Rootful Pod with UserNS=auto - Error "/tmp": duplicate mount destination.

[Grimblee]

Hello,

I've been struggling with this issue, when I'm trying to add a container to a pod, I get this duplicate mount destination error.

And I've been looking everywhere but can't find where its coming from, inspected the pod, the image's declared VOLUMES, ran the commands with --debug, I'm at my wits' end.

Podman version: 5.6.0

Pod creation output (ExecStart from quadlet dry-run with --debug added)
/usr/bin/podman --debug pod create --infra-conmon-pidfile=%t/%N.pid --replace --exit-policy stop --userns auto --network systemd-socket-proxy-internal -v /run/podman/podman.sock:/var/run/docker.sock:rw,Z,U --infra-name socket-proxy-pod-infra --name socket-proxy-pod --memory=128m

INFO[0000] /usr/bin/podman filtering at log level debug
DEBU[0000] Called create.PersistentPreRunE(/usr/bin/podman --debug pod create --infra-conmon-pidfile=%t/%N.pid --replace --exit-policy stop --userns auto --network systemd-socket-proxy-internal -v /run/podman/po
dman.sock:/var/run/docker.sock:rw,Z,U --infra-name socket-proxy-pod-infra --name socket-proxy-pod --memory=128m)
INFO[0000] Setting parallel job count to 19
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using sqlite as database backend
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
DEBU[0000] Using run root /run/containers/storage
DEBU[0000] Using static dir /var/lib/containers/storage/libpod
DEBU[0000] Using tmp dir /run/libpod
DEBU[0000] Using volume path /var/lib/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is being used
DEBU[0000] Cached value indicated that native-diff is not being used
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime crun-vm initialization failed: no valid executable found for OCI runtime crun-vm: invalid argument
DEBU[0000] Using OCI runtime "/usr/local/bin/runsc"
DEBU[0000] Error looking up pod "socket-proxy-pod": no pod with name or ID socket-proxy-pod found: no such pod
DEBU[0000] User mount /run/podman/podman.sock:/var/run/docker.sock options [rw Z U]
DEBU[0000] Pod using bridge network mode
DEBU[0000] Created cgroup path machine.slice/machine-libpod_pod_c2524e9e1362813e58e2e75229dcb77e5e7c7b60a7a6f5e070e8d0ef10b61498.slice for parent machine.slice and name libpod_pod_c2524e9e1362813e58e2e75229dcb77e5e7c7b60a7a6f5e070e8d0ef10b61498
DEBU[0000] Created cgroup machine.slice/machine-libpod_pod_c2524e9e1362813e58e2e75229dcb77e5e7c7b60a7a6f5e070e8d0ef10b61498.slice
DEBU[0000] Got pod cgroup as machine.slice/machine-libpod_pod_c2524e9e1362813e58e2e75229dcb77e5e7c7b60a7a6f5e070e8d0ef10b61498.slice
DEBU[0000] no command or entrypoint provided, and no CMD or ENTRYPOINT from image: defaulting to empty string
DEBU[0000] using systemd mode: false
DEBU[0000] setting container name socket-proxy-pod-infra
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json"
DEBU[0000] Adding mount /proc
DEBU[0000] Adding mount /dev
DEBU[0000] Adding mount /dev/pts
DEBU[0000] Adding mount /dev/mqueue
DEBU[0000] Adding mount /sys
DEBU[0000] Adding mount /sys/fs/cgroup
DEBU[0000] Successfully loaded network systemd-socket-proxy-internal: &{systemd-socket-proxy-internal f79a991735c099f2bcf3f4b8a5ea3d2149b376089917749ab71f2a11999bdd1c bridge podman1 2026-03-14 15:57:43.992632506 +0100 CET [{{{10.0.1.0 ffffff00}} 10.0.1.1 <nil>}] [] false true true [] map[] map[] map[driver:host-local]}
DEBU[0000] Successfully loaded 2 networks
DEBU[0000] Allocated lock 1 for container a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a
DEBU[0000] Cached value indicated that idmapped mounts for overlay are supported
DEBU[0000] Created container "a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a"
DEBU[0000] Container "a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a" has work directory "/var/lib/containers/storage/overlay-containers/a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a/userdata"
DEBU[0000] Container "a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a" has run directory "/run/containers/storage/overlay-containers/a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a/userdata"
c2524e9e1362813e58e2e75229dcb77e5e7c7b60a7a6f5e070e8d0ef10b61498
DEBU[0000] Called create.PersistentPostRunE(/usr/bin/podman --debug pod create --infra-conmon-pidfile=%t/%N.pid --replace --exit-policy stop --userns auto --network systemd-socket-proxy-internal -v /run/podman/podman.sock:/var/run/docker.sock:rw,Z,U --infra-name socket-proxy-pod-infra --name socket-proxy-pod --memory=128m)
DEBU[0000] Shutting down engines
INFO[0000] Received shutdown.Stop(), terminating!        PID=463412

Container creation output (ExecStart from quadlet dry-run with --debug added)
usr/bin/podman --debug run --name traefik-socket-proxy --replace --rm --cgroups=split --pids-limit 100 --tz local --network systemd-socket-proxy-internal --sdnotify=conmon -d --security-opt=no-new-privileges --cap-drop all --read-only --label io.containers.autoupdate=registry --label io.containers.autoupdate=image --env SP_ALLOWFROM=traefik --env SP_ALLOWHEALTHCHECK=true --env SP_LISTENIP=0.0.0.0 --env SP_LOGLEVEL=INFO --env SP_PROXYPORT=2375 --env SP_SHUTDOWNGRACETIME=5 --env SP_WATCHDOGINTERVAL=3600 --health-cmd ./healthcheck --health-interval 10s --health-retries 2 --health-start-period 15s --health-timeout 5s --pod socket-proxy-pod ghcr.io/wollomatic/socket-proxy:1

INFO[0000] /usr/bin/podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(/usr/bin/podman --debug run --name traefik-socket-proxy --replace --rm --cgroups=split --pids-limit 100 --tz local --network systemd-socket-proxy-internal --sdnotify=conmon -d --security-opt=no-new-privileges --cap-drop all --read-only --label io.containers.autoupdate=registry --label io.containers.autoupdate=image --env SP_ALLOWFROM=traefik --env SP_ALLOWHEALTHCHECK=true --env SP_LISTENIP=0.0.0.0 --env SP_LOGLEVEL=INFO --env SP_PROXYPORT=2375 --env SP_SHUTDOWNGRACETIME=5 --env SP_WATCHDOGINTERVAL=3600 --health-cmd ./healthcheck --health-interval 10s --health-retries 2 --health-start-period 15s --health-timeout 5s --pod socket-proxy-pod ghcr.io/wollomatic/socket-proxy:1)
INFO[0000] Setting parallel job count to 19
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using sqlite as database backend
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
DEBU[0000] Using run root /run/containers/storage
DEBU[0000] Using static dir /var/lib/containers/storage/libpod
DEBU[0000] Using tmp dir /run/libpod
DEBU[0000] Using volume path /var/lib/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is being used
DEBU[0000] Cached value indicated that native-diff is not being used
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=true
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime crun-vm initialization failed: no valid executable found for OCI runtime crun-vm: invalid argument
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Using OCI runtime "/usr/local/bin/runsc"
DEBU[0000] Pulling image ghcr.io/wollomatic/socket-proxy:1 (policy: missing)
DEBU[0000] Looking up image "ghcr.io/wollomatic/socket-proxy:1" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] }
DEBU[0000] Trying "ghcr.io/wollomatic/socket-proxy:1" ...
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19"
DEBU[0000] Found image "ghcr.io/wollomatic/socket-proxy:1" as "ghcr.io/wollomatic/socket-proxy:1" in local containers storage
DEBU[0000] Found image "ghcr.io/wollomatic/socket-proxy:1" as "ghcr.io/wollomatic/socket-proxy:1" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19)
DEBU[0000] exporting opaque data as blob "sha256:2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19"
DEBU[0000] Looking up image "ghcr.io/wollomatic/socket-proxy:1" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] }
DEBU[0000] Trying "ghcr.io/wollomatic/socket-proxy:1" ...
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19"
DEBU[0000] Found image "ghcr.io/wollomatic/socket-proxy:1" as "ghcr.io/wollomatic/socket-proxy:1" in local containers storage
DEBU[0000] Found image "ghcr.io/wollomatic/socket-proxy:1" as "ghcr.io/wollomatic/socket-proxy:1" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19)
DEBU[0000] exporting opaque data as blob "sha256:2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19"
DEBU[0000] Inspecting image 2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19
DEBU[0000] exporting opaque data as blob "sha256:2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19"
DEBU[0000] Inspecting image 2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19
DEBU[0000] Inspecting image 2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19
DEBU[0000] Inspecting image 2a34e341aaf819c29b259d325b5ff52118af752e792303bb67cd9850e2ce0c19
DEBU[0000] Image has volume at "/var/run/docker.sock"
DEBU[0000] Adding anonymous image volume at "/var/run/docker.sock"
Error: "/tmp": duplicate mount destination
DEBU[0000] Shutting down engines

podman pod inspect socket-proxy-pod

[
     {                                                                                                                                                                                                    
          "Id": "c2524e9e1362813e58e2e75229dcb77e5e7c7b60a7a6f5e070e8d0ef10b61498",
          "Name": "socket-proxy-pod",
          "Created": "2026-04-08T14:01:36.686434308+02:00",
          "CreateCommand": [
               "/usr/bin/podman",
               "--debug",
               "pod",
               "create",
               "--infra-conmon-pidfile=%t/%N.pid",
               "--replace",
               "--exit-policy",
               "stop",
               "--userns",
               "auto",
               "--network",
               "systemd-socket-proxy-internal",
               "-v",
               "/run/podman/podman.sock:/var/run/docker.sock:rw,Z,U",
               "--infra-name",
               "socket-proxy-pod-infra",
               "--name",
               "socket-proxy-pod",
               "--memory=128m"
          ],
          "ExitPolicy": "stop",
          "State": "Created",
          "Hostname": "",
          "CreateCgroup": true,
          "CgroupParent": "machine.slice",
          "CgroupPath": "machine.slice/machine-libpod_pod_c2524e9e1362813e58e2e75229dcb77e5e7c7b60a7a6f5e070e8d0ef10b61498.slice",
          "CreateInfra": true,
          "InfraContainerID": "a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a",
          "InfraConfig": {
               "PortBindings": {},
               "HostNetwork": false,
               "StaticIP": "",
               "StaticMAC": "",
               "NoManageResolvConf": false,
               "DNSServer": null,
               "DNSSearch": null,
               "DNSOption": null,
               "NoManageHostname": false,
               "NoManageHosts": false,
               "HostAdd": null,
               "HostsFile": "",
               "Networks": [
                    "systemd-socket-proxy-internal"
               ],
               "NetworkOptions": null,
               "pid_ns": "private",
               "userns": "host",
               "uts_ns": "private"
          },
          "SharedNamespaces": [
               "ipc",
               "net",
               "user",
               "uts"
          ],
          "NumContainers": 1,
          "Containers": [
               {
                    "Id": "a870e499db619c0aaf26e53d7209977381918d32f8f195d8ee94d047b95f580a",
                    "Name": "socket-proxy-pod-infra",
                    "State": "created"
               }
          ],
          "mounts": [
               {
                    "Type": "bind",
                    "Source": "/run/podman/podman.sock",
                    "Destination": "/var/run/docker.sock",
                    "Driver": "",
                    "Mode": "Z",
                    "Options": [
                         "U",
                         "nosuid",
                         "nodev",
                         "rbind"
                    ],
                    "RW": true,
                    "Propagation": "rprivate"
               }
          ],
          "memory_limit": 134217728,
          "memory_swap": 268435456,
          "LockNumber": 0
     }
]

Inspecting the pod and infra container
podman inspect socket-proxy-pod-infra --format '{{json .Mounts}}'

[{"Type":"bind","Source":"/run/podman/podman.sock","Destination":"/var/run/docker.sock","Driver":"","Mode":"Z","Options":["U","nosuid","nodev","rbind"],"RW":true,"Propagation":"rprivate"}]

Inspecting the container image
podman image inspect ghcr.io/wollomatic/socket-proxy:1 --format '{{json .Config.Volumes}}'
{"/var/run/docker.sock":{}}

Thank you,

[Grimblee]

So I tried to setup the pod without UserNS=Auto and remove a few hardening options on the container (no new privilages, drop all capabilities, read only) and I still have the same issue.

It's worth to mention that I have a similar setup on another machine, in rootless that one, and this message doesn't appear.

[Grimblee]

Hello again !

I tried with another socket-proxy container, still the same thing so its not tied to the container:

/usr/bin/podman run --name traefik-socket-proxy --replace --rm --cgroups=split --pids-limit 100 --tz local --network systemd-socket-proxy-internal --sdnotify=conmon -d --security-opt=no-new-privileges --cap-drop all --read-only --label io.containers.autoupdate=registry --env CONTAINERS=1 --label io.containers.autoupdate=image --pod socket-proxy-pod docker.io/tecnativa/docker-socket-proxy:latest
Trying to pull docker.io/tecnativa/docker-socket-proxy:latest...
Getting image source signatures
Copying blob 4f4fb700ef54 done   |
Copying blob 536eff87c11a done   |
Copying blob 123b92336b82 done   |
Copying blob e7cee334a64b done   |
Copying blob 9824c27679d3 skipped: already exists
Copying blob 0b2aa9ab96ae done   |
Copying blob 737997a74239 done   |
Copying blob a6a05d67fdc8 done   |
Copying blob 1de46bc47c88 done   |
Copying config 16bbd12097 done   |
Writing manifest to image destination
Error: "/run": duplicate mount destination

/usr/bin/podman run --name traefik-socket-proxy --replace --rm --cgroups=split --pids-limit 100 --tz local --network systemd-socket-proxy-internal --sdnotify=conmon -d --security-opt=no-new-privileges --cap-drop all --read-only --label io.containers.autoupdate=registry --env CONTAINERS=1 --label io.containers.autoupdate=image --pod socket-proxy-pod docker.io/tecnativa/docker-socket-proxy:latest
Error: "/tmp": duplicate mount destination

[Grimblee]

woops it was me, I had added stuff in /etc/containerd/containers.conf

closing.