@@ -63,22 +63,6 @@ run_in_bwrap() {
6363 fi
6464 done
6565
66- # Override resolv.conf for slirp4netns network namespace (DNS at 10.0.2.3)
67- # When /etc is mounted as a whole directory, /etc/resolv.conf may be a symlink
68- # (e.g., → /run/systemd/resolve/stub-resolv.conf). We resolve the symlink and
69- # mount at the real target so bwrap doesn't fail following a dangling symlink.
70- if [ " ${SLIRP_NETWORK:- } " = " 1" ; then
71- local slirp_resolv
72- slirp_resolv=$( mktemp)
73- echo " nameserver 10.0.2.3" > " $slirp_resolv "
74- local resolv_real
75- resolv_real=$( realpath /etc/resolv.conf 2> /dev/null) || resolv_real=" /etc/resolv.conf"
76- if [ " $resolv_real " != " /etc/resolv.conf" ; then
77- bwrap_args+=(--dir " $( dirname " $resolv_real " ) "
78- fi
79- bwrap_args+=(--ro-bind " $slirp_resolv " " $resolv_real "
80- fi
81-
8266 # Mask sensitive paths from config (dirs → tmpfs, files → /dev/null)
8367 local _p
8468 for _p in " ${cfg_bwrap_mask_paths[@]} " ; do
@@ -120,6 +104,23 @@ run_in_bwrap() {
120104 esac
121105 done
122106
107+ # Override resolv.conf for slirp4netns network namespace (DNS at 10.0.2.3)
108+ # Must come AFTER CAGE_MOUNTS (which creates tmpfs at /run).
109+ # When /etc is mounted as a whole directory, /etc/resolv.conf may be a symlink
110+ # (e.g., → /run/systemd/resolve/stub-resolv.conf). We resolve the symlink and
111+ # mount at the real target inside the already-created /run tmpfs.
112+ if [ " ${SLIRP_NETWORK:- } " = " 1" ; then
113+ local slirp_resolv
114+ slirp_resolv=$( mktemp)
115+ echo " nameserver 10.0.2.3" > " $slirp_resolv "
116+ local resolv_real
117+ resolv_real=$( realpath /etc/resolv.conf 2> /dev/null) || resolv_real=" /etc/resolv.conf"
118+ if [ " $resolv_real " != " /etc/resolv.conf" ; then
119+ bwrap_args+=(--dir " $( dirname " $resolv_real " ) "
120+ fi
121+ bwrap_args+=(--ro-bind " $slirp_resolv " " $resolv_real "
122+ fi
123+
123124 # Special filesystems
124125 bwrap_args+=(--proc /proc)
125126 bwrap_args+=(--dev /dev)
0 commit comments