Make sure the private tmpfs in bwrap() doesn't hide workspace

The workspace might be in /tmp so we need to make sure we mount it
first before we mount the workspace so that the workspace is on top
of the private tmpfs.

diff --git a/mkosi/run.py b/mkosi/run.py
index 0fdab9a52c17abe99677ca3220ad5d54e8946d3a..431fb70419ad1ffa71125c01b524d30784b0d81e 100644 (file)
--- a/mkosi/run.py
+++ b/mkosi/run.py
@@ -267,6 +267,7 @@ def bwrap(
         "--ro-bind", "/var", "/var",
         "--ro-bind", "/run", "/run",
         "--bind", "/var/tmp", "/var/tmp",
+        "--tmpfs", "/tmp",
         "--bind", Path.cwd(), Path.cwd(),
         "--chdir", Path.cwd(),
         "--unshare-pid",
@@ -277,7 +278,6 @@ def bwrap(
         "--proc", "/proc",
         "--dev", "/dev",
         "--ro-bind", "/sys", "/sys",
-        "--tmpfs", "/tmp",
         "--setenv", "SYSTEMD_OFFLINE", one_zero(network),
     ]