Issue Description
Running rootless Podman inside a rootless Podman container on WSL fails because the default user's SUB_UID and SUB_GID ranges inside the machine are too short.
Steps to reproduce the issue
- On Windows, start Podman:
```
podman machine start
```
- Open a Debian container without root:
```
podman run -it debian bash
```
- Inside the container:
```
useradd -m testuser
apt-get install -y podman
su - testuser
podman images
```
Describe the results you received
Running `podman images` as the non-root user fails with:
```
ERRO[0000] running `/usr/bin/newuidmap 52258 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
```
Running with sudo works:
```
sudo podman images
```
Describe the results you expected
Cause
The default user inside the Podman machine has limited sub-ID ranges:
```
$ cat /etc/subuid /etc/subgid
user:100000:65536
user:100000:65536
```
Meanwhile, inside the container, the ID mappings are:
```
$ cat /proc/self/uid_map
         0       1000          1
         1     100000      65536
```
Same for /proc/self/gid_map.
So the container only has 65537 IDs available: container ID 0 (backed by the machine user) plus container IDs 1–65536 (backed by the machine user's sub-ID range 100000–165535). As the failing newuidmap invocation shows, the nested rootless Podman run by testuser tries to map container IDs 100000–165535 (the testuser:100000:65536 entry in the container's /etc/subuid), but those IDs do not exist in the container's namespace. Because the machine user's SUB_UID/SUB_GID ranges are smaller than what the nested mapping needs, nested rootless Podman cannot allocate sufficient IDs and namespace setup fails.
Workaround
Manually increasing the user's sub-ID range inside the Podman machine by editing /etc/subuid and /etc/subgid, then restarting the machine, solves the issue.
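The check behind the workaround, as an added example that is not code from this issue or from the Podman project: given a subuid/subgid-format file and the nested user's requested range, decide whether the nested range fits inside the ID space the outer rootless container receives, and print the smallest replacement entry if it does not. The function names (`subid_span`, `nested_fits`, `suggested_entry`) and the sample file contents are mine; the only assumption about Podman is the mapping layout shown in the uid_map above (container ID 0 plus IDs 1..N backed by the host user's sub-ID range), which the example encodes.

```shell
#!/bin/sh
# Added example (not code from the Podman issue or project): decide whether a
# nested rootless Podman user's sub-ID range fits in the ID space the outer
# rootless container receives, and print a corrected /etc/subuid line if not.
# Assumption (from the uid_map in the issue): the outer container maps
# container ID 0 to the host user and container IDs 1..N to the host user's
# sub-ID range(s), so only IDs 0..N exist inside the container.

# subid_span FILE USER: total number of sub-IDs FILE grants USER.
# Works for /etc/subuid and /etc/subgid alike (same "name:start:count" format).
subid_span() {
    awk -F: -v u="$2" '$1 == u { total += $3 } END { print total + 0 }' "$1"
}

# nested_fits HOST_SUBID_FILE HOST_USER INNER_START INNER_COUNT
# Returns 0 when every container ID INNER_START..INNER_START+INNER_COUNT-1 is
# mapped (that is, does not exceed the span), 1 otherwise.
nested_fits() {
    span=$(subid_span "$1" "$2")
    inner_last=$(( $3 + $4 - 1 ))
    [ "$inner_last" -le "$span" ]
}

# suggested_entry HOST_USER INNER_START INNER_COUNT: the smallest
# "name:100000:count" entry under which the nested range fits, keeping the
# conventional 100000 start used in the issue.
suggested_entry() {
    printf '%s:100000:%d\n' "$1" $(( $2 + $3 - 1 ))
}

# demo: reproduce the issue's numbers with a constructed subuid file.
demo() {
    tmp=$(mktemp)
    # Constructed sample: the default Podman machine entry quoted in the issue.
    printf 'user:100000:65536\n' > "$tmp"
    # The nested testuser asks for container ID 1 -> 100000, count 65536,
    # exactly what the failing newuidmap invocation in the issue shows.
    if nested_fits "$tmp" user 100000 65536; then
        echo "nested range fits"
    else
        echo "nested range does not fit; suggested /etc/subuid line:"
        suggested_entry user 100000 65536
    fi
    rm -f "$tmp"
}

demo
```

Run it against the machine's real files with `nested_fits /etc/subuid user 100000 65536` and the same call for /etc/subgid; both files must pass, since the gid_map is built the same way. The suggested entry is the minimum that makes the nested mapping fit; a much larger range (for example several hundred thousand IDs) leaves headroom for further nesting or for images that use high IDs.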
podman info output
N/A
Podman in a container
Yes
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
WSL on Windows
Additional information
No response