Only mount package manager specific directories into sandbox

diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index 496e25675fd633c018a93762a7e4f234d4e60404..594bdb6b0b5b6401549a058d90bb6349f2c38c15 100644 (file)
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -107,7 +107,8 @@ def invoke_apt(
                 network=True,
                 options=[
                     "--bind", context.root, context.root,
-                    "--bind", context.cache_dir, context.cache_dir,
+                    "--bind", context.cache_dir / "lib/apt", context.cache_dir / "lib/apt",
+                    "--bind", context.cache_dir / "cache/apt", context.cache_dir / "cache/apt",
                     "--ro-bind", context.workspace / "apt.conf", context.workspace / "apt.conf",
                     *finalize_crypto_mounts(tools=context.config.tools()),
                     *mounts,

diff --git a/mkosi/installer/dnf.py b/mkosi/installer/dnf.py
index eccfb1fcc47b02dd7ca89540c53c81490a0deef7..c410c7141786d68a05df30b777029f1daa2feecc 100644 (file)
--- a/mkosi/installer/dnf.py
+++ b/mkosi/installer/dnf.py
@@ -19,10 +19,18 @@ def dnf_executable(context: Context) -> str:
     return Path(dnf or find_binary("dnf5", root=root) or find_binary("dnf", root=root) or "yum").name
 
 
+def dnf_subdir(context: Context) -> str:
+    dnf = dnf_executable(context)
+    return "libdnf5" if dnf.endswith("dnf5") else "dnf"
+
+
 def setup_dnf(context: Context, repositories: Iterable[RpmRepository], filelists: bool = True) -> None:
     (context.pkgmngr / "etc/dnf/vars").mkdir(exist_ok=True, parents=True)
     (context.pkgmngr / "etc/yum.repos.d").mkdir(exist_ok=True, parents=True)
 
+    (context.cache_dir / "cache" / dnf_subdir(context)).mkdir(exist_ok=True, parents=True)
+    (context.cache_dir / "lib" / dnf_subdir(context)).mkdir(exist_ok=True, parents=True)
+
     config = context.pkgmngr / "etc/dnf/dnf.conf"
 
     if not config.exists():
@@ -78,8 +86,8 @@ def dnf_cmd(context: Context) -> list[PathString]:
         f"--releasever={context.config.release}",
         f"--installroot={context.root}",
         "--setopt=keepcache=1",
-        f"--setopt=cachedir={context.cache_dir / 'cache' / ('libdnf5' if dnf.endswith('dnf5') else 'dnf')}",
-        f"--setopt=persistdir={context.cache_dir / 'lib' / ('libdnf5' if dnf.endswith('dnf5') else 'dnf')}",
+        f"--setopt=cachedir={context.cache_dir / 'cache' / dnf_subdir(context)}",
+        f"--setopt=persistdir={context.cache_dir / 'lib' / dnf_subdir(context)}",
         f"--setopt=install_weak_deps={int(context.config.with_recommends)}",
         "--setopt=check_config_file_age=0",
         "--disable-plugin=*" if dnf.endswith("dnf5") else "--disableplugin=*",
@@ -123,7 +131,12 @@ def invoke_dnf(context: Context, command: str, packages: Iterable[str], apivfs:
                 network=True,
                 options=[
                     "--bind", context.root, context.root,
-                    "--bind", context.cache_dir, context.cache_dir,
+                    "--bind",
+                    context.cache_dir / "cache" / dnf_subdir(context),
+                    context.cache_dir / "cache" / dnf_subdir(context),
+                    "--bind",
+                    context.cache_dir / "lib" / dnf_subdir(context),
+                    context.cache_dir / "lib" / dnf_subdir(context),
                     *finalize_crypto_mounts(tools=context.config.tools()),
                 ],
             ) + (apivfs_cmd(context.root, tools=context.config.tools()) if apivfs else [])

diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index 5ba5749e6d21a26a1161f27f63f40764275b36a7..1c3cfd90570028d1c4f6b9363fe31afd8b2f4548 100644 (file)
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -96,7 +96,7 @@ def invoke_pacman(
                 network=True,
                 options=[
                     "--bind", context.root, context.root,
-                    "--bind", context.cache_dir, context.cache_dir,
+                    "--bind", context.cache_dir / "cache/pacman/pkg", context.cache_dir / "cache/pacman/pkg",
                     *finalize_crypto_mounts(tools=context.config.tools()),
                 ],
             ) + (apivfs_cmd(context.root, tools=context.config.tools()) if apivfs else [])

diff --git a/mkosi/installer/zypper.py b/mkosi/installer/zypper.py
index 58998135c26a1ce944f5af440b8b6fa2abb150d1..c800038f9bf4dfd0a2ab0612a79125f255048012 100644 (file)
--- a/mkosi/installer/zypper.py
+++ b/mkosi/installer/zypper.py
@@ -15,6 +15,8 @@ def setup_zypper(context: Context, repos: Sequence[RpmRepository]) -> None:
     config = context.pkgmngr / "etc/zypp/zypp.conf"
     config.parent.mkdir(exist_ok=True, parents=True)
 
+    (context.cache_dir / "cache/zypp").mkdir(exist_ok=True, parents=True)
+
     # rpm.install.excludedocs can only be configured in zypp.conf so we append
     # to any user provided config file. Let's also bump the refresh delay to
     # the same default as dnf which is 48 hours.
@@ -82,7 +84,7 @@ def invoke_zypper(
                 network=True,
                 options=[
                     "--bind", context.root, context.root,
-                    "--bind", context.cache_dir, context.cache_dir,
+                    "--bind", context.cache_dir / "cache/zypp", context.cache_dir / "cache/zypp",
                     *finalize_crypto_mounts(tools=context.config.tools()),
                 ],
             ) + (apivfs_cmd(context.root, tools=context.config.tools()) if apivfs else [])