29 changes: 23 additions & 6 deletions containers/agent/entrypoint.sh
Expand Up @@ -162,15 +162,28 @@ if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
# NOTE: We backup the host's original resolv.conf and set up a trap to restore it
RESOLV_BACKUP="/host/etc/resolv.conf.awf-backup-$$"
RESOLV_MODIFIED=false
if cp /host/etc/resolv.conf "$RESOLV_BACKUP" 2>/dev/null; then
if cp /etc/resolv.conf /host/etc/resolv.conf.awf 2>/dev/null; then
mv /host/etc/resolv.conf.awf /host/etc/resolv.conf 2>/dev/null && RESOLV_MODIFIED=true
echo "[entrypoint] DNS configuration copied to chroot (backup at $RESOLV_BACKUP)"
RESOLV_CREATED=false
if [ -f /host/etc/resolv.conf ]; then
# File exists: backup original and replace with AWF DNS configuration
if cp /host/etc/resolv.conf "$RESOLV_BACKUP" 2>/dev/null; then
if cp /etc/resolv.conf /host/etc/resolv.conf.awf 2>/dev/null; then
mv /host/etc/resolv.conf.awf /host/etc/resolv.conf 2>/dev/null && RESOLV_MODIFIED=true
echo "[entrypoint] DNS configuration copied to chroot (backup at $RESOLV_BACKUP)"
else
echo "[entrypoint][WARN] Could not copy DNS configuration to chroot"
fi
else
echo "[entrypoint][WARN] Could not copy DNS configuration to chroot"
echo "[entrypoint][WARN] Could not backup host resolv.conf, skipping DNS override"
fi
else
echo "[entrypoint][WARN] Could not backup host resolv.conf, skipping DNS override"
# File doesn't exist: selective /etc mounts don't include resolv.conf
# Create it from the container's resolv.conf (which has AWF DNS config)
if cp /etc/resolv.conf /host/etc/resolv.conf 2>/dev/null; then
RESOLV_CREATED=true
echo "[entrypoint] DNS configuration created in chroot (/host/etc/resolv.conf)"
else
echo "[entrypoint][WARN] Could not create DNS configuration in chroot"
fi
fi

# Determine working directory inside the chroot
Expand Down Expand Up @@ -291,6 +304,10 @@ AWFEOF
CHROOT_RESOLV_BACKUP="${RESOLV_BACKUP#/host}"
CLEANUP_CMD="${CLEANUP_CMD}; mv '${CHROOT_RESOLV_BACKUP}' /etc/resolv.conf 2>/dev/null || true"
echo "[entrypoint] DNS configuration will be restored on exit"
elif [ "$RESOLV_CREATED" = "true" ]; then
# File was created by us; remove it on exit to leave no trace
CLEANUP_CMD="${CLEANUP_CMD}; rm -f /etc/resolv.conf 2>/dev/null || true"
echo "[entrypoint] DNS configuration will be removed on exit"
fi

exec chroot /host /bin/bash -c "
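Review bot: The `[ -f /host/etc/resolv.conf ]` test on the new `if` is false for a dangling symlink, which is a plausible state of `/host/etc/resolv.conf` when /etc is mounted selectively (a resolv.conf that is a link into /run has no target in the chroot), so the "file doesn't exist" branch runs and `cp /etc/resolv.conf /host/etc/resolv.conf` follows the link instead of writing the file the comment describes, while the `rm -f /etc/resolv.conf` added in the cleanup hunk further down would later delete the host's link rather than the copy. I would make the existence check symlink-aware, `if [ -f /host/etc/resolv.conf ] || [ -L /host/etc/resolv.conf ]; then`, so any link takes the backup/restore path, which already degrades to the "skipping DNS override" warning when the backup copy fails; if a dangling link should instead be replaced, that wants its own branch that removes the link before the `cp` and restores it on exit. The enclosing `if [ "${AWF_CHROOT_ENABLED}" = "true" ]` block starts and ends outside this hunk.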
2 changes: 1 addition & 1 deletion tests/integration/chroot-edge-cases.test.ts
Expand Up @@ -272,7 +272,7 @@ describe('Chroot Edge Cases', () => {
}, 60000);

test('should block HTTP to non-whitelisted domains', async () => {
const result = await runner.runWithSudo('curl -s --connect-timeout 5 http://example.com 2>&1', {
const result = await runner.runWithSudo('curl -f --connect-timeout 5 http://example.com 2>&1', {
allowDomains: ['github.com'],
logLevel: 'debug',
timeout: 30000,
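Review bot: Dropping `-s` while adding `-f` means curl now writes its progress meter to stderr, which the trailing `2>&1` folds into the command output the test receives, so any assertion on the output text (the rest of this test body is outside the hunk) is matching against transfer statistics as well as the response or error. Keeping both flags, `curl -sf --connect-timeout 5 http://example.com 2>&1`, preserves the non-zero exit status on an HTTP error response that `-f` is presumably here for without adding noise to the output. A brief comment such as `// -f: exit non-zero on an HTTP error response so a proxy 403 counts as blocked` would record why the flag changed.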