[workspacekit] Make resolv.conf writeable

components/workspacekit/cmd/rings.go

@@ -343,6 +343,14 @@ var ring1Cmd = &cobra.Command{
 			}
 		}
 
+		// We deliberately do not bind mount `/etc/resolv.conf`, but instead place a copy
+		// so that users in the workspace can modify the file.
+		err = copyResolvConf(ring2Root)
+		if err != nil {
+			log.WithError(err).Error("cannot copy resolv.conf")
+			return
+		}
+
 		env := make([]string, 0, len(os.Environ()))
 		for _, e := range os.Environ() {
 			if strings.HasPrefix(e, "WORKSPACEKIT_") {
@@ -565,7 +573,9 @@ var (
 		"/dev",
 		"/etc/hosts",
 		"/etc/hostname",
-		"/etc/resolv.conf",
+	}
+	rejectMountPaths = map[string]struct{}{
+		"/etc/resolv.conf": {},
 	}
 )
 
@@ -613,6 +623,11 @@ func findBindMountCandidates(procMounts io.Reader, readlink func(path string) (d
 			continue
 		}
 
+		// reject known paths
+		if _, ok := rejectMountPaths[path]; ok {
+			continue
+		}
+
 		// test remaining candidates if they're a Kubernetes configMap or secret
 		ln, err := readlink(filepath.Join(path, "..data"))
 		if err != nil {
@@ -627,6 +642,33 @@ func findBindMountCandidates(procMounts io.Reader, readlink func(path string) (d
 	return mounts, scanner.Err()
 }
 
+// copyResolvConf copies /etc/resolv.conf to <ring2root>/etc/resolv.conf
+func copyResolvConf(ring2root string) error {
+	stat, err := os.Stat("/etc/resolv.conf")
+	if err != nil {
+		return err
+	}
+
+	org, err := os.Open(stat.Name())
+	if err != nil {
+		return err
+	}
+	defer org.Close()
+
+	dst, err := os.OpenFile(filepath.Join(ring2root, "etc", "resolv.conf"), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, stat.Mode())
+	if err != nil {
+		return err
+	}
+	defer dst.Close()
+
+	_, err = io.Copy(dst, org)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func receiveSeccmpFd(conn *net.UnixConn) (libseccomp.ScmpFd, error) {
 	buf := make([]byte, unix.CmsgSpace(4))