Prevent build processes from modifying the cache, it is only needed
during provisioning anyway. A malicious build could still use sudo to
change the cache, but this is more to prevent mistaken modifications.
# does not need a custom mount
if cachedir != 'buildserver/cache':
vagrantfile += """
- config.vm.synced_folder '{0}', '/vagrant/cache'
+ config.vm.synced_folder '{0}', '/vagrant/cache',
+ owner: 'root', group: 'root', create: true
""".format(cachedir)
# cache .deb packages on the host via a mount trick