Only mount ephemeral build sources for package managers when running as root

If we're not running as root, we won't have permissions to do the overlay
mount. Hopefully bubblewrap will eventually get overlayfs support which would
make this possible.

diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index 0234cdd8a66cd3835e39734d862d4b8ef9fa7944..3e9ab6cafe152f719544a85bf53a98288811d46a 100644 (file)
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1+
+import os
 import textwrap
 from collections.abc import Iterable, Sequence
 from pathlib import Path
@@ -174,7 +175,10 @@ class Apt(PackageManager):
         mounts: Sequence[PathString] = (),
         stdout: _FILE = None,
     ) -> CompletedProcess:
-        with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+        with finalize_source_mounts(
+            context.config,
+            ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+        ) as sources:
             return run(
                 cls.cmd(context, "apt-get") + [operation, *arguments],
                 sandbox=(

diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py
index ca831c4a68ee736851727464b56e7bebeb5de746..3a745099038ca51b2892885ecf7a93116431ebfe 100644 (file)
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1+
+import os
 import textwrap
 from collections.abc import Iterable, Sequence
 from pathlib import Path
@@ -160,7 +161,10 @@ class Dnf(PackageManager):
         stdout: _FILE = None,
     ) -> CompletedProcess:
         try:
-            with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+            with finalize_source_mounts(
+                context.config,
+                ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+            ) as sources:
                 return run(
                     cls.cmd(context) + [operation,*arguments],
                     sandbox=(

diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index 2ecb988376e3476944e6a548a6c9f0dd4f792841..de240f5314dca038f51022492d43188d53546f9c 100644 (file)
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1+
+import os
 import shutil
 import textwrap
 from collections.abc import Iterable, Sequence
@@ -150,7 +151,10 @@ class Pacman(PackageManager):
         apivfs: bool = False,
         stdout: _FILE = None,
     ) -> CompletedProcess:
-        with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+        with finalize_source_mounts(
+            context.config,
+            ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+        ) as sources:
             return run(
                 cls.cmd(context) + [operation, *arguments],
                 sandbox=(

diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py
index 6e09c9b68ecb94d4c93c55dfed5684c20c083669..148aba5632f5de0560309bd3246a86d7bc3cba37 100644 (file)
--- a/mkosi/installer/zypper.py
+++ b/mkosi/installer/zypper.py
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: LGPL-2.1+
 import hashlib
+import os
 import textwrap
 from collections.abc import Iterable, Sequence
 from pathlib import Path
@@ -120,7 +121,10 @@ class Zypper(PackageManager):
         apivfs: bool = False,
         stdout: _FILE = None,
     ) -> CompletedProcess:
-        with finalize_source_mounts(context.config, ephemeral=context.config.build_sources_ephemeral) as sources:
+        with finalize_source_mounts(
+            context.config,
+            ephemeral=os.getuid() == 0 and context.config.build_sources_ephemeral,
+        ) as sources:
             return run(
                 cls.cmd(context) + [operation, *arguments],
                 sandbox=(