Fix DNS resolution in ephemeral guests

Configure QEMU user-mode networking to use host DNS servers from
/etc/resolv.conf instead of the default 10.0.2.3, which doesn't work
when QEMU runs inside containers.

Signed-off-by: gursewak1997 <[email protected]>

Author: gursewak1997

crates/kit/src/qemu.rs

@@ -22,6 +22,38 @@ use nix::sys::socket::{accept, bind, getsockname, socket, AddressFamily, SockFla
 use tracing::{debug, trace, warn};
 use vsock::VsockAddr;
 
+/// Read DNS servers from /etc/resolv.conf
+/// Returns a vector of DNS server IP addresses, or None if unable to read/parse
+pub fn read_dns_servers() -> Option<Vec<String>> {
+    let resolv_conf = match std::fs::read_to_string("/etc/resolv.conf") {
+        Ok(content) => content,
+        Err(e) => {
+            debug!("Failed to read /etc/resolv.conf: {}", e);
+            return None;
+        }
+    };
+
+    let mut dns_servers = Vec::new();
+    for line in resolv_conf.lines() {
+        let line = line.trim();
+        // Parse lines like "nameserver 8.8.8.8" or "nameserver 2001:4860:4860::8888"
+        if let Some(server) = line.strip_prefix("nameserver ") {
+            let server = server.trim();
+            if !server.is_empty() {
+                dns_servers.push(server.to_string());
+            }
+        }
+    }
+
+    if dns_servers.is_empty() {
+        debug!("No DNS servers found in /etc/resolv.conf");
+        None
+    } else {
+        debug!("Found DNS servers: {:?}", dns_servers);
+        Some(dns_servers)
+    }
+}
+
 /// The device for vsock allocation
 pub const VHOST_VSOCK: &str = "/dev/vhost-vsock";
 
@@ -80,12 +112,17 @@ pub enum NetworkMode {
     User {
         /// Port forwarding rules: "tcp::2222-:22" format
         hostfwd: Vec<String>,
+        /// DNS servers to use (if None, QEMU's default 10.0.2.3 will be used)
+        dns_servers: Option<Vec<String>>,
     },
 }
 
 impl Default for NetworkMode {
     fn default() -> Self {
-        NetworkMode::User { hostfwd: vec![] }
+        NetworkMode::User {
+            hostfwd: vec![],
+            dns_servers: None,
+        }
     }
 }
 
@@ -322,8 +359,13 @@ impl QemuConfig {
     pub fn enable_ssh_access(&mut self, host_port: Option<u16>) -> &mut Self {
         let port = host_port.unwrap_or(2222); // Default to port 2222 on host
         let hostfwd = format!("tcp::{}-:22", port); // Forward host port to guest port 22
+        // Preserve existing DNS servers if any
+        let dns_servers = match &self.network_mode {
+            NetworkMode::User { dns_servers, .. } => dns_servers.clone(),
+        };
         self.network_mode = NetworkMode::User {
             hostfwd: vec![hostfwd],
+            dns_servers,
         };
         self
     }
@@ -522,23 +564,29 @@ fn spawn(
 
     // Configure network (only User mode supported now)
     match &config.network_mode {
-        NetworkMode::User { hostfwd } => {
-            if hostfwd.is_empty() {
-                cmd.args([
-                    "-netdev",
-                    "user,id=net0",
-                    "-device",
-                    "virtio-net-pci,netdev=net0",
-                ]);
-            } else {
-                let hostfwd_arg = format!("user,id=net0,hostfwd={}", hostfwd.join(",hostfwd="));
-                cmd.args([
-                    "-netdev",
-                    &hostfwd_arg,
-                    "-device",
-                    "virtio-net-pci,netdev=net0",
-                ]);
+        NetworkMode::User { hostfwd, dns_servers } => {
+            let mut netdev_parts = vec!["user".to_string(), "id=net0".to_string()];
+            
+            // Add DNS servers if specified
+            if let Some(dns_list) = dns_servers {
+                if !dns_list.is_empty() {
+                    let dns_arg = format!("dns={}", dns_list.join(","));
+                    netdev_parts.push(dns_arg);
+                }
             }
+            
+            // Add port forwarding rules
+            for fwd in hostfwd {
+                netdev_parts.push(format!("hostfwd={}", fwd));
+            }
+            
+            let netdev_arg = netdev_parts.join(",");
+            cmd.args([
+                "-netdev",
+                &netdev_arg,
+                "-device",
+                "virtio-net-pci,netdev=net0",
+            ]);
         }
     }
 

crates/kit/src/run_ephemeral.rs

@@ -283,6 +283,11 @@ pub struct RunEphemeralOpts {
 
     #[clap(long = "karg", help = "Additional kernel command line arguments")]
     pub kernel_args: Vec<String>,
+
+    /// Host DNS servers (read on host, passed to container for QEMU configuration)
+    /// Not a CLI option - populated automatically from host's /etc/resolv.conf
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub host_dns_servers: Option<Vec<String>>,
 }
 
 /// Launch privileged container with QEMU+KVM for ephemeral VM, spawning as subprocess.
@@ -499,8 +504,20 @@ fn prepare_run_command_with_temp(
         cmd.args(["-v", &format!("{}:/run/systemd-units:ro", units_dir)]);
     }
 
+    // Read host DNS servers before entering container
+    // QEMU's slirp will use these instead of container's unreachable bridge DNS servers
+    let host_dns_servers = crate::qemu::read_dns_servers();
+    if let Some(ref dns) = host_dns_servers {
+        debug!("Read host DNS servers: {:?}", dns);
+    } else {
+        debug!("No DNS servers found in host /etc/resolv.conf, QEMU will use default 10.0.2.3");
+    }
+
     // Pass configuration as JSON via BCK_CONFIG environment variable
-    let config = serde_json::to_string(&opts).unwrap();
+    // Include host DNS servers in the config so they're available inside the container
+    let mut opts_with_dns = opts.clone();
+    opts_with_dns.host_dns_servers = host_dns_servers;
+    let config = serde_json::to_string(&opts_with_dns).unwrap();
     cmd.args(["-e", &format!("BCK_CONFIG={config}")]);
 
     // Handle --execute output files and virtio-serial devices
@@ -1229,13 +1246,44 @@ Options=
     qemu_config.add_virtio_serial_out("org.bcvk.journal", "/run/journal.log".to_string(), false);
     debug!("Added virtio-serial device for journal streaming to /run/journal.log");
 
+    // Configure DNS servers from host's /etc/resolv.conf
+    // This fixes DNS resolution issues when QEMU runs inside containers.
+    // QEMU's slirp reads /etc/resolv.conf from the container's network namespace,
+    // which contains unreachable bridge DNS servers (e.g., 169.254.1.1, 10.x.y.z).
+    // By passing host DNS servers via QEMU's dns= parameter, we bypass slirp's
+    // resolv.conf reading and use the host's actual DNS servers.
+    let dns_servers = opts.host_dns_servers.clone();
+    if let Some(ref dns) = dns_servers {
+        debug!("Using host DNS servers (from host /etc/resolv.conf): {:?}", dns);
+    } else {
+        debug!("No host DNS servers available, QEMU will use default 10.0.2.3");
+    }
+
+    // Configure DNS servers in network mode before enabling SSH (if needed)
+    if let Some(ref dns) = dns_servers {
+        match &mut qemu_config.network_mode {
+            crate::qemu::NetworkMode::User { dns_servers: dns_opt, .. } => {
+                *dns_opt = Some(dns.clone());
+            }
+        }
+    }
+
     if opts.common.ssh_keygen {
         qemu_config.enable_ssh_access(None); // Use default port 2222
         debug!("Enabled SSH port forwarding: host port 2222 -> guest port 22");
 
         // We need to extract the public key from the SSH credential to inject it via SMBIOS
         // For now, the credential is already being passed via kernel cmdline
         // TODO: Add proper SMBIOS credential injection if needed
+    } else {
+        // Even without SSH, ensure DNS is configured if we have DNS servers
+        if let Some(dns) = dns_servers {
+            match &mut qemu_config.network_mode {
+                crate::qemu::NetworkMode::User { dns_servers: dns_opt, .. } => {
+                    *dns_opt = Some(dns);
+                }
+            }
+        }
     }
 
     // Set main virtiofs configuration for root filesystem (will be spawned by QEMU)

crates/kit/src/to_disk.rs

@@ -430,6 +430,7 @@ pub fn run(opts: ToDiskOpts) -> Result<()> {
     // - Attach target disk via virtio-blk
     // - Disable networking (using local storage only)
     let ephemeral_opts = RunEphemeralOpts {
+        host_dns_servers: None,
         image: opts.get_installer_image().to_string(),
         common: common_opts,
         podman: crate::run_ephemeral::CommonPodmanOptions {