Maroka-chan / VPN-Confinement

A NixOS module which lets you route traffic from systemd services through a VPN while preventing DNS leaks.
GNU General Public License v3.0

Does not work with systemd-resolved #11

Open lunik1 opened 1 month ago

lunik1 commented 1 month ago

If a system is using resolved with services.resolved.enable, units using VPN confinement will fail to start with

podman-prowlarr.service: Failed to set up mount namespacing: /run/resolvconf: No such file or directory

It seems /run/resolvconf is not created when using systemd-resolved.

Maroka-chan commented 1 month ago

VPN confinement works fine with systemd-resolved enabled. The problem is that you're trying to mount /run/resolvconf. It's not that the directory isn't created, it's intentionally made inaccessible to services running in the netns. systemd-resolved is a DNS resolver, and we don't want it to resolve to a nameserver from the host's default network, or in other words, we don't want it to "leak" the DNS. Therefore, the path /run/resolvconf or /var/run/resolvconf is made inaccessible to prevent DNS leaks.

Using fully-fledged containers makes what this module tries to accomplish much easier. So while you can use this module for your containers, since you're using podman, I would rather recommend you take a look at gluetun.

lunik1 commented 1 month ago

I get the same error with non-containerised services, and it is fixed by disabling resolved, which causes /run/resolvconf to exist. It also seems to be fixed if I create an empty directory at /run/resolvconf.

Maroka-chan commented 1 month ago

Seems like I jumped to conclusions then. It occurs with just services.prowlarr and services.resolved? I'll try to replicate it when I have time. Thanks for reporting this :)

lunik1 commented 1 month ago

It occurs with prowlarr and a custom prowlarr-in-podman service. I haven't tested anything else.

For now, creating a systemd tmpfiles rule which ensures /run/resolvconf exists seems to be an effective workaround.
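The tmpfiles workaround from the last comment, written out as a NixOS configuration fragment (an added example, not code from the VPN-Confinement module or from this thread; the directory mode and ownership are assumptions):

```nix
{ config, lib, ... }:

{
  # systemd-resolved stays enabled; it does not create /run/resolvconf on its own.
  services.resolved.enable = true;

  # Workaround for the "Failed to set up mount namespacing: /run/resolvconf:
  # No such file or directory" error reported above: create the directory at
  # boot so the confinement module can mark it inaccessible inside the VPN
  # netns instead of failing on a missing path. An empty directory is enough;
  # the mode and owner below are assumptions, not values from the module.
  systemd.tmpfiles.rules = [
    "d /run/resolvconf 0755 root root -"
  ];
}
```

After `nixos-rebuild switch`, `ls -ld /run/resolvconf` should show the empty directory and the confined unit should start without the mount namespacing error; the directory holds no host resolver configuration, so nothing is exposed to the namespace by it.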