Can't create two containers using userns=auto

[ZaiBouz]

Hello everybody !!

I have a problem when I try to create two containers with the flag --userns=auto.

Here's the situation :
I'm trying to run containers in root mode but in different user namespaces. For starters, I wanted to test out the --userns flag to see what really happens. So I have created an alpine container using this command and added a "containers" entry to the /etc/subuid and /etc/subgid files :
podman run -dit alpine
And as expected a new user namespace was created. Therefore, the next step for me was to create different containers using the same flag to see how the isolation functions.
And that's when I get the error, when trying to create a second container with the same command :
Error: runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied

I have been unable to understand the reason behind it.

Here's more information about my set up :

• Custom Yocto distribution
• Podman version : v4.0.3
• cgroup2 supported
• max_user_namespaces : 111492

[Luap99]

Please try a newer podman, we only support the latest version upstream.
Also it is possible that there is/was a bug in runc so use try the latest version there as well or use crun instead of runc.

[ZaiBouz]

Thank you for the answer.

So I have updated Podman to v5.0.2. But I still get the same error as before :
Error: runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied