Drop unnecessary and wrong group detection on host

[martinpitt]

Don't call get_group_for_sudo() on the host during create(). That runs
on the host, and thus will check which sudo group exists on the host.
But that is entirely irrelevant for sudo inside the container, and it
breaks when trying to create a Debian or Ubuntu based toolbox on a
Fedora host (or vice versa).

Also, there is no point in running the podman create command with an
extra sudo group, normal user privileges are just fine.

init_container() will call get_group_for_sudo() inside the container and
initialize the groups correctly there.

[martinpitt]

This can be demonstrated entirely without toolbox. On a Fedora host there is the wheel group, but not sudo:

❱❱❱ getent group sudo wheel
wheel:x:10:martin

The current detection code looks at the host groups, but that doesn't apply to the container:

❱❱❱ podman run --rm -u nobody --group-add sudo docker.io/library/debian:sid id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup),27(sudo)

❱❱❱ podman run --rm -u nobody --group-add wheel docker.io/library/debian:sid id
Error: error looking up supplemental groups for container 7e66defb63ee61118ddb3af0a8fc8af3d8c76dfdcbaaf8833bff837a5f837ece: Unable to find group wheel

[martinpitt]

With toolbox, the reproducer is this:

toolbox -y create -c sid --image docker.io/debian:sid && podman start sid

[softwarefactory-project-zuul]

Build failed.

• shellcheck : SUCCESS in 1m 54s
• test-with-podman-stable-f30 : FAILURE in 4m 05s
• test-with-podman-stable-f31 : FAILURE in 2m 17s
• test-with-podman-rawhide : FAILURE in 3m 36s

[martinpitt]

This fails the tests as it breaks the init-container stage -- at that point get_group_for_sudo() is called inside the container, where indeed there is no podman command and no image:

++ get_group_for_sudo
+++ podman run --rm '' getent group sudo wheel
/usr/bin/toolbox: line 515: podman: command not found

So the fix is even easier -- just drop the redundant "outer" group detection.

[softwarefactory-project-zuul]

Build failed.

• shellcheck : SUCCESS in 1m 01s
• test-with-podman-stable-f30 : SUCCESS in 2m 56s
• test-with-podman-stable-f31 : FAILURE in 3m 28s
• test-with-podman-rawhide : SUCCESS in 3m 41s

[softwarefactory-project-zuul]

Build succeeded.

• shellcheck : SUCCESS in 58s
• test-with-podman-stable-f30 : SUCCESS in 3m 24s
• test-with-podman-stable-f31 : SUCCESS in 3m 27s
• test-with-podman-rawhide : SUCCESS in 2m 56s

[Jmennius]

This is revealed/caused by a fix in libpod introduced in 1.8.1.
Thanks for the fix!

[masterzen]

Can this be merged in ?
It isn't possible at all to run toolbox with a fedora image on Fedora CoreOS (which has sudo supplemental group) for the moment, and drastically reduces the ability to troubleshoot issues.

[martinpitt]

My hunch is that the maintainers now ignore this project as they are working full steam on the Go rewrite. I haven't tested that at all yet (it's not yet in Fedora 32 or even Rawhide). It would still be nice to land this, as this project is really easy to work on and run straight out of git.

[fslds]

I would also like to see this PR being approved and merged in master and consequently released as a package...
It is currently breaking cross-compatibility between Debian and RedHat derivatives, if one is the host and the other is a container.

[crahan]

I'd like to add my vote for merging this fix as well.

[evan-a-a]

The associated code in the Go variant is here:

https://github.com/containers/toolbox/blob/master/src/cmd/create.go#L193
https://github.com/containers/toolbox/blob/master/src/cmd/create.go#L341

The change to remove this setting in Go can probably be added to this pull request as well to ensure this is remains fixed when the Go version becomes official.

[martymichal]

I took the liberty of updating your PR to reflect your original changes in the new Go code.

I tried this change on a CoreOS host myself and it really makes rootless Toolbox work. @debarshiray, this should be good to be merged.

Thank you very much for working on this!

[softwarefactory-project-zuul]

Build failed.

• shellcheck : SUCCESS in 2m 07s
• test-with-podman-stable-f30 : FAILURE in 2m 42s
• test-with-podman-stable-f31 : FAILURE in 2m 54s
• test-with-podman-rawhide : FAILURE in 3m 39s

[martinpitt]

The tests succeeded in April when I sent this, but the run yesterday (triggered by @HarryMichal ?) now fails with

meson.build:8:0: ERROR: Program(s) ['go'] not found or not executable

That looks like it needs to be fixed in your CI?

[martymichal]

The CI is being fixed in a separate PR.

[Ramblurr]

Any traction on this?

Toolbox is a daily important tool we use. I appreciate the go rewrite, and look forward to it. But the backlog of simple and good bug fixes backing up here is taking its toll.

[softwarefactory-project-zuul]

Build failed.

• shellcheck : SUCCESS in 2m 03s
• system-test-fedora-31 : SUCCESS in 3m 49s
• system-test-fedora-32 : SUCCESS in 3m 27s
• system-test-fedora-rawhide : FAILURE in 3m 05s

[softwarefactory-project-zuul]

Build failed.

• shellcheck : SUCCESS in 2m 04s
• system-test-fedora-31 : SUCCESS in 3m 35s
• system-test-fedora-32 : SUCCESS in 3m 32s
• system-test-fedora-rawhide : FAILURE in 2m 51s

[debarshiray]

Looks like this fix for #423 had an unintended side-effect.

Earlier, inside the container, we'd get:

⬢[rishi@toolbox ~]$ id
uid=1000(rishi) gid=1000(rishi) groups=1000(rishi),10(wheel)

... but now:

⬢[rishi@toolbox ~]$ id
uid=1000(rishi) gid=1000(rishi) groups=1000(rishi)

Notice how the wheel group doesn't get listed. It does show up in id rishi, and doesn't seem to affect sudo capabilities. However, this can still trip up users and programs alike.

[debarshiray]

Looks like this fix for #423 had an unintended side-effect.

Owen chased it down the stack and fixed it in crun:

• Supplemental groups not added for 'podman exec -u <user>' podman#9986
• additional_gids ignored on exec crun#644
• On exec, honor additional_gids from the process spec crun#645

So, all good!