From: Daan De Meyer Date: Mon, 8 Jan 2024 13:49:04 +0000 (+0100) Subject: Don't rely on /tmp being mounted into the sandbox X-Git-Tag: v20~6^2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8208669f045eb1806f79fb5015bec92dc266bb5;p=thirdparty%2Fmkosi.git Don't rely on /tmp being mounted into the sandbox Let's not rely on /tmp implicitly being mounted in the sandbox. --- diff --git a/mkosi/distributions/debian.py b/mkosi/distributions/debian.py index 1cc98cf63..89d89c2ff 100644 --- a/mkosi/distributions/debian.py +++ b/mkosi/distributions/debian.py @@ -109,17 +109,26 @@ class Installer(DistributionInstaller): (context.root / d).symlink_to(f"usr/{d}") (context.root / f"usr/{d}").mkdir(parents=True, exist_ok=True) + invoke_apt(context, "apt-get", "update", apivfs=False) + # Next, we invoke apt-get install to download all the essential packages. With DPkg::Pre-Install-Pkgs, # we specify a shell command that will receive the list of packages that will be installed on stdin. # By configuring Debug::pkgDpkgPm=1, apt-get install will not actually execute any dpkg commands, so # all it does is download the essential debs and tell us their full in the apt cache without actually # installing them. - with tempfile.NamedTemporaryFile(dir="/tmp", mode="r") as f: - cls.install_packages(context, [ - "-oDebug::pkgDPkgPm=1", - f"-oDPkg::Pre-Install-Pkgs::=cat >{f.name}", - "?essential", "?name(usr-is-merged)", - ], apivfs=False) + with tempfile.NamedTemporaryFile(mode="r") as f: + invoke_apt( + context, + "apt-get", + "install", + [ + "-oDebug::pkgDPkgPm=1", + f"-oDPkg::Pre-Install-Pkgs::=cat >{f.name}", + "?essential", "?name(usr-is-merged)", + ], + apivfs=False, + mounts=("--bind", f.name, f.name), + ) essential = f.read().strip().splitlines() diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py index 5be99e4a4..496e25675 100644 --- a/mkosi/installer/apt.py +++ b/mkosi/installer/apt.py 
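Review bot: In the rewritten `invoke_apt(...)` call, `f.name` is still interpolated unquoted into the `DPkg::Pre-Install-Pkgs` shell command. With `dir="/tmp"` dropped, the path now comes from Python's default temporary directory, which follows `TMPDIR`. A directory name containing whitespace or shell metacharacters would change what the `cat >` redirection does inside the sandbox, and would no longer match the path bound via `mounts=("--bind", f.name, f.name)`. Quoting keeps the command to one redirection target: `f"-oDPkg::Pre-Install-Pkgs::=cat >{shlex.quote(f.name)}",` (this needs `shlex` imported in debian.py if it is not already). The enclosing method starts and ends outside the hunk.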
@@ -96,7 +96,9 @@ def invoke_apt( command: str, operation: str, packages: Sequence[str] = (), + *, apivfs: bool = True, + mounts: Sequence[PathString] = (), ) -> None: run( apt_cmd(context, command) + [operation, *sort_packages(packages)], @@ -108,6 +110,7 @@ def invoke_apt( "--bind", context.cache_dir, context.cache_dir, "--ro-bind", context.workspace / "apt.conf", context.workspace / "apt.conf", *finalize_crypto_mounts(tools=context.config.tools()), + *mounts, ], ) + (apivfs_cmd(context.root, tools=context.config.tools()) if apivfs else []) ),
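Review bot: The new `mounts: Sequence[PathString] = ()` parameter is undocumented, and the second apt.py hunk splices it verbatim into the sandbox option list (`*mounts,`), so it accepts any flat run of sandbox arguments rather than only mounts. I would add a short comment on the parameter, e.g. `# mounts: extra sandbox options as flat triples such as ("--bind", src, dst); appended after the default mounts`. Because the entries come after the read-only `apt.conf` bind and `finalize_crypto_mounts(...)`, a caller-supplied entry could presumably shadow those if the sandbox applies options in order, so the comment should also say callers pass only paths they created themselves. Separately, the added `*,` makes `apivfs` keyword-only, so any caller passing it positionally will now fail; worth confirming none remain. The body of `invoke_apt` extends beyond both hunks.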