From d2cba788ab54e27f936c220fd09f61b50b784a8f Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 22 Mar 2026 08:02:10 +0000
Subject: [PATCH] Fix rootless Podman by owning /run/user/<uid> instead of
 redirecting to /tmp

Podman rootless unconditionally resets XDG_RUNTIME_DIR to /run/user/<uid>
if that directory exists, overriding any env var we set. Redirecting to
/tmp is therefore ineffective.

Instead, ensure /run/user/<uid> exists and is owned by the current user
(using sudo if needed), mirroring what PAM/logind does for login sessions.
All Podman runtime state (socket, events, netavark) then works correctly.

Remove the now-unnecessary storage.conf/containers.conf writes and the
inline env override on podman system service.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
---
 infra/start.sh | 41 +++++++++++++++--------------------------
 1 file changed, 15 insertions(+), 26 deletions(-)

diff --git a/infra/start.sh b/infra/start.sh
index 9eb8a34..6d9b0cf 100755
--- a/infra/start.sh
+++ b/infra/start.sh
@@ -60,37 +60,26 @@ EOF
 echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
 
 # ── Ensure Podman socket is active ────────────────────────────────────────────
-# /run/user/<uid> is created by PAM/logind; it doesn't exist in non-login
-# shells. Unconditionally redirect all Podman runtime state to /tmp so we
-# never depend on logind, regardless of what XDG_RUNTIME_DIR was set to
-# by the calling environment.
-_HIY_RUNTIME="/tmp/podman-$(id -u)"
-mkdir -p "$_HIY_RUNTIME"
-export XDG_RUNTIME_DIR="$_HIY_RUNTIME"
+# Podman rootless resets XDG_RUNTIME_DIR to /run/user/<uid> if that directory
+# exists (regardless of what the caller set). So we must ensure that directory
+# exists and is writable by the current user — this is normally done by
+# PAM/logind but doesn't happen in non-login shells.
+_HIY_XDG="/run/user/$(id -u)"
+if [ ! -d "$_HIY_XDG" ]; then
+    sudo mkdir -p "$_HIY_XDG"
+fi
+if [ ! -w "$_HIY_XDG" ]; then
+    sudo chown "$(id -u):$(id -g)" "$_HIY_XDG"
+    sudo chmod 0700 "$_HIY_XDG"
+fi
+export XDG_RUNTIME_DIR="$_HIY_XDG"
 
-# Write storage.conf and containers.conf so Podman doesn't read stale
-# RunRoot / tmp_dir values from existing user config files.
-mkdir -p "$HOME/.config/containers"
-cat > "$HOME/.config/containers/storage.conf" <<STOCONF
-[storage]
-  driver = "overlay"
-  runroot = "$_HIY_RUNTIME/storage"
-  graphroot = "$HOME/.local/share/containers/storage"
-STOCONF
-cat > "$HOME/.config/containers/containers.conf" <<CCONF
-[engine]
-  tmp_dir = "$_HIY_RUNTIME"
-CCONF
-
-PODMAN_SOCK="${_HIY_RUNTIME}/podman.sock"
+PODMAN_SOCK="${_HIY_XDG}/podman.sock"
 export PODMAN_SOCK
 export DOCKER_HOST="unix://${PODMAN_SOCK}"
 if [ ! -S "$PODMAN_SOCK" ]; then
     echo "[hiy] Starting Podman socket via podman system service…"
-    # Use env to guarantee XDG_RUNTIME_DIR is correct even if the calling
-    # shell environment has it set to a non-writable path.
-    env XDG_RUNTIME_DIR="$_HIY_RUNTIME" \
-        podman system service --time=0 "unix://${PODMAN_SOCK}" &
+    podman system service --time=0 "unix://${PODMAN_SOCK}" &
     # Wait up to 5 s for the socket to appear
     for i in 1 2 3 4 5; do
         [ -S "$PODMAN_SOCK" ] && break