
[BUG] Doesn't work on rootless podman #168

@Gibbz

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The current image doesn't run on rootless podman. It fails to set permissions.

Expected Behavior

Rootless podman should work.

Steps To Reproduce

Ran as the script below using systemd containers and pod files.

Environment

- OS: arch linux
- How docker service was installed: podman

CPU architecture

x86-64

Docker creation

The following in a sh script:

#!/bin/bash

#
# Unifi rootless
#

NAME=unifi
DIR=~/.config/containers/systemd/
DEBUG=false

# init
echo "Installing $NAME..."
mkdir -p "$DIR"

# pod
tee "$DIR/$NAME.pod" > /dev/null << EOL
[Pod]
PodName=unifi
Network=host
UserNS=keep-id:uid=1000,gid=1000
EOL

# config db
tee "$DIR/$NAME-db.container" > /dev/null << EOL
[Unit]
Description=UniFi database container

[Service]
Restart=on-failure
TimeoutStartSec=300

[Container]
Pod=$NAME.pod
Image=docker.io/library/mongo:8.2.1
Timezone=local

Environment=MONGO_INITDB_ROOT_USERNAME=root
Environment=MONGO_INITDB_ROOT_PASSWORD=root
Environment=MONGO_USER=unifi
Environment=MONGO_PASS=unifi
Environment=MONGO_DBNAME=unifi
Environment=MONGO_AUTHSOURCE=admin

Volume=%h/Containers/unifi/database:/data/db:Z

[Install]
WantedBy=default.target
EOL

# config unifi
tee "$DIR/$NAME.container" > /dev/null << EOL
[Unit]
Description=UniFi container
After=unifi-db.service
Requires=unifi-db.service

[Service]
Restart=on-failure
TimeoutStartSec=300

[Container]
Pod=$NAME.pod
Image=lscr.io/linuxserver/unifi-network-application:latest
Timezone=local

Environment=PUID=1000
Environment=PGID=1000
Environment=MONGO_USER=unifi
Environment=MONGO_PASS=unifi
Environment=MONGO_HOST=localhost
Environment=MONGO_PORT=27017
Environment=MONGO_DBNAME=unifi
Environment=MONGO_AUTHSOURCE=admin
      
Volume=%h/Containers/unifi/config:/config:Z

[Install]
WantedBy=default.target
EOL

# reload systemd for user
systemctl --user daemon-reexec && systemctl --user daemon-reload

# debug
if [ "$DEBUG" = true ]; then
    echo -e "\nOutput systemd container file:"
    systemctl --user cat "$NAME-db" --no-pager
    echo -e "\n"
    systemctl --user cat "$NAME" --no-pager
    echo -e "\nQuadlet journal logs:"
    journalctl --user -xe | grep -i quadlet
fi

# start
systemctl --user restart "$NAME-db"
systemctl --user status "$NAME-db" --no-pager -l
systemctl --user restart "$NAME"
systemctl --user status "$NAME" --no-pager -l
echo -e "\nDone!"

Container logs

/package/admin/s6-overlay/libexec/preinit: info: /run belongs to uid 0 instead of 1000 - fixing it
╔═════════════════════════════════════════════════════════════════════════╗
║                                                                         ║
║           You are running this container as a non-root user:            ║
║   UMASK, custom services, & docker mod functionality will be disabled   ║
║      and the PUID/PGID environment variables will have no effect.       ║
║                                                                         ║
╚═════════════════════════════════════════════════════════════════════════╝
[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: v9.5.21-ls106
Build-date: 2025-10-21T17:56:54+00:00
───────────────────────────────────────
    
ln: failed to create symbolic link '/usr/lib/unifi/data': Permission denied
ln: failed to create symbolic link '/usr/lib/unifi/logs': Permission denied
ln: failed to create symbolic link '/usr/lib/unifi/run': Permission denied
chown: changing ownership of '/config': Operation not permitted
chown: changing ownership of '/config/logs': Operation not permitted
chown: changing ownership of '/config/data': Operation not permitted
chown: changing ownership of '/config/data/system.properties': Operation not permitted
chown: changing ownership of '/config/data/keystore': Operation not permitted
chown: changing ownership of '/run/unifi': Operation not permitted
chown: changing ownership of '/run/unifi/work': Operation not permitted
chown: changing ownership of '/run/unifi/work/ROOT': Operation not permitted
**** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****
**** The app may not work properly and we will not provide support for it. ****
chown: changing ownership of '/config/data/keystore': Operation not permitted
**** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****
**** The app may not work properly and we will not provide support for it. ****
[custom-init] No custom files found, skipping...
s6-applyuidgid: fatal: unable to set supplementary group list: Operation not permitted
s6-applyuidgid: fatal: unable to set supplementary group list: Operation not permitted
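An added example, not code from the issue or from the linuxserver project: a small POSIX shell linter for a Quadlet pod/container pair that flags the combination the container banner above describes, UserNS=keep-id (the process inside the container then runs as the mapped non-root uid) together with PUID/PGID, which the s6 init ignores when it is not root. The sample files are constructed to mirror the shape of the reporter's Quadlet files; the function name and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue: lint a Quadlet pod/container pair for the
# combination the container banner warns about. With UserNS=keep-id the process
# inside the container runs as the mapped non-root uid, so the s6 init cannot
# chown /config and PUID/PGID have no effect. Sample files below are constructed.
set -eu

# keep_id_with_puid POD CONTAINER
# Returns 1 (and prints a finding) when POD uses UserNS=keep-id and CONTAINER
# still sets PUID or PGID; returns 0 when the pair is consistent.
keep_id_with_puid() {
    pod="$1"
    container="$2"
    # Keys must start the line (indentation tolerated, commented keys ignored).
    if grep -Eq '^[[:space:]]*UserNS[[:space:]]*=[[:space:]]*keep-id' "$pod" \
        && grep -Eq '^[[:space:]]*Environment[[:space:]]*=[[:space:]]*P[UG]ID=' "$container"; then
        echo "WARN: $(basename "$pod") uses UserNS=keep-id, so the container runs as a" \
             "non-root uid; PUID/PGID in $(basename "$container") have no effect and" \
             "the init cannot chown the /config volume."
        return 1
    fi
    return 0
}

# Constructed samples (hypothetical paths) mirroring the reporter's Quadlet files.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/unifi.pod" <<'EOF'
[Pod]
PodName=unifi
Network=host
UserNS=keep-id:uid=1000,gid=1000
EOF
cat > "$SAMPLE_DIR/ok.pod" <<'EOF'
[Pod]
PodName=unifi
Network=host
EOF
cat > "$SAMPLE_DIR/unifi.container" <<'EOF'
[Container]
Pod=unifi.pod
Environment=PUID=1000
Environment=PGID=1000
Volume=%h/Containers/unifi/config:/config:Z
EOF
for pod in unifi.pod ok.pod; do
    if keep_id_with_puid "$SAMPLE_DIR/$pod" "$SAMPLE_DIR/unifi.container"; then
        echo "OK: $pod and unifi.container are consistent"
    fi
done
```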
