containers
cmd/create: keep host supplementary groups with --group-add keep-groups
Toolbx currently fails to create or start containers on hosts where the user has group-only access to device nodes under /dev, for example when VirtualBox creates /dev/vboxusb/* owned by root:vboxusers with 0750 permissions. In this situation a rootless Toolbx container inherits /dev from the host, the /dev/vboxusb directory is visible, but the container process has no group membership for vboxusers. When the OCI runtime walks /dev it eventually tries to open or create device nodes under /dev/vboxusb and fails with an OCI permission denied error, so toolbox enter aborts with "failed to start container".
This behaviour is described in #1348, which generalizes the problem to any directory under /dev with 0750 permissions where the user only has access via a supplementary group (eg. dialout, vboxusers, docker). It is also the root cause behind reports like #1297 and the older #247, and matches similar issues seen with rootless Podman and VirtualBox in other projects (distrobox, crun, Debian bug reports).
Rootless Podman already has a mechanism to address this class of problems: passing --group-add keep-groups to podman create or podman run tells Podman to keep the caller's supplementary groups instead of dropping them during container setup. The Podman documentation explicitly recommends this flag for cases where device access is granted only via group membership and notes that otherwise accessing such devices from rootless containers will fail with permission errors.
This patch wires that mechanism into Toolbx by adding --group-add keep-groups to the podman create invocation used by the toolbox create command when running as a non-root user and when the Podman version is >= 3.2.0, which is when the flag became available. The call is gated through the existing podman.CheckVersion helper, so older Podman versions are not affected and keep the previous behaviour.
With this change, the OCI runtime sees the same supplementary groups as the host process, so a user who is a member of vboxusers (or dialout, docker, etc.) can access devices that are only group readable from inside a rootless Toolbx container. On systems with VirtualBox installed this fixes errors of the form:
crun: creating /dev/vboxusb/00x/00y: openat2 dev/vboxusb:
Permission denied: OCI permission denied
when entering a freshly created Toolbx container.
This patch intentionally does not change how /dev is mounted into the container and does not implement the more invasive /dev filtering approach discussed in #1348. It is a minimal, backwards compatible improvement that fixes the common VirtualBox and other group-only device cases by leveraging Podman's existing --group-add keep-groups support.
Tests:
- On Fedora 42 with VirtualBox installed and the user in the vboxusers group, verified that
toolbox createlogs thepodman createcommand including--group-add keep-groups. - Confirmed that
toolbox entersucceeds for a new container where it previously failed with an OCI permission denied on /dev/vboxusb. - Verified that behaviour is unchanged on a system without VirtualBox and that the flag is not added when running as root.
Fixes: #1348 Related: #1297, #247
Summary of Changes
Hello @Knogle, I'm Gemini Code Assist[^1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request introduces a crucial enhancement to Toolbx's container creation process, specifically targeting rootless environments. It resolves persistent permission denied errors encountered when containers attempt to access device nodes under /dev that are only accessible via a host user's supplementary groups (like vboxusers or dialout). By conditionally adding the --group-add keep-groups flag to podman create for non-root users with compatible Podman versions (3.2.0+), Toolbx containers will now correctly inherit these essential group memberships, thereby enabling seamless access to devices such as VirtualBox USB devices. This change provides a minimal yet effective fix for a long-standing issue, improving the reliability of rootless Toolbx containers.
Highlights
- Device Access in Rootless Containers: Addresses issues where rootless Toolbx containers fail to access group-only device nodes (e.g., /dev/vboxusb) due to missing supplementary group memberships, resolving problems described in #1348, #1297, and #247.
-
Podman Integration: Integrates Podman's --group-add keep-groups flag into
toolbox createfor non-root users, allowing containers to inherit the host user's supplementary groups. - Conditional Application: The --group-add keep-groups flag is only applied when running as a non-root user and when the detected Podman version is 3.2.0 or newer, ensuring backward compatibility.
- Minimal and Effective Fix: Provides a targeted, backward-compatible solution by leveraging existing Podman functionality, avoiding more invasive changes to /dev mounting.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with :thumbsup: and :thumbsdown: on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
[^1]: Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.
![gemini-code-assist[bot] avatar](https://avatars.githubusercontent.com/in/956858?v=4 "Published by a pub.dev verified publisher"){kind=small}
Build failed. https://softwarefactory-project.io/zuul/t/local/buildset/a01c755f791b433ea1dbb175754aff33
:heavy_check_mark: unit-test SUCCESS in 2m 06s :heavy_check_mark: unit-test-migration-path-for-coreos-toolbox SUCCESS in 3m 29s :heavy_check_mark: unit-test-restricted SUCCESS in 2m 05s :x: system-test-fedora-rawhide-commands-options FAILURE in 1h 18m 20s :x: system-test-fedora-rawhide-runtime-environment-arch-fedora FAILURE in 1h 03m 34s :x: system-test-fedora-rawhide-runtime-environment-ubuntu FAILURE in 15m 24s :x: system-test-fedora-42-commands-options FAILURE in 1h 20m 29s :x: system-test-fedora-42-runtime-environment-arch-fedora FAILURE in 1h 09m 42s :x: system-test-fedora-42-runtime-environment-ubuntu FAILURE in 19m 43s :x: system-test-fedora-41-commands-options FAILURE in 1h 21m 27s :x: system-test-fedora-41-runtime-environment-arch-fedora FAILURE in 1h 01m 54s :x: system-test-fedora-41-runtime-environment-ubuntu FAILURE in 19m 52s
![softwarefactory-project-zuul[bot] avatar](https://avatars.githubusercontent.com/in/6924?v=4 "Published by a pub.dev verified publisher"){kind=small}
Build failed. https://softwarefactory-project.io/zuul/t/local/buildset/a65365bf06fd44c591c349ce0b2af143
:heavy_check_mark: unit-test SUCCESS in 2m 19s :heavy_check_mark: unit-test-migration-path-for-coreos-toolbox SUCCESS in 3m 19s :heavy_check_mark: unit-test-restricted SUCCESS in 2m 15s :x: system-test-fedora-rawhide-commands-options FAILURE in 1h 20m 19s :x: system-test-fedora-rawhide-runtime-environment-arch-fedora FAILURE in 1h 05m 29s :x: system-test-fedora-rawhide-runtime-environment-ubuntu FAILURE in 13m 59s :x: system-test-fedora-43-commands-options FAILURE in 1h 09m 54s :x: system-test-fedora-43-runtime-environment-arch-fedora FAILURE in 49m 06s :x: system-test-fedora-43-runtime-environment-ubuntu FAILURE in 12m 14s :x: system-test-fedora-42-commands-options FAILURE in 1h 09m 07s :x: system-test-fedora-42-runtime-environment-arch-fedora FAILURE in 1h 12m 06s :x: system-test-fedora-42-runtime-environment-ubuntu FAILURE in 18m 01s