cmd/create: keep host supplementary groups with --group-add keep-groups

[Knogle]

Toolbx currently fails to create or start containers on hosts where the user has group-only access to device nodes under /dev, for example when VirtualBox creates /dev/vboxusb/* owned by root:vboxusers with 0750 permissions. In this situation a rootless Toolbx container inherits /dev from the host, the /dev/vboxusb directory is visible, but the container process has no group membership for vboxusers. When the OCI runtime walks /dev it eventually tries to open or create device nodes under /dev/vboxusb and fails with an OCI permission denied error, so toolbox enter aborts with "failed to start container".

This behaviour is described in #1348, which generalizes the problem to any directory under /dev with 0750 permissions where the user only has access via a supplementary group (eg. dialout, vboxusers, docker). It is also the root cause behind reports like #1297 and the older #247, and matches similar issues seen with rootless Podman and VirtualBox in other projects (distrobox, crun, Debian bug reports).

Rootless Podman already has a mechanism to address this class of problems: passing --group-add keep-groups to podman create or podman run tells Podman to keep the caller's supplementary groups instead of dropping them during container setup. The Podman documentation explicitly recommends this flag for cases where device access is granted only via group membership and notes that otherwise accessing such devices from rootless containers will fail with permission errors.

This patch wires that mechanism into Toolbx by adding --group-add keep-groups to the podman create invocation used by the toolbox create command when running as a non-root user and when the Podman version is >= 3.2.0, which is when the flag became available. The call is gated through the existing podman.CheckVersion helper, so older Podman versions are not affected and keep the previous behaviour.

With this change, the OCI runtime sees the same supplementary groups as the host process, so a user who is a member of vboxusers (or dialout, docker, etc.) can access devices that are only group readable from inside a rootless Toolbx container. On systems with VirtualBox installed this fixes errors of the form:

crun: creating /dev/vboxusb/00x/00y: openat2 dev/vboxusb:
Permission denied: OCI permission denied

when entering a freshly created Toolbx container.

This patch intentionally does not change how /dev is mounted into the container and does not implement the more invasive /dev filtering approach discussed in #1348. It is a minimal, backwards compatible improvement that fixes the common VirtualBox and other group-only device cases by leveraging Podman's existing --group-add keep-groups support.

Tests:

• On Fedora 42 with VirtualBox installed and the user in the vboxusers group, verified that toolbox create logs the podman create command including --group-add keep-groups.
• Confirmed that toolbox enter succeeds for a new container where it previously failed with an OCI permission denied on /dev/vboxusb.
• Verified that behaviour is unchanged on a system without VirtualBox and that the flag is not added when running as root.

Fixes: #1348
Related: #1297, #247

[gemini-code-assist]

Summary of Changes

Hello @Knogle, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a crucial enhancement to Toolbx's container creation process, specifically targeting rootless environments. It resolves persistent permission denied errors encountered when containers attempt to access device nodes under /dev that are only accessible via a host user's supplementary groups (like vboxusers or dialout). By conditionally adding the --group-add keep-groups flag to podman create for non-root users with compatible Podman versions (3.2.0+), Toolbx containers will now correctly inherit these essential group memberships, thereby enabling seamless access to devices such as VirtualBox USB devices. This change provides a minimal yet effective fix for a long-standing issue, improving the reliability of rootless Toolbx containers.

Highlights

• Device Access in Rootless Containers: Addresses issues where rootless Toolbx containers fail to access group-only device nodes (e.g., /dev/vboxusb) due to missing supplementary group memberships, resolving problems described in Toolbox can't start if user has any group-only permissions for device nodes in folders #1348, toolbox enter failed with "Error: failed to start container fedora-toolbox-37" #1297, and toolbox: failed to create container: open /dev/vboxusb: permission denied #247.
• Podman Integration: Integrates Podman's --group-add keep-groups flag into toolbox create for non-root users, allowing containers to inherit the host user's supplementary groups.
• Conditional Application: The --group-add keep-groups flag is only applied when running as a non-root user and when the detected Podman version is 3.2.0 or newer, ensuring backward compatibility.
• Minimal and Effective Fix: Provides a targeted, backward-compatible solution by leveraging existing Podman functionality, avoiding more invasive changes to /dev mounting.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly adds the --group-add keep-groups flag to podman create for non-root users on systems with a compatible Podman version. This is a good fix for the reported issue of device access from within rootless Toolbx containers. The logic is sound and the change is well-contained. My review includes a couple of minor suggestions to fix indentation inconsistencies to align with Go's standard formatting practices.

[softwarefactory-project-zuul]

Build failed.
https://softwarefactory-project.io/zuul/t/local/buildset/a01c755f791b433ea1dbb175754aff33

✔️ unit-test SUCCESS in 2m 06s
✔️ unit-test-migration-path-for-coreos-toolbox SUCCESS in 3m 29s
✔️ unit-test-restricted SUCCESS in 2m 05s
❌ system-test-fedora-rawhide-commands-options FAILURE in 1h 18m 20s
❌ system-test-fedora-rawhide-runtime-environment-arch-fedora FAILURE in 1h 03m 34s
❌ system-test-fedora-rawhide-runtime-environment-ubuntu FAILURE in 15m 24s
❌ system-test-fedora-42-commands-options FAILURE in 1h 20m 29s
❌ system-test-fedora-42-runtime-environment-arch-fedora FAILURE in 1h 09m 42s
❌ system-test-fedora-42-runtime-environment-ubuntu FAILURE in 19m 43s
❌ system-test-fedora-41-commands-options FAILURE in 1h 21m 27s
❌ system-test-fedora-41-runtime-environment-arch-fedora FAILURE in 1h 01m 54s
❌ system-test-fedora-41-runtime-environment-ubuntu FAILURE in 19m 52s