by dusanh 807 days ago
Replying to my own comment for posterity. I was able to figure it out!

In the LXC, I created a new non-root user and then set its uid and gid to a LOWER number than what every tutorial about rootless Podman recommends (devel being my non-root user here):

  # cat /etc/subuid /etc/subgid
  devel:10000:5000
  devel:10000:5000
Then I also had to edit configuration for the LXC itself on the Proxmox host to allow tun and have it created on container boot:

  # cat /etc/pve/lxc/{lxc_vmid}.conf
  ...truncated...
  lxc.cgroup2.devices.allow: c 10:200 rwm
  lxc.mount.entry: /dev/net dev/net none bind,create=dir
Note: I have no idea why a lower number of ids works...
1 comments

Ah... apologies for my misguidance below. It made me realize that I wrote these blog posts with a VM on another hypervisor, not on my Proxmox/LXC (just the Docker guide that I haven't yet transitioned to rootless-in-unprivileged-LXC).

See the explanation here [1]: Unprivileged LXCs on Proxmox seem to be restricted to the uid range below 65536 UIDs/GIDs (to be used _inside_ the LXC -> mapped to 100000:165536 outside the LXC/on the host).

In order to use subuids/gids > 65536 inside the LXC, add a mapping to the LXC config:

    root:100000:65536
to /etc/subgid and /etc/subuid.

Now you'll have 100000 to 165536 available inside the LXC, where you can add:

    devel:100000:65536
to the /etc/subgid and /etc/subuid inside the LXC, for nested rootless podman/docker.

As a consequence, you're mapping the devel user to the same range as the LXC root user. In other words, processes inside the LXC and inside the rootless podman could run in the same namespace on the Proxmox host. If you don't want that, you'll need to provide additional ranges to the LXC (e.g. root:100000:165536, and then map `devel` to, e.g., 200000 to 265536 (devel:200000:265536)).

* I did not actually test all stated above.

[1] https://forum.proxmox.com/threads/how-to-use-uids-gids-highe...
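Both comments above come down to the same two questions about /etc/subuid and /etc/subgid inside an unprivileged LXC: does the user's range fit inside the ids the container is actually mapped for, and does it overlap the range of another user (the "same namespace on the host" consequence the second comment describes). The checker below is an added example, not code from either commenter or from Proxmox; it assumes a simplified `user:start:count` parser (comments and blank lines tolerated), that an unprivileged LXC can use ids 0..65535 by default (the thread's claim, adjustable via `container_ids`), and that the host maps container id N to `root_map.start + N` for the LXC's own `root:100000:65536` entry (`host_view`). The sample inputs are the ranges quoted in the thread, constructed inline.

```python
from typing import NamedTuple, Optional


class IdRange(NamedTuple):
    """One subuid/subgid entry: ids [start, start + count)."""
    user: str
    start: int
    count: int

    @property
    def end(self) -> int:
        # Exclusive upper bound of the range.
        return self.start + self.count


def parse_subid(text: str) -> list[IdRange]:
    """Parse /etc/subuid or /etc/subgid content (simplified: '#' comments allowed)."""
    ranges: list[IdRange] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected user:start:count, got {raw!r}")
        user, start_s, count_s = fields
        try:
            start, count = int(start_s), int(count_s)
        except ValueError:
            raise ValueError(f"line {lineno}: start and count must be integers") from None
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range {start}:{count}")
        ranges.append(IdRange(user, start, count))
    return ranges


def overlapping_pairs(ranges: list[IdRange]) -> list[tuple[IdRange, IdRange]]:
    """Every pair of entries whose id ranges intersect (shared ids on the host)."""
    pairs = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.start < b.end and b.start < a.end:
                pairs.append((a, b))
    return pairs


def host_view(r: IdRange, host_map: IdRange) -> Optional[IdRange]:
    """Translate a container-side range into host ids via the LXC's own mapping.

    host_map is the entry the host grants the container (e.g. root:100000:65536).
    Returns None when part of the range has no host id at all, which is the
    situation the first comment hit with the tutorial-recommended 100000:65536.
    """
    if r.end > host_map.count:
        return None
    return IdRange(r.user, host_map.start + r.start, r.count)


def audit(subid_text: str, container_ids: int = 65536) -> dict:
    """Flag entries that exceed the container's id space and entries that overlap."""
    ranges = parse_subid(subid_text)
    unmapped = [r for r in ranges if r.end > container_ids]
    return {"ranges": ranges, "unmapped": unmapped, "overlaps": overlapping_pairs(ranges)}


if __name__ == "__main__":
    # Constructed sample: the LXC's own mapping on the Proxmox host.
    lxc_root = IdRange("root", 100000, 65536)
    # The first comment's working entry, and the one most tutorials recommend.
    for text in ("devel:10000:5000\n", "devel:100000:65536\n"):
        report = audit(text)
        for r in report["ranges"]:
            print(f"{r.user}:{r.start}:{r.count} -> host {host_view(r, lxc_root)}",
                  "(exceeds container id space)" if r in report["unmapped"] else "")
    # The second comment's nested mapping: root and devel share the same ids.
    nested = audit("root:100000:65536\ndevel:100000:65536\n", container_ids=165536)
    for a, b in nested["overlaps"]:
        print(f"overlap: {a.user} and {b.user} share ids {max(a.start, b.start)}..{min(a.end, b.end) - 1}")
```

Run it as-is to see why `devel:10000:5000` maps cleanly to host ids 110000..114999 while `devel:100000:65536` has no host ids at all under a 65536-wide container mapping, and why `root` and `devel` sharing `100000:65536` inside the LXC puts rootless Podman's processes on the very same host ids as the container's root; giving `devel` a disjoint range only helps if the LXC itself is granted those extra ids, exactly as the second comment notes.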