fix: project-prefix networks and volumes to prevent cross-project isolation breach #75

@Jaro-c

Problem

Networks and volumes without an explicit `name:` use the bare compose key (e.g. `default`, `db-data`). Two projects with the same key share the same network/volume, breaking isolation and risking data corruption.

Root cause

  • `engine/network.rs` `create_networks`: uses bare name when no `config.name` set
  • `engine/volume.rs` `create_volumes`: same issue for volumes
  • `resolve_network_name` / `resolve_network_mode`: returns bare key, not prefixed name

Fix

When no explicit `name:` is set, use `{project}_{key}`. External networks/volumes are unaffected.
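
The naming rule described above, as an added example that is not part of the issue or the project's code. `ResourceConfig`, `Entry`, `bare_name`, `scoped_name`, `shared_names` and the sample projects are hypothetical, and it assumes an external resource without `name:` keeps its bare key.

```rust
use std::collections::BTreeMap;

// Hypothetical stand-in for a compose network/volume entry (not the project's type).
#[derive(Default)]
struct ResourceConfig {
    name: Option<String>, // explicit `name:` from the compose file
    external: bool,       // `external: true`: pre-existing, never renamed
}
type Entry = (&'static str, &'static str, ResourceConfig); // (project, key, config)

// Behaviour the issue reports: fall back to the bare compose key.
fn bare_name(key: &str, cfg: &ResourceConfig) -> String {
    cfg.name.clone().unwrap_or_else(|| key.to_string())
}

// Behaviour the issue proposes: `{project}_{key}` unless explicitly named or external.
fn scoped_name(project: &str, key: &str, cfg: &ResourceConfig) -> String {
    match (&cfg.name, cfg.external) {
        (Some(explicit), _) => explicit.clone(),
        (None, true) => key.to_string(), // assumption: external keeps its key
        (None, false) => format!("{}_{}", project, key),
    }
}

// Engine-level names claimed by more than one entry, i.e. shared across projects.
fn shared_names(
    items: &[Entry],
    resolve: impl Fn(&str, &str, &ResourceConfig) -> String,
) -> Vec<String> {
    let mut owners: BTreeMap<String, Vec<&str>> = BTreeMap::new();
    for (project, key, cfg) in items {
        owners.entry(resolve(*project, *key, cfg)).or_default().push(*project);
    }
    owners.into_iter().filter(|(_, p)| p.len() > 1).map(|(name, _)| name).collect()
}

fn sample() -> Vec<Entry> { // constructed sample: two projects with the same keys
    vec![
        ("shop", "default", ResourceConfig::default()),
        ("shop", "db-data", ResourceConfig::default()),
        ("blog", "default", ResourceConfig::default()),
        ("blog", "db-data", ResourceConfig::default()),
        ("blog", "ingress", ResourceConfig { name: None, external: true }),
    ]
}

fn main() {
    println!("bare:   {:?}", shared_names(&sample(), |_, k, c| bare_name(k, c)));
    println!("scoped: {:?}", shared_names(&sample(), scoped_name));
}
```
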

Metadata

Labels

  • area:containers (Podman/containers)
  • effort:M (About a day)
  • prio:P0 (Critical — drop everything)
  • status:ready (Triaged and ready to be worked on)
  • type:bug (Something broken)
