toolbox: failed to create container: open /dev/vboxusb: permission denied #247

Closed
zapateo opened this issue Sep 3, 2019 · 11 comments
Labels: 1. Bug (Something isn't working), 5. Help Wanted (Extra attention is needed)

Comments

@zapateo

zapateo commented Sep 3, 2019

When I run the command

$ toolbox create -c mycontainer

I get the output:

toolbox: failed to create container mycontainer

Running toolbox with the -v option I get

$ toolbox -v create -c mycontainer
toolbox: resolved absolute path for /usr/bin/toolbox to /usr/bin/toolbox
toolbox: checking if /etc/subgid and /etc/subuid have entries for user gianluca
toolbox: TOOLBOX_PATH is /usr/bin/toolbox
toolbox: checking if 'podman system migrate' exists
toolbox: migration not needed: 1.5.1 is unchanged
toolbox: Fedora generational core is f30
toolbox: base image is fedora-toolbox:30
toolbox: container is mycontainer
toolbox: checking value /var/run/.heim_org.h5l.kcm-socket (Stream) of property Listen in sssd-kcm.socket
toolbox: parsing value /var/run/.heim_org.h5l.kcm-socket (Stream) of property Listen in sssd-kcm.socket
toolbox: checking if 'podman create' supports --dns=none and --no-hosts
toolbox: 'podman create' supports --dns=none and --no-hosts
toolbox: looking for image localhost/fedora-toolbox:30
toolbox: looking for image registry.fedoraproject.org/f30/fedora-toolbox:30
toolbox: base image fedora-toolbox:30 resolved to registry.fedoraproject.org/f30/fedora-toolbox:30
toolbox: checking if container mycontainer already exists
toolbox: /home/gianluca canonicalized to /home/gianluca
toolbox: checking if /home is a symbolic link to /var/home
toolbox: calling org.freedesktop.Flatpak.SessionHelper.RequestSession
toolbox: creating container mycontainer
Error: open /dev/vboxusb: permission denied
toolbox: failed to create container mycontainer

The problem seems to be in line: Error: open /dev/vboxusb: permission denied

System information

  • Toolbox version 0.0.12
  • Podman version 1.5.1
@HarryMichal
Member

Hi @zapateo, thanks for the ticket. Did this issue appear after you updated your system? Also you are using classic Fedora Workstation, right?

@zapateo
Author

zapateo commented Sep 3, 2019

toolbox used to work properly on my system; after that, I updated/installed/removed software many times before finding out that it stopped working, so I can't establish what broke it.

Yes, I'm using Fedora Workstation.

@wesleysliao

I'm having the same issue. I'm running Fedora 30 Silverblue with VirtualBox layered:

 ● ostree://fedora:fedora/30/x86_64/silverblue

                   Version: 30.20190905.0 (2019-09-05T11:27:32Z)
                BaseCommit: 8790382b1796482b1ab144f2c3c44e625d0d3b674ba31413d93b30644635c5c4
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
           LayeredPackages: VirtualBox fedora-workstation-repositories gnome-tweaks kmod-nvidia xcape xorg-x11-drv-nvidia xorg-x11-drv-nvidia-libs
             LocalPackages: rpmfusion-free-release-30-1.noarch rpmfusion-nonfree-release-30-1.noarch

Looking at the permissions of /dev/vboxusb:

drwxr-x---. 3 root vboxusers 60 Sep 5 17:32 vboxusb

I thought maybe to add myself to the vboxusers group with this method but that also fails:

# sudo grep -E '^vboxusers:' /usr/lib/group >> /etc/group
bash: /etc/group: Permission denied

I have no problem entering the existing toolboxes I have, but I can't create any new ones. I also am not sure when this stopped working, I've had several updates since last creating a toolbox.

@HarryMichal
Member

HarryMichal commented Sep 10, 2019

I successfully reproduced the issue in a VM. I believe this has to be resolved in VirtualBox itself. The problem seems to be with bind mounting the /dev directory. The vboxusb directory (and the one nested inside) has 750 permission while it should have 755.

To temporarily solve this, you can chmod the permissions manually as administrator. But I recommend checking the permissions of the character device called '002' because you don't want bad permissions :).
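
An added example, not part of the thread or of Toolbox itself: a small audit for the two permission concerns raised in the comment above, namely directories under the bind-mounted tree that "other" cannot traverse (the 750 case) and device entries that are writable by everyone. It assumes GNU find and stat; the function names are hypothetical, and the sample tree is constructed, with regular files standing in for the character devices (the 003 entry and the 664/666 modes are made up for the demonstration).

```shell
#!/bin/sh
# Added example, not from the issue thread. Requires GNU find and stat.

# audit_dev_tree ROOT: print one finding per line, return 1 if any were found.
#   NOTRAVERSE <mode> <path>  directory without r-x for "other" (e.g. 750);
#                             users outside the owning group get EACCES on open.
#   WORLDWRITE <mode> <path>  non-directory entry writable by "other".
# Run as root on a real host so nested directories can be read.
audit_dev_tree() {
    root=$1
    [ -d "$root" ] || { echo "MISSING - $root"; return 2; }
    findings=$(
        find "$root" -type d ! -perm -005 -exec stat -c 'NOTRAVERSE %a %n' {} + 2>/dev/null
        find "$root" ! -type d ! -type l -perm -002 -exec stat -c 'WORLDWRITE %a %n' {} + 2>/dev/null
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree: constructed stand-in for /dev/vboxusb/<bus>/<device>.
# Regular files replace the character devices so no root is needed.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/vboxusb/001"
    : > "$t/vboxusb/001/002"
    : > "$t/vboxusb/001/003"
    chmod 750 "$t/vboxusb" "$t/vboxusb/001"   # directory modes reported in the thread
    chmod 664 "$t/vboxusb/001/002"            # group-only write: no finding
    chmod 666 "$t/vboxusb/001/003"            # world-writable: finding
    echo "$t"
}

sample=$(make_sample_tree)
audit_dev_tree "$sample/vboxusb" || echo "findings above; on a host run: audit_dev_tree /dev/vboxusb"
rm -rf "$sample"
```

If the directories are opened up to 755 as a temporary workaround, a WORLDWRITE finding on a device node is the case to fix first, since the 750 directories were the only thing keeping users outside vboxusers away from it.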

@debarshiray
Member

toolbox-0.0.11 was the first version where we started bind mounting the entire /dev from the host into the container. That might be when this broke for you.

@zapateo
Author

zapateo commented Sep 13, 2019

I manually added myself to the vboxusers group; now I can create and enter containers successfully:

$ toolbox create -c mycontainer
Created container: mycontainer
Enter with: toolbox enter --container mycontainer
$ toolbox enter -c mycontainer
⬢[gianluca@toolbox ~]$ 

but when I run a command using sudo I get the following error:

⬢[gianluca@toolbox ~]$ sudo dnf upgrade
sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

Not sure if this problem is related to the current issue. Note that sudo works without any problem on the host and used to work perfectly in containers too (until I encountered the problem reported in this issue).

System information

  • toolbox version 0.0.12
  • Linux version 5.2.13-200
  • Running on Fedora 30 Workstation

HarryMichal added the 1. Bug and 5. Help Wanted labels on Nov 7, 2019

@HarryMichal
Member

@zapateo, is the issue still happening? Recently I had to deal with VirtualBox on Silverblue and /dev/vboxusb did not have permission set in a bad way anymore.

@zapateo
Author

zapateo commented Jul 8, 2020

> @zapateo, is the issue still happening? Recently I had to deal with VirtualBox on Silverblue and /dev/vboxusb did not have permission set in a bad way anymore.

No, the issue is not happening anymore. Now I can use toolbox without encountering the problem on:

  • Fedora 32 (Workstation Edition)
  • Fedora 32 (Silverblue, on a virtual machine)

I think that this issue is resolved 🙂

One thing, not sure if related: on both F32 Workstation and F32 Silverblue when I run a command with sudo inside a toolbox this warning is printed on the console:

sudo: setrlimit(RLIMIT_CORE): Operation not permitted

but it seems that everything works as expected.

@HarryMichal
Member

Great! Thanks for confirming this!

The issue you're mentioning should already be resolved (#450). Either re-pull your f32/fedora-toolbox images or simply run dnf upgrade in the container.

@debarshiray
Member

The root cause here might be #1348

@debarshiray
Member

Duplicate of #1348

debarshiray marked this as a duplicate of #1348 on Sep 28, 2023