When not running in a tools tree the extra search paths are
read-only bind-mounted into the sandbox.
Files are initially created in the workspace tree but then moved
into the output directory after they are complete.
If the directories are on different devices the rename syscall
falls back to a copy then delete.
It is not unusual to have a single build output directory
and you might potentially want your mkosi output directory in there.
If you are adding ExtraSearchPaths to use just-built executables
then this probably points to your `build/` directory.
If search paths are bind-mounted in read-only after the copy command's
sandboxing options, then this generates a command-line with options:
`--bind build/mkosi.output build/mkosi.output ... --bind-ro build build`
which means that the output directory is not writable.
Ordering the sandbox's own mount arguments before the command's options
should ensure the read-only search paths mount doesn't interfere with
the command's writable bind-mounts.
relaxed=relaxed,
scripts=scripts,
tools=self.tools(),
- options=[*options, *mounts],
+ options=[*mounts, *options],
)
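Review bot: The new `options=[*mounts, *options]` ordering carries an invariant that nothing in the code states: the sandbox's own mounts have to come before the caller's options so that a caller's writable `--bind` of a directory nested under a `--bind-ro` search path (the `build/mkosi.output` inside `build` case from the commit message) is applied last and stays writable. A short comment on that line would keep a later cleanup from swapping the order back, and a test that builds the command line with an output directory inside an extra search path and checks that the `--bind` follows the `--bind-ro` would pin the behaviour. The same ordering means caller-supplied options now take precedence over the sandbox's own mounts wherever the two overlap, which is worth stating in that comment as well.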