container creation: don't apply reserved annotations from image

Do not apply reserved annotations from the image to the container. Reserved annotations are applied during container creation to retrieve certain information (e.g., custom seccomp profile or autoremoval) once a container has been created. Context: #12671 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2025-06-19 08:09:12 +08:00 · 2021-12-22 13:28:36 +01:00
parent cbcab43425
commit 1aa4e4d4d1
3 changed files with 24 additions and 4 deletions
--- a/test/e2e/build_test.go
+++ b/test/e2e/build_test.go
@ -238,19 +238,25 @@ var _ = Describe("Podman build", func() {
 		Expect("sha256:" + data[0].ID).To(Equal(string(id)))
 	})

-	It("podman Test PATH in built image", func() {
+	It("podman Test PATH and reserved annotation in built image", func() {
 		path := "/tmp:/bin:/usr/bin:/usr/sbin"
 		session := podmanTest.Podman([]string{
-			"build", "--pull-never", "-f", "build/basicalpine/Containerfile.path", "-t", "test-path",
+			"build", "--annotation", "io.podman.annotations.seccomp=foobar", "--pull-never", "-f", "build/basicalpine/Containerfile.path", "-t", "test-path",
 		})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))

-		session = podmanTest.Podman([]string{"run", "test-path", "printenv", "PATH"})
+		session = podmanTest.Podman([]string{"run", "--name", "foobar", "test-path", "printenv", "PATH"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
 		stdoutLines := session.OutputToStringArray()
 		Expect(stdoutLines[0]).Should(Equal(path))
+
+		// Reserved annotation should not be applied from the image to the container.
+		session = podmanTest.Podman([]string{"inspect", "foobar"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		Expect(session.OutputToString()).NotTo(ContainSubstring("io.podman.annotations.seccomp"))
 	})

 	It("podman build --http_proxy flag", func() {