Experimental support for podman.

[oliverchang]

This can be used by setting the environment variable OSS_FUZZ_CONTAINER_TOOL=podman.

For #13966.

[evverx]

I haven't tried to build anything yet but I left a couple of comments.

[evverx]

I think it can be confusing in the sense that podman is often installed with podman-docker pointing docker to podman (https://packages.fedoraproject.org/pkgs/podman/podman-docker/) so CONTAINER_TOOL is docker even though podman is used under the hood. It would probably be safer to call CONTAINER_TOOL to figure out what it is.

$ docker --version
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
podman version 5.6.1

$ podman --version
podman version 5.6.1

The result can then be used to get around differences like #9439.

[oliverchang]

IMO we should avoid handling these differences as much as we can.

For #9439, is this still a problem? Can we just add the makedirs as a default behaviour for docker also?

[evverx]

For #9439, is this still a problem?

I don't know. I have been applying that patch since then. I'll double-check to see if it's still needed a bit later today.

[evverx]

It failed without that patch with

INFO:__main__:Running: docker run --privileged --shm-size=2g --platform linux/amd64 --rm -i -e FUZZING_ENGINE=centipede -e SANITIZER=address -e ARCHITECTURE=x86_64 -e PROJECT_NAME=util-linux -e HELPER=True -e FUZZING_LANGUAGE=c -v /home/vagrant/oss-fuzz/build/out/util-linux/__centipede_address:/out -v /home/vagrant/oss-fuzz/build/work/util-linux:/work -t gcr.io/oss-fuzz/util-linux.
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
Error: statfs /home/vagrant/oss-fuzz/build/out/util-linux/__centipede_address: no such file or directory
ERROR:__main__:Building fuzzers failed.

so it looks like makedirs is still required.

Can we just add the makedirs as a default behaviour for docker also?

I think it should be fine (I'm not 100% sure though)

IMO we should avoid handling these differences as much as we can.

Agreed. I think it should probably be possible to avoid that to cover most use cases but given that for example #4774 was supposed to get it to work with rootless podman containers with SELinux enabled without --privileged I guess at some point it should be necessary to tell docker and podman apart.

[evverx]

I think it should be OK to pass i386 on x86_64 with podman. In theory with qemu(-user) installed it should be able to accept aarch64 but I don't think I have ever built fuzz targets like that using helper.py (as far as I can remember it downloaded various images, launched a bunch qemu-aarch64-static processes and went sideways somewhere along the way)

[oliverchang]

thanks! This is entirely un-tested territory, so I'd prefer not to support this for now.

[evverx]

I have to admit I can't remember where --pull=never came from. I'll try to decipher my comments from #4774 (comment).

[evverx]

I built systemd but check_build failed with

OSS_FUZZ_CONTAINER_TOOL=podman ./infra/helper.py check_build systemd
INFO:__main__:Running: podman run --pull=never --privileged --shm-size=2g --platform linux/amd64 --rm -i -e FUZZING_ENGINE=libfuzzer -e SANITIZER=address -e ARCHITECTURE=x86_64 -e FUZZING_LANGUAGE=c++ -e HELPER=True -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner test_all.py.
Error: gcr.io/oss-fuzz-base/base-runner: image not known
ERROR:__main__:Check build failed.

As far as I can see it ran

/usr/bin/podman run --pull=never --privileged --shm-size=2g --platform linux/amd64 --rm -i -e FUZZING_ENGINE=libfuzzer -e SANITIZER=address -e ARCHITECTURE=x86_64 -e FUZZING_LANGUAGE=c++ -e HELPER=True -v

With my kludges (#13966 (comment)) it doesn't add --pull=never there and runs

./docker run --privileged --shm-size=2g --platform linux/amd64 --rm -i -e FUZZING_ENGINE=libfuzzer -e SANITIZER=address -e ARCHITECTURE=x86_64 -e FUZZING_LANGUAGE=c++ -e HELPER=True -v /home/vagrant/oss-fuzz/build/out/systemd:/out

[oliverchang]

thanks for testing this. I've removed the --pull=never.

is it still required at all?

[evverx]

It has to be used to build projects integrated into OSS-Fuzz a while ago (when those gcr.io/oss-fuzz/ images were still built). For example systemd and zlib fail to build with podman without --pull=never.

I guess it should be possible to remove the images. I don't think they are needed anymore. The latest systemd image was created in 2019 to judge from https://console.cloud.google.com/artifacts/docker/oss-fuzz/us/gcr.io/systemd.

[oliverchang]

Hmm, I'm still a bit unclear on why it was needed at all. Isn't the default behaviour to only pull if the image doesn't exist?

https://docs.podman.io/en/stable/markdown/podman-run.1.html#pull-policy

Docker's documentation says the same thing:

https://docs.docker.com/reference/cli/docker/container/run/#pull

[evverx]

As far as I understand the issue is helper.py ends up with that out-of-date image and tries to build systemd from 2019. It fails with

+ wget -O /out/fuzz-json_seed_corpus.zip https://storage.googleapis.com/skia-fuzzer/oss-fuzz/skjson_seed_corpus.zip
--2025-09-15 10:33:44--  https://storage.googleapis.com/skia-fuzzer/oss-fuzz/skjson_seed_corpus.zip
Resolving storage.googleapis.com (storage.googleapis.com)... 64.233.164.207, 108.177.14.207, 74.125.131.207, ...
Connecting to storage.googleapis.com (storage.googleapis.com)|64.233.164.207|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2025-09-15 10:33:44 ERROR 403: Forbidden.
ERROR:__main__:Building fuzzers failed.

That thing was removed in 2019 in systemd/systemd@2dd9b65 (so helper.py clearly does the wrong thing here).

Based on my comment from #4774 (comment) it looks like it's containers/podman#17063.