feat(qemu): add DNS search domains (#2481)

* feat(qemu): add DNS search domains

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

pkg/container/qemu_runner.go

@@ -792,7 +792,23 @@ func createMicroVM(ctx context.Context, cfg *Config) error {
 	baseargs = append(baseargs, "-nodefaults")
 	baseargs = append(baseargs, serialArgs...)
 	// use -netdev + -device instead of -nic, as this is better supported by microvm machine type
-	baseargs = append(baseargs, "-netdev", "user,id=id1,hostfwd=tcp:"+cfg.SSHAddress+"-:22,hostfwd=tcp:"+cfg.SSHControlAddress+"-:2223")
+	netdevArgs := "user,id=id1,hostfwd=tcp:" + cfg.SSHAddress + "-:22,hostfwd=tcp:" + cfg.SSHControlAddress + "-:2223"
+	// QEMU_DNS_SEARCH allows configuring DNS search domains inside the guest VM.
+	// This is useful for builds that need to resolve short hostnames via search
+	// domains, or when the build environment requires specific DNS resolution
+	// behavior. The search domains are passed to SLIRP which includes them in DHCP
+	// responses, so the guest receives them naturally via DHCP.
+	// Multiple domains should be comma-separated.
+	// Example: QEMU_DNS_SEARCH="example.com,my.domain.org"
+	if dnsSearch, ok := os.LookupEnv("QEMU_DNS_SEARCH"); ok {
+		domains, err := parseDNSSearchDomains(dnsSearch)
+		if err != nil {
+			return fmt.Errorf("invalid QEMU_DNS_SEARCH value %q: %w", dnsSearch, err)
+		}
+		log.Infof("qemu: QEMU_DNS_SEARCH set to %v, adding %d domain(s) to SLIRP network config", domains, len(domains))
+		netdevArgs += buildDNSSearchNetdevArgs(domains)
+	}
+	baseargs = append(baseargs, "-netdev", netdevArgs)
 	// Set host_mtu to avoid silent packet drops in nested environments (e.g.,
 	// QEMU inside GKE pods). SLIRP defaults to 1500 MTU but the host path MTU
 	// may be lower due to encapsulation (GCP VPC uses 1460, pod networks can be
@@ -2330,6 +2346,65 @@ func getAdditionalPackages(ctx context.Context) []string {
 	return packages
 }
 
+// dnsSearchDomainRegex matches valid DNS search domain characters.
+// Only allows alphanumeric characters, dots, and hyphens.
+// This prevents injection of QEMU netdev options via malicious domain names.
+var (
+	// dnsSearchDomainRegex matches valid DNS search domain characters.
+	// Only allows alphanumeric characters, dots, and hyphens.
+	// This prevents injection of QEMU netdev options via malicious domain names.
+	dnsSearchDomainRegex = regexp.MustCompile(`^[a-zA-Z0-9.-]+$`)
+)
+
+// parseDNSSearchDomains parses and validates DNS search domains from a comma-separated string.
+// Returns an error if the input is empty or contains invalid domain characters.
+func parseDNSSearchDomains(input string) ([]string, error) {
+	input = strings.TrimSpace(input)
+	if input == "" {
+		return nil, fmt.Errorf("empty input")
+	}
+
+	// Only split on commas
+	parts := strings.Split(input, ",")
+
+	domains := make([]string, 0, len(parts))
+	for _, part := range parts {
+		part = strings.TrimSpace(part)
+		if part == "" {
+			continue
+		}
+
+		// Validate domain: only allow [a-zA-Z0-9.-]
+		if !dnsSearchDomainRegex.MatchString(part) {
+			return nil, fmt.Errorf("invalid characters in domain %q: only alphanumeric, dots, and hyphens are allowed", part)
+		}
+
+		domains = append(domains, part)
+	}
+
+	if len(domains) == 0 {
+		return nil, fmt.Errorf("no valid domains found")
+	}
+
+	return domains, nil
+}
+
+// buildDNSSearchNetdevArgs constructs the QEMU netdev dnssearch options string.
+// Returns empty string if no domains provided.
+// Each domain produces a separate ",dnssearch=<domain>" option.
+func buildDNSSearchNetdevArgs(domains []string) string {
+	if len(domains) == 0 {
+		return ""
+	}
+
+	var builder strings.Builder
+	for _, domain := range domains {
+		builder.WriteString(",dnssearch=")
+		builder.WriteString(domain)
+	}
+	return builder.String()
+}
+
 // getPackageCacheSuffix generates a deterministic cache suffix based on the package list.
 // Uses SHA256 hash (first 12 chars) to avoid collisions and keep filenames reasonable.
 // Returns empty string if packages list is empty.

pkg/container/qemu_runner_test.go

@@ -231,6 +231,267 @@ func TestGetAdditionalPackages(t *testing.T) {
 	}
 }
 
+func TestParseDNSSearchDomains(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+		wantErr  bool
+	}{
+		// Valid single domain
+		{
+			name:     "single valid domain",
+			input:    "example.com",
+			expected: []string{"example.com"},
+		},
+		// Valid multiple domains - comma separated
+		{
+			name:     "comma separated domains",
+			input:    "example.com,test.org",
+			expected: []string{"example.com", "test.org"},
+		},
+		// Multiple commas collapsed
+		{
+			name:     "multiple commas collapsed",
+			input:    "a.com,,b.org",
+			expected: []string{"a.com", "b.org"},
+		},
+		// Comma with spaces around domains (trimmed)
+		{
+			name:     "comma with spaces trimmed",
+			input:    "a.com, b.org , c.net",
+			expected: []string{"a.com", "b.org", "c.net"},
+		},
+		// Hyphenated domain
+		{
+			name:     "hyphenated domain",
+			input:    "my-domain.example.com",
+			expected: []string{"my-domain.example.com"},
+		},
+		// Nested subdomains
+		{
+			name:     "nested subdomains",
+			input:    "a.b.c.d.example.com",
+			expected: []string{"a.b.c.d.example.com"},
+		},
+		// Numeric domain parts
+		{
+			name:     "numeric domain parts",
+			input:    "123.example.com",
+			expected: []string{"123.example.com"},
+		},
+		// Empty input
+		{
+			name:    "empty string",
+			input:   "",
+			wantErr: true,
+		},
+		// Only whitespace
+		{
+			name:    "only whitespace",
+			input:   "   ",
+			wantErr: true,
+		},
+		// Only commas
+		{
+			name:    "only commas",
+			input:   ",,,",
+			wantErr: true,
+		},
+		// Space-separated domains (not allowed)
+		{
+			name:    "space separated domains rejected",
+			input:   "example.com test.org",
+			wantErr: true,
+		},
+		// Newline in domain (not allowed)
+		{
+			name:    "newline rejected",
+			input:   "foo\nbar",
+			wantErr: true,
+		},
+		// Tab in domain (not allowed)
+		{
+			name:    "tab rejected",
+			input:   "foo\tbar",
+			wantErr: true,
+		},
+		// Injection with equals sign (netdev option injection)
+		{
+			name:    "injection attempt with equals",
+			input:   "evil=value",
+			wantErr: true,
+		},
+		// Injection with hostfwd attempt
+		{
+			name:    "hostfwd injection attempt",
+			input:   "foo,hostfwd=tcp::8080-:22",
+			wantErr: true,
+		},
+		// Injection with colon
+		{
+			name:    "colon injection (port-like)",
+			input:   "domain:8080",
+			wantErr: true,
+		},
+		// Semicolon injection (command separator)
+		{
+			name:    "semicolon injection",
+			input:   "foo;rm -rf /",
+			wantErr: true,
+		},
+		// Pipe injection
+		{
+			name:    "pipe injection",
+			input:   "foo|cat /etc/passwd",
+			wantErr: true,
+		},
+		// Backtick injection
+		{
+			name:    "backtick injection",
+			input:   "foo`whoami`",
+			wantErr: true,
+		},
+		// Dollar sign injection
+		{
+			name:    "dollar sign injection",
+			input:   "foo$HOME",
+			wantErr: true,
+		},
+		// Quote injection
+		{
+			name:    "double quote injection",
+			input:   `foo"bar`,
+			wantErr: true,
+		},
+		// Single quote injection
+		{
+			name:    "single quote injection",
+			input:   "foo'bar",
+			wantErr: true,
+		},
+		// Ampersand injection
+		{
+			name:    "ampersand injection",
+			input:   "foo&bar",
+			wantErr: true,
+		},
+		// Parentheses injection
+		{
+			name:    "parentheses injection",
+			input:   "foo(bar)",
+			wantErr: true,
+		},
+		// Bracket injection
+		{
+			name:    "bracket injection",
+			input:   "foo[bar]",
+			wantErr: true,
+		},
+		// Brace injection
+		{
+			name:    "brace injection",
+			input:   "foo{bar}",
+			wantErr: true,
+		},
+		// Angle bracket injection
+		{
+			name:    "angle bracket injection",
+			input:   "foo<bar>",
+			wantErr: true,
+		},
+		// Backslash injection
+		{
+			name:    "backslash injection",
+			input:   "foo\\bar",
+			wantErr: true,
+		},
+		// Forward slash (path-like)
+		{
+			name:    "forward slash injection",
+			input:   "foo/bar",
+			wantErr: true,
+		},
+		// One valid, one invalid domain
+		{
+			name:    "mixed valid and invalid domains",
+			input:   "good.com,evil=bad",
+			wantErr: true,
+		},
+		// QEMU dnssearch option injection attempt
+		{
+			name:    "dnssearch option injection",
+			input:   "foo,dnssearch=evil.com",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := parseDNSSearchDomains(tt.input)
+
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("parseDNSSearchDomains(%q) expected error, got nil with result %v", tt.input, result)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Errorf("parseDNSSearchDomains(%q) unexpected %v", tt.input, err)
+				return
+			}
+
+			if len(result) != len(tt.expected) {
+				t.Errorf("parseDNSSearchDomains(%q) returned %d domains, expected %d: got %v, want %v",
+					tt.input, len(result), len(tt.expected), result, tt.expected)
+				return
+			}
+
+			for i, domain := range result {
+				if domain != tt.expected[i] {
+					t.Errorf("parseDNSSearchDomains(%q)[%d] = %q, expected %q",
+						tt.input, i, domain, tt.expected[i])
+				}
+			}
+		})
+	}
+}
+
+func TestBuildDNSSearchNetdevArgs(t *testing.T) {
+	tests := []struct {
+		name     string
+		domains  []string
+		expected string
+	}{
+		{
+			name:     "empty domains",
+			domains:  nil,
+			expected: "",
+		},
+		{
+			name:     "single domain",
+			domains:  []string{"example.com"},
+			expected: ",dnssearch=example.com",
+		},
+		{
+			name:     "multiple domains",
+			domains:  []string{"a.com", "b.org", "c.net"},
+			expected: ",dnssearch=a.com,dnssearch=b.org,dnssearch=c.net",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := buildDNSSearchNetdevArgs(tt.domains)
+			if result != tt.expected {
+				t.Errorf("buildDNSSearchNetdevArgs(%v) = %q, expected %q",
+					tt.domains, result, tt.expected)
+			}
+		})
+	}
+}
+
 func TestGetPackageCacheSuffix(t *testing.T) {
 	tests := []struct {
 		name     string