Add /var/lib/containers/storage/ to illegal mount validation.

Due to the virtiofs filesystem limitations, it cannot deal with
multiple uids/gids that are required for the container storage.

Fixes: #27183
Signed-off-by: Lili Nie <[email protected]>

Author: skycastlelily

docs/source/markdown/podman-machine-init.1.md.in

@@ -157,9 +157,11 @@ options are:
 * **security_model=[model]**: specify 9p security model (see below)
 
 Note: The following destinations are forbidden for volumes: `/bin`, `/boot`, `/dev`, `/etc`,
-`/home`, `/proc`, `/root`, `/run`, `/sbin`, `/sys`, `/tmp`, `/usr`, and `/var`. Subdirectories
-of these destinations are allowed but users should be careful to not mount to important directories
-as unexpected results may occur.
+`/home`, `/proc`, `/root`, `/run`, `/sbin`, `/sys`, `/tmp`, `/usr`, and `/var`. Additionally,
+`/var/lib/containers/storage/` is forbidden due to virtiofs filesystem limitations that cannot
+handle the multiple UIDs/GIDs required for container storage (particularly relevant on macOS and
+other platforms using virtiofs). Subdirectories of these destinations are allowed but users should
+be careful to not mount to important directories as unexpected results may occur.
 
 
 The 9p security model [determines] https://wiki.qemu.org/Documentation/9psetup#Starting_the_Guest_directly

pkg/machine/shim/host.go

@@ -820,19 +820,20 @@ func Reset(mps []vmconfigs.VMProvider, _ machine.ResetOptions) error {
 func validateDestinationPaths(dest string) error {
 	// illegalMounts are locations at the / level of the podman machine where we do want users mounting directly over
 	illegalMounts := map[string]struct{}{
-		"/bin":  {},
-		"/boot": {},
-		"/dev":  {},
-		"/etc":  {},
-		"/home": {},
-		"/proc": {},
-		"/root": {},
-		"/run":  {},
-		"/sbin": {},
-		"/sys":  {},
-		"/tmp":  {},
-		"/usr":  {},
-		"/var":  {},
+		"/bin":                         {},
+		"/boot":                        {},
+		"/dev":                         {},
+		"/etc":                         {},
+		"/home":                        {},
+		"/proc":                        {},
+		"/root":                        {},
+		"/run":                         {},
+		"/sbin":                        {},
+		"/sys":                         {},
+		"/tmp":                         {},
+		"/usr":                         {},
+		"/var":                         {},
+		"/var/lib/containers/storage/": {},
 	}
 	mountTarget := path.Clean(dest)
 	if _, ok := illegalMounts[mountTarget]; ok {

pkg/machine/shim/host_test.go

@@ -47,6 +47,11 @@ func Test_validateDestinationPaths(t *testing.T) {
 			dest:    "/foobar",
 			wantErr: false,
 		},
+		{
+			name:    "/var/lib/containers/storage/ should fail",
+			dest:    "/var/lib/containers/storage/",
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {