docker(role): document gVisor issue with user-def. br. and provide help

Document issue with containers on user-defined bridges and using the
gVisor runsc runtime. Also provide a helper resolv.conf as a workaround.

roles/docker/README.md

@@ -17,6 +17,8 @@ None.
 ## Optional Arguments
 
 - `docker__gvisor_setup`: Whether or not to set up [gVisor](https://gvisor.dev/) (`runsc` runtime).  
+  > Note: gVisor doesn't work with the embedded DNS server Docker forces for user-defined bridges (see the [relevant GitHub issue](https://github.com/google/gvisor/issues/7469)). A workaround would be to bind mount a `resolv.conf` not relying on localhost DNS (note however that this still doesn't provide local container name resolution). When enabling this option such a helper `resolv.conf` pointing to Quad9 gets deployed to `/etc/gvisor-helper-resolv.conf` for bind-mounting. See the file for usage instructions.
+  
   Defaults to `false`.
 
 ## Links & Resources

roles/docker/files/gvisor-helper-resolv.conf

@@ -0,0 +1,9 @@
+# resolv.conf pointing to Quad9 for bind-mounting into containers on user-defined bridges and using the gVisor runsc runtime.
+# Example: docker run --runtime runsc --mount type=bind,src=/etc/gvisor-helper-resolv.conf,dst=/etc/resolv.conf,ro=true --network your-user-defined-network -it --rm docker.io/library/debian /bin/bash
+
+nameserver 9.9.9.9
+nameserver 149.112.112.112
+nameserver 2620:fe::fe
+nameserver 2620:fe::9
+
+options edns0

roles/docker/tasks/main/03_docker_config.yaml

@@ -10,3 +10,13 @@
     mode: "0644"
   become: true
   notify: restart the docker service
+
+- name: Ensure helper gVisor resolv.conf is deployed
+  when: docker__gvisor_setup
+  ansible.builtin.copy:
+    src: gvisor-helper-resolv.conf
+    dest: /etc/gvisor-helper-resolv.conf
+    owner: root
+    group: root
+    mode: "0644"
+  become: true