Comment # 5 on bug 1222450 from Aleksa Sarai

So, the issue is that systemd is not enabling all of the controllers at the
root (subtree_control is missing a bunch of controllers on your system),
resulting in the container not being able to start because the controllers are
not available. This is a little surprising because crun/runc creates a systemd
transient unit that has all of the restrictions listed.

I can reproduce this somewhat on my machine -- depending on the running
services, the set of subtree_control-enabled controllers varies. If I start
Docker and run a container, all of the controllers are enabled and using podman
works. But if you stop the Docker service, the cpu controller is disabled and
so --cpu-shares no longer works.

This seems like a systemd issue to me. Why is a TransientUnit with all of the
relevant restrictions applied not sufficient to get systemd to enable the
needed controllers?