Write containers.conf tmp_dir and force env var inline on podman call

Podman's events engine reads tmp_dir from containers.conf, not from
XDG_RUNTIME_DIR directly. Write both storage.conf and containers.conf
to /tmp/podman-<uid> so no path under /run/user/<uid> is ever used.
Also use `env XDG_RUNTIME_DIR=...` prefix on podman invocation to
override any stale value in the calling shell environment.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH

infra/start.sh

@@ -68,20 +68,29 @@ _HIY_RUNTIME="/tmp/podman-$(id -u)"
 mkdir -p "$_HIY_RUNTIME"
 export XDG_RUNTIME_DIR="$_HIY_RUNTIME"
 
-# Also write storage.conf so Podman doesn't read a stale RunRoot from the
+# Write storage.conf and containers.conf so Podman doesn't read stale
-# user's existing ~/.config/containers/storage.conf.
+# RunRoot / tmp_dir values from existing user config files.
 mkdir -p "$HOME/.config/containers"
 cat > "$HOME/.config/containers/storage.conf" <<STOCONF
 [storage]
+  driver = "overlay"
   runroot = "$_HIY_RUNTIME/storage"
+  graphroot = "$HOME/.local/share/containers/storage"
 STOCONF
+cat > "$HOME/.config/containers/containers.conf" <<CCONF
+[engine]
+  tmp_dir = "$_HIY_RUNTIME"
+CCONF
 
 PODMAN_SOCK="${_HIY_RUNTIME}/podman.sock"
 export PODMAN_SOCK
 export DOCKER_HOST="unix://${PODMAN_SOCK}"
 if [ ! -S "$PODMAN_SOCK" ]; then
     echo "[hiy] Starting Podman socket via podman system service…"
-    podman system service --time=0 "unix://${PODMAN_SOCK}" &
+    # Use env to guarantee XDG_RUNTIME_DIR is correct even if the calling
+    # shell environment has it set to a non-writable path.
+    env XDG_RUNTIME_DIR="$_HIY_RUNTIME" \
+        podman system service --time=0 "unix://${PODMAN_SOCK}" &
     # Wait up to 5 s for the socket to appear
     for i in 1 2 3 4 5; do
         [ -S "$PODMAN_SOCK" ] && break