From b64195c58ad087355ca32cd607307f9013b2112e Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 22 Mar 2026 10:25:25 +0000
Subject: [PATCH] Always run podman system migrate, not only when subuid/subgid entries are added

If entries already existed before this script first ran, _HIY_SUBID_CHANGED stayed 0 and migrate was skipped, leaving Podman storage out of sync with the namespace mappings and causing lchown errors on layer extraction.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
---
 infra/start.sh | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/infra/start.sh b/infra/start.sh
index 679c9d5..d5275d8 100755
--- a/infra/start.sh
+++ b/infra/start.sh
@@ -66,17 +66,14 @@ echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 # with "invalid argument" / "insufficient UIDs or GIDs in user namespace".
 # Standard range: 65536 subordinate IDs starting at 100000.
 _HIY_USER="$(id -un)"
-_HIY_SUBID_CHANGED=0
 if ! grep -q "^${_HIY_USER}:" /etc/subuid 2>/dev/null; then
 echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subuid > /dev/null
- _HIY_SUBID_CHANGED=1
 fi
 if ! grep -q "^${_HIY_USER}:" /etc/subgid 2>/dev/null; then
 echo "${_HIY_USER}:100000:65536" | sudo tee -a /etc/subgid > /dev/null
- _HIY_SUBID_CHANGED=1
 fi
-# Migrate existing Podman storage to the new mappings when entries were added.
-[ "$_HIY_SUBID_CHANGED" = "1" ] && podman system migrate
+# Always migrate so Podman storage reflects the current subuid/subgid mappings.
+podman system migrate
 
 # ── Allow rootless processes to bind ports 80/443 ─────────────────────────────
 # Rootless Podman cannot bind privileged ports (<1024) by default.
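Review bot: The now-unconditional `podman system migrate` stops every running container of this user and kills the rootless pause process on each run of start.sh, so re-running the script on a live host interrupts workloads that need no migration. Its exit status is also unchecked; whether the script runs under `set -e` is not visible in this hunk, so I would make it explicit with `podman system migrate || { echo "[hiy] podman system migrate failed" >&2; exit 1; }` and add a comment such as `# NOTE: stops all running rootless containers for this user`. Since the script now depends on entries it did not write, the `grep -q "^${_HIY_USER}:"` checks in the context lines deserve a second look: they accept any existing range, including one smaller than 65536 IDs or one that overlaps another account's range. The appended `100000:65536` range is likewise never checked against other users' entries, and overlapping subordinate ID ranges weaken isolation between rootless users.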