From fdd9eadad1dfd135c6e3eb4858db4c49f419e68b Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 21 May 2026 04:44:16 +0200
Subject: [PATCH] docker(role): document gVisor issue with user-def. br. and provide help

Document issue with containers on user-defined bridges and using the gVisor runsc runtime. Also provide a helper resolv.conf as a workaround.
---
 roles/docker/README.md                        |  2 ++
 roles/docker/files/gvisor-helper-resolv.conf  |  9 +++++++++
 roles/docker/tasks/main/03_docker_config.yaml | 10 ++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 roles/docker/files/gvisor-helper-resolv.conf

diff --git a/roles/docker/README.md b/roles/docker/README.md
index befc005..0a28265 100644
--- a/roles/docker/README.md
+++ b/roles/docker/README.md
@@ -17,6 +17,8 @@ None.
 ## Optional Arguments
 
 - `docker__gvisor_setup`: Whether or not to set up [gVisor](https://gvisor.dev/) (`runsc` runtime).
+  > Note: gVisor doesn't work with the embedded DNS server Docker forces for user-defined bridges (see the [relevant GitHub issue](https://github.com/google/gvisor/issues/7469)). A workaround would be to bind mount a `resolv.conf` not relying on localhost DNS (note however that this still doesn't provide local container name resolution). When enabling this option such a helper `resolv.conf` pointing to Quad9 gets deployed to `/etc/gvisor-helper-resolv.conf` for bind-mounting. See the file for usage instructions.
+
   Defaults to `false`.
 
 ## Links & Resources
diff --git a/roles/docker/files/gvisor-helper-resolv.conf b/roles/docker/files/gvisor-helper-resolv.conf
new file mode 100644
index 0000000..f047a80
--- /dev/null
+++ b/roles/docker/files/gvisor-helper-resolv.conf
@@ -0,0 +1,9 @@
+# resolv.conf pointing to Quad9 for bind-mounting into containers on user-defined bridges and using the gVisor runsc runtime.
+# Example: docker run --runtime runsc --mount type=bind,src=/etc/gvisor-helper-resolv.conf,dst=/etc/resolv.conf,ro=true --network your-user-defined-network -it --rm docker.io/library/debian /bin/bash
+
+nameserver 9.9.9.9
+nameserver 149.112.112.112
+nameserver 2620:fe::fe
+nameserver 2620:fe::9
+
+options edns0
diff --git a/roles/docker/tasks/main/03_docker_config.yaml b/roles/docker/tasks/main/03_docker_config.yaml
index 88ee96b..8c145b2 100644
--- a/roles/docker/tasks/main/03_docker_config.yaml
+++ b/roles/docker/tasks/main/03_docker_config.yaml
@@ -10,3 +10,13 @@
     mode: "0644"
   become: true
   notify: restart the docker service
+
+- name: Ensure helper gVisor resolv.conf is deployed
+  when: docker__gvisor_setup
+  ansible.builtin.copy:
+    src: gvisor-helper-resolv.conf
+    dest: /etc/gvisor-helper-resolv.conf
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
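Review bot: The resolver list in the new file is hard-coded to Quad9's public addresses, so every container using this mount sends its DNS queries to an external third party, and an operator with an internal or split-horizon resolver has no way to substitute it short of editing a file the role owns. Shipping the file as a template driven by a role variable that defaults to the current four addresses would keep the workaround while letting sites keep DNS on-net, e.g. `{% for ns in docker__gvisor_helper_nameservers %}` / `nameserver {{ ns }}` / `{% endfor %}` (variable name is a proposal, not an existing one). The header comment could also state that bind-mounting over `/etc/resolv.conf` replaces the file Docker generates wholesale, so any per-container DNS settings Docker would otherwise write there are not applied; the example's `ro=true` is good and worth keeping as the recommended form.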
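Review bot: The new copy task only converges in one direction: once `docker__gvisor_setup` is set back to `false` on a host where it was previously `true`, `/etc/gvisor-helper-resolv.conf` stays in place, although the README hunk describes the file as deployed only when the option is enabled. A companion task removing the file under `when: not docker__gvisor_setup` makes the toggle reversible and keeps the host's state derivable from the inventory. No `notify` appears to be needed on either task, since the file is consumed only via bind mount at `docker run` time rather than by the daemon. The task whose `mode`/`become`/`notify` lines form the hunk's context starts outside the hunk.
```yaml
# … unchanged: "Ensure helper gVisor resolv.conf is deployed" task …

- name: Ensure helper gVisor resolv.conf is absent when gVisor is not set up
  when: not docker__gvisor_setup
  ansible.builtin.file:
    path: /etc/gvisor-helper-resolv.conf
    state: absent
  become: true
```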