jail: do not hack /etc/resolv.conf on container rootfs

While useful for slim containers, this violates OCI spec and breaks
containers like pihole.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/jail.c b/jail/jail.c
index c350be280fdfe3d4d6ced2beeacd41aa68a1cd91..cf3127a1715d59678d492981f41fd4f1072b3312 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -689,7 +689,7 @@ static int build_jail_fs(void)
                create_dev_console(jail_root);
 
        /* make sure /etc/resolv.conf exists if in new network namespace */
-       if (opts.namespace & CLONE_NEWNET) {
+       if (!opts.extroot && opts.namespace & CLONE_NEWNET) {
                char jailetc[PATH_MAX], jaillink[PATH_MAX];
 
                snprintf(jailetc, PATH_MAX, "%s/etc", jail_root);