fix(storage): drop rootful runroot/graphroot so non-root users default-rootless

Kabuki94 · claude · Kabuki94 · commit 830604bef4b5 · 2026-05-06T18:54:21.000-04:00
Visible in the operator's 18:47 paste at every `wsl -d
podman-MiOS-DEV` entry:

    WARN[0000] RunRoot is pointing to a path (/run/containers/storage)
               which is not writable. Most likely podman will fail.:
               permission denied
    Error: cannot evaluate symlinks on DB run root path
               "/run/containers/storage": lstat /run/containers/storage:
               permission denied

Cause: /etc/containers/storage.conf set:

    [storage]
    runroot = "/run/containers/storage"
    graphroot = "/var/lib/containers/storage"

containers/storage's resolution chain reads /etc/containers/
storage.conf for ALL users, so non-root podman invocations
inherited the rootful paths -- which they cannot read or write
because the dirs are root-owned mode 0700. The WARN fires twice
per `wsl -d` entry (once before the systemd-nspawn entry banner,
once after) because machine-os's bundled startup probes podman
state for display.

Fix: omit `runroot` and `graphroot` from /etc/containers/
storage.conf. containers/storage falls through to per-UID
defaults:

    root        -&gt; /run/containers/storage + /var/lib/containers/storage
                   (the exact paths this file used to set explicitly)
    non-root    -&gt; $XDG_RUNTIME_DIR/containers
                   + $HOME/.local/share/containers/storage
                   (rootless paths, writable by the user)

The other settings in this file (driver=overlay, empty
mount_program, mountopt=nodev,metacopy=on,userxattr) stay; those
are runtime-correct for both user types and are why we have a
custom /etc/containers/storage.conf in the first place (the
ucore-hci base image's mount_program=/usr/bin/fuse-overlayfs
default fails inside WSL2 where /dev/fuse is missing).

Operators who want to override paths still can via their per-user
~/.config/containers/storage.conf -- /etc wins for fields that
ARE set in /etc, but absent fields fall through.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/etc/containers/storage.conf b/etc/containers/storage.conf
@@ -30,8 +30,32 @@
 
 [storage]
 driver = "overlay"
-runroot = "/run/containers/storage"
-graphroot = "/var/lib/containers/storage"
+# runroot / graphroot intentionally OMITTED.
+#
+# Why: containers/storage's resolution chain reads /etc/containers/
+# storage.conf for ALL users (root and non-root). When this file
+# explicitly sets runroot=/run/containers/storage and
+# graphroot=/var/lib/containers/storage, NON-ROOT podman invocations
+# inherit those paths and fail at startup:
+#
+#     WARN[0000] RunRoot is pointing to a path (/run/containers/storage)
+#                which is not writable. Most likely podman will fail.:
+#                permission denied
+#     Error: cannot evaluate symlinks on DB run root path
+#                "/run/containers/storage": lstat /run/containers/storage:
+#                permission denied
+#
+# (visible at every `wsl -d podman-MiOS-DEV` entry on 2026-05-06 paste
+# until this fix). The default `user` (UID 1000) and the mios user can
+# only write rootless paths. Letting podman default per-UID gives:
+#   * root          : /run/containers/storage + /var/lib/containers/storage
+#                     (the same paths this file used to set explicitly)
+#   * non-root user : $XDG_RUNTIME_DIR/containers + ~/.local/share/containers/storage
+#                     (rootless, writable by the user)
+#
+# Operators who want to override either path do so in their per-user
+# ~/.config/containers/storage.conf -- /etc wins for fields that ARE
+# set here, but absent fields fall through to per-UID defaults.
 
 [storage.options]
 additionalimagestores = []
