Merge pull request #2986 from behrmann/nochown

sandbox: introduce the MKOSI_CHROOT_SUPPRESS_CHOWN variable
systemd · Aug 30, 2024 · 1757e44 · 1757e44
2 parents c7b9792 + 89c50da
commit 1757e44
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 29 deletions.
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -49,6 +49,7 @@
     Verb,
     Vmm,
     format_bytes,
+    parse_boolean,
     parse_config,
     summary,
     systemd_tool_version,
@@ -66,8 +67,10 @@
 from mkosi.partition import Partition, finalize_root, finalize_roothash
 from mkosi.qemu import KernelType, copy_ephemeral, run_qemu, run_ssh, start_journal_remote
 from mkosi.run import (
+    apivfs_options,
     chroot_cmd,
-    chroot_script_cmd,
+    chroot_options,
+    finalize_interpreter,
     finalize_passwd_mounts,
     find_binary,
     fork_and_wait,
@@ -567,9 +570,21 @@ def script_maybe_chroot_sandbox(
     network: bool,
 ) -> Iterator[list[PathString]]:
     options = ["--dir", "/work/src", "--chdir", "/work/src", *options]
+    suppress_chown = parse_boolean(context.config.environment.get("MKOSI_CHROOT_SUPPRESS_CHOWN", "0"))
 
     helpers = {
-        "mkosi-chroot": chroot_script_cmd(tools=bool(context.config.tools_tree), network=network, work=True),
+        "mkosi-chroot": [
+            finalize_interpreter(bool(context.config.tools_tree)), "-SI", "/sandbox.py",
+            "--bind", "/buildroot", "/",
+            "--bind", "/var/tmp", "/var/tmp",
+            *apivfs_options(root=Path("/")),
+            *chroot_options(),
+            "--bind", "/work", "/work",
+            "--chdir", "/work/src",
+            *(["--ro-bind-try", "/etc/resolv.conf", "/etc/resolv.conf"] if network else []),
+            *(["--suppress-chown"] if suppress_chown else []),
+            "--",
+        ],
         "mkosi-as-caller": mkosi_as_caller(),
         **context.config.distribution.package_manager(context.config).scripts(context),
     }
@@ -589,6 +604,9 @@ def script_maybe_chroot_sandbox(
             ) as sandbox:
                 yield sandbox
         else:
+            if suppress_chown:
+                options += ["--suppress-chown"]
+
             with chroot_cmd(
                 root=context.root,
                 network=network,

diff --git a/mkosi/installer/__init__.py b/mkosi/installer/__init__.py
@@ -6,7 +6,7 @@
 from mkosi.config import Config, ConfigFeature, OutputFormat
 from mkosi.context import Context
 from mkosi.mounts import finalize_crypto_mounts
-from mkosi.run import apivfs_options, apivfs_script_cmd, finalize_passwd_mounts, find_binary
+from mkosi.run import apivfs_options, finalize_interpreter, finalize_passwd_mounts, find_binary
 from mkosi.tree import rmtree
 from mkosi.types import PathString
 from mkosi.util import flatten, startswith
@@ -114,7 +114,15 @@ def options(cls, *, root: PathString, apivfs: bool = True) -> list[PathString]:
 
     @classmethod
     def apivfs_script_cmd(cls, context: Context) -> list[PathString]:
-        return apivfs_script_cmd(tools=bool(context.config.tools_tree), options=cls.options(root="/buildroot"))
+        return [
+            finalize_interpreter(bool(context.config.tools_tree)), "-SI", "/sandbox.py",
+            "--bind", "/", "/",
+            "--same-dir",
+            "--bind", "/var/tmp", "/buildroot/var/tmp",
+            *apivfs_options(),
+            *cls.options(root="/buildroot"),
+            "--",
+        ]
 
     @classmethod
     def sandbox(cls, context: Context, *, apivfs: bool) -> AbstractContextManager[list[PathString]]:

diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md
@@ -2730,6 +2730,11 @@ Note that the minimum required Python version is 3.9.
   changing ownership to root will work but changing ownership to any other user
   or group will fail.
 
+  Note that chown calls are only suppressed when running package managers, but
+  not when running scripts. If this is required, e.g. for a build script, you
+  can set the `MKOSI_CHROOT_SUPPRESS_CHOWN` variable to a true value (`1`,
+  `yes`, `true`) to suppress chown calls in `mkosi-chroot` and `.chroot` scripts.
+
   If this behavior causes applications running in your image to misbehave, you
   can consider running `mkosi` as root which avoids this problem. Alternatively,
   if running `mkosi` as root is not desired, you can use

diff --git a/mkosi/run.py b/mkosi/run.py
@@ -560,19 +560,6 @@ def apivfs_options(*, root: Path = Path("/buildroot")) -> list[PathString]:
     ]
 
 
-def apivfs_script_cmd(*, tools: bool, options: Sequence[PathString] = ()) -> list[PathString]:
-    exe = Path(sys.executable)
-    return [
-        "python3" if tools or not exe.is_relative_to("/usr") else exe, "-SI", "/sandbox.py",
-        "--bind", "/", "/",
-        "--same-dir",
-        "--bind", "/var/tmp", "/buildroot/var/tmp",
-        *apivfs_options(),
-        *options,
-        "--",
-    ]
-
-
 def chroot_options() -> list[PathString]:
     return [
         # Let's always run as (fake) root when we chroot inside the image as tools executed within the image could
@@ -616,15 +603,12 @@ def chroot_cmd(
         yield [*cmdline, *options, "--"]
 
 
-def chroot_script_cmd(*, tools: bool, network: bool = False, work: bool = False) -> list[PathString]:
-    exe = Path(sys.executable)
-    return [
-        "python3" if tools or not exe.is_relative_to("/usr") else exe, "-SI", "/sandbox.py",
-        "--bind", "/buildroot", "/",
-        "--bind", "/var/tmp", "/var/tmp",
-        *apivfs_options(root=Path("/")),
-        *chroot_options(),
-        *(["--bind", "/work", "/work", "--chdir", "/work/src"] if work else []),
-        *(["--ro-bind-try", "/etc/resolv.conf", "/etc/resolv.conf"] if network else []),
-        "--",
-    ]
+def finalize_interpreter(tools: bool) -> str:
+    if tools:
+        return "python3"
+
+    exe = sys.executable
+    if Path(exe).is_relative_to("/usr"):
+        return exe
+
+    return "python3"