How to share a volume between 2 podman rootless containers when using userns=auto

[DavyLandman]

As far as I've read, userns=auto combined with rootless containers is the best isolation (although some discussion says that rootfull + userns=auto might be even better, and the same issue holds there as well).

I think I've identified 2 issues with userns=auto and volumes:

1. across restarts of the container different ranges of the subuid/gid are handed out, so even your own volume might not be writable after a restart.
2. Sharing a volume between 2 contains that both have their own subuid/gid ranges doesn't work.

But sometimes you have to share some files between containers. For example share a unix socket between 2 containers. Or for example a caddy/nginx and a application that only runs the cgi and leaves the file serving up to the webserver.

For issue 1 I've found the following 2 fixes:

• for the restart issue on your own volumne you can either allocate specic ranges (or names), so that every start you get the same subuid range assigned.
• alternatively you can use the :U modifier on the mount, but that does have the effect of causing a chown on all the files in the mounted volume, which can cause quite a delay (and possible hurt snapshot based backups on systems like btrfs)

For issue 2 I've only found fixes that suggest variants of: "don't use userns=auto" or "use userns=container:<other-container>". Is that correct, is there no way to set this up in a way that allows to isolate the two containers, while still allowing them to share a same volume?

Maybe this could be an interesting blogpost? I've read quite a few, but this one seems to be hinted at only subtly.