I’ve thought that pam_cgfs.so is mandatory to run unprivileged container in order that non-root user could handle cgroup.
According to “https://blog.linuxplumbersconf.org/2016/ocw/system/presentations/3951/original/unprivlxc.pdf”,
PAM seems to be not as crucial.
Delegated cgroup pam - not as crucial echo "session optional pam_cgfs.so -c freezer,memory,name=systemd" >> /etc/pam.d/common-services
Is it possible to run unprivileged container without PAM or pam_cgfs.so ?