Secret mounts with relative paths do not take WORKDIR into account #4491

Closed
defanator opened this issue Jan 2, 2023 · 2 comments · Fixed by #4509
Labels: kind/bug (Categorizes issue or PR as related to a bug.), locked - please file new issue/PR

Comments

@defanator

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Building a container from a Dockerfile with WORKDIR and using --mount=type=secret with a relative destination path leads to inconsistent behavior.

Steps to reproduce the issue:

  1. Create Dockerfile and Makefile:

Dockerfile:

FROM docker.io/ubuntu:22.04

WORKDIR /somedir

RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt \
     printf "PWD=%s\n" "$(pwd)" && ls -la && ls -la / && stat secret1.txt && stat secret2.txt && \
     cp secret1.txt /root/secret-foo.txt && \
     cp secret2.txt /root/secret-bar.txt

Makefile:

DOCKER ?= docker

.PHONY: build-container

build-container:
	rm -rf build
	mkdir build
	echo "secret:foo" >build/secret1.txt
	echo "secret:bar" >build/secret2.txt
	DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain $(DOCKER) build --no-cache --secret id=secret-foo,src=build/secret1.txt --secret id=secret-bar,src=build/secret2.txt -t defanator/example:tag1 .
	$(DOCKER) run --rm -t -i defanator/example:tag1 cat /root/secret-foo.txt
	$(DOCKER) run --rm -t -i defanator/example:tag1 cat /root/secret-bar.txt
	$(DOCKER) rmi defanator/example:tag1
  2. Run DOCKER=podman make.

Describe the results you received:

Secrets are being created in /, while commands are being executed under /somedir:

$ DOCKER=podman make
rm -rf build
mkdir build
echo "secret:foo" >build/secret1.txt
echo "secret:bar" >build/secret2.txt
DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain podman build --no-cache --secret id=secret-foo,src=build/secret1.txt --secret id=secret-bar,src=build/secret2.txt -t defanator/example:tag1 .
STEP 1/3: FROM docker.io/ubuntu:22.04
STEP 2/3: WORKDIR /somedir
--> 6c8838cf3a4
STEP 3/3: RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt      printf "PWD=%s\n" "$(pwd)" && ls -la && ls -la / && stat secret1.txt && stat secret2.txt &&      cp secret1.txt /root/secret-foo.txt &&      cp secret2.txt /root/secret-bar.txt
PWD=/somedir
total 0
drwxr-xr-x.  2 root root  80 Jan  2 10:55 .
dr-xr-xr-x. 18 root root 100 Jan  2 10:55 ..
total 8
dr-xr-xr-x.  18 root   root     100 Jan  2 10:55 .
lrwxrwxrwx.   1 root   root       7 Nov 30 02:04 bin -> usr/bin
drwxr-xr-x.   2 root   root      40 Apr 18  2022 boot
drwxr-xr-x.   5 root   root     340 Jan  2 10:55 dev
drwxr-xr-x.  31 root   root    1440 Nov 30 02:07 etc
drwxr-xr-x.   2 root   root      40 Apr 18  2022 home
lrwxrwxrwx.   1 root   root       7 Nov 30 02:04 lib -> usr/lib
lrwxrwxrwx.   1 root   root       9 Nov 30 02:04 lib32 -> usr/lib32
lrwxrwxrwx.   1 root   root       9 Nov 30 02:04 lib64 -> usr/lib64
lrwxrwxrwx.   1 root   root      10 Nov 30 02:04 libx32 -> usr/libx32
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 media
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 mnt
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 opt
dr-xr-xr-x. 307 nobody nogroup    0 Jan  2 10:55 proc
drwx------.   2 root   root      80 Nov 30 02:07 root
drwxr-xr-x.   6 root   root      80 Jan  2 10:55 run
lrwxrwxrwx.   1 root   root       8 Nov 30 02:04 sbin -> usr/sbin
-r--------.   1 root   root      11 Jan  2 10:55 secret1.txt
-r--------.   1 root   root      11 Jan  2 10:55 secret2.txt
drwxr-xr-x.   2 root   root      80 Jan  2 10:55 somedir
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 srv
dr-xr-xr-x.  13 nobody nogroup    0 Jan  2 05:48 sys
drwxrwxrwt.   2 root   root      40 Nov 30 02:07 tmp
drwxr-xr-x.  14 root   root     280 Nov 30 02:04 usr
drwxr-xr-x.  11 root   root     260 Nov 30 02:07 var
stat: cannot statx 'secret1.txt': No such file or directory
Error: building at STEP "RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt printf "PWD=%s\n" "$(pwd)" && ls -la && ls -la / && stat secret1.txt && stat secret2.txt &&      cp secret1.txt /root/secret-foo.txt &&      cp secret2.txt /root/secret-bar.txt": while running runtime: exit status 1
make: *** [Makefile:9: build-container] Error 1

Describe the results you expected:

Successful build + run with secrets created in /somedir:

% DOCKER=docker make
rm -rf build
mkdir build
echo "secret:foo" >build/secret1.txt
echo "secret:bar" >build/secret2.txt
DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain docker build --no-cache --secret id=secret-foo,src=build/secret1.txt --secret id=secret-bar,src=build/secret2.txt -t defanator/example:tag1 .
#1 [internal] load build definition from Dockerfile
#1 sha256:956e81e187c4ea4dc450871b18ae84ab976c49582e3bea65caf50ea0a79a9705
#1 transferring dockerfile: 37B done
#1 DONE 0.0s

#2 [internal] load .dockerignore
#2 sha256:7c24936d078707145f864038bef4b8e7b4e5a03304c2868a047c035c62162948
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/library/ubuntu:22.04
#3 sha256:bb6615d6728e62d4ed2a35dd58ee60e0f7b38bf575e6e24f49f6804d1f20ad90
#3 DONE 0.0s

#4 [1/3] FROM docker.io/library/ubuntu:22.04
#4 sha256:cdc6c23330729686ac5f85a03a4f1099b9aac0474f5235d6e7014170e77af427
#4 DONE 0.0s

#5 [2/3] WORKDIR /somedir
#5 sha256:de48d2aee164955e5a46b60b23669598af66b88de3d5de6d7376cf5b8f7c2a06
#5 CACHED

#6 [3/3] RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt      printf "PWD=%s\n" "$(pwd)" && ls -la && ls -la / && stat secret1.txt && stat secret2.txt &&      cp secret1.txt /root/secret-foo.txt &&      cp secret2.txt /root/secret-bar.txt
#6 sha256:311ee95bba27f37488c9149037523cdf14690b288661537cc5bafca7e2ac4274
#6 0.243 PWD=/somedir
#6 0.246 total 16
#6 0.246 drwxr-xr-x 1 root root 4096 Jan  2 10:55 .
#6 0.246 drwxr-xr-x 1 root root 4096 Jan  2 10:55 ..
#6 0.246 -r-------- 1 root root   11 Jan  2 10:55 secret1.txt
#6 0.246 -r-------- 1 root root   11 Jan  2 10:55 secret2.txt
#6 0.248 total 60
#6 0.248 drwxr-xr-x   1 root root 4096 Jan  2 10:55 .
#6 0.248 drwxr-xr-x   1 root root 4096 Jan  2 10:55 ..
#6 0.248 lrwxrwxrwx   1 root root    7 Aug 15 11:54 bin -> usr/bin
#6 0.248 drwxr-xr-x   2 root root 4096 Apr 18  2022 boot
#6 0.248 drwxr-xr-x   5 root root  340 Jan  2 10:55 dev
#6 0.248 drwxr-xr-x  31 root root 4096 Aug 15 12:13 etc
#6 0.248 drwxr-xr-x   2 root root 4096 Apr 18  2022 home
#6 0.248 lrwxrwxrwx   1 root root    7 Aug 15 11:54 lib -> usr/lib
#6 0.248 drwxr-xr-x   2 root root 4096 Aug 15 11:54 media
#6 0.248 drwxr-xr-x   2 root root 4096 Aug 15 11:54 mnt
#6 0.248 drwxr-xr-x   2 root root 4096 Aug 15 11:54 opt
#6 0.248 dr-xr-xr-x 208 root root    0 Jan  2 10:55 proc
#6 0.248 drwx------   2 root root 4096 Aug 15 12:13 root
#6 0.248 drwxr-xr-x   5 root root 4096 Aug 15 12:13 run
#6 0.248 lrwxrwxrwx   1 root root    8 Aug 15 11:54 sbin -> usr/sbin
#6 0.248 drwxr-xr-x   1 root root 4096 Jan  2 10:55 somedir
#6 0.248 drwxr-xr-x   2 root root 4096 Aug 15 11:54 srv
#6 0.248 dr-xr-xr-x  13 root root    0 Jan  2 10:55 sys
#6 0.248 drwxrwxrwt   2 root root 4096 Aug 15 12:13 tmp
#6 0.248 drwxr-xr-x  11 root root 4096 Aug 15 11:54 usr
#6 0.248 drwxr-xr-x  11 root root 4096 Aug 15 12:13 var
#6 0.249   File: secret1.txt
#6 0.249   Size: 11        	Blocks: 8          IO Block: 4096   regular file
#6 0.249 Device: 94h/148d	Inode: 2           Links: 1
#6 0.249 Access: (0400/-r--------)  Uid: (    0/    root)   Gid: (    0/    root)
#6 0.249 Access: 2023-01-02 10:55:56.046869011 +0000
#6 0.249 Modify: 2023-01-02 10:55:56.046869011 +0000
#6 0.249 Change: 2023-01-02 10:55:56.046869011 +0000
#6 0.249  Birth: -
#6 0.250   File: secret2.txt
#6 0.250   Size: 11        	Blocks: 8          IO Block: 4096   regular file
#6 0.250 Device: 95h/149d	Inode: 2           Links: 1
#6 0.250 Access: (0400/-r--------)  Uid: (    0/    root)   Gid: (    0/    root)
#6 0.250 Access: 2023-01-02 10:55:56.046869011 +0000
#6 0.250 Modify: 2023-01-02 10:55:56.046869011 +0000
#6 0.250 Change: 2023-01-02 10:55:56.046869011 +0000
#6 0.250  Birth: -
#6 DONE 0.3s

#7 exporting to image
#7 sha256:e8c613e07b0b7ff33893b694f7759a10d42e180f2b4dc349fb57dc6b71dcab00
#7 exporting layers done
#7 writing image sha256:f767695a2ecb38dc27477fa3c1f0b534233a6ce938eccbf234635921abd610c9 done
#7 naming to docker.io/defanator/example:tag1 done
#7 DONE 0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
docker run --rm -t -i defanator/example:tag1 cat /root/secret-foo.txt
secret:foo
docker run --rm -t -i defanator/example:tag1 cat /root/secret-bar.txt
secret:bar
docker rmi defanator/example:tag1
Untagged: defanator/example:tag1
Deleted: sha256:f767695a2ecb38dc27477fa3c1f0b534233a6ce938eccbf234635921abd610c9

Running podman with WORKDIR commented out in the Dockerfile works:

$ DOCKER=podman make
rm -rf build
mkdir build
echo "secret:foo" >build/secret1.txt
echo "secret:bar" >build/secret2.txt
DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain podman build --no-cache --secret id=secret-foo,src=build/secret1.txt --secret id=secret-bar,src=build/secret2.txt -t defanator/example:tag1 .
STEP 1/2: FROM docker.io/ubuntu:22.04
STEP 2/2: RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt      printf "PWD=%s\n" "$(pwd)" && ls -la && ls -la / && stat secret1.txt && stat secret2.txt &&      cp secret1.txt /root/secret-foo.txt &&      cp secret2.txt /root/secret-bar.txt
PWD=/
total 8
dr-xr-xr-x.  17 root   root      80 Jan  2 10:57 .
lrwxrwxrwx.   1 root   root       7 Nov 30 02:04 bin -> usr/bin
drwxr-xr-x.   2 root   root      40 Apr 18  2022 boot
drwxr-xr-x.   5 root   root     340 Jan  2 10:57 dev
drwxr-xr-x.  31 root   root    1440 Nov 30 02:07 etc
drwxr-xr-x.   2 root   root      40 Apr 18  2022 home
lrwxrwxrwx.   1 root   root       7 Nov 30 02:04 lib -> usr/lib
lrwxrwxrwx.   1 root   root       9 Nov 30 02:04 lib32 -> usr/lib32
lrwxrwxrwx.   1 root   root       9 Nov 30 02:04 lib64 -> usr/lib64
lrwxrwxrwx.   1 root   root      10 Nov 30 02:04 libx32 -> usr/libx32
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 media
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 mnt
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 opt
dr-xr-xr-x. 313 nobody nogroup    0 Jan  2 10:57 proc
drwx------.   2 root   root      80 Nov 30 02:07 root
drwxr-xr-x.   6 root   root      80 Jan  2 10:57 run
lrwxrwxrwx.   1 root   root       8 Nov 30 02:04 sbin -> usr/sbin
-r--------.   1 root   root      11 Jan  2 10:57 secret1.txt
-r--------.   1 root   root      11 Jan  2 10:57 secret2.txt
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 srv
dr-xr-xr-x.  13 nobody nogroup    0 Jan  2 05:48 sys
drwxrwxrwt.   2 root   root      40 Nov 30 02:07 tmp
drwxr-xr-x.  14 root   root     280 Nov 30 02:04 usr
drwxr-xr-x.  11 root   root     260 Nov 30 02:07 var
total 8
dr-xr-xr-x.  17 root   root     100 Jan  2 10:57 .
lrwxrwxrwx.   1 root   root       7 Nov 30 02:04 bin -> usr/bin
drwxr-xr-x.   2 root   root      40 Apr 18  2022 boot
drwxr-xr-x.   5 root   root     340 Jan  2 10:57 dev
drwxr-xr-x.  31 root   root    1440 Nov 30 02:07 etc
drwxr-xr-x.   2 root   root      40 Apr 18  2022 home
lrwxrwxrwx.   1 root   root       7 Nov 30 02:04 lib -> usr/lib
lrwxrwxrwx.   1 root   root       9 Nov 30 02:04 lib32 -> usr/lib32
lrwxrwxrwx.   1 root   root       9 Nov 30 02:04 lib64 -> usr/lib64
lrwxrwxrwx.   1 root   root      10 Nov 30 02:04 libx32 -> usr/libx32
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 media
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 mnt
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 opt
dr-xr-xr-x. 313 nobody nogroup    0 Jan  2 10:57 proc
drwx------.   2 root   root      80 Nov 30 02:07 root
drwxr-xr-x.   6 root   root      80 Jan  2 10:57 run
lrwxrwxrwx.   1 root   root       8 Nov 30 02:04 sbin -> usr/sbin
-r--------.   1 root   root      11 Jan  2 10:57 secret1.txt
-r--------.   1 root   root      11 Jan  2 10:57 secret2.txt
drwxr-xr-x.   2 root   root      40 Nov 30 02:04 srv
dr-xr-xr-x.  13 nobody nogroup    0 Jan  2 05:48 sys
drwxrwxrwt.   2 root   root      40 Nov 30 02:07 tmp
drwxr-xr-x.  14 root   root     280 Nov 30 02:04 usr
drwxr-xr-x.  11 root   root     260 Nov 30 02:07 var
  File: secret1.txt
  Size: 11        	Blocks: 8          IO Block: 4096   regular file
Device: 32h/50d	Inode: 511286      Links: 1
Access: (0400/-r--------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-01-02 10:57:02.245219286 +0000
Modify: 2023-01-02 10:57:02.245219286 +0000
Change: 2023-01-02 10:57:02.245219286 +0000
 Birth: 2023-01-02 10:57:02.245219286 +0000
  File: secret2.txt
  Size: 11        	Blocks: 8          IO Block: 4096   regular file
Device: 32h/50d	Inode: 511287      Links: 1
Access: (0400/-r--------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-01-02 10:57:02.246219299 +0000
Modify: 2023-01-02 10:57:02.246219299 +0000
Change: 2023-01-02 10:57:02.246219299 +0000
 Birth: 2023-01-02 10:57:02.246219299 +0000
COMMIT defanator/example:tag1
--> 5422152c019
Successfully tagged localhost/defanator/example:tag1
5422152c019436fb30262db43c1c58653a88b6077db9293ab30ef10a48cb2ce8
podman run --rm -t -i defanator/example:tag1 cat /root/secret-foo.txt
secret:foo
podman run --rm -t -i defanator/example:tag1 cat /root/secret-bar.txt
secret:bar
podman rmi defanator/example:tag1
Untagged: localhost/defanator/example:tag1
Deleted: 5422152c019436fb30262db43c1c58653a88b6077db9293ab30ef10a48cb2ce8

Obviously, using absolute paths both in the mount dst= option and later in the commands also works.

Additional information you deem important (e.g. issue happens only occasionally):

100% reproducible, tested in rootless mode only.

Output of podman version:

$ podman version
Client:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.18.7
Built:        Fri Nov 11 15:24:13 2022
OS/Arch:      linux/amd64

Output of podman info:

$ podman info
host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-1.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: '
  cpuUtilization:
    idlePercent: 99.4
    systemPercent: 0.21
    userPercent: 0.4
  cpus: 16
  distribution:
    distribution: fedora
    variant: cloud
    version: "36"
  eventLogger: journald
  hostname: builder-testrunner-amd64.amp.nginx.com
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 9999
      size: 1
    - container_id: 1
      host_id: 755360
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 9999
      size: 1
    - container_id: 1
      host_id: 755360
      size: 65536
  kernel: 6.0.15-200.fc36.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 21277806592
  memTotal: 32932081664
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7.2-2.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.7.2
      commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
      rundir: /run/user/9999/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/9999/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 5h 5m 27.00s (Approximately 0.21 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/builder/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.9-6.fc36.x86_64
      Version: |-
        fusermount3 version: 3.10.5
        fuse-overlayfs: version 1.9
        FUSE library version 3.10.5
        using FUSE kernel interface version 7.31
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /run/user/9999/containers/storage
  graphRootAllocated: 16466038784
  graphRootUsed: 7435571200
  graphStatus:
    Backing Filesystem: tmpfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 240
  runRoot: /run/user/9999/containers
  volumePath: /run/user/9999/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1668180253
  BuiltTime: Fri Nov 11 15:24:13 2022
  GitCommit: ""
  GoVersion: go1.18.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

$ rpm -qi podman
Name        : podman
Epoch       : 4
Version     : 4.3.1
Release     : 1.fc36
Architecture: x86_64
Install Date: Mon 02 Jan 2023 05:47:13 AM UTC
Group       : Unspecified
Size        : 42535481
License     : ASL 2.0 and BSD and ISC and MIT and MPLv2.0
Signature   : RSA/SHA256, Fri 11 Nov 2022 04:37:04 PM UTC, Key ID 999f7cbf38ab71f4
Source RPM  : podman-4.3.1-1.fc36.src.rpm
Build Date  : Fri 11 Nov 2022 03:24:09 PM UTC
Build Host  : buildvm-x86-04.iad2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://podman.io/
Bug URL     : https://bugz.fedoraproject.org/podman
Summary     : Manage Pods, Containers and Container Images
Description :
podman (Pod Manager) is a fully featured container engine that is a simple
daemonless tool.  podman provides a Docker-CLI comparable command line that
eases the transition from other container engines and allows the management of
pods, containers and images.  Simply put: alias docker=podman.
Most podman commands can be run as a regular user, without requiring
additional privileges.

podman uses Buildah(1) internally to create container images.
Both tools share image (not container) storage, hence each can use or
manipulate images (but not containers) created by the other.

Manage Pods, Containers and Container Images
podman Simple management tool for pods, containers and images

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

No

Additional environment details (AWS, VirtualBox, physical, etc.):

OS details:

$ cat /etc/os-release 
NAME="Fedora Linux"
VERSION="36 (Cloud Edition)"
ID=fedora
VERSION_ID=36
VERSION_CODENAME=""
PLATFORM_ID="platform:f36"
PRETTY_NAME="Fedora Linux 36 (Cloud Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:36"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f36/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=36
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=36
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
SUPPORT_END=2023-05-16
VARIANT="Cloud Edition"
VARIANT_ID=cloud
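The report above shows that a relative `dst=` on a secret mount resolved against `/` in buildah 1.28.0 / podman 4.3.1 but against the `WORKDIR` in BuildKit, so the same Dockerfile silently behaved differently per engine. The following is an added example, not code from the issue or from buildah: a small Dockerfile lint that walks the instructions, tracks the `WORKDIR` in effect per stage, and reports every `--mount=type=secret` whose destination is relative, together with the two resolutions (WORKDIR-relative as BuildKit and the fixed buildah do it, root-relative as this report shows for the affected versions) and the absolute form to use instead. Assumptions, labelled in the code: each stage starts at `/` (the base image's own `WORKDIR` is not inspected), the default mount point when neither `dst` nor `target` is given is `/run/secrets/<id>`, and the sample Dockerfile is constructed here after the reproducer.

```python
"""Added example (not from the issue or from buildah): lint a Dockerfile for
--mount=type=secret destinations written as relative paths.

Assumptions: every stage starts with WORKDIR "/" (the base image's WORKDIR is
not inspected); the "root-resolved" path models the buildah 1.28.0 / podman
4.3.1 behaviour shown in this report (relative dst mounted under "/").
"""
import posixpath
import re
from dataclasses import dataclass

MOUNT_RE = re.compile(r"--mount=(\S+)")
DEFAULT_SECRET_DIR = "/run/secrets"   # mount point used when no dst/target is given


@dataclass
class Finding:
    line: int               # 1-based line of the RUN instruction
    secret_id: str
    dst: str                # destination exactly as written in the Dockerfile
    workdir: str            # WORKDIR in effect for that RUN
    resolved_workdir: str   # what BuildKit (and buildah after the fix) mounts
    resolved_root: str      # what buildah 1.28 / podman 4.3.1 mounted per this report


def logical_lines(text):
    """Yield (line_no, instruction) with backslash continuations joined, comments dropped."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.lstrip().startswith("#"):
            continue                      # comments are skipped even inside a continuation
        if not buf:
            if not line.strip():
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(part.strip() for part in buf)
        buf = []
    if buf:                               # file ended while a continuation was open
        yield start, " ".join(part.strip() for part in buf)


def parse_mount(opts):
    """Turn 'type=secret,id=foo,dst=bar' into {'type': 'secret', 'id': 'foo', 'dst': 'bar'}."""
    mount = {}
    for kv in opts.split(","):
        key, _, value = kv.partition("=")
        mount[key] = value
    return mount


def lint(dockerfile):
    """Return one Finding per secret mount whose destination is not absolute."""
    findings = []
    workdir = "/"
    for lineno, instr in logical_lines(dockerfile):
        keyword, _, arg = instr.partition(" ")
        keyword = keyword.upper()
        if keyword == "FROM":
            workdir = "/"                 # assumption: a new stage starts at /
        elif keyword == "WORKDIR":
            # WORKDIR may itself be relative; it is joined onto the previous one
            workdir = posixpath.normpath(posixpath.join(workdir, arg.strip()))
        elif keyword == "RUN":
            for opts in MOUNT_RE.findall(arg):
                mount = parse_mount(opts)
                if mount.get("type") != "secret":
                    continue
                secret_id = mount.get("id", "")
                dst = mount.get("dst") or mount.get("target")
                if not dst:
                    dst = posixpath.join(DEFAULT_SECRET_DIR, secret_id)
                if posixpath.isabs(dst):
                    continue              # absolute destinations behave the same everywhere
                findings.append(Finding(
                    line=lineno, secret_id=secret_id, dst=dst, workdir=workdir,
                    resolved_workdir=posixpath.normpath(posixpath.join(workdir, dst)),
                    resolved_root=posixpath.normpath(posixpath.join("/", dst)),
                ))
    return findings


def suggestion(finding):
    """The portable rewrite: the absolute path the WORKDIR-relative form was meant to produce."""
    return f"dst={finding.resolved_workdir}"


# Constructed sample modelled on the reproducer in this issue (line 3 continues onto line 4).
SAMPLE = """\
FROM docker.io/ubuntu:22.04
WORKDIR /somedir
RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt \\
     stat secret1.txt && stat secret2.txt
WORKDIR sub
RUN --mount=type=secret,id=secret-baz,target=../baz.txt cat ../baz.txt
RUN --mount=type=secret,id=secret-abs,dst=/run/secrets/abs cat /run/secrets/abs
"""

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f"line {f.line}: secret '{f.secret_id}' dst={f.dst} (WORKDIR {f.workdir})")
        print(f"  BuildKit / fixed buildah mount:        {f.resolved_workdir}")
        print(f"  buildah 1.28 / podman 4.3.1 mount:     {f.resolved_root}")
        print(f"  portable form:                         {suggestion(f)}")
```

Run it as `python3 lint_secret_mounts.py` (hypothetical file name) or import `lint()` and feed it a real Dockerfile's text. Two caveats a practitioner should keep in mind: the lint does not know the base image's `WORKDIR`, so a stage without an explicit `WORKDIR` is reported relative to `/`; and the reproducer's `cp secret1.txt /root/...` step, which is what makes `podman run ... cat /root/secret-foo.txt` work, copies the secret into an image layer. That is fine for demonstrating where the mount landed, but in a real build it defeats the point of a secret mount, whose contents are meant to exist only for the duration of that `RUN`.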
openshift-ci bot added the kind/bug label Jan 2, 2023

flouthoc commented Jan 2, 2023

Looks similar to this one, #4452; I'll create a PR for this.

@flouthoc flouthoc self-assigned this Jan 2, 2023
@flouthoc flouthoc transferred this issue from containers/podman Jan 2, 2023
flouthoc added a commit to flouthoc/buildah that referenced this issue Jan 6, 2023
When working with `--mount=type=secret` allow `target`/`dst` to accept relative paths w.r.t. the configured work dir.

See detailed use-case here: containers#4491

Closes: containers#4491

**Steps to reproduce the issue from containers#4491:**

1. Create Dockerfile and Makefile:

Dockerfile:
```
FROM docker.io/ubuntu:22.04

WORKDIR /somedir

RUN --mount=type=secret,id=secret-foo,dst=secret1.txt --mount=type=secret,id=secret-bar,dst=secret2.txt \
     printf "PWD=%s\n" "$(pwd)" && ls -la && ls -la / && stat secret1.txt && stat secret2.txt && \
     cp secret1.txt /root/secret-foo.txt && \
     cp secret2.txt /root/secret-bar.txt
```

Makefile:
```
DOCKER ?= docker

.PHONY: build-container

build-container:
	rm -rf build
	mkdir build
	echo "secret:foo" >build/secret1.txt
	echo "secret:bar" >build/secret2.txt
	# build is buildah's build subcommand (alias: bud)
	buildah build --no-cache --secret id=secret-foo,src=build/secret1.txt --secret id=secret-bar,src=build/secret2.txt -t defanator/example:tag1 .
	podman run --rm -t -i defanator/example:tag1 cat /root/secret-foo.txt
	podman run --rm -t -i defanator/example:tag1 cat /root/secret-bar.txt
	podman rmi defanator/example:tag1
```
```
make
```

Signed-off-by: Aditya R <arajan@redhat.com>

flouthoc commented Jan 6, 2023

Hi @defanator, thanks for reporting the issue. I was able to recreate it from the reproducer shared, and I have created PR #4509, which should close this.

flouthoc added a commit to flouthoc/buildah that referenced this issue Jan 9, 2023
flouthoc added a commit to flouthoc/buildah that referenced this issue Jan 9, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 29, 2023