae161e3e4583dc5a5feea3634cfb9:/etc/cni:rw,rprivate,nosuid,nodev,rbind",
                    "45b50b36c0e8c2a05294f7f0af11b9d4b93d6dc89080b0deedc1f59c08aec8e5:/etc/kubernetes:rw,rprivate,nosuid,nodev,rbind",
                    "100d8c290bcf1866a41e003ea248da5c735d90b5121bc1d2ba844406662248eb:/opt:rw,rprivate,nosuid,nodev,rbind",
                    "12bf6066792df2e0fbc93ddacafb34511e209a39d344ff4bed7e4797b8939962:/system/state:rw,rprivate,nosuid,nodev,rbind",
                    "fed7c8c6e0e65438f093e125f66aa39b817ca3a3e1fa5a1017b84cb1b780df90:/usr/etc/udev:rw,rprivate,nosuid,nodev,rbind",
                    "2f9c669639dc2cb546ac1875b7b416a328a18ac97cacc66d2e5ae20b3392f6e6:/usr/libexec/kubernetes:rw,rprivate,nosuid,nodev,rbind",
                    "1e9aa8273f6be9ea07ff4e9a084de69e5a99f5fb439f7577728619ae7bebb840:/var:rw,rprivate,nosuid,nodev,rbind"
               ],
               "CgroupManager": "systemd",
               "CgroupMode": "private",
               "ContainerIDFile": "",
               "LogConfig": {
                    "Type": "journald",
                    "Config": null,
                    "Path": "",
                    "Tag": "",
                    "Size": "0B"
               },
               "NetworkMode": "bridge",
               "PortBindings": {},
               "RestartPolicy": {
                    "Name": "",
                    "MaximumRetryCount": 0
               },
               "AutoRemove": false,
               "VolumeDriver": "",
               "VolumesFrom": null,
               "CapAdd": [],
               "CapDrop": [],
               "Dns": [],
               "DnsOptions": [],
               "DnsSearch": [],
               "ExtraHosts": [],
               "GroupAdd": [],
               "IpcMode": "shareable",
               "Cgroup": "",
               "Cgroups": "default",
               "Links": null,
               "OomScoreAdj": 0,
               "PidMode": "private",
               "Privileged": true,
               "PublishAllPorts": false,
               "ReadonlyRootfs": true,
               "SecurityOpt": [
                    "seccomp=unconfined",
                    "unmask=all"
               ],
               "Tmpfs": {
                    "/run": "rw,rprivate,nosuid,nodev,tmpcopyup",
                    "/system": "rw,rprivate,nosuid,nodev,tmpcopyup",
                    "/tmp": "rw,rprivate,nosuid,nodev,tmpcopyup"
               },
               "UTSMode": "private",
               "UsernsMode": "",
               "ShmSize": 65536000,
               "Runtime": "oci",
               "ConsoleSize": [
                    0,
                    0
               ],
               "Isolation": "",
               "CpuShares": 0,
               "Memory": 0,
               "NanoCpus": 0,
               "CgroupParent": "",
               "BlkioWeight": 0,
               "BlkioWeightDevice": null,
               "BlkioDeviceReadBps": null,
               "BlkioDeviceWriteBps": null,
               "BlkioDeviceReadIOps": null,
               "BlkioDeviceWriteIOps": null,
               "CpuPeriod": 0,
               "CpuQuota": 0,
               "CpuRealtimePeriod": 0,
               "CpuRealtimeRuntime": 0,
               "CpusetCpus": "",
               "CpusetMems": "",
               "Devices": [],
               "DiskQuota": 0,
               "KernelMemory": 0,
               "MemoryReservation": 0,
               "MemorySwap": 0,
               "MemorySwappiness": 0,
               "OomKillDisable": false,
               "PidsLimit": 2048,
               "Ulimits": [
                    {
                         "Name": "RLIMIT_NPROC",
                         "Soft": 262144,
                         "Hard": 262144
                    }
               ],
               "CpuCount": 0,
               "CpuPercent": 0,
               "IOMaximumIOps": 0,
               "IOMaximumBandwidth": 0,
               "CgroupConf": null
          }
     }
]

And a network that matches this network inspect dump:

[
     {
          "name": "taloslinux-projectplatform-src",
          "id": "bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955",
          "driver": "ipvlan",
          "network_interface": "ens3",
          "created": "2024-06-28T13:48:55.009641169+02:00",
          "subnets": [
               {
                    "subnet": "172.16.128.0/24",
                    "gateway": "172.16.128.1"
               },
               {
                    "subnet": "fde5:c139:5e49:5ad6::/63",
                    "gateway": "fde5:c139:5e49:5ad6::1"
               }
          ],
          "ipv6_enabled": true,
          "internal": false,
          "dns_enabled": false,
          "labels": {
               "app": "taloslinux-projectplatform-src"
          },
          "options": {
               "mode": "l3s"
          },
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

Describe the results you received

Sometimes (not always, with the same invocation) another IP-address in a custom network's subnet is assigned. Sometimes, the custom network isn't selected but rather the default network podman, and IP-addresses in its subnet.

Describe the results you expected

I expect any fault condition, such as specifying a custom network that cannot be found or used for some reason, to cause a fatal fault, rather than silently reverting to the default network. I also expect that custom networks can be specified including IP address assignment.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.10+ds1-1build2_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 99.07
    systemPercent: 0.41
    userPercent: 0.51
  cpus: 8
  databaseBackend: sqlite
  distribution:
    codename: noble
    distribution: ubuntu
    version: "24.04"
  eventLogger: journald
  freeLocks: 2008
  hostname: projectplatform.u-shapedassembl.src.surf-hosted.nl
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.8.0-36-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 28175257600
  memTotal: 33655078912
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.4.0-5_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: netavark_1.4.0-4_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.11.0
  ociRuntime:
    name: crun
    package: crun_1.14.1-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.1
      commit: de537a7965bfbe9992e2cfae0baeb56a08128171
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20240220.1e6f92b-1_amd64
    version: |
      pasta unknown version
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1build2_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 1h 40m 52.00s (Approximately 0.04 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 5
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 20617822208
  graphRootUsed: 9570705408
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.9.3
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.3

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Client: Podman Engine
Version: 4.9.3
API Version: 4.9.3
Go Version: go1.22.1
Built: Thu Jan 1 01:00:00 1970
OS/Arch: linux/amd64

[Luap99]

Please share the exact command you use to create the container and how do you run them. Without a proper reproducer it will be impossible to debug this.

From your given container inspect it seems the container ignored the given network and just uses the default podman one. Are you using using podman network connect/disconnect by any chance?

[sanmai-NL]

The command is in the podman info dump, isn't it? I have not yet touched podman network connect but was planning to try that, will report back in ot.

[sanmai-NL]

Aargh, I now noticed the problem. There's a stray --device parameter right before the networking parameters. That's new and that's why IPAM did work before. Still a defect to solve on Podman side, to validate the --device parameter and to raise a fault.

[Luap99]

$ podman run --device "--network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955:ip=172.16.128.2,ip6=fde5:c139:5e49:5ad6::2" quay.io/libpod/testimage:20240123 
Error: stat --network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955: no such file or directory

That already creates an error for me, it is not clear how you managed to create the container like this.

[sanmai-NL]

@Luap99 What's confusing by the way, is what way of specifying static IP addresses is supported given how many IP addresses, networking mode, number of networks. Ideally there would be a single way. Also, the difference between bridge mode and other modes in this respect, for instance in being able to connect networks by ID vs. name, seems to differ from Docker engine's CLI.

[sanmai-NL]

$ podman run --device "--network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955:ip=172.16.128.2,ip6=fde5:c139:5e49:5ad6::2" quay.io/libpod/testimage:20240123 
Error: stat --network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955: no such file or directory

That already creates an error for me, it is not clear how you managed to create the container like this.

Which Podman version have you tested?

[sanmai-NL]

By the way, I use create and then run.

[Luap99]

@Luap99 What's confusing by the way, is what way of specifying static IP addresses is supported given how many IP addresses, networking mode, number of networks. Ideally there would be a single way. Also, the difference between bridge mode and other modes in this respect, for instance in being able to connect networks by ID vs. name, seems to differ from Docker engine's CLI.

Please be specific, using name of ID should not matter, the reason there are several ways is because --ip doesn't scale if you use more than one network. This is the reason why we added the --network name:<options> syntax, of course we still have this support the other syntax for docker compat.

I tested with podman 4.9.4 and main, and using create results in the same error.

[sanmai-NL]

$ podman run --device "--network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955:ip=172.16.128.2,ip6=fde5:c139:5e49:5ad6::2" quay.io/libpod/testimage:20240123 
Error: stat --network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955: no such file or directory

That already creates an error for me, it is not clear how you managed to create the container like this.

I have minimal reproducer of the defect:

podman container create --device --network=bb7c9de1d0966a607e8d2d219210641f570e8d947f8d886e3694990bfad19955:ip=172.16.128.2,ip6=fde5:c139:5e49:5ad6::2 --privileged -- ghcr.io/siderolabs/talos:v1.7.5

The --privileged parameter seems to result in silent acceptance of the invalid --device value.

[Luap99]

Ah yes with --privileged it works. privileged maps all devices so it really doesn't matter what device you give there.
Of course that does not mean we should not validate the option at all.

[sanmai-NL]

@Luap99 What's confusing by the way, is what way of specifying static IP addresses is supported given how many IP addresses, networking mode, number of networks. Ideally there would be a single way. Also, the difference between bridge mode and other modes in this respect, for instance in being able to connect networks by ID vs. name, seems to differ from Docker engine's CLI.

Please be specific, using name of ID should not matter, the reason there are several ways is because --ip doesn't scale if you use more than one network. This is the reason why we added the --network name:<options> syntax, of course we still have this support the other syntax for docker compat.

I tested with podman 4.9.4 and main, and using create results in the same error.

If you mean with specific, provide more support for the claim that ID vs. name is accepted based on networking mode, then please consider this excerpt from the podman create docs:

[:OPTIONS,…]: Connect to a user-defined network; this is the network name or ID from a network created by podman network create. Using the network name implies the bridge network mode. It is possible to specify the same options described under the bridge mode above.

As my custom network has ipvlan mode, identifying the network by name does not respect the instructions here.

[Luap99]

Bridge network mode != bridge network driver, the bridge mode is really more of a internal detail and is the same thing as the custom (user-defined) networks

[sanmai-NL]

I suppose you can see why that's confusing. Perhaps it's possible to move implementation or design details from the user docs to dev docs.

[Luap99]

yes of course
I suppose Using the network name implies the bridge network mode can be dropped entirely it doesn't add any helpful context. The It is possible to specify the same options described under the bridge mode above. is the relevant part for users.