I don’t have this defined, do I need it?
/etc/default/lxc:
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
per this post https://discuss.linuxcontainers.org/t/solved-arch-linux-containers-only-run-when-security-privileged-true/4006/5?u=blurry