Unconditionally redirect Podman runtime to /tmp; override storage.conf

Stop relying on conditional checks. Always point XDG_RUNTIME_DIR and
storage.conf runroot to /tmp/podman-<uid> so Podman never touches
/run/user/<uid>, which requires PAM/logind to create.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH

infra/start.sh

@@ -60,17 +60,23 @@ EOF
 echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 
 # ── Ensure Podman socket is active ────────────────────────────────────────────
-# systemctl --user requires a D-Bus session (not available in non-interactive
+# /run/user/<uid> is created by PAM/logind; it doesn't exist in non-login
-# shells). Use podman system service directly instead.
+# shells. Unconditionally redirect all Podman runtime state to /tmp so we
-# /run/user/<uid> is created by PAM/logind and doesn't exist in non-login
+# never depend on logind, regardless of what XDG_RUNTIME_DIR was set to
-# shells. Podman uses XDG_RUNTIME_DIR for RunRoot, events dirs, and the
+# by the calling environment.
-# default socket path, so we must set it to something writable before any
+_HIY_RUNTIME="/tmp/podman-$(id -u)"
-# podman invocation.
+mkdir -p "$_HIY_RUNTIME"
-if [ ! -d "${XDG_RUNTIME_DIR:-}" ] || [ ! -w "${XDG_RUNTIME_DIR:-}" ]; then
+export XDG_RUNTIME_DIR="$_HIY_RUNTIME"
-    export XDG_RUNTIME_DIR="/tmp/podman-$(id -u)"
+
-    mkdir -p "$XDG_RUNTIME_DIR"
+# Also write storage.conf so Podman doesn't read a stale RunRoot from the
-fi
+# user's existing ~/.config/containers/storage.conf.
-PODMAN_SOCK="${XDG_RUNTIME_DIR}/podman.sock"
+mkdir -p "$HOME/.config/containers"
+cat > "$HOME/.config/containers/storage.conf" <<STOCONF
+[storage]
+  runroot = "$_HIY_RUNTIME/storage"
+STOCONF
+
+PODMAN_SOCK="${_HIY_RUNTIME}/podman.sock"
 export PODMAN_SOCK
 export DOCKER_HOST="unix://${PODMAN_SOCK}"
 if [ ! -S "$PODMAN_SOCK" ]; then