From cc1fa7487339d31ae43e85228df355e95685c744 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Fri, 10 Nov 2023 11:28:00 +0100
Subject: [PATCH] Only mount over /etc/resolv.conf if network access is enabled

This allows users to mess with /etc/resolv.conf in postinst scripts without having to unmount it first.
---
 mkosi/__init__.py | 4 ++++
 mkosi/run.py | 26 +++++++++++++-------------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index f941e6321..6343595a0 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -420,6 +420,7 @@ def run_prepare_scripts(state: MkosiState, build: bool) -> None:
 helpers = {
 "mkosi-chroot": chroot_cmd(
 state.root,
+ resolve=True,
 options=[
 "--bind", script, "/work/prepare",
 "--bind", Path.cwd(), "/work/src",
@@ -482,6 +483,7 @@ def run_build_scripts(state: MkosiState) -> None:
 helpers = {
 "mkosi-chroot": chroot_cmd(
 state.root,
+ resolve=state.config.with_network,
 options=[
 "--bind", script, "/work/build-script",
 "--bind", state.install_dir, "/work/dest",
@@ -541,6 +543,7 @@ def run_postinst_scripts(state: MkosiState) -> None:
 helpers = {
 "mkosi-chroot": chroot_cmd(
 state.root,
+ resolve=state.config.with_network,
 options=[
 "--bind", script, "/work/postinst",
 "--bind", state.staging, "/work/out",
@@ -594,6 +597,7 @@ def run_finalize_scripts(state: MkosiState) -> None:
 helpers = {
 "mkosi-chroot": chroot_cmd(
 state.root,
+ resolve=state.config.with_network,
 options=[
 "--bind", script, "/work/finalize",
 "--bind", state.staging, "/work/out",
diff --git a/mkosi/run.py b/mkosi/run.py
index 51c067105..a862c9e91 100644
--- a/mkosi/run.py
+++ b/mkosi/run.py
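Review bot: The `resolve=True` passed in `run_prepare_scripts` is unconditional, while the `run_build_scripts`, `run_postinst_scripts` and `run_finalize_scripts` hunks pass `resolve=state.config.with_network`, and nothing at the call site explains the difference. If prepare scripts are always meant to run with network access (an inference, since the rest of the function is outside the hunk), record that with a comment such as `# Prepare scripts always run with network access, so always bind the host's /etc/resolv.conf.` If that is not the intent, the host resolver configuration is still bound into a script phase that the `with_network` setting does not govern, and the argument should be `state.config.with_network` like the other three.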
@@ -425,7 +425,7 @@ def apivfs_cmd(root: Path) -> list[PathString]:
 return cmdline
 
 
-def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathString]:
+def chroot_cmd(root: Path, *, resolve: bool = False, options: Sequence[PathString] = ()) -> list[PathString]:
 cmdline: list[PathString] = [
 "sh", "-c",
 # No exec here because we need to clean up the /work directory afterwards.
@@ -437,19 +437,19 @@ def chroot_cmd(root: Path, *, options: Sequence[PathString] = ()) -> list[PathSt
 "--setenv", "PATH", "/work/scripts:/usr/bin:/usr/sbin",
 ]
 
- resolve = Path("etc/resolv.conf")
- if (root / resolve).is_symlink():
- # For each component in the target path, bubblewrap will try to create it if it doesn't exist
- # yet. If a component in the path is a dangling symlink, bubblewrap will end up calling
- # mkdir(symlink) which obviously fails if multiple components of the dangling symlink path don't
- # exist yet. As a workaround, we resolve the symlink ourselves so that bubblewrap will correctly
- # create all missing components in the target path.
- resolve = resolve.parent / (root / resolve).readlink()
+ if resolve:
+ p = Path("etc/resolv.conf")
+ if (root / p).is_symlink():
+ # For each component in the target path, bubblewrap will try to create it if it doesn't exist
+ # yet. If a component in the path is a dangling symlink, bubblewrap will end up calling
+ # mkdir(symlink) which obviously fails if multiple components of the dangling symlink path don't
+ # exist yet. As a workaround, we resolve the symlink ourselves so that bubblewrap will correctly
+ # create all missing components in the target path.
+ p = p.parent / (root / p).readlink()
 
- cmdline += [
- "--ro-bind", "/etc/resolv.conf", Path("/") / resolve,
- *options,
- ]
+ cmdline += ["--ro-bind", "/etc/resolv.conf", Path("/") / p]
+
+ cmdline += [*options]
 
 if setpgid := find_binary("setpgid", root):
 cmdline += [setpgid, "--foreground", "--"]
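Review bot: The new keyword `resolve` on `chroot_cmd` defaults to `False`, so any caller not updated by this patch silently stops getting `/etc/resolv.conf` bound into the root; only the four call sites in `mkosi/__init__.py` are touched here, and whether others exist is not visible from the diff. Defaulting to off is the least-privilege direction, but the parameter is undocumented and its name does not say what is being resolved. Add a docstring line such as `"""Build the chroot command line; resolve=True read-only binds the host's /etc/resolv.conf into root."""`, and confirm that no remaining caller depended on the old always-on behaviour. The function body continues outside this hunk.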
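Review bot: The bind destination built at `p = p.parent / (root / p).readlink()` comes from a symlink inside the image tree and is handed to `--ro-bind` without normalisation or a containment check. Only one link level is resolved, so a chain of symlinks still leaves bubblewrap with the dangling-component case the comment describes, and a relative target keeps its `..` parts because `pathlib` joins do not collapse them. Since image content can come from packages or earlier scripts, normalise the joined path lexically and raise an error if the result would climb above `root`, rather than rejecting every `..` (relative targets are legitimate). Whether bubblewrap itself confines such a destination is not visible here, so treat that as something to verify. The code is carried over from the old side, but the re-indented block is a natural place to add the check; `chroot_cmd` begins above this hunk.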