DNS resolution breaks on NixOS when having static resolv.conf

[dasJ]

This breaks on NixOS when having static resolv.conf. Nix now copies the /etc/resolv.conf symlink (pointing to /etc/static) to the sandbox, resulting in a dangling symlink and breaking all DNS resolution inside the sandbox.

2.19.4:

2.19.5:

Originally posted by @dasJ in #10456 (comment)

[kjahn-feti]

Hi, @dasJ, could you please include the command you used to produce the above screenshots or a MWE, so I could learn and try to reproduce the issue for myself? Many thx!

[dasJ]

Yeah would've been an obvious thing to do :D

nix-build -E '(import <nixpkgs> {}).runCommand "test" {outputHashMode = "recursive"; outputHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";} "ls -la /etc"'

[roberth]

I think the simplest solution is to make a copy of the resolv.conf contents.

Alternatively, we could resolve the symlink and add its target to the sandbox-paths for FODs. That's more accurate, but also more complicated and riskier.

Yet another alternative is to make NixOS point /etc/resolve.conf directly into the store instead of /etc/static, so that NixOS can add it to sandbox-paths. That's less atomic, but atomic switching is a bit of misnomer anyway, considering the limitations of systemd.

Note that these options all need to work to support changes to resolv.conf during a build (e.g. switching wifi while building, or nixos-rebuild switch on a server with concurrent Nix users), but here again the solution to just copy the contents seems simplest, by not having to change sandbox-paths after creating the sandbox.

[dasJ]

Yet another alternative is to make NixOS point /etc/resolve.conf directly into the store

Would work in this specific case, but would not work on non-nixos-systems with systemd-resolved: https://wiki.archlinux.org/title/Systemd-resolved#DNS