From: Daan De Meyer Date: Fri, 22 Dec 2023 14:29:06 +0000 (+0100) Subject: Mount entire /etc from package manager tree into sandbox X-Git-Tag: v20~36^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6fe5a0b7f0293c351545e3b440ab23bdfd4878c;p=thirdparty%2Fmkosi.git Mount entire /etc from package manager tree into sandbox Instead of mounting individual directories, let's just mount the entire /etc into the sandbox. This allows any tool we run through the sandbox to pick up configuration from the package manager tree without having to add explicit support for it in mkosi. This also removes our special casing for uki.conf. ukify will now pick up its configuration from its canonical location just like all the other tools. --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 1bf5db032..c0f60dda2 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -1299,6 +1299,9 @@ def install_package_manager_trees(state: MkosiState) -> None: for tree in state.config.package_manager_trees: install_tree(state, tree.source, state.workspace / "pkgmngr", tree.target) + # Ensure /etc exists in the package manager tree + (state.pkgmngr / "etc").mkdir(exist_ok=True) + def install_extra_trees(state: MkosiState) -> None: if not state.config.extra_trees: @@ -1553,11 +1556,6 @@ def build_uki( for p in state.config.extra_search_paths: cmd += ["--tools", p] - for d in ("etc/kernel", "usr/lib/kernel"): - uki_config = state.pkgmngr / d / "uki.conf" - if uki_config.exists(): - cmd += ["--config", uki_config] - if state.config.secure_boot: assert state.config.secure_boot_key assert state.config.secure_boot_certificate diff --git a/mkosi/bubblewrap.py b/mkosi/bubblewrap.py index 937c60f7c..006141625 100644 --- a/mkosi/bubblewrap.py +++ b/mkosi/bubblewrap.py 
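Review bot: `(state.pkgmngr / "etc").mkdir(exist_ok=True)` still raises `FileNotFoundError` when `state.pkgmngr` itself does not exist yet, and `FileExistsError` when a package manager tree ships `etc` as something other than a directory. If the function starts with an early return on an empty `package_manager_trees`, as `install_extra_trees` below does, the new line is skipped exactly when no tree is configured, and the `--bind` of `state.pkgmngr / "etc"` added in bubblewrap.py then has no source; the function head is outside the hunk, so this needs checking. `mkdir(parents=True, exist_ok=True)`, placed where `state.pkgmngr` is set up rather than after the loop, would make the mount source unconditional. A comment should also say why the directory must exist, e.g. `# bubblewrap binds this directory over /etc, so it must exist even with no package manager trees`.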
@@ -36,25 +36,6 @@ def have_effective_cap(capability: Capability) -> bool: def finalize_mounts(state: MkosiState) -> list[str]: mounts = [ - (state.pkgmngr / subdir, Path("/") / subdir, True) - for subdir in ( - Path("etc/apt"), - Path("etc/rpm"), - Path("etc/dnf"), - Path("etc/pacman.conf"), - Path("etc/pacman.d"), - Path("etc/zypp"), - Path("etc/yum.repos.d"), - ) - if (state.pkgmngr / subdir).exists() - ] - - dirs = [ - "/var/log/apt", - "/var/lib/dnf", - ] - - mounts += [ ((state.config.tools_tree or Path("/")) / subdir, Path("/") / subdir, True) for subdir in ( Path("etc/pki"), @@ -79,7 +60,7 @@ def finalize_mounts(state: MkosiState) -> list[str]: ["--ro-bind" if readonly else "--bind", os.fspath(src), os.fspath(target)] for src, target, readonly in sorted(set(mounts), key=lambda s: s[1]) - ) + flatten(["--dir", d] for d in dirs) + ) def bwrap( @@ -102,6 +83,9 @@ def bwrap( "bwrap", "--ro-bind", "/usr", "/usr", "--ro-bind-try", "/nix/store", "/nix/store", + # This mount is writable so bwrap can create extra directories or symlinks inside of it as needed. This isn't a + # problem as the package manager directory is created by mkosi and thrown away when the build finishes. + "--bind", state.pkgmngr / "etc", "/etc", "--bind", "/var/tmp", "/var/tmp", "--bind", "/tmp", "/tmp", "--bind", Path.cwd(), Path.cwd(), diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py index 525a38089..9ccf001e2 100644 --- a/mkosi/installer/apt.py +++ b/mkosi/installer/apt.py @@ -69,6 +69,7 @@ def apt_cmd(state: MkosiState, command: str) -> list[PathString]: "-o", f"Dir::State={state.cache_dir / 'apt'}", "-o", f"Dir::State::Status={state.root / 'var/lib/dpkg/status'}", "-o", f"Dir::Etc::Trusted={trustedkeys}", + "-o", f"Dir::Log={state.workspace}", "-o", f"Dir::Bin::DPkg={shutil.which('dpkg')}", "-o", "Debug::NoLocking=true", "-o", f"DPkg::Options::=--root={state.root}", diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md index ea55abf75..ba2ba02fc 100644 
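Review bot: Removing the `dirs` list here, together with its `--dir` consumer in the `@@ -79,7 +60,7 @@` hunk, drops the creation of `/var/lib/dnf` inside the sandbox as well as `/var/log/apt`, and only the apt half is compensated by the new `Dir::Log` option in installer/apt.py. Unless dnf's state directory is redirected elsewhere (not visible in this diff), dnf runs now depend on `/var/lib/dnf` already existing in whatever backs the sandbox's root. A short comment above the remaining `mounts` list would record the new assumption, e.g. `# Package manager state/log directories are not created here; each installer is expected to redirect them.`. finalize_mounts continues past the end of this hunk.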
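Review bot: `"--bind", state.pkgmngr / "etc", "/etc"` replaces all of /etc inside the sandbox with a directory that is empty unless a package manager tree fills it, so anything the wrapped tools read from the host's /etc and that finalize_mounts does not bind back from the tools tree (name resolution, passwd/group, CA trust beyond the visible `etc/pki` entry) is now missing; the list of re-bound subdirectories is cut off in the `@@ -36,25 +36,6 @@` hunk, so it is worth confirming it covers what apt, dnf, pacman and zypper need. The bind also fails outright when the source directory is absent, so it relies on the `mkdir` added in `install_package_manager_trees` having run first. As the bind is writable, a tool can also modify the package manager tree for the rest of the build; the new comment explains why that is acceptable, but the user-facing docs should state that this tree's /etc is what the sandbox sees. Since /usr is bound read-only from the host on the line above, a `usr/lib/kernel/uki.conf` inside the package manager tree — a location the loop removed from `build_uki` in __init__.py used to honour — is no longer found by ukify, which the commit message does not mention. The bwrap argument list continues beyond the hunk.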
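Review bot: `Dir::Log={state.workspace}` makes apt write `term.log` and `history.log` into the workspace root rather than a dedicated directory; `state.workspace / 'apt'` would keep them grouped, but only if that directory is created first, assuming apt does not create a missing log directory itself (not verified here). Whichever is chosen, the override deserves a one-line comment tying it to the removal of the `--dir /var/log/apt` entry in bubblewrap.py, e.g. `# /var/log/apt is no longer created inside the sandbox, so keep apt's logs in the workspace`. apt_cmd's option list continues on both sides of the hunk.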
--- a/mkosi/resources/mkosi.md +++ b/mkosi/resources/mkosi.md @@ -2213,11 +2213,6 @@ Note that despite the name, qemu's `-append` option replaces the default kernel commandline embedded in the kernel and any previous `-append` specifications. -`mkosi` builds a Unified Kernel Image (UKI). -Further customization, e.g. a splash image, can be applied using a configuration -for `ukify` in `/etc/kernel/uki.conf` inside the skeleton tree. -`ukify` is run from the same working directory as mkosi itself. - The UKI is also copied into the output directory and may be booted directly: ```console $ mkosi qemu -kernel mkosi.output/fedora~38/image.efi