From 3384ede4e7424c7ec87fbe2504a54604bd19da51 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Mon, 28 Oct 2024 21:27:30 +0100
Subject: [PATCH] Remove access to the output directory in build scripts With mkosi -t none, we can rerun the build script without cleaning the output directory. This creates an awkward situation, as the build script might create new outputs but is unable to remove previous ones, which could lead to weird situations where the output directory contains artifacts from multiple builds. Let's tighten this up by disallowing access to the output directory in build scripts. Users can still copy from the build script to the output directory by doing the copy from a post-installation script which is not invoked when we run mkosi -t none so it only runs when we've cleaned up the output directory.
---
 mkosi/__init__.py | 3 ---
 mkosi/resources/man/mkosi.1.md | 4 ++--
 mkosi/resources/man/mkosi.news.7.md | 4 ++++
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 3c5418e99..6968b80ef 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -763,8 +763,6 @@ def run_build_scripts(context: Context) -> None:
 BUILDROOT="/buildroot",
 DESTDIR="/work/dest",
 CHROOT_DESTDIR="/work/dest",
- OUTPUTDIR="/work/out",
- CHROOT_OUTPUTDIR="/work/out",
 SRCDIR="/work/src",
 CHROOT_SRCDIR="/work/src",
 PACKAGEDIR="/work/packages",
@@ -804,7 +802,6 @@ def run_build_scripts(context: Context) -> None:
 "--ro-bind", script, "/work/build-script",
 "--ro-bind", json, "/work/config.json",
 "--bind", context.install_dir, "/work/dest",
- "--bind", context.staging, "/work/out",
 "--bind", context.artifacts, "/work/artifacts",
 "--bind", context.package_dir, "/work/packages",
 *(
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index 626eccb8c..0ce926176 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
@@ -2408,8 +2408,8 @@ Consult this table for which script receives which environment variables:
 | `CHROOT_BUILDDIR` | | | | ✓ | | | | |
 | `DESTDIR` | | | | ✓ | | | | |
 | `CHROOT_DESTDIR` | | | | ✓ | | | | |
-| `OUTPUTDIR` | | | | ✓ | ✓ | ✓ | ✓ | ✓ |
-| `CHROOT_OUTPUTDIR` | | | | ✓ | ✓ | ✓ | | |
+| `OUTPUTDIR` | | | | | ✓ | ✓ | ✓ | ✓ |
+| `CHROOT_OUTPUTDIR` | | | | | ✓ | ✓ | | |
 | `BUILDROOT` | | | ✓ | ✓ | ✓ | ✓ | | |
 | `PACKAGEDIR` | | | ✓ | ✓ | ✓ | ✓ | | |
 | `ARTIFACTDIR` | | | ✓ | ✓ | ✓ | ✓ | | |
diff --git a/mkosi/resources/man/mkosi.news.7.md b/mkosi/resources/man/mkosi.news.7.md
index bffaf366d..7a00fef0e 100644
--- a/mkosi/resources/man/mkosi.news.7.md
+++ b/mkosi/resources/man/mkosi.news.7.md
@@ -74,6 +74,10 @@ tools tree when `ToolsTreeCertificates=` is set, since they aren't certificates, use a sandbox tree instead. This allows to override `SignedBy=` keys for APT repositories. - The `agetty.autologin` and `login.noauth` credentials are no longer set unconditionally. +- Access to the output directory in build scripts was removed. To put artifacts + from the build directory into the output directory, copy them from the build directory + to the output directory in a post-installation script which does have access to the build + directory and the output directory. ## v24 -- 2.47.2