Mount entire /etc from package manager tree into sandbox

Instead of mounting individual directories, let's just mount the
entire /etc into the sandbox. This allows any tool we run through
the sandbox to pick up configuration from the package manager tree
without having to add explicit support for it in mkosi.

This also removes our special casing for uki.conf. ukify will now
pick up its configuration from its canonical location just like all
the other tools.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 1bf5db032df66e0366e28cc889a31636f1c5a403..c0f60dda2a8d7a2a2a3e1b02cabdc66c4c0f8e23 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1299,6 +1299,9 @@ def install_package_manager_trees(state: MkosiState) -> None:
         for tree in state.config.package_manager_trees:
             install_tree(state, tree.source, state.workspace / "pkgmngr", tree.target)
 
+    # Ensure /etc exists in the package manager tree
+    (state.pkgmngr / "etc").mkdir(exist_ok=True)
+
 
 def install_extra_trees(state: MkosiState) -> None:
     if not state.config.extra_trees:
@@ -1553,11 +1556,6 @@ def build_uki(
         for p in state.config.extra_search_paths:
             cmd += ["--tools", p]
 
-    for d in ("etc/kernel", "usr/lib/kernel"):
-        uki_config = state.pkgmngr / d / "uki.conf"
-        if uki_config.exists():
-            cmd += ["--config", uki_config]
-
     if state.config.secure_boot:
         assert state.config.secure_boot_key
         assert state.config.secure_boot_certificate

diff --git a/mkosi/bubblewrap.py b/mkosi/bubblewrap.py
index 937c60f7c06aab486fcc010dbe283094679bea41..006141625849e3e3be8aef7e9835228c76709b5e 100644 (file)
--- a/mkosi/bubblewrap.py
+++ b/mkosi/bubblewrap.py
@@ -36,25 +36,6 @@ def have_effective_cap(capability: Capability) -> bool:
 
 def finalize_mounts(state: MkosiState) -> list[str]:
     mounts = [
-        (state.pkgmngr / subdir, Path("/") / subdir, True)
-        for subdir in (
-            Path("etc/apt"),
-            Path("etc/rpm"),
-            Path("etc/dnf"),
-            Path("etc/pacman.conf"),
-            Path("etc/pacman.d"),
-            Path("etc/zypp"),
-            Path("etc/yum.repos.d"),
-        )
-        if (state.pkgmngr / subdir).exists()
-    ]
-
-    dirs = [
-        "/var/log/apt",
-        "/var/lib/dnf",
-    ]
-
-    mounts += [
         ((state.config.tools_tree or Path("/")) / subdir, Path("/") / subdir, True)
         for subdir in (
             Path("etc/pki"),
@@ -79,7 +60,7 @@ def finalize_mounts(state: MkosiState) -> list[str]:
         ["--ro-bind" if readonly else "--bind", os.fspath(src), os.fspath(target)]
         for src, target, readonly
         in sorted(set(mounts), key=lambda s: s[1])
-    ) + flatten(["--dir", d] for d in dirs)
+    )
 
 
 def bwrap(
@@ -102,6 +83,9 @@ def bwrap(
         "bwrap",
         "--ro-bind", "/usr", "/usr",
         "--ro-bind-try", "/nix/store", "/nix/store",
+        # This mount is writable so bwrap can create extra directories or symlinks inside of it as needed. This isn't a
+        # problem as the package manager directory is created by mkosi and thrown away when the build finishes.
+        "--bind", state.pkgmngr / "etc", "/etc",
         "--bind", "/var/tmp", "/var/tmp",
         "--bind", "/tmp", "/tmp",
         "--bind", Path.cwd(), Path.cwd(),

diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index 525a380895567e5bce44dd4e3bb105d0ecd0195f..9ccf001e20cabab28093fab8470e806a577bf738 100644 (file)
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -69,6 +69,7 @@ def apt_cmd(state: MkosiState, command: str) -> list[PathString]:
         "-o", f"Dir::State={state.cache_dir / 'apt'}",
         "-o", f"Dir::State::Status={state.root / 'var/lib/dpkg/status'}",
         "-o", f"Dir::Etc::Trusted={trustedkeys}",
+        "-o", f"Dir::Log={state.workspace}",
         "-o", f"Dir::Bin::DPkg={shutil.which('dpkg')}",
         "-o", "Debug::NoLocking=true",
         "-o", f"DPkg::Options::=--root={state.root}",

diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md
index ea55abf7560f8b5b72ae1e009b8471bb2bbe2189..ba2ba02fc7ca3a0f90a8e3c109281dccf833b166 100644 (file)
--- a/mkosi/resources/mkosi.md
+++ b/mkosi/resources/mkosi.md
@@ -2213,11 +2213,6 @@ Note that despite the name, qemu's `-append` option replaces
 the default kernel commandline embedded in the kernel
 and any previous `-append` specifications.
 
-`mkosi` builds a Unified Kernel Image (UKI).
-Further customization, e.g. a splash image, can be applied using a configuration
-for `ukify` in `/etc/kernel/uki.conf` inside the skeleton tree.
-`ukify` is run from the same working directory as mkosi itself.
-
 The UKI is also copied into the output directory and may be booted directly:
 ```console
 $ mkosi qemu -kernel mkosi.output/fedora~38/image.efi