if context.config.find_binary(binary):
scripts[binary] = (binary, "--root", "/buildroot")
if ukify := context.config.find_binary("ukify"):
- # A script will always run with the tools tree mounted, so we pass binary=None to disable
- # the conditional search logic of python_binary() depending on whether the binary is in an
- # extra search path or not.
- scripts["ukify"] = (python_binary(context.config, binary=None), ukify)
+ scripts["ukify"] = (python_binary(context.config), ukify)
return finalize_scripts(context.config, scripts | dict(helpers))
["/work/configure"],
env=env | config.environment,
sandbox=config.sandbox(
- binary=None,
options=[
"--dir", "/work/src",
"--chdir", "/work/src",
env=env | config.environment,
stdin=sys.stdin,
sandbox=config.sandbox(
- binary=None,
network=True,
options=options,
overlay=Path(sandbox_tree),
with finalize_host_scripts(context, helpers) as hd:
if script.suffix != ".chroot":
with context.sandbox(
- binary=None,
network=network,
options=[
*options,
["/work/postoutput"],
env=env | context.config.environment,
sandbox=context.sandbox(
- binary=None,
# postoutput scripts should run as (fake) root so that file ownership is
# always recorded as if owned by root.
options=[
["systemd-dissect", "--copy-from", workdir(src), "/", workdir(t)],
env=dict(SYSTEMD_DISSECT_VERITY_EMBEDDED="no", SYSTEMD_DISSECT_VERITY_SIDECAR="no"),
sandbox=config.sandbox(
- binary="systemd-dissect",
devices=True,
network=True,
options=[
(context.workspace / "cmdline").write_text(f"{' '.join(cmdline)}\x00")
cmd = [
- python_binary(context.config, binary=ukify),
+ python_binary(context.config),
ukify,
"build",
*arguments,
),
env=context.config.environment,
sandbox=context.sandbox(
- binary=ukify,
options=[*opt, *options],
devices=context.config.secure_boot_key_source.type != KeySourceType.file,
),
# new .ucode section support?
if (
systemd_tool_version(
- python_binary(context.config, binary=ukify),
+ python_binary(context.config),
ukify,
sandbox=context.sandbox,
)
not in run(
["kernel-install", "--help"],
stdout=subprocess.PIPE,
- sandbox=context.sandbox(binary="kernel-install"),
+ sandbox=context.sandbox(),
).stdout
)
or systemd_tool_version("kernel-install", sandbox=context.sandbox) < "255.1"
output = json.loads(
run(
["kernel-install", "--root=/buildroot", "--json=pretty", "inspect"],
- sandbox=context.sandbox(
- binary="kernel-install", options=["--ro-bind", context.root, "/buildroot"]
- ),
+ sandbox=context.sandbox(options=["--ro-bind", context.root, "/buildroot"]),
stdout=subprocess.PIPE,
env={"BOOT_ROOT": "/boot"},
).stdout
src.unlink()
with dst.open("wb") as o:
- run(cmd, stdin=i, stdout=o, sandbox=context.sandbox(binary=cmd[0]))
+ run(cmd, stdin=i, stdout=o, sandbox=context.sandbox())
def copy_nspawn_settings(context: Context) -> None:
run(
cmdline,
env=env,
- sandbox=context.sandbox(
- binary="gpg",
- options=options,
- ),
+ sandbox=context.sandbox(options=options),
)
stdin=i,
stdout=o,
sandbox=context.sandbox(
- binary=context.config.openpgp_tool,
options=[
"--bind", context.config.key, "/signing-key.pgp",
"--bind", context.staging, workdir(context.staging),
) -> None:
ukify = check_tool(config, "ukify", "/usr/lib/systemd/ukify", reason=reason, hint=hint)
- v = systemd_tool_version(python_binary(config, binary=ukify), ukify, sandbox=config.sandbox)
+ v = systemd_tool_version(python_binary(config), ukify, sandbox=config.sandbox)
if v < version:
die(
f"Found '{ukify}' with version {v} but version {version} or newer is required to {reason}.",
with complete_step("Generating system users"):
run(
["systemd-sysusers", "--root=/buildroot"],
- sandbox=context.sandbox(
- binary="systemd-sysusers", options=["--bind", context.root, "/buildroot"]
- ),
+ sandbox=context.sandbox(options=["--bind", context.root, "/buildroot"]),
)
# as success by the systemd-tmpfiles service so we handle those as success as well.
success_exit_status=(0, 65, 73),
sandbox=context.sandbox(
- binary="systemd-tmpfiles",
options=[
"--bind", context.root, "/buildroot",
# systemd uses acl.h to parse ACLs in tmpfiles snippets which uses the host's
with complete_step("Applying presets…"):
run(
["systemctl", "--root=/buildroot", "preset-all"],
- sandbox=context.sandbox(binary="systemctl", options=["--bind", context.root, "/buildroot"]),
+ sandbox=context.sandbox(options=["--bind", context.root, "/buildroot"]),
)
run(
["systemctl", "--root=/buildroot", "--global", "preset-all"],
- sandbox=context.sandbox(binary="systemctl", options=["--bind", context.root, "/buildroot"]),
+ sandbox=context.sandbox(options=["--bind", context.root, "/buildroot"]),
)
with complete_step("Generating hardware database"):
run(
["systemd-hwdb", "--root=/buildroot", "--usr", "--strict", "update"],
- sandbox=context.sandbox(binary="systemd-hwdb", options=["--bind", context.root, "/buildroot"]),
+ sandbox=context.sandbox(options=["--bind", context.root, "/buildroot"]),
)
# Remove any existing hwdb in /etc in favor of the one we just put in /usr.
if password and not hashed:
password = run(
["openssl", "passwd", "-stdin", "-6"],
- sandbox=context.sandbox(binary="openssl"),
+ sandbox=context.sandbox(),
input=password,
stdout=subprocess.PIPE,
).stdout.strip()
with complete_step("Applying first boot settings"):
run(
["systemd-firstboot", "--root=/buildroot", "--force", *options],
- sandbox=context.sandbox(
- binary="systemd-firstboot", options=["--bind", context.root, "/buildroot"]
- ),
+ sandbox=context.sandbox(options=["--bind", context.root, "/buildroot"]),
)
# Initrds generally don't ship with only /usr so there's not much point in putting the
with complete_step(f"Relabeling files using {policy} policy"):
run(
[setfiles, "-mFr", "/buildroot", "-c", binpolicy, fc, "/buildroot"],
- sandbox=context.sandbox(binary=setfiles, options=["--bind", context.root, "/buildroot"]),
+ sandbox=context.sandbox(options=["--bind", context.root, "/buildroot"]),
check=context.config.selinux_relabel == ConfigFeature.enabled,
)
input=new,
check=False,
sandbox=config.sandbox(
- binary="diff",
tools=False,
options=["--bind", manifest, workdir(manifest)],
),
def sandbox(
*,
- binary: Optional[PathString],
options: Sequence[PathString] = (),
) -> AbstractContextManager[list[PathString]]:
- return config.sandbox(binary=binary, options=[*options, *exclude])
+ return config.sandbox(options=[*options, *exclude])
copy_tree(src, subdst, sandbox=sandbox)
env=os.environ | {"MKOSI_IN_SANDBOX": "1"},
log=False,
sandbox=config.sandbox(
- binary=cmdline[0],
devices=True,
network=True,
relaxed=True,
stdin=sys.stdin,
env=config.environment,
sandbox=config.sandbox(
- binary="systemd-repart",
network=True,
devices=True,
options=["--bind", fname, workdir(fname)],
env=os.environ | config.environment,
log=False,
sandbox=config.sandbox(
- binary="systemd-nspawn",
devices=True,
network=True,
relaxed=True,
env=os.environ | config.environment,
log=False,
sandbox=config.sandbox(
- binary=tool_path,
network=True,
devices=config.output_format == OutputFormat.disk,
relaxed=True,
"""Serve the output directory via a tiny HTTP server"""
run(
- [python_binary(config, binary=None), "-m", "http.server", "8081"],
+ [python_binary(config), "-m", "http.server", "8081"],
stdin=sys.stdin,
stdout=sys.stdout,
sandbox=config.sandbox(
- binary=python_binary(config, binary=None),
network=True,
relaxed=True,
options=["--chdir", config.output_dir_or_cwd()],
["/work/clean"],
env=env | config.environment,
sandbox=config.sandbox(
- binary=None,
tools=False,
options=[
"--dir", "/work/src",
stdout=f,
# Make sure tar uses user/group information from the root directory instead of the host.
sandbox=sandbox(
- binary="tar",
options=[
"--ro-bind", src, workdir(src, sandbox),
*finalize_passwd_symlinks(workdir(src, sandbox)),
*options,
],
sandbox=sandbox(
- binary="tar",
# Make sure tar uses user/group information from the root directory instead of the host.
options=[
"--ro-bind", src, workdir(src, sandbox),
input="\0".join(os.fspath(f) for f in files),
stdout=f,
sandbox=sandbox(
- binary="cpio",
options=[
"--ro-bind", src, workdir(src, sandbox),
*finalize_passwd_symlinks(workdir(src, sandbox))
*modules,
],
sandbox=context.sandbox(
- binary=mkimage,
options=[
"--bind", directory, "/grub",
"--ro-bind", earlyconfig.name, workdir(Path(earlyconfig.name)),
return None
-def python_binary(config: Config, *, binary: Optional[PathString]) -> PathString:
- tools = (
- not binary
- or not (path := config.find_binary(binary))
- or not any(path.is_relative_to(d) for d in config.extra_search_paths)
- )
-
+def python_binary(config: Config) -> PathString:
# If there's no tools tree, prefer the interpreter from MKOSI_INTERPRETER. If there is a tools
# tree, just use the default python3 interpreter.
exe = Path(sys.executable)
- return "python3" if (tools and config.tools_tree) or not exe.is_relative_to("/usr") else exe
+ return "python3" if config.tools_tree or not exe.is_relative_to("/usr") else exe
def extract_pe_section(context: Context, binary: Path, section: str, output: Path) -> Path:
with open(output, "wb") as f:
result = run(
- [python_binary(context.config, binary=None)],
+ [python_binary(context.config)],
input=pefile,
stdout=f,
sandbox=context.sandbox(
- binary=python_binary(context.config, binary=None),
options=["--ro-bind", binary, workdir(binary)],
),
success_exit_status=(0, 67),
workdir(context.staging / context.config.output_with_format),
],
sandbox=context.sandbox(
- binary=setup,
options=[
"--bind", directory, "/grub",
"--bind", context.staging, workdir(context.staging),
"-in", workdir(certificate),
],
stdout=subprocess.PIPE,
- sandbox=context.sandbox(binary="openssl", options=["--ro-bind", certificate, workdir(certificate)]),
+ sandbox=context.sandbox(options=["--ro-bind", certificate, workdir(certificate)]),
).stdout # fmt: skip
for line in output.splitlines():
cmdline,
stdout=stdout,
env={**config.environment, **env},
- sandbox=config.sandbox(binary=cmdline[0], options=options, devices=devices),
+ sandbox=config.sandbox(options=options, devices=devices),
)
assert certificate
stdout=stdout,
env={**config.environment, **env},
sandbox=config.sandbox(
- binary=cmd[0],
options=opt,
devices=(
devices
],
stdout=f,
sandbox=context.sandbox(
- binary="openssl",
options=[
"--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key),
"--ro-bind", context.config.secure_boot_certificate, workdir(context.config.secure_boot_certificate), # noqa: E501
"-d", workdir(context.workspace / "pesign"),
],
sandbox=context.sandbox(
- binary="pk12util",
options=[
"--ro-bind", context.workspace / "secure-boot.p12", workdir(context.workspace / "secure-boot.p12"), # noqa: E501
"--ro-bind", context.workspace / "pesign", workdir(context.workspace / "pesign"),
),
env=context.config.environment,
sandbox=context.sandbox(
- binary="sbsign",
options=options,
devices=context.config.secure_boot_key_source.type != KeySourceType.file,
),
),
env=context.config.environment,
sandbox=context.sandbox(
- binary="pesign",
options=[
"--ro-bind", context.workspace / "pesign", workdir(context.workspace / "pesign"),
"--ro-bind", input, workdir(input),
"-out", workdir(context.workspace / "mkosi.der"),
],
sandbox=context.sandbox(
- binary="openssl",
options=[
"--ro-bind",
context.config.secure_boot_certificate,
workdir(context.workspace / "mkosi.der"),
],
sandbox=context.sandbox(
- binary="sbsiglist",
options=[
"--bind", context.workspace, workdir(context.workspace),
"--ro-bind", context.workspace / "mkosi.der", workdir(context.workspace / "mkosi.der"), # noqa: E501
else subprocess.DEVNULL
),
sandbox=context.sandbox(
- binary="sbvarsign",
options=options,
devices=context.config.secure_boot_key_source.type != KeySourceType.file,
),
env=os.environ | config.environment,
log=False,
sandbox=config.sandbox(
- binary="systemd-repart",
devices=True,
network=True,
relaxed=True,
secret: bool = False,
absolute: bool = False,
directory: bool = False,
+ exclude: Sequence[PathString] = (),
constants: Sequence[str] = (),
) -> Path:
if value in constants:
if absolute and not path.is_absolute():
die(f"{value} must be an absolute path")
+ for e in exclude:
+ if path.is_relative_to(e):
+ die(f"{path} can not be relative to {e}")
+
if resolve:
path = path.resolve()
expanduser: bool = True,
expandvars: bool = True,
secret: bool = False,
+ exclude: Sequence[PathString] = (),
constants: Sequence[str] = (),
) -> Callable[[str], Path]:
return functools.partial(
expanduser=expanduser,
expandvars=expandvars,
secret=secret,
+ exclude=exclude,
constants=constants,
)
def sandbox(
self,
*,
- binary: Optional[PathString],
network: bool = False,
devices: bool = False,
relaxed: bool = False,
setup: Sequence[PathString] = (),
) -> AbstractContextManager[list[PathString]]:
opt: list[PathString] = [*options]
+
if not relaxed:
+ opt += flatten(("--ro-bind", d, d) for d in self.extra_search_paths)
+
if p := self.proxy_peer_certificate:
opt += ["--ro-bind", os.fspath(p), "/proxy.cacert"]
if p := self.proxy_client_certificate:
if p := self.proxy_client_key:
opt += ["--ro-bind", os.fspath(p), "/proxy.clientkey"]
- if (
- binary
- and (path := self.find_binary(binary, tools=tools))
- and any(path.is_relative_to(d) for d in self.extra_search_paths)
- ):
- tools = False
- opt += flatten(("--ro-bind", d, d) for d in self.extra_search_paths if not relaxed)
-
return sandbox_cmd(
network=network,
devices=devices,
long="--extra-search-path",
metavar="PATH",
section="Build",
- parse=config_make_list_parser(delimiter=",", parse=make_path_parser()),
+ parse=config_make_list_parser(delimiter=",", parse=make_path_parser(exclude=["/usr"])),
help="List of comma-separated paths to look for programs before looking in PATH",
scope=SettingScope.universal,
),
policy = run(
["sh", "-c", f". {workdir(selinux)} && echo $SELINUXTYPE"],
- sandbox=config.sandbox(binary="sh", options=["--ro-bind", selinux, workdir(selinux)]),
+ sandbox=config.sandbox(options=["--ro-bind", selinux, workdir(selinux)]),
stdout=subprocess.PIPE,
).stdout.strip()
if not policy:
run(
[*tool, "--version"],
stdout=subprocess.PIPE,
- sandbox=sandbox(binary=tool[-1]),
+ sandbox=sandbox(),
)
.stdout.split()[2]
.strip("()")
def sandbox(
self,
*,
- binary: Optional[PathString],
network: bool = False,
devices: bool = False,
scripts: Optional[Path] = None,
options: Sequence[PathString] = (),
) -> AbstractContextManager[list[PathString]]:
return self.config.sandbox(
- binary=binary,
network=network,
devices=devices,
scripts=scripts,
url,
],
sandbox=config.sandbox(
- binary="curl",
network=True,
options=["--bind", output_dir, workdir(output_dir), *finalize_crypto_mounts(config)],
),
["dpkg-deb", "--fsys-tarfile", "/dev/stdin"],
stdin=i,
stdout=o,
- sandbox=context.sandbox(binary="dpkg-deb"),
+ sandbox=context.sandbox(),
)
extract_tar(
Path(o.name),
f"/{candidate}.dpkg",
f"/{candidate}",
],
- sandbox=context.sandbox(
- binary="dpkg-divert", options=["--bind", context.root, "/buildroot"]
- ),
+ sandbox=context.sandbox(options=["--bind", context.root, "/buildroot"]),
)
newosrelease.rename(osrelease)
*(key.removeprefix("file://") for key in gpgkeys),
],
sandbox=context.sandbox(
- binary="rpm",
options=[
"--bind", context.root, "/buildroot",
*finalize_crypto_mounts(context.config),
options: Sequence[PathString] = (),
) -> AbstractContextManager[list[PathString]]:
return context.sandbox(
- binary=cls.executable(context.config),
network=True,
options=[
"--bind", context.root, "/buildroot",
*(d.name for glob in PACKAGE_GLOBS for d in context.repository.glob(glob) if "deb" in glob),
],
sandbox=context.sandbox(
- binary="reprepro",
options=[
"--bind", context.repository, workdir(context.repository),
"--chdir", workdir(context.repository),
def createrepo(cls, context: Context) -> None:
run(
["createrepo_c", workdir(context.repository)],
- sandbox=context.sandbox(
- binary="createrepo_c", options=["--bind", context.repository, workdir(context.repository)]
- ),
+ sandbox=context.sandbox(options=["--bind", context.repository, workdir(context.repository)]),
)
(context.sandbox_tree / "etc/yum.repos.d/mkosi-local.repo").write_text(
key=lambda p: GenericVersion(Path(p).name),
),
],
- sandbox=context.sandbox(
- binary="repo-add",
- options=["--bind", context.repository, workdir(context.repository)],
- ),
+ sandbox=context.sandbox(options=["--bind", context.repository, workdir(context.repository)]),
)
(context.sandbox_tree / "etc/mkosi-local.conf").write_text(
plugindir = Path(
run(
["rpm", "--eval", "%{__plugindir}"],
- sandbox=context.sandbox(binary="rpm"),
+ sandbox=context.sandbox(),
stdout=subprocess.PIPE,
).stdout.strip()
)
def createrepo(cls, context: Context) -> None:
run(
["createrepo_c", workdir(context.repository)],
- sandbox=context.sandbox(
- binary="createrepo_c",
- options=["--bind", context.repository, workdir(context.repository)],
- ),
+ sandbox=context.sandbox(options=["--bind", context.repository, workdir(context.repository)]),
)
(context.sandbox_tree / "etc/zypp/repos.d/mkosi-local.repo").write_text(
],
stdout=subprocess.PIPE,
sandbox=(
- self.context.sandbox(binary="rpm", options=["--ro-bind", self.context.root, "/buildroot"])
+ self.context.sandbox(options=["--ro-bind", self.context.root, "/buildroot"])
),
) # fmt: skip
],
stdout=subprocess.PIPE,
stderr=subprocess.DEVNULL,
- sandbox=self.context.sandbox(
- binary="rpm",
- options=["--ro-bind", self.context.root, "/buildroot"],
- ),
+ sandbox=self.context.sandbox(options=["--ro-bind", self.context.root, "/buildroot"]),
)
changelog = c.stdout.strip()
source = SourcePackageManifest(srpm, changelog)
"--showformat", r"${Package}\t${source:Package}\t${Version}\t${Architecture}\t${Installed-Size}\t${db-fsys:Last-Modified}\n", # noqa: E501
],
stdout=subprocess.PIPE,
- sandbox=self.context.sandbox(
- binary="dpkg-query",
- options=["--ro-bind", self.context.root, "/buildroot"],
- ),
+ sandbox=self.context.sandbox(options=["--ro-bind", self.context.root, "/buildroot"]),
) # fmt: skip
packages = sorted(c.stdout.splitlines())
["systemd-repart", "--json=short", workdir(image, sandbox)],
stdout=subprocess.PIPE,
stderr=subprocess.DEVNULL,
- sandbox=sandbox(binary="systemd-repart", options=["--ro-bind", image, workdir(image, sandbox)]),
+ sandbox=sandbox(options=["--ro-bind", image, workdir(image, sandbox)]),
).stdout
)
return [Partition.from_dict(d) for d in output]
type = run(
["bootctl", "kernel-identify", workdir(path)],
stdout=subprocess.PIPE,
- sandbox=config.sandbox(binary="bootctl", options=["--ro-bind", path, workdir(path)]),
+ sandbox=config.sandbox(options=["--ro-bind", path, workdir(path)]),
).stdout.strip()
try:
vars_format: str
-def find_ovmf_firmware(config: Config, qemu: Path, firmware: QemuFirmware) -> Optional[OvmfConfig]:
+def find_ovmf_firmware(config: Config, firmware: QemuFirmware) -> Optional[OvmfConfig]:
if not firmware.is_uefi():
return None
- tools = Path("/") if any(qemu.is_relative_to(d) for d in config.extra_search_paths) else config.tools()
-
- desc = list((tools / "usr/share/qemu/firmware").glob("*"))
- if tools == Path("/"):
- desc += list((tools / "etc/qemu/firmware").glob("*"))
+ desc = list((config.tools() / "usr/share/qemu/firmware").glob("*"))
+ if config.tools() == Path("/"):
+ desc += list((config.tools() / "etc/qemu/firmware").glob("*"))
arch = config.architecture.to_qemu()
machine = config.architecture.default_qemu_machine()
logging.debug(f"Using {p.name} firmware description")
return OvmfConfig(
- description=Path("/") / p.relative_to(tools),
+ description=Path("/") / p.relative_to(config.tools()),
firmware=Path(j["mapping"]["executable"]["filename"]),
format=j["mapping"]["executable"]["format"],
vars=Path(j["mapping"]["nvram-template"]["filename"]),
"sha256",
"--config", "/dev/null",
],
- sandbox=config.sandbox(
- binary="swtpm_setup",
- options=["--bind", state, workdir(Path(state))],
- ),
+ sandbox=config.sandbox(options=["--bind", state, workdir(Path(state))]),
stdout=None if ARG_DEBUG.get() else subprocess.DEVNULL,
) # fmt: skip
cmdline,
pass_fds=(sock.fileno(),),
sandbox=config.sandbox(
- binary="swtpm",
options=["--bind", state, workdir(Path(state))],
setup=scope_cmd(
name=f"mkosi-swtpm-{config.machine_or_name()}",
if path:
cmdline += ["--path"]
- return run(
- cmdline, stdout=subprocess.PIPE, sandbox=config.sandbox(binary="systemd-escape")
- ).stdout.strip()
+ return run(cmdline, stdout=subprocess.PIPE, sandbox=config.sandbox()).stdout.strip()
@contextlib.contextmanager
# features.
preexec_fn=become_root_in_subuid_range if not scope and not uidmap else None,
sandbox=config.sandbox(
- binary=virtiofsd,
options=[
"--bind", directory, workdir(directory),
*(["--become-root"] if uidmap else []),
["chattr", "+C", workdir(path)],
check=False,
stderr=subprocess.DEVNULL if not ARG_DEBUG.get() else None,
- sandbox=config.sandbox(binary="chattr", options=["--bind", path, workdir(path)]),
+ sandbox=config.sandbox(options=["--bind", path, workdir(path)]),
)
],
pass_fds=(sockfd,),
sandbox=config.sandbox(
- binary=bin,
options=[
"--bind", config.forward_journal.parent, workdir(config.forward_journal.parent),
"--ro-bind", f.name, "/etc/systemd/journal-remote.conf",
if config.output_format in (OutputFormat.disk, OutputFormat.esp):
attr = run(
["lsattr", "-l", workdir(src)],
- sandbox=config.sandbox(binary="lsattr", options=["--ro-bind", src, workdir(src)]),
+ sandbox=config.sandbox(options=["--ro-bind", src, workdir(src)]),
stdout=subprocess.PIPE,
).stdout
run(
[binary, "--version"],
stdout=subprocess.PIPE,
- sandbox=config.sandbox(binary=binary),
+ sandbox=config.sandbox(),
).stdout.split()[3]
)
run(
[f"mkfs.{fs}", "-L", "scratch", *extra.split(), workdir(Path(scratch.name))],
stdout=subprocess.DEVNULL,
- sandbox=config.sandbox(
- binary=f"mkfs.{fs}",
- options=["--bind", scratch.name, workdir(Path(scratch.name))],
- ),
+ sandbox=config.sandbox(options=["--bind", scratch.name, workdir(Path(scratch.name))]),
)
yield Path(scratch.name)
"--loglevel", "WARNING",
],
sandbox=config.sandbox(
- binary=qemu,
options=[
"--bind", ovmf_vars.name, workdir(Path(ovmf_vars.name)),
"--ro-bind", ovmf.vars, workdir(ovmf.vars),
),
) # fmt: skip
else:
- tools = (
- Path("/") if any(qemu.is_relative_to(d) for d in config.extra_search_paths) else config.tools()
- )
vars = (
- tools / ovmf.vars.relative_to("/")
+ config.tools() / ovmf.vars.relative_to("/")
if config.qemu_firmware_variables == Path("microsoft") or not config.qemu_firmware_variables
else config.qemu_firmware_variables
)
"--offline=yes",
workdir(image),
],
- sandbox=config.sandbox(binary="systemd-repart", options=["--bind", image, workdir(image)]),
+ sandbox=config.sandbox(options=["--bind", image, workdir(image)]),
) # fmt: skip
], # fmt: skip
foreground=False,
env=os.environ | config.environment,
- sandbox=config.sandbox(binary="busctl", relaxed=True),
+ sandbox=config.sandbox(relaxed=True),
# systemd-machined might not be installed so let's ignore any failures unless running in debug mode.
check=ARG_DEBUG.get(),
stderr=None if ARG_DEBUG.get() else subprocess.DEVNULL,
"or provide a -kernel argument to mkosi qemu"
)
- ovmf = find_ovmf_firmware(config, qemu, firmware)
+ ovmf = find_ovmf_firmware(config, firmware)
# A shared memory backend might increase ram usage so only add one if actually necessary for virtiofsd.
shm = []
workdir(fname),
], # fmt: skip
sandbox=config.sandbox(
- binary="systemd-repart",
options=[
"--bind", fname.parent, workdir(fname.parent),
"--ro-bind", src, workdir(src),
env=os.environ | config.environment,
foreground=True,
sandbox=config.sandbox(
- binary=qemu,
network=True,
devices=True,
relaxed=True,
env=os.environ | config.environment,
log=False,
sandbox=config.sandbox(
- binary="ssh",
network=True,
devices=True,
relaxed=True,
but the `mkosi.tools/` directory is found in the local directory it is
automatically used for this purpose with the root directory as target.
- Note if a binary is found in any of the paths configured with
- `ExtraSearchPaths=`, the binary will be executed on the host.
+ Note that binaries found in any of the paths configured with
+ `ExtraSearchPaths=` will be executed with `/usr/` from the tools
+ tree instead of from the host. If the host distribution or release
+ does not match the tools tree distribution or release respectively,
+ this might result in failures when trying to execute binaries from
+ any of the extra search paths.
If set to `default`, mkosi will automatically add an extra tools tree
image and use it as the tools tree.
def __call__(
self,
*,
- binary: Optional[PathString],
options: Sequence[PathString] = (),
) -> AbstractContextManager[list[PathString]]: ...
def nosandbox(
*,
- binary: Optional[PathString],
options: Sequence[PathString] = (),
) -> AbstractContextManager[list[PathString]]:
return contextlib.nullcontext([])
env=os.environ | config.environment,
log=False,
sandbox=config.sandbox(
- binary=sysupdate,
devices=True,
network=True,
relaxed=True,
return GenericVersion(
run(
["cp", "--version"],
- sandbox=sandbox(binary="cp"),
+ sandbox=sandbox(),
stdout=subprocess.PIPE,
)
.stdout.splitlines()[0]
if use_subvolumes != ConfigFeature.disabled:
result = run(
["btrfs", "subvolume", "create", workdir(path, sandbox)],
- sandbox=sandbox(binary="btrfs", options=["--bind", path.parent, workdir(path.parent, sandbox)]),
+ sandbox=sandbox(options=["--bind", path.parent, workdir(path.parent, sandbox)]),
check=use_subvolumes == ConfigFeature.enabled,
).returncode
else:
if src.is_dir():
cmdline += ["--no-target-directory"]
- run(cmdline, sandbox=sandbox(binary="cp", options=options))
+ run(cmdline, sandbox=sandbox(options=options))
# Subvolumes always have inode 256 so we can use that to check if a directory is a subvolume.
if (
result = run(
["btrfs", "subvolume", "snapshot", workdir(src, sandbox), workdir(dst, sandbox)],
check=use_subvolumes == ConfigFeature.enabled,
- sandbox=sandbox(binary="btrfs", options=options),
+ sandbox=sandbox(options=options),
).returncode
if result != 0:
["btrfs", "subvolume", "delete", *(workdir(p, sandbox) for p in subvolumes)],
check=False,
sandbox=sandbox(
- binary="btrfs",
options=flatten(("--bind", p.parent, workdir(p.parent, sandbox)) for p in subvolumes),
),
stdout=subprocess.DEVNULL if not ARG_DEBUG.get() else None,
run(
["rm", "-rf", "--", *(workdir(p, sandbox) for p in filtered)],
sandbox=sandbox(
- binary="rm",
options=flatten(("--bind", p.parent, workdir(p.parent, sandbox)) for p in filtered),
),
)
env=os.environ | config.environment,
log=False,
sandbox=config.sandbox(
- binary=cmdline[0],
network=True,
devices=True,
relaxed=True,
projects / thirdparty / mkosi.git / commitdiff
