# Ensure /etc exists in the package manager tree
(context.pkgmngr / "etc").mkdir(exist_ok=True)
+ # Backwards compatibility symlink.
+ (context.pkgmngr / "etc/mtab").symlink_to("../proc/self/mounts")
+
# Required to be able to access certificates in the sandbox when running from nix.
if Path("/etc/static").is_symlink():
(context.pkgmngr / "etc/static").symlink_to(Path("/etc/static").readlink())
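Review bot: The added `symlink_to` call for `etc/mtab` raises `FileExistsError` when the link is already present, while the `mkdir(exist_ok=True)` just above it tolerates an existing tree. If this setup can run more than once against the same package manager directory (not visible from this hunk), guard the call with `if not (context.pkgmngr / "etc/mtab").is_symlink():`. The comment could also say that the relative target is meant to resolve only once the directory is mounted at `/etc` in the sandbox, and presumably dangles when seen from the host path. The enclosing function starts and ends outside the hunk.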
devices=devices,
scripts=scripts,
mounts=[
- # These mounts are writable so bubblewrap can create extra directories or symlinks inside of it as
- # needed. This isn't a problem as the package manager directory is created by mkosi and thrown away
- # when the build finishes.
- *[
- Mount(self.pkgmngr / "etc" / p.name, f"/etc/{p.name}")
- for p in (self.pkgmngr / "etc").iterdir()
- ],
- *mounts,
+ # This mount is writable so bubblewrap can create extra directories or symlinks inside of it as needed.
+ # This isn't a problem as the package manager directory is created by mkosi and thrown away when the
+ # build finishes.
+ Mount(self.pkgmngr / "etc", "/etc"),
Mount(self.pkgmngr / "var/log", "/var/log"),
*([Mount(p, p, ro=True)] if (p := self.pkgmngr / "usr").exists() else []),
+ *mounts,
],
options=[
"--uid", "0",
cmdline += ["--setenv", "PATH", f"/scripts:{path}", *options]
- if not relaxed:
- cmdline += ["--symlink", "../proc/self/mounts", "/etc/mtab"]
-
# If we're using /usr from a tools tree, we have to use /etc/alternatives from the tools tree as well if it
# exists since that points directly back to /usr. Apply this after the options so the caller can mount
# something else to /etc without overriding this mount. In relaxed mode, we only do this if /etc/alternatives
cmdline += finalize_mounts(mounts)
+ if not any(Path(m.dst) == Path("/etc") for m in mounts):
+ cmdline += ["--symlink", "../proc/self/mounts", "/etc/mtab"]
+
# bubblewrap creates everything with a restricted mode so relax stuff as needed.
ops = []
if not devices and not relaxed:
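Review bot: The new condition for the `/etc/mtab` symlink no longer consults `relaxed`, which the removed guard did, and it only recognises a mount whose destination is exactly `/etc`. If relaxed mode provides `/etc` through something other than an entry in `mounts` (not visible in this hunk), bubblewrap is now asked to create the link inside an `/etc` that may already contain `mtab`. Consider `if not relaxed and not any(Path(m.dst) == Path("/etc") for m in mounts):`, or a comment stating why relaxed mode is safe here. A short comment saying that a mounted `/etc` is expected to carry its own `mtab` link would also help the next reader. The enclosing function starts and ends outside the hunk.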