Fix setpgid logic

Make sure we append the setpgid command after all the options. Let's
also use -- to avoid any potential confusion about whether the following
arguments are options or not.

diff --git a/mkosi/run.py b/mkosi/run.py
index 7b0f18b0ea64a87dc09a4765432da0a2b3c75633..b9d5f62f40a3e13647da3ca23c0baf1a4ab288bb 100644 (file)
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -347,7 +347,7 @@ def bwrap(
         ]
 
         if setpgid := find_binary("setpgid"):
-            cmdline += [setpgid, "--foreground"]
+            cmdline += [setpgid, "--foreground", "--"]
 
         try:
             result = run([*cmdline, *cmd], env=env, log=False, stdin=stdin, stdout=stdout, input=input)
@@ -397,15 +397,15 @@ def apivfs_cmd(root: Path) -> list[PathString]:
         "--unsetenv", "TMPDIR",
     ]
 
-    if setpgid := find_binary("setpgid"):
-        cmdline += [setpgid, "--foreground"]
-
     if (root / "etc/machine-id").exists():
         # Make sure /etc/machine-id is not overwritten by any package manager post install scripts.
         cmdline += ["--ro-bind", root / "etc/machine-id", root / "etc/machine-id"]
 
     cmdline += finalize_passwd_mounts(root)
 
+    if setpgid := find_binary("setpgid"):
+        cmdline += [setpgid, "--foreground", "--"]
+
     chmod = f"chmod 1777 {root / 'tmp'} {root / 'var/tmp'} {root / 'dev/shm'}"
     # Make sure anything running in the root directory thinks it's in a container. $container can't always be
     # accessed so we write /run/host/container-manager as well which is always accessible.
@@ -443,7 +443,7 @@ def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathSt
     ]
 
     if setpgid := find_binary("setpgid", root):
-        cmdline += [setpgid, "--foreground"]
+        cmdline += [setpgid, "--foreground", "--"]
 
     return apivfs_cmd(root) + cmdline