Always run podman system migrate, not only when subuid/subgid entries are added

If entries already existed before this script first ran, _HIY_SUBID_CHANGED stayed 0 and migrate was skipped, leaving Podman storage out of sync with the namespace mappings and causing lchown errors on layer extraction. https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
2026-03-22 10:25:25 +00:00 · 2026-03-22 10:25:25 +00:00 · b64195c58a
commit b64195c58a
parent 4f5c2e8432
1 changed files with 2 additions and 5 deletions
--- a/infra/start.sh
+++ b/infra/start.sh
@ -66,17 +66,14 @@ echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 # with "invalid argument" / "insufficient UIDs or GIDs in user namespace".
 # Standard range: 65536 subordinate IDs starting at 100000.
 _HIY_USER="$(id -un)"
-_HIY_SUBID_CHANGED=0
 if ! grep -q "^${_HIY_USER}:" /etc/subuid 2>/dev/null; then
    echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subuid > /dev/null
-    _HIY_SUBID_CHANGED=1
 fi
 if ! grep -q "^${_HIY_USER}:" /etc/subgid 2>/dev/null; then
    echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subgid > /dev/null
-    _HIY_SUBID_CHANGED=1
 fi
-# Migrate existing Podman storage to the new mappings when entries were added.
-[ "$_HIY_SUBID_CHANGED" = "1" ] && podman system migrate
+# Always migrate so Podman storage reflects the current subuid/subgid mappings.
+podman system migrate

 # ── Allow rootless processes to bind ports 80/443 ─────────────────────────────
 # Rootless Podman cannot bind privileged ports (<1024) by default.