Merge pull request #3275 from DaanDeMeyer/pacman-priority

pacman: Make sure repositories from dropins take priority
systemd · Dec 13, 2024 · ed87abe · ed87abe
2 parents 91f4f06 + a32b809
commit ed87abe
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/action.yaml b/action.yaml
@@ -45,6 +45,15 @@ runs:
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
         sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
 
+    - name: Create missing mountpoints
+      shell: bash
+      run: |
+        for p in /etc/pki /etc/pacman.d/gnupg /etc/ssl /etc/ca-certificates /var/lib/ca-certificates /etc/crypto-policies; do
+          if [[ ! -e "$p" ]]; then
+            sudo mkdir -p "$p"
+          fi
+        done
+
     # Both the unix-chkpwd and swtpm profiles are broken (https://gitlab.com/apparmor/apparmor/-/issues/402) so let's
     # just disable and remove apparmor completely. It's not relevant in this context anyway.
     # TODO: Remove if https://github.com/actions/runner-images/issues/10015 is ever fixed.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
@@ -3768,7 +3768,20 @@ def run_sandbox(args: Args, config: Config) -> None:
     # If we're not using tools tree certificates we don't have to do anything since the relaxed sandbox will
     # already have /etc and /var from the host so we don't need to do anything extra.
     if config.tools_tree_certificates:
-        options += finalize_crypto_mounts(config)
+        mounts = finalize_crypto_mounts(config)
+
+        # Since we reuse almost every top level directory from the host except /usr, the crypto mountpoints
+        # have to exist already in these directories or we'll fail with a permission error. Let's check this
+        # early and show a better error and a suggestion on how users can fix this issue. We use slice
+        # notation to get every 3rd item from the mounts list which is the destination path.
+        for dst in mounts[2::3]:
+            if not Path(dst).exists():
+                die(
+                    f"Missing mountpoint {dst}",
+                    hint=f"Create an empty directory at {dst} using 'mkdir -p {dst}' as root and try again",
+                )
+
+        options += mounts
 
     run(
         cmdline,

diff --git a/mkosi/installer/pacman.py b/mkosi/installer/pacman.py
@@ -119,23 +119,23 @@ def setup(cls, context: Context, repositories: Sequence[PacmanRepository]) -> No
             # This has to go first so that our local repository always takes precedence over any other ones.
             f.write("Include = /etc/mkosi-local.conf\n")
 
-            for repo in repositories:
+            if any((context.sandbox_tree / "etc/pacman.d/").glob("*.conf")):
                 f.write(
                     textwrap.dedent(
-                        f"""\
+                        """\
 
-                        [{repo.id}]
-                        Server = {repo.url}
+                        Include = /etc/pacman.d/*.conf
                         """
                     )
                 )
 
-            if any((context.sandbox_tree / "etc/pacman.d/").glob("*.conf")):
+            for repo in repositories:
                 f.write(
                     textwrap.dedent(
-                        """\
+                        f"""\
 
-                        Include = /etc/pacman.d/*.conf
+                        [{repo.id}]
+                        Server = {repo.url}
                         """
                     )
                 )