cmd/create: keep host supplementary groups with --group-add keep-groups

src/cmd/create.go

@@ -286,6 +286,17 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 		devPtsMount = []string{"--mount", "type=devpts,destination=/dev/pts"}
 	}
 
+	// Keep the host user's supplementary groups (eg. vboxusers) inside the
+	// container so that group-only device access under /dev keeps working.
+	// Requires Podman >= 3.2.0 where '--group-add keep-groups' was introduced
+	// and only makes sense for non-root (rootless) users. :contentReference[oaicite:0]{index=0}
+	logrus.Debug("Checking if 'podman create' supports '--group-add keep-groups'")
+	var keepGroups []string
+	if currentUser.Uid != "0" && podman.CheckVersion("3.2.0") {
+		logrus.Debug("'podman create' supports '--group-add keep-groups'")
+		keepGroups = []string{"--group-add", "keep-groups"}
+	}
+
 	var usernsArg string
 	if currentUser.Uid == "0" {
 		usernsArg = "host"
@@ -430,6 +441,9 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 		"--dns", "none",
 	}
 
+	// Add '--group-add keep-groups' when available, so the container inherits
+	// the host user's supplementary groups (eg. vboxusers).
+	createArgs = append(createArgs, keepGroups...)
 	createArgs = append(createArgs, toolbxDelayEntryPointEnv...)
 	createArgs = append(createArgs, toolbxFailEntryPointEnv...)