Open lunik1 opened 1 month ago
VPN confinement works fine with systemd-resolved enabled. The problem is that you're trying to mount /run/resolvconf. It's not that the directory isn't created, it's intentionally made inaccessible to services running in the netns.
systemd-resolved is a DNS resolver, and we don't want it to resolve to a nameserver from the host's default network, or in other words, we don't want it to "leak" the DNS. Therefore, the path /run/resolvconf or /var/run/resolvconf is made inaccessible to prevent DNS leaks.
Using fully-fledged containers makes what this module tries to accomplish much easier. So while you can use this module for your containers, since you're using podman, I would rather recommend you take a look at gluetun.
I get the same error with non-containerised services, and it is fixed by disabling resolved, which causes /run/resolvconf to exist. It also seems to be fixed if I create an empty directory at /run/resolvconf.
Seems like I jumped to conclusions then. It occurs with just services.prowlarr and services.resolved?
I'll try to replicate it when I have time. Thanks for reporting this :)
It occurs with prowlarr and a custom prowlarr-in-podman service. I haven't tested anything else.
For now, creating a systemd tmpfiles rule which ensures /run/resolvconf exists seems to be an effective workaround.
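The tmpfiles workaround described in the comment above, written out as a NixOS configuration fragment. This is an added example, not code from the issue or from the VPN confinement module; the module's own confinement options for the service are omitted (they are not shown on this page), and the directory mode and ownership are assumptions.

```nix
{ config, pkgs, ... }:
{
  # systemd-resolved stays enabled; this is the setup that triggers the failure.
  services.resolved.enable = true;

  # The confined service from the report. The confinement options for it
  # belong here as well but are omitted (not shown on this page).
  services.prowlarr.enable = true;

  # Workaround: guarantee that the directory the module tries to mount exists.
  # A tmpfiles 'd' entry creates it at boot if it is missing; the directory
  # stays empty. Mode and owner are assumptions, any readable directory works.
  systemd.tmpfiles.rules = [
    "d /run/resolvconf 0755 root root -"
  ];
}
```

The rule only supplies the mount point so the unit can start; it does not change what the confined service is allowed to see of the host's resolver configuration.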
If a system is using resolved with services.resolved.enable, units using VPN confinement will fail to start with
It seems /run/resolvconf is not created when using systemd-resolved.