From 33db50ab24ccafcc98601a1a7a67dc36481dfd92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erik=20Sj=C3=B6lund?= Date: Mon, 11 May 2026 07:56:57 +0200 Subject: [PATCH] troubleshooting: document setgroups requirement MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Erik Sjölund --- troubleshooting.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/troubleshooting.md b/troubleshooting.md index 24c2cb3643..4f25e9bead 100644 --- a/troubleshooting.md +++ b/troubleshooting.md @@ -531,8 +531,9 @@ Any access inside the container is rejected with "Permission denied". The runtime uses `setgroups(2)` hence the process loses all additional groups the non-root user has. Use the `--group-add keep-groups` flag to pass the -user's supplementary group access into the container. Currently only available -with the `crun` OCI runtime. +user's supplementary group access into the container. For it to work, +the container itself must not call `setgroups()`. +Currently only available with the `crun` OCI runtime. ### 21) A rootless container running in detached mode is closed at logout
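Review bot: In the added sentence "For it to work, the container itself must not call `setgroups()`", the pronoun "it" has no clear referent, and the call is written `setgroups()` while the same paragraph already uses the man-page form `setgroups(2)`. Suggest something like "For `--group-add keep-groups` to work, no process inside the container may call `setgroups(2)`", followed by a short clause on the symptom when one does: by the paragraph's own reasoning the supplementary groups are lost again and access is rejected with "Permission denied". Also, the fragment "Currently only available with the `crun` OCI runtime." now follows a sentence about the container instead of the flag, so it needs an explicit subject such as "The flag is currently only available with the `crun` OCI runtime."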