Fix DNS queries in images with systemd-resolved on hosts without it

[debarshiray]

On some Toolbx images with systemd-resolved(8), like the fedora-toolbox images for Fedora 39 onwards, /etc/resolv.conf can end up being a symbolic link inside the container that expects the host operating system to also use systemd-resolved(8):

  $ ls -l /etc/resolv.conf
  lrwxrwxrwx. 1 root root 39 Nov 28 08:50 /etc/resolv.conf ->
    ../run/systemd/resolve/stub-resolv.conf

This happens because systemd-resolved(8) already makes /etc/resolv.conf a symbolic link inside the image, and, hence, the container's entry point doesn't change it to point at the host's copy of the file at /run/host/etc/resolv.conf. Instead, it's left pointing at the host's copy of the files maintained by systemd-resolved(8) under /run/systemd/resolve, which happen to be also available inside the container [1].

If the host OS doesn't use systemd-resolved(8), like Red Hat Enterprise Linux 9, then this leads to a dangling symbolic link and breaks DNS queries.

Note that the presence of systemd-resolved(8) in the recent fedora-toolbox images is a regression caused by the ToolbxReleaseBlocker Change [2] for Fedora 39 where the image was rewritten in terms of fedora-kickstarts and pungi-fedora instead of a Container/Dockerfile. By mistake, systemd crept in as an RPM needed by the image [3], which in turn pulled in the systemd-resolved RPM as a weak dependency [4].

Hopefully, that will get fixed. However, it's also not practical to keep track of all the Toolbx images out there in the wild, so it's wise to make toolbox(1) more resilient to such things.

This will have the downside of overwriting some custom user-made modifications to the container's /etc/resolv.conf. While that's unfortunate, it's more important to have Toolbx images produce working containers on a wide range of host OSes. It will be better to come up with a more explicit way to support custom user-made modifications to the container's configuration. Perhaps with a persistent stamp file.

[1] Commit af602c7d227617d2 https://github.com/containers/toolbox/commit/af602c7d227617d2 https://github.com/containers/toolbox/pull/707

[2] https://fedoraproject.org/wiki/Changes/ToolbxReleaseBlocker

[3] fedora-kickstarts commit 48e2c3b5598de32f https://pagure.io/fedora-kickstarts/c/48e2c3b5598de32f

[4] fedora-kickstarts commit 49306cb6eada8777 https://pagure.io/fedora-kickstarts/c/49306cb6eada8777

https://github.com/containers/toolbox/issues/1410

[softwarefactory-project-zuul[bot]]

Build succeeded. https://softwarefactory-project.io/zuul/t/local/buildset/d4d7c02f4149490f8be84e81b8e6214b

:heavy_check_mark: unit-test SUCCESS in 6m 46s :heavy_check_mark: unit-test-migration-path-for-coreos-toolbox SUCCESS in 3m 08s :heavy_check_mark: unit-test-restricted SUCCESS in 5m 48s :heavy_check_mark: system-test-fedora-rawhide SUCCESS in 31m 18s :heavy_check_mark: system-test-fedora-39 SUCCESS in 29m 58s :heavy_check_mark: system-test-fedora-38 SUCCESS in 29m 44s

[softwarefactory-project-zuul[bot]]

Build failed. https://softwarefactory-project.io/zuul/t/local/buildset/39dd11f1f2484e71bd2d32ec89912cb2

:heavy_check_mark: unit-test SUCCESS in 6m 51s :heavy_check_mark: unit-test-migration-path-for-coreos-toolbox SUCCESS in 3m 09s :heavy_check_mark: unit-test-restricted SUCCESS in 5m 53s :x: system-test-fedora-rawhide FAILURE in 28m 53s :x: system-test-fedora-39 FAILURE in 28m 41s :x: system-test-fedora-38 FAILURE in 29m 50s

[debarshiray]

Cool, the tests do fail if /etc/resolv.conf inside the Toolbx container is not a symbolic link:

fedora-rawhide | not ok 195 network: /etc/resolv.conf inside the default container in 1724ms
fedora-rawhide | # (from function `assert_success' in file test/system/libs/bats-assert/src/assert.bash, line 114,
fedora-rawhide | #  in test file test/system/203-network.bats, line 70)
fedora-rawhide | #   `assert_success' failed
fedora-rawhide | #
fedora-rawhide | # -- command failed --
fedora-rawhide | # status : 1
fedora-rawhide | # output :
fedora-rawhide | # --

I had replaced /etc/resolv.conf with /etc/bashrc to test the tests. :P

[softwarefactory-project-zuul[bot]]

Build succeeded. https://softwarefactory-project.io/zuul/t/local/buildset/958d94ccb32345f29b09a51292716648

:heavy_check_mark: unit-test SUCCESS in 7m 04s :heavy_check_mark: unit-test-migration-path-for-coreos-toolbox SUCCESS in 3m 17s :heavy_check_mark: unit-test-restricted SUCCESS in 6m 02s :heavy_check_mark: system-test-fedora-rawhide SUCCESS in 29m 17s :heavy_check_mark: system-test-fedora-39 SUCCESS in 27m 49s :heavy_check_mark: system-test-fedora-38 SUCCESS in 28m 07s

[softwarefactory-project-zuul[bot]]

Build succeeded. https://softwarefactory-project.io/zuul/t/local/buildset/6c1757ec399b40dfb4f647622a5ef1f5

:heavy_check_mark: unit-test SUCCESS in 6m 51s :heavy_check_mark: unit-test-migration-path-for-coreos-toolbox SUCCESS in 3m 08s :heavy_check_mark: unit-test-restricted SUCCESS in 5m 55s :heavy_check_mark: system-test-fedora-rawhide SUCCESS in 33m 22s :heavy_check_mark: system-test-fedora-39 SUCCESS in 32m 17s :heavy_check_mark: system-test-fedora-38 SUCCESS in 31m 40s