$ dnf install -y podman fuse-overlayfs

$ setcap cap_setuid+ep /usr/bin/newuidmap
$ setcap cap_setgid+ep /usr/bin/newgidmap
$ usermod --add-subuids 100000-165535 --add-subgids 100000-165535 pkiuser
$ loginctl enable-linger pkiuser

$ mkdir -p $HOME/.config/containers
$ cat > $HOME/.config/containers/storage.conf << EOF
[storage]
driver = "overlay"

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
EOF

$ podman system info
host:
  security:
    rootless: true
store:
  configFile: /home/pkiuser/.config/containers/storage.conf
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs

$ podman pull quay.io/dogtagpki/pki-ca

$ mkdir -p $HOME/.dogtag/pki-ca/certs
$ mkdir -p $HOME/.dogtag/pki-ca/conf
$ mkdir -p $HOME/.dogtag/pki-ca/logs

$ mkdir -p $HOME/.config/containers/systemd
$ cat > $HOME/.config/containers/systemd/pki-ca.container << EOF
[Unit]
Description=PKI CA

[Container]
Image=pki-ca
Network=host

# run CA container as PKI user
User=pkiuser
Group=pkiuser
UserNS=keep-id

# use shared folders in PKI home directory
Volume=$HOME/.dogtag/pki-ca/certs:/certs
Volume=$HOME/.dogtag/pki-ca/conf:/conf
Volume=$HOME/.dogtag/pki-ca/logs:/logs

# configure DS connection
Environment=PKI_DS_URL=ldap://ds.example.com:3389
Environment=PKI_DS_PASSWORD=Secret.123

[Install]
WantedBy=multi-user.target
EOF

$ systemctl --user daemon-reload

$ systemctl --user start pki-ca.service

$ podman ps
CONTAINER ID  IMAGE                           ... NAMES
1297a77a4a65  quay.io/dogtagpki/pki-ca:latest ... systemd-pki-ca