From c4f0d7be8ea418f9d4421300b712f4e7ad8a3a6b Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Sun, 29 Mar 2026 16:46:01 -0700
Subject: [PATCH] Fix mcp logs permission error for rootless podman journald driver

Rootless podman writes container logs to the user journal, but journalctl without --user only reads the system journal. Add --user when the agent is running as a non-root user.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 internal/runtime/podman.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/internal/runtime/podman.go b/internal/runtime/podman.go
index 7d0e822..8a759b4 100644
--- a/internal/runtime/podman.go
+++ b/internal/runtime/podman.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "os"
 "os/exec"
 "strings"
 "time"
@@ -207,8 +208,14 @@ func (p *Podman) Logs(ctx context.Context, containerName string, tail int, follo
 }
 
 // journalLogs returns a journalctl command filtered by container name.
+// For rootless podman, container logs go to the user journal, so we
+// need --user to read them.
 func (p *Podman) journalLogs(ctx context.Context, containerName string, tail int, follow bool, since string) *exec.Cmd {
- args := []string{"--no-pager", "--output", "cat", "CONTAINER_NAME=" + containerName}
+ args := []string{"--no-pager", "--output", "cat"}
+ if os.Getuid() != 0 {
+ args = append(args, "--user")
+ }
+ args = append(args, "CONTAINER_NAME="+containerName)
 if tail > 0 {
 args = append(args, "--lines", fmt.Sprintf("%d", tail))
 }
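Review bot: In journalLogs, `os.Getuid() != 0` stands in for "podman is rootless", but the hunk only shows the agent's own uid being checked, not how podman itself is run. If a non-root agent ever drives rootful podman (via sudo or a remote socket, neither visible here), `--user` would likely make journalctl return nothing rather than the earlier permission error, which is indistinguishable from a container that has no logs. I would state the assumption in the doc comment, e.g. `// Assumes podman runs under the same uid as this process; rootful podman driven by a non-root agent logs to the system journal.` Separately, `CONTAINER_NAME` is a client-supplied journal field (no `_` prefix), so other processes able to write to the same journal can emit matching entries, and callers should treat the returned lines as untrusted input. The body of journalLogs continues past the end of the hunk.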