installer: Only mount configured state subdirs into sandbox

This got lost somewhere with the countless refactorings. Let's not
mount a state directory to /var/lib unless one is configured. Most
package managers don't actually store anything there that we care
about and if we use PackageCacheDirectory=/var, we might end up mounting
too much state there, such as the pacman host db lock file.

Fixes #3985

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 8f8b98febb56144daed64f38ee6ea4165c6eb14d..b9f6e41079daea5046ab5aa83c096d4fdc89fc91 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4726,6 +4726,10 @@ def sync_repository_metadata(
     for d in ("cache", "lib"):
         (metadata_dir / d / subdir).mkdir(parents=True, exist_ok=True)
 
+    src = metadata_dir / "lib" / subdir
+    for p in last.distribution.installer.package_manager(last).state_subdirs():
+        (src / p).mkdir(parents=True, exist_ok=True)
+
     (last.package_cache_dir_or_default() / "cache" / subdir).mkdir(parents=True, exist_ok=True)
 
     # Sync repository metadata unless explicitly disabled.
@@ -4753,7 +4757,6 @@ def sync_repository_metadata(
                     context,
                     force=context.args.force > 1 or context.config.cacheonly == Cacheonly.never,
                 )
-
         src = metadata_dir / "cache" / subdir
         dst = last.package_cache_dir_or_default() / "cache" / subdir
 

diff --git a/mkosi/installer/__init__.py b/mkosi/installer/__init__.py
index 471e749bb0ecfa9375d7d70559e942f3cb0c696a..9ebec1b2c41c11114dd6b7ae9667fcafc1b2e9b0 100644 (file)
--- a/mkosi/installer/__init__.py
+++ b/mkosi/installer/__init__.py
@@ -30,7 +30,7 @@ class PackageManager:
         return []
 
     @classmethod
-    def state_subdirs(cls, state: Path) -> list[Path]:
+    def state_subdirs(cls) -> list[Path]:
         return []
 
     @classmethod
@@ -85,7 +85,12 @@ class PackageManager:
         subdir = context.config.distribution.installer.package_manager(context.config).subdir(context.config)
 
         src = context.metadata_dir / "lib" / subdir
-        mounts += ["--bind", src, Path("/var/lib") / subdir]
+        mounts += flatten(
+            ("--bind", src / state_subdir, Path("/var/lib") / subdir / state_subdir)
+            for state_subdir in context.config.distribution.installer.package_manager(
+                context.config
+            ).state_subdirs()
+        )
 
         src = context.metadata_dir / "cache" / subdir
         caches = context.config.distribution.installer.package_manager(context.config).package_subdirs(src)

diff --git a/mkosi/installer/apt.py b/mkosi/installer/apt.py
index 1cd63c2a92944f3fcd06d290d8faf236473810f2..a6338dfd27f671b091252cd8274c94f4e8d0319f 100644 (file)
--- a/mkosi/installer/apt.py
+++ b/mkosi/installer/apt.py
@@ -64,8 +64,8 @@ class Apt(PackageManager):
         return ["*.deb", "*.ddeb"]
 
     @classmethod
-    def state_subdirs(cls, state: Path) -> list[Path]:
-        return [state / "lists"]
+    def state_subdirs(cls) -> list[Path]:
+        return [Path("lists")]
 
     @classmethod
     def dpkg_cmd(cls, command: str) -> list[PathString]:

diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
index c416dfda33b6e8b9561a384b614e5a5a275babbd..ffadbb9d3b790c4feae3c377e1330a45b59ef7cb 100644 (file)
--- a/mkosi/installer/pacman.py
+++ b/mkosi/installer/pacman.py
@@ -43,8 +43,8 @@ class Pacman(PackageManager):
         return ["*.pkg.tar*"]
 
     @classmethod
-    def state_subdirs(cls, state: Path) -> list[Path]:
-        return [state / "sync"]
+    def state_subdirs(cls) -> list[Path]:
+        return [Path("sync")]
 
     @classmethod
     def scripts(cls, context: Context) -> dict[str, list[PathString]]: