Reject --cpus above host CPU count on podman machine init and set

Honny1 · Honny1 · commit bb4dda485501 · 2026-03-23T18:22:14.000+01:00
Fixes: #28322 Signed-off-by: Jan Rodák <hony.com@seznam.cz>
diff --git a/cmd/podman/machine/init.go b/cmd/podman/machine/init.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"runtime"
 	"slices"
 
 	"github.com/containers/podman/v6/cmd/podman/registry"
@@ -257,6 +258,9 @@ func initMachine(cmd *cobra.Command, args []string) error {
 			return err
 		}
 	}
+	if err := checkMaxCPUs(initOpts.CPUS); err != nil {
+		return err
+	}
 
 	// initOpts.SkipTlsVerify defaults to OptionalBoolUndefined, which means the backend library
 	// decides whether to verify TLS. We only explicitly set it if the user specifies the
@@ -320,3 +324,12 @@ func checkMaxMemory(newMem strongunits.MiB) error {
 	}
 	return nil
 }
+
+// checkMaxCPUs compares requested CPUs to the host (runtime.NumCPU).
+func checkMaxCPUs(requestedCPUs uint64) error {
+	hostCPUs := uint64(runtime.NumCPU())
+	if requestedCPUs > hostCPUs {
+		return fmt.Errorf("requested number of CPUs (%d) greater than number of host CPUs (%d)", requestedCPUs, hostCPUs)
+	}
+	return nil
+}
diff --git a/cmd/podman/machine/set.go b/cmd/podman/machine/set.go
@@ -98,6 +98,9 @@ func setMachine(cmd *cobra.Command, args []string) error {
 		setOpts.Rootful = &setFlags.Rootful
 	}
 	if cmd.Flags().Changed("cpus") {
+		if err := checkMaxCPUs(setFlags.CPUs); err != nil {
+			return err
+		}
 		setOpts.CPUs = &setFlags.CPUs
 	}
 	if cmd.Flags().Changed("memory") {
diff --git a/pkg/machine/e2e/init_test.go b/pkg/machine/e2e/init_test.go
@@ -81,6 +81,12 @@ var _ = Describe("podman machine init", func() {
 		Expect(err).ToNot(HaveOccurred())
 		Expect(badMemSession.errorToString()).To(ContainSubstring(fmt.Sprintf("greater than total system memory (%d MB)", systemMem)))
 		Expect(badMemSession).To(Exit(125))
+
+		badCPU := initMachine{}
+		badCPUSession, err := mb.setCmd(badCPU.withCPUs(9999999)).run()
+		Expect(err).ToNot(HaveOccurred())
+		Expect(badCPUSession).To(Exit(125))
+		Expect(badCPUSession.errorToString()).To(ContainSubstring("greater than number of host CPUs"))
 	})
 
 	It("init volume check", func() {
diff --git a/pkg/machine/e2e/set_test.go b/pkg/machine/e2e/set_test.go
@@ -13,6 +13,21 @@ import (
 )
 
 var _ = Describe("podman machine set", func() {
+	It("machine set rejects excessive cpus", func() {
+		skipIfWSL("WSL cannot change cpus via set")
+		name := randomString()
+		i := new(initMachine)
+		session, err := mb.setName(name).setCmd(i.withImage(mb.imagePath)).run()
+		Expect(err).ToNot(HaveOccurred())
+		Expect(session).To(Exit(0))
+
+		badSet := setMachine{}
+		badCPUSession, err := mb.setName(name).setCmd(badSet.withCPUs(9999999)).run()
+		Expect(err).ToNot(HaveOccurred())
+		Expect(badCPUSession).To(Exit(125))
+		Expect(badCPUSession.errorToString()).To(ContainSubstring("greater than number of host CPUs"))
+	})
+
 	It("set machine cpus, disk, memory", func() {
 		skipIfWSL("WSL cannot change set properties of disk, processor, or memory")
 		name := randomString()

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,9 @@ func setMachine(cmd *cobra.Command, args []string) error {`
`98`	`98`	`setOpts.Rootful = &setFlags.Rootful`
`99`	`99`	`}`
`100`	`100`	`if cmd.Flags().Changed("cpus") {`
	`101`	`+ if err := checkMaxCPUs(setFlags.CPUs); err != nil {`
	`102`	`+ return err`
	`103`	`+ }`
`101`	`104`	`setOpts.CPUs = &setFlags.CPUs`
`102`	`105`	`}`
`103`	`106`	`if cmd.Flags().Changed("memory") {`