I successfully created a sandbox on my system running Arch Linux, though I encountered some hurdles on the way. I want to document them in this issue and let you determine whether it's something that can be fixed by improving documentation or the tool itself.
Missing Z3 library
During sandbox creation, I got the following error:
/home/user/.cache/openlock/bin/v0.6.0/openshell-x86_64-unknown-linux-gnu: error while loading shared libraries: libz3.so.4: cannot open shared object file: No such file or directory
I fixed it by installing z3. On top of that, I needed to manually create the libz3.so.4 symlink, because the Arch package uses only the following for some reason.
usr/lib/libz3.so
usr/lib/libz3.so.4.16
usr/lib/libz3.so.4.16.0.0
Rootless podman
Then I got the following error:
Error: creating build container: unable to copy from source docker://ubuntu@sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b: copying system image from manifest list: writing blob: adding layer with blob "sha256:b40150c1c2717d324cdb17278c8efdfa4dfcd2ffe083e976f0bcedf31115f081"/""/"sha256:538812a4b9bd45adaac2b5e5b967daa6999aa44eb110aa32ae7c69702b906475": unpacking failed (error: exit status 1; output: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /etc/gshadow: invalid argument)
I don't know how it works on other platforms, but on Arch Linux the user is supposed to do some additional setup to make rootless podman work. In particular, I needed to set subuid and subgid and migrate my existing user to use them.
Additionally, openlock uses uid 999999, which is outside of the range recommended by the linked documentation (100000-165535). Fixing that requires removing the old range, which in turn requires stopping the podman service. This detail should be documented so that people don't run into the same issue.
openlock/supervisor did not resolve to an alias
I also hit this error:
Error: × status: Internal, message: "create sandbox failed: podman API error (500): image pull failed: short-name \"openlock/supervisor:latest\" did not resolve to an alias and no unqualified-search registries are
│ defined in \"/etc/containers/registries.conf\"", details: [], metadata: MetadataMap { headers: {"content-type": "application/grpc", "date": "Fri, 29 May 2026 09:46:27 GMT", "x-request-id": "d881c65f-1f0f-
│ 41c9-b105-a527398370f7"} }
This was most likely caused by running podman system reset previously when I was fixing the rootless podman issues. I didn't realize that the openlock/supervisor image is built during the gateway startup.
I was able to fix it by running openlock gateway stop and openlock gateway start.
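A preflight check for the subuid/subgid problem reported above, as an added example that is not part of the original issue or of openlock. It assumes the uid 999999 mentioned in the issue is an ID used inside the container; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Rootless podman maps container ID 0 to the invoking user and container IDs
# 1..N to the N subordinate IDs granted to that user in /etc/subuid (or
# /etc/subgid). A container ID is therefore usable only if it is <= N.

# subid_total USER FILE: print the total number of subordinate IDs granted
# to USER in FILE (entries have the form name:start:count; several entries
# for the same user are added together).
subid_total() {
    awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }' "$2"
}

# id_mappable USER FILE ID: succeed if container ID can be mapped for USER.
id_mappable() {
    [ "$3" -le "$(subid_total "$1" "$2")" ]
}

# check_user USER SUBUID_FILE SUBGID_FILE ID: print one result line per file.
check_user() {
    for f in "$2" "$3"; do
        if id_mappable "$1" "$f" "$4"; then
            echo "ok: $f covers container ID $4 for $1"
        else
            echo "FAIL: $f grants $1 only $(subid_total "$1" "$f") IDs, need $4"
        fi
    done
}

# Constructed sample data (not taken from the issue): one user with a
# 65536-ID range and one with a range large enough for ID 999999.
demo() {
    tmp=$(mktemp -d)
    printf 'alice:100000:65536\n' > "$tmp/small"
    printf 'bob:100000:1000000\n' > "$tmp/large"
    check_user alice "$tmp/small" "$tmp/small" 999999
    check_user bob "$tmp/large" "$tmp/large" 999999
    rm -rf "$tmp"
}

demo
```

On a real system, `check_user "$USER" /etc/subuid /etc/subgid 999999` reports whether the current ranges are wide enough before a sandbox build is attempted.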