From: Daan De Meyer Date: Tue, 9 Dec 2025 21:54:03 +0000 (+0100) Subject: Move setup argument to run() instead of sandbox_cmd() X-Git-Tag: v26~14^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=adf3ba86bf8e59c09adc62a5bbfeedafcf7315e4;p=thirdparty%2Fmkosi.git Move setup argument to run() instead of sandbox_cmd() It's a bit up in the air whether this belongs in sandbox_cmd() or spawn() but let's move it to spawn since it shouldn't be impossible to have a setup command without having sandbox. --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 008cc28c6..06ce4ec28 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -4250,8 +4250,8 @@ def run_shell(args: Args, config: Config) -> None: network=True, devices=True, options=["--bind", fname, workdir(fname)], - setup=become_root_cmd(), ), + setup=become_root_cmd(), ) # fmt: skip if config.output_format == OutputFormat.directory: @@ -4355,8 +4355,8 @@ def run_shell(args: Args, config: Config) -> None: network=True, relaxed=True, options=["--same-dir"], - setup=become_root_cmd(), ), + setup=become_root_cmd(), ) @@ -4395,8 +4395,8 @@ def run_systemd_tool(tool: str, args: Args, config: Config) -> None: network=True, devices=config.output_format == OutputFormat.disk, relaxed=True, - setup=become_root_cmd() if need_root else [], ), + setup=become_root_cmd() if need_root else [], ) @@ -4435,8 +4435,8 @@ def start_storage_target_mode(config: Config) -> AbstractContextManager[Optional network=True, relaxed=True, options=["--chdir", config.output_dir_or_cwd()], - setup=become_root_cmd(), ), + setup=become_root_cmd(), ) diff --git a/mkosi/burn.py b/mkosi/burn.py index 51f77e737..d1233133f 100644 --- a/mkosi/burn.py +++ b/mkosi/burn.py @@ -45,6 +45,6 @@ def run_burn(args: Args, config: Config) -> None: network=True, relaxed=True, options=["--same-dir"], - setup=become_root_cmd(), ), + setup=become_root_cmd(), ) diff --git a/mkosi/config.py b/mkosi/config.py index 8bf11c8e2..485fb794f 100644 --- a/mkosi/config.py +++ b/mkosi/config.py @@ -2490,7 +2490,6 @@ class Config: scripts: Optional[Path] = None, overlay: Optional[Path] = None, options: Sequence[PathString] = (), - setup: Sequence[PathString] = (), ) -> AbstractContextManager[list[PathString]]: opt: list[PathString] = [*options] @@ -2512,7 +2511,6 @@ class Config: tools=self.tools() if tools else Path("/"), overlay=overlay, options=opt, - setup=setup, extra=self.extra_search_paths, ) diff --git a/mkosi/qemu.py b/mkosi/qemu.py index 9d8dc632e..4d1bec156 100644 --- a/mkosi/qemu.py +++ b/mkosi/qemu.py @@ -296,12 +296,10 @@ def start_swtpm(config: Config) -> Iterator[Path]: with spawn( cmdline, pass_fds=(sock.fileno(),), - sandbox=config.sandbox( - options=["--bind", state, workdir(Path(state))], - setup=scope_cmd( - name=f"mkosi-swtpm-{config.machine_or_name()}", - description=f"swtpm for {config.machine_or_name()}", - ), + sandbox=config.sandbox(options=["--bind", state, workdir(Path(state))]), + setup=scope_cmd( + name=f"mkosi-swtpm-{config.machine_or_name()}", + description=f"swtpm for {config.machine_or_name()}", ), ) as proc: yield path @@ -422,11 +420,8 @@ def start_virtiofsd( "--bind", directory, workdir(directory), *(["--become-root"] if uidmap else []), ], - setup=( - scope + - (become_root_in_subuid_range_cmd() if scope and not uidmap else []) - ), ), + setup=scope + (become_root_in_subuid_range_cmd() if scope and not uidmap else []), ) as proc: # fmt: skip yield path proc.terminate() @@ -540,8 +535,8 @@ def start_journal_remote(config: Config, sockfd: int) -> Iterator[None]: "--ro-bind", f.name, "/etc/systemd/journal-remote.conf", "--pack-fds", ], - setup=scope, ), + setup=scope, user=user if not scope else None, group=group if not scope else None, ) as proc: # fmt: skip @@ -1525,12 +1520,12 @@ def run_qemu(args: Args, config: Config) -> None: devices=True, relaxed=True, options=["--same-dir", "--suspend"], - setup=scope_cmd( - name=name, - description=f"mkosi Virtual Machine {name}", - properties=config.unit_properties, - environment=False, - ), + ), + setup=scope_cmd( + name=name, + description=f"mkosi Virtual Machine {name}", + properties=config.unit_properties, + environment=False, ), ) as proc: # We have to close these before we wait for qemu otherwise we'll deadlock as qemu will never diff --git a/mkosi/run.py b/mkosi/run.py index 30d710356..0a4b6b843 100644 --- a/mkosi/run.py +++ b/mkosi/run.py @@ -141,6 +141,7 @@ def run( env: Mapping[str, str] = {}, log: bool = True, success_exit_status: Sequence[int] = (0,), + setup: Sequence[PathString] = (), sandbox: AbstractContextManager[Sequence[PathString]] = contextlib.nullcontext([]), ) -> CompletedProcess: if input is not None: @@ -156,6 +157,7 @@ def run( env=env, log=log, success_exit_status=success_exit_status, + setup=setup, sandbox=sandbox, ) as process: out, err = process.communicate(input) @@ -177,6 +179,7 @@ def spawn( log: bool = True, preexec: Optional[Callable[[], None]] = None, success_exit_status: Sequence[int] = (0,), + setup: Sequence[PathString] = (), sandbox: AbstractContextManager[Sequence[PathString]] = contextlib.nullcontext([]), ) -> Iterator[Popen]: cmd = [os.fspath(x) for x in cmdline] @@ -214,7 +217,7 @@ def spawn( try: proc = subprocess.Popen( - [*prefix, *cmdline], + [*setup, *prefix, *cmdline], stdin=stdin, stdout=stdout, stderr=stderr, @@ -246,10 +249,12 @@ def spawn( if log: log_process_failure(prefix, cmd, returncode) if ARG_DEBUG_SHELL.get(): + # --suspend will freeze the debug shell with no way to unfreeze it so strip it from the + # sandbox if it's there. + if "--suspend" in prefix: + prefix.remove("--suspend") subprocess.run( - # --suspend will freeze the debug shell with no way to unfreeze it so strip it from the - # sandbox if it's there. - [s for s in prefix if s != "--suspend"] + ["bash"], + [*setup, *prefix, "bash"], check=False, stdin=sys.stdin, text=True, @@ -470,7 +475,6 @@ def sandbox_cmd( relaxed: bool = False, overlay: Optional[Path] = None, options: Sequence[PathString] = (), - setup: Sequence[PathString] = (), extra: Sequence[Path] = (), ) -> Iterator[list[PathString]]: assert not (overlay and relaxed) @@ -479,7 +483,6 @@ def sandbox_cmd( module = stack.enter_context(resource_path(sys.modules[__package__ or __name__])) cmdline: list[PathString] = [ - *setup, *(["strace", "--detach-on=execve"] if ARG_DEBUG_SANDBOX.get() else []), sys.executable, "-SI", module / "sandbox.py", "--proc", "/proc", diff --git a/mkosi/sysupdate.py b/mkosi/sysupdate.py index 91f273bf6..ddfd0b3c2 100644 --- a/mkosi/sysupdate.py +++ b/mkosi/sysupdate.py @@ -84,7 +84,6 @@ def run_sysupdate(args: Args, config: Config) -> None: devices=True, network=True, relaxed=True, - setup=become_root_cmd(), options=[ *(["--bind", "/boot", "/boot"] if Path("/boot").exists() else []), *(["--bind", "/efi", "/efi"] if Path("/efi").exists() else []), @@ -101,4 +100,5 @@ def run_sysupdate(args: Args, config: Config) -> None: "--same-dir", ], ), + setup=become_root_cmd(), ) # fmt: skip