What could cause the user mapping to change on a rootless container started with userns=auto?

[silentcreek]

I'm running a few rootless containers with podman using the userns=auto option. The containers are all set up in quadlets and launch automatically at boot. This morning, I ran into the issue that one specific container failed to launch properly after I rebooted the host (a Debian 13 system) because of permission errors with its data volume. It turned out that the user in the container could not access the data anymore because the uid mapping seems to have changed. I restarted the container in question again with the volume mount option :U and that resolved the issue (the files are now owned by a different uid/gid on the host/outside the container). But I don't understand how this could happen in the first place. I assumed that uid mappings for a specific container are stable. And for the past year or two that I've been running my containers this way, this was true - also for this particular container (which I use for more than a year now).

So, what can go wrong to cause a change in the uid mapping of a container with userns=auto?

Btw. since I also use podman-auto-update, I did check whether the image was updated recently. But that is not the case. The image is about 2 months old (it's docker.io/freshrss/freshrss:latest). So, something else must have gone wrong.

In addition: Is there a place where podman stores uid or namespace mappings? Then I could take a look to see if that file/these files have changed.

Thanks!

[Lombra]

Exactly why it should happen I don't know, but my understanding is that this is the intended behaviour of the auto option, and the main reason the U volume option exists. If you expect stable mappings you should be explicit about it.

[silentcreek]

Oh, so, the uid mappings with userns=auto are not supposed to be stable at all? Then I must have been really lucky that it worked for so long without an issue. I assumed the :U option was meant for cases where you e.g. migrate volumes and need to fix permissions once.

[Lombra]

I can't find any definitive information regarding its behaviour, but as far as I understand it simply does something like picking the first available namespace at container startup time. So, if your containers always start in the same order, they might get the same IDs every time.