Fix guest VM outbound networking and DNS resolution

Add resolv.conf to wrenn-init so guests can resolve DNS, and fix the
host MASQUERADE rule to match vpeerIP (the actual source after namespace
SNAT) instead of hostIP.
2026-03-11 06:02:31 +06:00
parent b4d8edb65b
commit 0c245e9e1c
2 changed files with 8 additions and 2 deletions


@ -19,5 +19,9 @@ mount -t cgroup2 cgroup2 /sys/fs/cgroup 2>/dev/null || true
# Set hostname # Set hostname
hostname sandbox hostname sandbox
# Configure DNS resolver.
echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf
# Exec envd as the main process (replaces this script, keeps PID 1). # Exec envd as the main process (replaces this script, keeps PID 1).
exec /usr/local/bin/envd exec /usr/local/bin/envd
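Review bot: The two `echo ... /etc/resolv.conf` lines hard-code public resolvers and write them unconditionally, so a guest deployed where egress policy only permits an internal resolver gets DNS that silently does not work, and the host's own resolver configuration is never consulted. If `/etc/resolv.conf` is a symlink in the guest image or `/etc` is not writable at this point, the redirect fails; whether that aborts the script before `exec envd` depends on whether `set -e` is in effect, which is outside this hunk. Consider taking the resolver list from a configurable source (kernel cmdline or an envd setting, if one exists) with these two addresses as the fallback, and guarding the write the way the mount on the first context line is guarded, e.g. `printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > /etc/resolv.conf 2>/dev/null || true`. A short comment stating why these specific resolvers were chosen would also help the next reader.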


@ -278,9 +278,11 @@ func CreateNetwork(slot *Slot) error {
} }
// MASQUERADE for outbound traffic from sandbox. // MASQUERADE for outbound traffic from sandbox.
// After SNAT inside the namespace, outbound packets arrive on the host
// with source = vpeerIP, so we match on that (not hostIP).
if err := iptablesHost( if err := iptablesHost(
"-t", "nat", "-A", "POSTROUTING", "-t", "nat", "-A", "POSTROUTING",
"-s", fmt.Sprintf("%s/32", slot.HostIP.String()), "-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
"-o", defaultIface, "-o", defaultIface,
"-j", "MASQUERADE", "-j", "MASQUERADE",
); err != nil { ); err != nil {
@ -314,7 +316,7 @@ func RemoveNetwork(slot *Slot) error {
) )
iptablesHost( iptablesHost(
"-t", "nat", "-D", "POSTROUTING", "-t", "nat", "-D", "POSTROUTING",
"-s", fmt.Sprintf("%s/32", slot.HostIP.String()), "-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
"-o", defaultIface, "-o", defaultIface,
"-j", "MASQUERADE", "-j", "MASQUERADE",
) )
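Review bot: In the RemoveNetwork hunk the `iptablesHost(... "-D", "POSTROUTING" ...)` call discards its error, so a failed delete leaves a MASQUERADE rule for `slot.VpeerIP` in the host nat table with nothing recorded; if peer addresses are reused across slots (not visible here) that stale rule would then apply to a later sandbox. The hunk header shows RemoveNetwork returns `error`, so the cleanup result can be surfaced rather than dropped, e.g. `if err := iptablesHost(...); err != nil { cleanupErr = errors.Join(cleanupErr, fmt.Errorf("deleting MASQUERADE rule for %s: %w", slot.VpeerIP, err)) }` and returning `cleanupErr` at the end. The CreateNetwork hunk already checks its error, so the two paths are inconsistent. RemoveNetwork's body continues outside the hunk, so the best place to aggregate and return may be further down.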