Follow the trail when resolv.conf ain't home

When /etc is mounted as a whole directory, /etc/resolv.conf may be
a symlink (e.g., to /run/systemd/resolve/stub-resolv.conf). Resolve
the symlink and mount the slirp DNS config at the real target path,
creating the parent directory if needed.

Author: zbateson

src/bwrap.sh

@@ -64,11 +64,19 @@ run_in_bwrap() {
     done
 
     # Override resolv.conf for slirp4netns network namespace (DNS at 10.0.2.3)
+    # When /etc is mounted as a whole directory, /etc/resolv.conf may be a symlink
+    # (e.g., → /run/systemd/resolve/stub-resolv.conf). We resolve the symlink and
+    # mount at the real target so bwrap doesn't fail following a dangling symlink.
     if [ "${SLIRP_NETWORK:-}" = "1" ]; then
         local slirp_resolv
         slirp_resolv=$(mktemp)
         echo "nameserver 10.0.2.3" > "$slirp_resolv"
-        bwrap_args+=(--ro-bind "$slirp_resolv" /etc/resolv.conf)
+        local resolv_real
+        resolv_real=$(realpath /etc/resolv.conf 2>/dev/null) || resolv_real="/etc/resolv.conf"
+        if [ "$resolv_real" != "/etc/resolv.conf" ]; then
+            bwrap_args+=(--dir "$(dirname "$resolv_real")")
+        fi
+        bwrap_args+=(--ro-bind "$slirp_resolv" "$resolv_real")
     fi
 
     # Mask sensitive paths from config (dirs → tmpfs, files → /dev/null)