From 4f5c2e84320711b0c2e7006b3bed713eba4cf43a Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 22 Mar 2026 10:19:21 +0000
Subject: [PATCH] Add subuid/subgid entries for rootless Podman user namespace mapping

Without entries in /etc/subuid and /etc/subgid, Podman cannot map the UIDs/GIDs present in image layers (e.g. gid 42 for /etc/shadow) into the user namespace, causing 'lchown: invalid argument' on layer extraction. Add a 65536-ID range starting at 100000 for the current user if missing, then run podman system migrate so existing storage is updated.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
---
 infra/start.sh | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/infra/start.sh b/infra/start.sh
index eab899f..679c9d5 100755
--- a/infra/start.sh
+++ b/infra/start.sh
@@ -59,6 +59,25 @@
 EOF
 echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 
+# ── Ensure subuid/subgid entries exist for rootless Podman ────────────────────
+# Rootless Podman maps UIDs/GIDs inside containers using subordinate ID ranges
+# from /etc/subuid and /etc/subgid. Without a sufficient range, pulling or
+# building images whose layers contain files owned by non-root UIDs/GIDs fails
+# with "invalid argument" / "insufficient UIDs or GIDs in user namespace".
+# Standard range: 65536 subordinate IDs starting at 100000.
+_HIY_USER="$(id -un)"
+_HIY_SUBID_CHANGED=0
+if ! grep -q "^${_HIY_USER}:" /etc/subuid 2>/dev/null; then
+  echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subuid > /dev/null
+  _HIY_SUBID_CHANGED=1
+fi
+if ! grep -q "^${_HIY_USER}:" /etc/subgid 2>/dev/null; then
+  echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subgid > /dev/null
+  _HIY_SUBID_CHANGED=1
+fi
+# Migrate existing Podman storage to the new mappings when entries were added.
+[ "$_HIY_SUBID_CHANGED" = "1" ] && podman system migrate
+
 # ── Allow rootless processes to bind ports 80/443 ─────────────────────────────
 # Rootless Podman cannot bind privileged ports (<1024) by default.
 # Lower the threshold to 80 for this boot, and persist it across reboots.
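Review bot: The range `100000:65536` is hard-coded, so on a host where another account already owns 100000–165535 (the usual first `useradd` allocation driven by SUB_UID_MIN in /etc/login.defs) the `sudo tee -a /etc/subuid` and `/etc/subgid` lines append an overlapping range, and two unprivileged users then map to the same real UIDs/GIDs on disk — each can read and modify the other's container storage, which defeats the isolation subordinate IDs exist to provide. Compute the start as the first ID above every range already present in the file, falling back to 100000 when the file is empty or missing, and only then append; the `grep -q "^${_HIY_USER}:"` presence check can stay since the name comes from `id -un`. `usermod --add-subuids`/`--add-subgids` would be the shadow-utils way to do the same if it is available on the target hosts, which is not visible here. This is top-level script code, so whether `set -e` governs the `&& podman system migrate` line depends on the part of start.sh outside the hunk.
```shell
# … unchanged: explanatory header comment …
_HIY_USER="$(id -un)"
_HIY_SUBID_CHANGED=0
# First ID above every range already allocated in the given file (100000 if the
# file is empty or missing), so this user's range never overlaps another
# account's: overlapping ranges give two unprivileged users the same real
# UIDs/GIDs on disk and defeat user-namespace isolation.
_hiy_next_subid() {
  [ -r "$1" ] || { echo 100000; return; }
  awk -F: -v min=100000 '$2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { e = $2 + $3; if (e > min) min = e } END { print min }' "$1"
}
if ! grep -q "^${_HIY_USER}:" /etc/subuid 2>/dev/null; then
  printf '%s:%s:65536\n' "$_HIY_USER" "$(_hiy_next_subid /etc/subuid)" | sudo tee -a /etc/subuid > /dev/null
  _HIY_SUBID_CHANGED=1
fi
if ! grep -q "^${_HIY_USER}:" /etc/subgid 2>/dev/null; then
  printf '%s:%s:65536\n' "$_HIY_USER" "$(_hiy_next_subid /etc/subgid)" | sudo tee -a /etc/subgid > /dev/null
  _HIY_SUBID_CHANGED=1
fi
# … unchanged: podman system migrate when entries were added …
```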