Rootless podman needs write permissions on rootfs with overlay

[chetan-reddy]

Even with the :O flag, the permissions in the lower rootfs directory seem to matter in rootless mode.

## create the rootfs at ./guix_root
$ guix shell -F -C -r guix_root bash -- bash -c ""
$ podman run -it --rm --network=none -v /gnu/store:/gnu/store:ro --rootfs ./guix_root:O /bin/bash -c "echo hello"
Error: creating /etc/mtab symlink: permission denied
## make a writeable copy of the rootfs
$ mkdir guix_root_writable
$ cp -r guix_root/* guix_root_writable/
$ podman run -it --rm --network=none -v /gnu/store:/gnu/store:ro --rootfs ./guix_root_writable:O /bin/bash -c "echo hello"
hello

I was curious if I was missing an option that might allow using the guix profile/rootfs directly in rootless podman. I tried playing with the idmap flag, but no luck. I think this is related to #10917 (comment)

I've fully switched to rootful containers now, but I thought I'd document this oddity of rootless containers in case it saves someone else time in the future.

[Luap99]

Overlay still keeps the same permissions as in the source so if /etc is nor writeable to you users than we cannot create the symlink.