Hi guys.

I've only migrated, in-place, CentOS 9 to 10, yep, non-standard & not supported technique but, in case it's not stemming from this "migration" and is a separate issue;
I cannot create/run a container, I try like this:

rootful container, first start/creation
-> $ { export _DOM=mine.priv _H=ipa-dzien _IP=10.2.1.202; _NAME="freeipa.${_DOM}".c9s; export _PATH=/devs/ROOTFUL.containers/${_NAME}; echo; mkdir -p ${_PATH}/{,root,data}; }; podman run -ti --tz=local --cap-add=CAP_SYS_TIME --add-host=${_H}.${_DOM}:${_IP} --network=off-host-1021 --ip=${_IP} --volume=${_PATH}/root:/root:z --volume=${_PATH}/data:/data:z --volume=${_PATH}/etc_resolv.conf:/etc/resolv.conf:z --volume=${_PATH}/etc_hosts:/etc/hosts:z --hostname ${_H}.${_DOM} --name ${_NAME} localhost/freeipa-server-c9s

Error: OCI runtime error: crun: systemd failed to install eBPF device filter on cgroup `/sys/fs/cgroup/machine.slice/libpod-ca3a11932a1106278ee01571b53346a766d53f6df54784590962193706d2e7cb.scope`

This still works in CentOS 9 - I'm hoping that I'm missing something which is new (to me) in CentOS 10 - would you know what this might be?
I see SELinux denials - I have fcontext labels for these custom mount points - making SE permissive allows the container to start.

SELinux back to enforcing:
-> $ podman container restart freeipa.mine.priv.c9s
WARN[0010] StopSignal (37) failed to stop container freeipa.mine.priv.c9s in 10 seconds, resorting to SIGKILL 
Error: container create failed (no logs from conmon): conmon bytes "": readObjectStart: expect { or n, but found , error found in #0 byte of ...||..., bigger context ...||...

but before tampering with SE I thought I'd ask.

many thanks, L.