From 2f06efa6cb903da8ca1179efff2ac386d43fc206 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Fri, 20 Dec 2024 12:35:06 +0100
Subject: [PATCH] Run ssh and ssh-keygen as fake root

We can't always resolve the current user in the sandbox which ssh insists on being able to do so let's become root which is always resolvable.
---
 mkosi/qemu.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index ea993e9b6..f17620bf8 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -860,8 +860,9 @@ def finalize_credentials(config: Config) -> dict[str, str]:
 ["ssh-keygen", "-f", "/dev/stdin", "-i", "-m", "PKCS8"],
 input=pubkey,
 stdout=subprocess.PIPE,
- # ssh-keygen needs to be able to resolve the current user.
- sandbox=config.sandbox(options=["--ro-bind", "/etc", "/etc", "--ro-bind", "/run", "/run"]),
+ # ssh-keygen insists on being able to resolve the current user which doesn't always work
+ # (think sssd or similar) so let's switch to root which is always resolvable.
+ sandbox=config.sandbox(options=["--become-root", "--ro-bind", "/etc/passwd", "/etc/passwd"]),
 ).stdout.strip()
 creds["ssh.authorized_keys.root"] = sshpubkey
 elif config.ssh:
@@ -1459,6 +1460,8 @@ def run_ssh(args: Args, config: Config) -> None:
 network=True,
 devices=True,
 relaxed=True,
- options=["--same-dir"],
+ # ssh insists on being able to resolve the current user which doesn't always work (think sssd or
+ # similar) so let's switch to root which is always resolvable.
+ options=["--same-dir", "--become-root"],
 ),
 )
-- 
2.47.2
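Review bot: The new comment on the `sandbox=` argument of the ssh-keygen call explains `--become-root` but not the `/etc/passwd` bind, which is what lets uid 0 resolve to a name inside the sandbox. I would add a line such as `# /etc/passwd is the only bind this call adds; it supplies the uid 0 entry that --become-root relies on.` so that a later cleanup neither drops the bind nor widens it back to `/etc` and `/run`. "Always resolvable" presumably assumes the host's /etc/passwd carries a uid 0 entry, which is worth stating in the same comment. finalize_credentials starts and ends outside the hunk, so how a failing ssh-keygen is handled before the result is stored in `ssh.authorized_keys.root` cannot be seen from here.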
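Review bot: Adding `--become-root` to `options=` in the run_ssh sandbox changes more than name resolution: ssh takes its default login name and the location of per-user config, known_hosts and identity files from the passwd entry of the uid it runs as, so inside this sandbox those defaults become root's rather than the invoking user's. The ssh command line is built outside the hunk, so it is not visible whether it already pins the login name, key and config explicitly; if it does, the comment should record that dependency, e.g. `# As fake root, ssh's default user and ~/.ssh paths are root's, so the command must pin user, key and config.` run_ssh starts above the hunk.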